This week’s tip is applicable to both individuals and businesses, and is a headache for both. Lately, it seems that everyone I talk to is lamenting about what a hassle document retention and destruction is, both personally and professionally. For good reason. Like other areas of law (such as data breach notification laws), every state has its own requirements about how long records must be retained and no two states are the same. They are hard to keep track of and many of the laws are antiquated.

In response to the disorganized legal requirements, individuals and companies tend to keep records, both paper and electronic, much longer than legally required or necessary. Some have told me that they keep records “forever.”

An important part of a data privacy and security program is to destroy records in accordance with the protocols established by an up-to-date record retention policy. This policy, which should be developed with the advice of counsel, should spell out what documents can be destroyed, when that destruction can occur, and when the threat of litigation or the issuance of a litigation hold notice requires suspension of scheduled destructions. And though it seems overwhelming, there are really good reasons to focus on data retention and destruction now.

First, as a longtime litigator, I have seldom seen a piece of paper come back to help a client in litigation. Folks, there is a reason there is a term known as a “smoking gun.” Absent a litigation hold requiring the preservation of documents, keeping materials longer than the time frames provided in your record retention policy more often than not will not help you in litigation.

Second, the cost associated with storing documents forever, in both paper and electronic form, is unnecessary. Implementing and following a thoughtful record retention policy, complete with defined destruction protocols, will even help your bottom line. Of course, work with counsel to make sure your program complies with applicable laws and includes provisions for the suspension of destruction protocols upon the issuance of a litigation hold notice.

Third, many old documents and electronic data sets include high-risk data that, as a matter of best practice, is no longer included on forms or other documents, including full Social Security numbers, medical insurance numbers, driver’s license numbers and health information. Keeping old paper records or electronic data (including old back-up tapes) increases the risk of a data breach: if they are lost or stolen, notification to individuals and regulatory authorities may be required because of the type of data included. This would not happen if you had properly destroyed them.

Think of old documents and electronic data like any other asset that is no longer needed. When you upgrade the furniture in your home or office, you don’t send the old furniture to storage. You give it away, sell it on Craigslist or throw it away. The same is true of old data that is no longer needed (well, don’t sell it on Craigslist!). But you see my point–if you don’t need it, and it’s not subject to a litigation hold, follow your record retention policy’s requirements to properly dispose of that paper and electronic data so it no longer poses a risk to you.

So get that dusty record retention program out, dust it off, update it as necessary, and get that program working for you. And while you are at it, get rid of the old stuff out of your home filing cabinet too.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Andrea Donovan Napp

Andrea Donovan Napp is chair of the firm’s Electronic Discovery and Information Management Team. In addition to e-discovery, Andrea focuses her practice on complex commercial litigation, business torts, and market conduct cases, representing businesses, municipalities, and individuals in various jurisdictions. As chair of the Electronic Discovery and Information Management Team, Andrea coordinates Robinson+Cole’s use of the latest technology, such as Concordance, CaseMap, LAW, LiveNote, and various Web-based platforms, to achieve maximum efficiency and compliance for our clients. Andrea has significant experience in all aspects of e-discovery, including document retention and data management planning, development of defensible collection policies, and management of large scale reviews and production. She has managed several large, sophisticated e-discovery projects in government investigations and private litigation. Notably, she led United Technologies Corporation’s privilege review in the Department of Justice’s antitrust review of the largest-ever aerospace merger. She routinely counsels clients on the development of data retention policies, legal hold practices, and e-discovery response plans. Read her rc.com bio here.