Print This Article

If you are not subject to such precise laws and regulations, count yourself lucky that you can deal with the more generic problems of document retention policies. There are still OSHA requirements and tax records requirements that apply to nearly everyone, and statutes of limitations to worry about, but otherwise electronic documents are yours to keep or discard, as you may deem best. There are lawyers who have become used, in the paper world, to simply keeping everything forever. Old paperwork is simply warehoused on or off-site and accessed as needed. Some lawyers routinely establish a five or ten year timeline, after which they go through files, discarding all but such critical documents as wills, deeds, intellectual property documents, corporate documents for active corporations, the law firm’s own financial and tax documents, etc.

Lawyers and their clients tend to forget that saving unnecessary documents, paper or electronic, can constitute a significant danger. Consider the disaster that befell The Boeing Co. In 1997, the world’s largest aircraft manufacturer found itself confronted with a class action suit alleging securities fraud. In a deposition, the plaintiffs’ attorney learned that Boeing had some 14,000 e-mail backup tapes stored in a Washington, D.C. warehouse. Naturally, he demanded the tapes. The company tried to narrow the scope of discovery but became enmeshed in a snafu of its own devise. Boeing was unable to tell whose e-mails were on which tapes without restoring the tapes first. The situation was complicated by the fact that Boeing used several e-mail systems and its IT department was scattered throughout the world. Not only did Boeing retain far more data than needed, but its retention was woefully disorganized. In the end, Boeing incurred a fortune to restore all the tapes. The unhappy result was that the content of the tapes was sufficiently damning that Boeing concluded the lawsuit by settling for $92.5 million. The entire misadventure should serve as a warning that electronic document retention policies and the organization of retained documents should be a significant factor in corporate and law firm planning.

Amazingly enough, in 2000, 83% of American Bar Association attorneys responding to a survey said that their corporate clients had no established procedures to deal with electronic discovery. While the percentage has shifted significantly, it remains true that many companies have no policy and many more have what might charitably be called “muddled” policies. In most instances, only the largest law firms have any sort of policy at all.

The ones and zeros of the electronic world have complicated a process that was plenty difficult before technology added layers of complexity. It is a particular bane that backup media often becomes obsolete and its restoration can be a major task as technologists must recreate an antiquated environment. Nor does it help that larger law firms and companies tend to have a mish-mash of technology platforms, with a patchwork of incompatible, obsolete and unlinked systems, applications, and servers. Additionally, the data in legacy applications, such as old accounting and e-mail programs, may be hard to restore and search. If you are already reaching for aspirin thinking of your firm’s or client’s data becoming the subject of litigation, just wait until the flag comes down and your opponent is off and running. It has become standard for depositions to commence with an excruciatingly specific examination of a litigant’s IT structure, right down to home usage, and all computing peripherals, to say nothing of backup procedures and document retention policies.

If you, or your client, do not have a document retention policy, shame, shame, shame. Now is the time to begin crafting one. One exception to this: If your firm or your firm’s client is currently in the limelight for some alleged misdeed, this is the worst of all possible times to suddenly devise a policy. Inevitably, the policy will be self-serving and give you or your client a very public black eye. Work on the policy in tranquil times, when no litigation appears to be on the horizon – though for some clients, there may not be such a time! Microsoft comes immediately to mind as a company never lacking lawsuits against it.

Be forewarned that there is no one-size-fits-all document retention policy. As you begin to formulate a policy, consider who needs to be involved in the drafting – from the financial, legal, technical, and other departments. A number of people will have a role to play in drafting a practical policy. If you have outside counsel or an outside CPA, these individuals will probably also need to be involved. Frequently, an independent electronic discovery consultant is engaged as well. To give you general guidance, a sample Document Retention Policy is included at the end of this article. Regard it only as a jumping off point, for every entity’s needs are different.

The first rule of creating a document retention policy (DRP) is simple: 1) If you are governed by federal/state law or regulations, follow them! If federal and state requirements conflict, obviously follow the more stringent requirements. The second rule is equally simple: 2) If you are governed by internal by-laws, other mandatory procedures, or industry standards, abide by them. Now comes the dicey part. Rule #3: If you are on your own after following rules 1 and 2, assume all the documents in your possession, paper and electronic, will be the subject of a lawsuit somewhere down the line. Drafting these policies is no walk in the park. It requires more intensive thought than might appear at first blush. Will it help or hurt you to keep successive drafts of documents? The deeper you delve into policy formation, the more niggling issues will tend to pop up. Don’t expect to formulate a sound DRP overnight.

Nonetheless, DRPs don’t have to be epic novels. They can be just a few paragraphs, though most go on for several pages, the longer DRPs being more appropriate for larger firms or companies. The fundamentals of a document retention policy are these:

1. Define how long, how and where to store both paper and electronic records, making sure you specify specific retention periods for specific categories of records;
2. Make sure you have considered all forms of electronic data in all devices and media (don’t forget digital printers/copiers and voicemail!);
3. Specify how records are to be destroyed when their retention period has expired (is it automated or are users responsible?);
4. Detail the circumstances under which the policy should be suspended, such as when a lawsuit is anticipated or in progress, a subpoena has been served, or an investigation is known to be underway;
5. Specify the individuals responsible for enforcing, monitoring and updating the policy;
6. Define penalties for non-compliance and impose them!
7. Describe the manner in which to organize and catalog stored records so that they can be recovered with relative ease;
8. Make the document retention policy part of the employee handbook, that employees sign the policy, and that the handbook is updated when the policy is updated;
9. Review the policy on a regular basis, making the review deadlines a part of the DRP itself;
10. If the documents are electronic and encrypted, log the pass phrases and product version used at the time of encryption;

OK, so now you have a policy. Home free, right?

Maybe not. Talk to the folks at Arthur Andersen. They had a DRP in place when catastrophe struck in the form of the Enron investigation. On October 12, 2001, Andersen sent out a memo telling staffers to comply with the DRP, which specified how long employees should keep written and electronic records before destroying them. So how did they get in trouble?

1. Andersen neglected to tell staffers to retain all documents related to the SEC’s investigation of Enron, an Andersen client. Needless to say, Andersen was well aware of the investigation. As Homer would say, “Doh.”
2. It seemed just a tad suspect that Andersen, which had rarely invoked its DRP, suddenly decided to mandate compliance in the midst of the Enron debacle.
3. It didn’t help Andersen a whit that at least one document in question was in fact altered by an Andersen employee.

At the end of the sordid tale, a jury convicted Andersen in June 2002 of obstruction of justice. The moral here is straightforward. If you are going to have a DRP, enforce it, enforce it, enforce it! And for the love of Mike, enforce it in a consistent fashion! Selective enforcement is a sure ticket to a spoliation of evidence or obstruction of justice charge. Be aware that enforcement can be a ticklish business. Studies have shown that 10% of employees given an order to destroy documents in accordance with a DRP simply will not do so. Sometimes, they believe they will some day “need” the document for some reason or another. Some are just lazy. Others are naturally disinclined to obey orders. Whatever the reason, it will create headaches, so anticipate the problem as best you can. Periodically, you may wish to conduct audits to make sure the company’s deletion edicts have been obeyed.

Be aware that you are never really “out of the woods.” Delete all you like, empty recycle bins, format the hard drives, etc. and forensic technologists may still able to recover deleted data. It is therefore essential to convey to your employees that not everything should be written or converted to electronic form and that which is written should not be dashed off carelessly, or in a fit of pique. Our entire society has developed the habit of using e-mail as casual, informal correspondence without any regard for the fact that it may live on in perpetuity. Likewise, many people attend meetings with their laptops, keeping copious, and often inaccurate notes which may not be in context, may misquote what was said, etc. These transcriptions may later be construed as an accurate description of what happened, no matter how far off the mark they may be in actuality.

Remember too that document retention policies have real benefits. They preserve the storage space on the network and on user’s desktops. They optimize network performance. They lessen the chance of having documents used against the company in lawsuits. They force an imposed order and clean up which can be useful to productivity and to simply finding needles in a haystack whose size is at least controlled. All this organization will result in limiting the scope of discovery and easing its production, limiting time, and costs.

When DuPont went through an enterprise-wide reorganization of its corporate records, the company discovered, to its great chagrin, that more than 50 percent of the documents the company gathered for discovery between 1992 and 1994 should not have been retained. It estimated that it had spent an unnecessary $10-12 million in retention and production costs. Ouch. Its revamped DRP calls for a 60-day life for e-mail and a 14-day life for e-mail backup tapes. Every employee is considered a “record custodian” and must sign off on the policy. A four-person Corporate Records Information Management team is responsible for providing guidance and ensuring policy compliance. In 2001, it adopted a system that prompts employees to delete e-mails that are overdue for deletion. The employees are given the option to retain records by entering a retention code; otherwise the e-mails are automatically deleted. The result? The company has noted a marked diminution in the amount of data it must sift through to comply with discovery requests.

One thing the courts have definitely learned is that the sheer volume of a company’s data can be overwhelming. They have absolutely accepted the need for data management and recognized that it is unthinkable to have data stored and accessible indefinitely. The cost of restoring vast amounts of data from back-up media is staggering, and courts are sympathetic to the need for some sort of practical restraint on this process. In particular, the Zubulake v. USS Warburg opinions have been very helpful in sorting out the confusion. Courts have no quarrel with corporations that destroy data in the regular course of business, when there is no anticipation of litigation. On the other hand, the mere scent of spoliation will generally stiffen a judge’s resolve to determine whether a company has deliberately destroyed documents. In the main, penalties for spoliation have been severe, including stiff fines, prohibiting the testimony of the person responsible for the spoliation, altering legal presumptions to favor the other side and, in extreme cases, dismissal of claims. If the spoliation of evidence rises to the level of obstruction of justice, heaven help you because you are unlikely to find mercy in the courtroom.

Once you know there is a potential for litigation or a lawsuit has been filed, make sure the document retention policy is suspended insofar as the subject matter of the litigation or investigation is concerned. Always err on the side of caution. Make sure all involved parties know what documents, back-up tapes, etc. must now be preserved until the litigation or threat of litigation is resolved. Protect yourself by clearly putting such information in dated writings, whether paper or electronic.

A decade ago, almost no one thought in terms of document retention policies where electronic data was concerned. Even today, the vast majority of companies and law firms have no policy in place. A decade hence, and perhaps much sooner, it is probable that virtually 100% of all business entities will have a document retention policy. As Yogi Berra was fond of noting, “the future ain’t what it used to be.” Where technology is concerned, those are words to live by.

Sample Document Retention Policy

Ms. Nelson and Mr. Simek are frequent authors on legal IT subjects and have been published in Law Office Computing, The Internet Lawyer, Virginia Lawyers Weekly, The Virginia Lawyer, Glasser's Electronic Filing Newsletter, Michigan Lawyers Weekly, Ohio Lawyers Weekly, The Ohio Lawyer, The Vermont Bar Journal, The Ohio Association of Civil Trial Attorneys Newsletter, The Wisconsin Lawyer, The Nevada Lawyer, The Nebraska Lawyer, The Tennessee Bar Journal and The Fairfax Bar Journal. Ms. Nelson and Mr. Simek are also the co-editors of the Internet newsletter "Bytes in Brief."®