Information is an important asset to your company, but it can also pose a great risk. As a result, it is important for organizations to have a reasonable and consistently implemented document retention and destruction policy.
Consider the following ten tips to ensure that a document retention policy protects your company in the case of litigation, is compliant with current data protection and privacy laws, and is cost-effective.
1. Don’t keep your information indefinitely.
Gone are the days of keeping information forever. Many recent data privacy laws, including the California Consumer Privacy Act (CCPA), incorporate the concept of data minimization.
Under this concept, organizations should only collect and retain personal information which is necessary. In general, there must be a good reason to keep information indefinitely.
Thus, there are regulatory reasons to review and update your policies, in addition to business concerns.
Another reason to limit the amount of information that is retained is cost. Companies are keeping more information than they used to, and the volume of information you need to comb through during e-discovery can be measured in terabytes.
Even assisted by artificial intelligence and other technology, it can be costly to engage in discovery and there is no way to review everything. Having a solid retention and destruction policy can help reduce costs.
2. Take a team-based approach to drafting or reviewing your policy.
Various stakeholders, led by your legal department, should have a voice in the development of your document retention policy. Department heads, the individuals responsible for maintaining records, and the information technology department should all play a role.
Bringing in the latter two stakeholder groups is important, as they are well versed in the organization’s current document management practices, will be intimately involved in the implementation of the policy, and can provide guidance on what policies are feasible from a logistical and technical standpoint.
3. Make sure the policy you create is “reasonable.”
In litigation over document production, one of the first questions a court will ask is whether a company’s document retention policy is reasonable. If the court determines that is not the case, the company will not be able to rely on its policy when it cannot produce the information required as part of discovery.
The time periods for document retention will vary based on the type of information, the company’s business needs, and other factors. All parts of the policy must be justified from a business perspective and conform with applicable state and federal laws.
4. Be thorough in the types of data that are included in your policy.
Policies should address as many types of data as possible, including voicemails, instant messages, photographs, and metadata, as well as financial information, employee records, contracts, and more. Some data retention policies include emails, although companies often have separate email usage and retention policies.
Each type of data included must be governed by a retention period. Decisions should also be made about when you should retain backups, copies, or printouts along with the official document.
Be careful to ensure that the policy isn’t too complex or cumbersome as that will negatively impact implementation.
5. Retain your documents only as long as necessary.
For business and legal reasons, you may need to retain different types of documents for different lengths of time. Based on current best practices, you should keep documents long enough to meet business and legal requirements, but not longer than is reasonably necessary for the purpose for which they were collected in the first place.
Federal and state law also will dictate the minimum period you must keep some of the information. Keep in mind that state and federal laws and laws in other countries may vary from your own jurisdiction’s rules.
6. Be specific about what will happen to the data after the retention period ends.
Some retention policies state that information will be kept for a specific period, but do not outline whether the information will be destroyed at that time. What happens to the information after the retention period is over? If your policy does not answer that question, you may not be able to rely on it during litigation to explain why records were destroyed.
Therefore, your policy needs to state clearly that the information will be destroyed after the retention period is over. Make sure the retention period is adequate for the data to outlive any business or legal need or government-required retention period.
7. Ensure that employees can and do follow your policy.
For a document retention policy to be defensible, the company and its employees must have followed it consistently. That means it must be clear and not too cumbersome.
It must also be supported by training and retraining to ensure that employees understand the policy and how to implement it. Large companies often have automated destruction schemes in place, but employees still destroy documents manually in many cases.
8. Don’t forget to include mobile phones and personal devices.
If you allow employees to use their personal devices to access business emails or do other business tasks, you will need to outline the policies for how that information will be governed and make sure employees know the rules.
In the case of personal device use, there are many factors to be considered to ensure the security of company data while maintaining privacy for the employees. Most companies have remote access to business information on a personal device and mandate that their employees give them permission to view the business data; some have technology to automatically wipe the business-related information if needed, such as when a phone is lost.
Another consideration is how employees should transfer business-related information from their personal devices into company-managed systems for retention purposes.
9. Be prepared to implement legal holds.
Legal holds are exceptions to the document retention policy that are put into effect at the earliest notice of potential lawsuits, subpoenas, audits, government investigations, and the like.
The retention policy should detail the events that would suspend routine destruction, what would trigger a hold, and when the policy can recommence. Employees and other stakeholders should be reminded of any legal holds in place on a regular basis.
10. Don’t forget to save your chats.
During e-discovery in recent antitrust litigation between Google and Epic Games, it was found that many relevant chats and instant messages containing business information were missing because they had been automatically deleted after 24 hours.
When litigation first began, Google issued a litigation hold and employees were directed not to discuss information relevant to litigation on Google’s internal messaging service. If information relevant to the litigation was discussed on the instant messaging system, employees were required to preserve the conversation.
Google, however, left it to the employees’ discretion to determine whether relevant information should be saved. Google never turned off the 24-hour auto delete function.
The court ultimately found, among other things, that Google failed to live up to its duty to preserve evidence because chats containing relevant information were deleted. In order to reduce the chance of sanctions in litigation, companies should review their policy regarding the use of internal messaging or chat services, enforce the policy, and check for compliance.
Reviewing and updating your document retention policy is critical to alleviating risk, protecting the privacy of your stakeholders, staying compliant with the current legal landscape, and reducing costs for your company.
Updating your data retention policy also gives you a chance to determine or confirm the types of data you hold, who owns the data within the organization, and where the data is stored.
Knowing this will put your organization in a better position during discovery in litigation, as well as giving you the information you need to help revise and improve policies.
Author: Elaine F. Harwell, Partner at Procopio (Meritas Member Firm)