A good document retention policy will save your business
time and money. After the Arthur Andersen meltdown, Congress and the
Securities and Exchange Commission created laws making it a crime (including
obstruction of justice) for public companies to destroy records, even
if there are no pending proceedings. Protecting your company and its
directors, officers and employees now requires that document retention
policies be formalized and complied with before litigation arises. This
is particularly important with electronic "documents."
Electronic documents range from emails to
purchase orders, draft and final contracts, and supply-chain
information. All of these could be helpful — or hurtful — in any
investigations or lawsuits. On the other hand, keeping items
unnecessarily can be overly expensive on an operational level, and more
so if a suit or investigation arises.
The laws regarding document retention are complex, and
cannot be fully covered in a short summary. What is important to know
is that the rules need to apply day to day (for simple items such as
purchase orders) and during any investigations or lawsuits.
Upon commencement of a lawsuit, the laws become more
severe, and require that you preserve all material that could be
evidence in the case. Continuing to destroy old materials "relevant" to
a case can, itself, be a basis for liability (under the spoliation of
evidence rules). Further, failure to produce evidence requested by
another party that you should have retained allows a judge to impose
broad sanctions — such as delay of trial, mistrial, an adverse inference
against you, and sanctions (particularly if you are shown negligent).
Remember that Morgan Stanley was ordered to pay $1.58 billion in a case
involving a botched deal in a jury verdict that turned on the failure to
turn over requested documents. (To add to the pain, the SEC in
February 2006 imposed a $15,000,000 fine based on a probe into Morgan's
e-document retention policies.) Even delays in responding to a request
for information can expose you to sanctions. The April 2006 issue of
CFO magazine refers to records retention issues as a "nightmare."
The more items that are retained, the bigger the cost
day to day, and when producing all copies of requested information. A
well-designed policy will allow you to operate day to day, control
costs, and, when necessary, comply with discovery duties. Perhaps most
important, a well-designed policy can allow you to quickly locate
relevant materials when needed, sometimes allowing you to manage a
situation to resolution without litigation.
Deciding What to Keep
In the past, document retention policies were generally
loose and of the nature "When in doubt, delete!" This is no longer a
wise policy in the post-Arthur Andersen world. The decision of what to
keep depends, in part, on the type and size of business.
You need to be able to decide what is "relevant." Relevance needs to
be assessed by looking backwards from the perspective of a pending
lawsuit: Your company should ask whether certain material would be
discoverable by an adverse or investigating party. Discovery rules, in
turn, allow discovery of any item reasonably calculated to lead to
admissible evidence — regardless of whether the item itself is
admissible. Hence, the duty to preserve documents (from a litigation
perspective) hinges on a legal determination of whether the item at
issue is reasonably calculated to lead to admissible evidence. This
raises two distinct issues: What evidence would be admissible pertaining
to the matter at hand? What documents would a court likely consider
reasonably calculated to lead to such evidence?
Any information that rules or regulations require to be
saved must be kept. This includes federal and state rules from
licensing authorities (among others). Confirm whether there have been
changes to the rules that require a change in your procedures.
Importantly, you should consider the rules in each geographic area
(country and state) in which the company operates.
Judges will expect you to learn from prior litigation.
This means that your experience from prior litigation can be held to put
you on notice that you had to retain certain items (such as those
relating to the particular case or area of your business). It is
important to review past investigations and litigation to see if there
are prior events that could have such an effect.
Anything "sensitive" should be saved. Important
contracts (including customer and insurance contracts) should be saved.
Documents or emails that contain references to certain phrases (such as
"warranty" or "contract") should be identified and saved. This may
include drafts of agreements to provide insight as to what issues were
raised and how they ultimately were to be resolved in the final version.
Anyone who has been through a "battle of the forms" can attest to how
important it is to be able to peel away drafts to determine which form
governs. At the same time, you may decide that you do not want to keep
drafts of certain items (for example, drafts of securities offering
materials have often been destroyed once the final document is agreed to
— to keep forensic eyes from second-guessing what disclosures were
made and why).
A filtering program for email can be programmed to save
copies of sensitive materials. A well-structured filtering program can
help tremendously in reducing the volume of what needs to be retained.
Importantly, you need to decide whether all (or some) attachments should
be saved with any original emails. On this level, you need to know
about metadata — electronic "fingerprints" that are often hidden in
documents. This goes well beyond what appears as a transmission string
in emails. Metadata is buried information that can be uncovered by
basic forensic analysis and can include who worked on a document on what
dates, what changes were made, and comments to documents. It can be a
treasure-trove of information you might prefer not to get out. You may
be unknowingly receiving this from outside parties, or you may be
including them with your outbound documents. It is vital to know how to
clean documents of metadata before they leave your computer system.
You cannot rely on the typical tools of a word processing program to
protect you — track changes in Word is one of the easiest ways to leave
clear fingerprints on your documents.
Certain types of files may be worth saving. These could
include certain modules within an accounting or reporting program. A
technology-based business or engineering/design firm may need to retain
CAD files. Any files that may contain or reflect intellectual property
of the company (such as trade secret items or customer lists) should be
saved, especially if the company has any patents that may need to be
asserted or protected.
We advise our clients to examine their computer systems
and design programs. For example, does the company have a central
network or something less centralized? A central network offers
document control options that are, frankly, easier to implement.
Extensive use of notebook computers and PDAs suggests that
synchronization software will be crucial to routinely copying matters
onto the central network for further filtering, copying and archiving.
Your work environment plays a role in determining what
type of records to retain. For example, corporate hoteling, or
telecommuting, raises specific issues. All information needs to be
accounted for. Forensic software tools can be used to identify, copy
and archive key files. Use of home computers particularly can
complicate matters if files from the central network are or can be
copied onto home PCs. Home PCs can be subject to examination unless
there is a central system for archiving from each home PC or
synchronizing information onto the central network.
There is no one-size-fits-all approach. A
well-structured approach should allow for a regular process that makes
sense for your business. The presence of a thoughtful routine itself is
a form of protection, as regular destruction of items identified for
routine destruction generally will not expose your company to a
challenge of spoliation or obstruction. Anything less than a thoughtful
program that has become routine will be examined and the opposing party
can be expected to try to use it against you.
Test Your Systems
Any system can work on paper. Your systems should be
checked under normal conditions and any shortcomings corrected (before
they cost you). The time to test your system is not when an
investigation or dispute has started.
First, identify who is in charge of the program and
confirm that she or he knows their responsibilities (such as following
the routine, or what to do if an inquiry letter is received). Involve
your responsible group in the design and administration of your program.
If practical, have a small committee that meets periodically to review
and update procedures. Create minutes of that meeting and create (and
review) log books to confirm that the routine is being followed.
Confirm who has the authority to order an end to any destruction
procedures if required to do so and what their subordinates would do if
alerted. Establish an email mailing list for rapid dissemination of
information, particularly an alert when a case arises and you should
halt your regular document destruction processes.
Second, identify all forms of media (such as written
documents, emails, photocopies, scans, telephone bills, and credit card
receipts). Inventory all media including your computers, servers,
storage devices, PDAs, and cell phones. Look at all communications
systems used — hardware and software — and list them on a central list.
Be alert to inventory or supply-chain tracking systems (including RFID
tags) that have remote components and communications links. Decide what
email attachments should be kept.
Third, periodically review and test your archiving and
destruction procedures. This means looking at your routines and confirming
they are being followed. Check the software filtering, copying, and
archiving functions. Check your backup hardware and software by
recalling some archived materials and running test searches to confirm
system compatibilities. If there has been a major hardware or software
change, make certain that prior storage media and files can still be
accessed. Verify that your physical storage system works (e.g., is fireproof
and theft-proof and there is some redundancy). Confirm the system for
rotating back-up storage media. Check your log books and inventory
physical counts. Make certain everything is getting properly accounted
for. Confirm that any hardware changes since your last inventory have
been added to the system (such as synchronization software for laptops
and PDAs). Importantly, check logs of previous destructions. Regular
enforcement of your policy is key to showing that what was destroyed is
not itself the basis for a penalty.
Fourth, consider hiring an outside consultant to
periodically review and validate your policies and procedures. These
outsiders should interview key personnel and review a sampling of data
using cutting-edge forensic tools. Push them to give you a written
report identifying areas of compliance as well as areas where there is
room for improvement. Depending on the size of your business, you may
be able to include compliance testing with the basic fees you pay for
the actual retention services.
These programs need to be created before a lawsuit is
filed. Once a lawsuit is filed, you have three major duties that apply
automatically for data that is discoverable:
- The duty of preservation.
- The duty of retention.
- The duty of production.
A well-formed policy can lessen liability in a
lawsuit. It can even avoid a suit by providing easy access to
information that could avoid the exposure or support a defense.
Tactically, quick access to such information can be very useful to show
readiness for litigation to help you settle disputes faster or on more
favorable terms. Here, your program is serving an important deterrence
function. In short, you need to be ready.