At the heart of the record retention challenge is the difficult question as to what types of documents to maintain for compliance purposes and how long to maintain them. In certain cases, applicable laws and regulations specify the types of documents to retain and the length of time to retain them. For example, for purposes of electronic records maintained in a company’s role as a taxpayer, IRS Revenue Procedure 98-25 serves as a useful guide to the IRS’s document retention expectations. In addition, IRS Revenue Procedure 97-22 provides guidance for taxpayers who maintain books and records in the form of electronic storage.
The significant cost of maintaining records has motivated many companies to aggressively discard documents that are not expressly required to be maintained under applicable laws or required to be held for production in pending litigation. Indeed, if a company were to retain all of its documents, the cost of searching, identifying and producing documents in a particular lawsuit might become so expensive that the company would be forced to settle the case rather than incur the expense of discovery. Certainly there is support for this position. Guideline Three of the Sedona Principles states that an organization need not retain all electronic information ever generated or received. Also, Rule 37(e) of the U.S. Federal Rules of Civil Procedure creates a safe harbor providing that sanctions will not be imposed on a producing party for “failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system”.
On the other hand, if a company adopts a “just barely compliant” approach to record retention, it runs the risk of being accused of spoliation or deliberately destroying documents in an effort to impede regulatory investigations or discovery in a lawsuit. While current case law is trending against requiring companies to maintain records merely on the speculation that they might be relevant for some unknown future litigation, companies still are required to maintain documents that are the subject of investigations that are pending or that the company knew or should have known were imminent.
A catch-22 therefore faces many companies: if they retain too few documents, they may end up failing to retain key documents needed for regulatory audits or for production in litigation. This could result in the company being sanctioned by the regulator or by the courts. On the other hand, if the company retains all of its documents, the cost of retention may become exorbitant and the company may end up retaining documents that could hurt it in the course of a regulatory audit or in litigation. Clearly, a balance needs to be struck between keeping either too few or too many documents.
Further, the retention and archival of documents should be done in such a way that the company avoids the use of multiple repositories and data formats, to the extent possible, in order to simplify and speed up the identification and retrieval of documents for audit and litigation purposes. A current trend in regulatory compliance is the imposition of increasingly shortened reporting deadlines. For example, Section 409 of the Sarbanes-Oxley Act requires public companies to disclose information on material changes in the financial condition or operations of the companies on a rapid and current basis. The SEC has implemented this Sarbanes-Oxley Act requirement by, among other things, requiring that current reports on Form 8-K must be filed within four business days. Segregating current, live data from older, stale information to reduce the size of data repositories that must be searched for purposes of reporting and become subject to automatic production requirements in litigation can help to reduce the burden on companies.
In addition, in the process of crafting a new records retention approach or re-examining an existing records retention policy, companies should keep in mind recent trends in compliance. One key trend is that regulators tend to set standards of compliance, but are reluctant to specify what technologies and methodologies would be acceptable to achieve the mandated standards. For example, when states began enacting electronic signatures and records laws, a number of them also described digital signature technologies that would produce electronic signatures conforming to the state law’s requirements. When the federal government enacted the ESign law, it prohibited states from specifying conforming technologies. On the one hand, this regulatory approach gives companies a great deal of discretion in deciding how best to meet regulatory compliance challenges. On the other hand, this approach can give a company just enough rope to hang itself if it makes poor technology choices.
In conclusion, companies today face a risk in connection with their records management approach of either keeping too many documents and potentially handing an investigator or plaintiff a “smoking gun”, or keeping too few documents and having a court impose sanctions on the company for alleged spoliation of evidence. There is no “one size fits all” solution to this catch-22 dilemma. Companies need to map applicable laws, standards and best practices against their business operations and implement a records retention policy that can be defended in the event of an investigation or litigation. In addition, the company’s approach needs to take into account the capabilities of the company’s employees and the IT infrastructure in place. Ultimately, this process will only be successful if it results from a combination of the right personnel, an accurate mapping against the processes of the company and effective and scalable technology that is suited to the company’s operational environment.
See, e.g., http://www.uiowa.edu/~fusrmp/irsprocedures.html.
See, e.g., http://www.du.edu/legalinstitute/news/Focus_Reprint.pdf.
See, e.g., http://www.mass.gov/obcbbo/eve.htm.
See Section 102(a)(2)(A)(ii) of the “Electronic Signatures in Global and National Commerce Act (ESign)”, located at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf.
See, e.g., http://www.thelenreid.com/index.cfm?section=articles&function=ViewArticle&articleID=1388&filter=.
Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).