Data Retention Obligations – “Do They Apply To Me?”
January 20, 2016 by Brown Fox
With the recent attention given to the former Secretary of State’s e-mails and their retention, even harkening back to the Nixon-era “missing tapes”, the issue of retaining electronic data has come to the forefront of public opinion and the legal system. What do you keep? How long do you keep it? These questions, and others, trouble business leaders and individuals daily.
The first step in answering these important questions is to evaluate your current situation and determine which requirements apply to you or your company. You should consider the following four areas to determine what your data retention requirements are:
If your industry is regulated (e.g., health care and life science) or you are a publicly traded company, your retention responsibilities are likely mandated by statute or rule. It is important that you know the environment in which you conduct business and ensure that your systems and policies comply with those obligations under the prevailing statutes.
Are you currently under a corporate policy for retention? One of the worst scenarios for any business is to implement a retention policy and fail to follow it. Thus, if there is an organizational policy in place, take the necessary steps to ensure you, your business, and your employees are consistently meeting your own guidelines.
Most business people have concluded that it is simply a good idea to save electronic data. While it’s not a bad idea to save electronic data, the knee-jerk reaction to “save everything” is not a good practice. Pursuing the “save everything” approach is not practical and can create a situation wherein useful and relevant information becomes lost or difficult to find, buried in the morass of useless data. And it will cause your IT department to go berserk! Retention must be rational, useful, and consistent, but nevertheless comprehensive enough to be a supportable practice if challenged.
Unfortunately, at some point in time most businesses will become involved in a lawsuit or investigation. That creates a situational retention requirement and, unless a policy already exists, the person or business is now under a retention responsibility by virtue of the litigation rules of procedure that lawyers and clients must follow. Thus, in any situation involving an investigation, litigation, or the reasonable anticipation of litigation, each person or entity involved must enact a retention practice. This retention practice should be strictly followed, verifiable, and in writing.
Any retention practice or policy should be developed based on your business needs and in practical recognition of your business capabilities. Any retention decision must include voices from business, legal, and IT so that all aspects of the business are represented and any policy or practice created is one that is workable, both operationally and technically. Another important aspect of any retention decision is whether to make the retention policy implementation automatic or manual. Each approach has its own benefits. An automated policy is easier to operate; a manual policy is more discrete. Automation cannot discern between important and unimportant; manual is subjective and subject to bias. So, any company must evaluate the ultimate goals and determine which method is best. Likely, a combination of the two is the answer.
Each policy must also contain a training component, an annual review component, and an audit component. Again, the worst situation is having a policy that is not followed. Train your employees how to interpret the policy and how to follow it. Review the policy periodically with decision-makers and key employees. It is highly unlikely that the typical retention policy would have the word “Twitter” in it, but that communication method is becoming mainstream. Another factor to keep in mind is whether employees are purging business communications at the end of the retention period. For example, a general rule for common business communications is 3 – 5 years. It likely makes sense to periodically audit e-mail accounts to determine compliance. Some employees are pack-rats, and if the policy is not being followed, it can be detrimental in the future.
Lastly, vest ownership of the policy in someone specific. The person in charge of implementing the above tasks, conducting the compliance audits or responding to litigation should be an identifiable person or position. That person or position should have the authority to manage this responsibility since they will ultimately be accountable for its execution.
Larry Henke is a Partner at Brown Fox and heads the firm’s Litigation & Trial Practice Group. If you would like to discuss this article or your specific data retention obligations, Larry Henke can be reached at firstname.lastname@example.org or 214.327.5000.
By Larry Henke