This week’s tip is applicable to both individuals and businesses, and is a headache for both. Lately, it seems that everyone I talk to is lamenting about what a hassle document retention and destruction is, both personally and professionally. For good reason. Like other areas of law (such as data breach notification laws), every state has its own requirements about how long records must be retained and no two states are the same. They are hard to keep track of and many of the laws are antiquated.
In response to the disorganized legal requirements, individuals and companies tend to keep records, both paper and electronic much longer than legally required or necessary. Some have told me that they keep records “forever.”
An important part of a data privacy and security program is to destroy records in accordance with the protocols established by an up-to-date record retention policy. This policy, which should be developed with the advice of counsel, should spell out what documents can be destroyed, when that destruction can occur, and when the threat of litigation or the issuance of a litigation hold notice requires suspension of scheduled destructions. And though it seems overwhelming, there are really good reasons to focus on data retention and destruction now.
First, as a long time litigator, I have seldom seen a piece of paper come back to help a client in litigation. Folks, there is a reason there is a term known as a “smoking gun.” Absent a litigation hold requiring the preservation of documents, keeping materials longer than the time frames provided in your record retention policy more often than not will not help you in litigation.
Second, the cost associated with storing documents forever, both in paper and electronic form, is unnecessary if you implement and follow a thoughtful record retention policy, complete with defined destruction protocols, and will even help your bottom line. Of course, work with counsel to make sure your program complies with applicable laws and includes provisions for the suspension of destruction protocols upon the issuance of a litigation hold notice.
Third, many old documents or electronic data include high risk data that is no longer included on forms or other documents for best practice, including full Social Security numbers, medical insurance numbers, drivers’ license numbers and health information. Keeping old paper records or electronic data (including old back-up tapes) increases the risk of a data breach because if they are lost or stolen, notification to individuals and regulatory authorities may be required because of the type of data included. This would not happen if you properly destroy them.
Think of old documents and electronic data like any other asset that is no longer needed. When you upgrade the furniture in your home or office, you don’t send the old furniture to storage. You give it away, sell it on Craig’s List or throw it away. The same is true of old data that is no longer needed (well, don’t sell it on Craig’s List!) But you see my point–if you don’t need it, and it’s not subject to a litigation hold, follow your record retention policy’s requirements to properly dispose of that paper and electronic data so it no longer poses a risk to you.
So get that dusty record retention program out, dust it off, update it as necessary, and get that program working for you. And while you are at it, get rid of the old stuff out of your home filing cabinet too.