Association Law & Policy
Designing a Compliant Electronic Record-Retention Policy for Your Association
By: Jenna F. Leavitt, Esq.
Summary: The retention and destruction of an organization's electronic records is more than just waiting a few years and then pressing the delete button. Rules and regulations can vary by department and media type, and the true destruction of electronic data is much more complicated than you might guess.
With the increased reliance on computers, electronic information has become extremely important in litigation. This article deals solely with the policies implemented prior to litigation, not after, such as litigation holds or issues regarding electronic discovery ("e-Discovery"). Electronic mail (email) messages, instant messaging, blogs, chat room transcripts, databases, word processing documents, spreadsheets, deleted documents, web browser favorites, and cache are just some of the electronic information that can be maintained by an association. In fact, recent surveys show that more than 90 percent of all documents produced since 1999 are in electronic format.
Electronic documents are easier and cheaper to copy, distribute, and store than paper documents. For example, exact duplicates of electronic documents can be created at the touch of a button, without regard to the length of the document or the cost of creating the printed copy. In fact, there is general agreement today that the volume of electronic information greatly exceeds the volume of information kept in paper format.
So, how do you maintain this information, especially if you will need to produce it in response to an audit or litigation in the future, or if you simply need it later to help defend prior decisions or actions of your association?
"Records management, or RM, is the practice of identifying, classifying, archiving, preserving, and destroying records." With the passage of document tampering and destruction provisions of the federal Sarbanes-Oxley Act (including criminal penalties) in the summer of 2002 and the amendment of the Federal Rules of Civil Procedure in December 2006, associations have been paying increased attention to the storage and retrieval of electronic information. Records retention policies have become a hot topic. Not only do Sarbanes-Oxley and the Federal Rules require knowledge of the storage and retrievability of electronic records, many other Federal and local statutes do as well. Thus, not having a retention policy could lead to disastrous results. Moreover, having a retention policy allows for the freeing up of valuable storage space, as records are routinely deleted pursuant to the policy (and applicable law).
Retention policies are especially important for associations due to their unique, central role in so many industries and professions. Associations are often the target of document subpoenas in litigation and investigations, even when the association is not a party. Thus, it is important for an association to maintain and enforce its retention policy, so that it can effectively, efficiently, and lawfully respond to a subpoena without causing unintended harm to industry members.
So, how does your association go about creating a retention policy?
Often, the first step is to meet with the information technology department to learn where and how electronic information is created, stored, archived, and destroyed. In addition, the association's organizational structure should be taken into account when reviewing the information, as different departments may be subject to regulations. Once the information and types are located, a policy can be drafted that will directly address the information that is being created. Next, review with your legal department or outside counsel as to what information should be maintained and for how long, and what information can be destroyed.
Just because there are new rules regarding electronic information does not mean that you have to save it all. The rules don't actually prohibit the implementation of a record-retention policy which includes destruction of information after a set period of time. However, be careful, as the new rules do require that such a policy be suspended once there has been a notification of litigation or when litigation is reasonably anticipated.
A retention policy usually contains certain provisions, such as
- A statement as to the purpose of the policy;
- Whether the policy will be for the entire organization or a certain department;
- An exclusion from the policy for litigation or audit purposes;
- The name of the employee(s) or department(s) responsible for overseeing the policy;
- The name of the employee(s) or department(s) responsible for destruction pursuant to the policy;
- A description of the types of records along with the retention schedule.
Additional considerations can include specific instructions for how the records will be maintained (e.g., boxes labeled for offsite storage to be picked up every Friday, backup tapes to be stored in fire-proof box and locked in fire-proof safe nightly) and how they will be destroyed (e.g., hard drives sent for shredding after written approval received from legal, paper documents approved for shredding and disposed of by a third-party shredding company).
What documents need to be maintained and for how long?
As associations are generally subject to many regulations, it is important to review which ones affect your organization. Never use a generic retention policy, as it may not meet your needs. For example, most generic retention policies call for the destruction of emails after 90 days. However, certain regulations require you to maintain emails for periods of several years. In addition, since the statute of limitations on certain actions can exceed five years, documents which might be relevant to a particular action (such as records concerning terminated employees) should be kept for a minimum of five years, regardless of a shorter legally mandated retention period. Thus, you should develop a retention policy that not only addresses the applicable legal rules and regulations but also meets your specific organizational and industry needs.
To be effective at retention, you must know where your records are stored. Not knowing can prove to be especially dangerous, as most large dollar sanctions have involved the sudden appearance of documents not known to exist earlier in the litigation. This is especially important for associations, who not only have internal employee records (such as email) but also have records created by their volunteer leadership and members, often outside of the association's primary systems. These records between the association and its leadership and/or membership generally are discoverable and would likely be covered by any document subpoena. By creating the "map" of information, you can effectively delineate retention management to the correct people. Then, if a document request is served, you know which people have what information without having to search the entire association for it. For example, IT personnel can handle email retention, while HR would maintain employment records.
Another hot area for litigation is compliance with your record-retention policy. Just having a policy is not good enough. You must actively audit to ensure that the policy is being followed. For example, employees may delete their emails once a week even if association policy states that emails should remain on the inbox on the network server for a period of 90 days. By not enforcing the association's policy, you have now let potentially relevant emails be destroyed and could be sanctioned by a court for such noncompliance, even though a litigation hold had not yet occurred.
Record retention policies are not just about retention. An effective retention policy allows for the routine destruction of certain records after a set period.
So, how do you "destroy" your records once your policy's retention time period has expired?
Most associations will simply delete the information from the hard drive and consider it "destroyed." However, for the most part a deleted file is not, in fact, "destroyed." As most computer-savvy people know, it is virtually impossible to completely destroy an electronic document. The most common reason for this is the method in which computer operating systems delete files. Generally, an operating system renames the file and removes it from the computer's "directory." Then, it designates the physical space on the hard drive to be overwritten by new information. The problem is that most of the time, the physical space is not actually overwritten, thus the deleted file can be recovered. If it appears that electronic information may have been deleted, and it may be responsive to a document request or relevant in litigation, it is important to quickly bring in a qualified computer forensic specialist to retrieve the information and prevent any further destruction by overwriting with new information.
A recent study of used hard drives being sold on the internet found that 80 percent of the drives still had recoverable information. So, if you are going to dispose of a hard drive, you need to make sure that it's done correctly. Taking a hammer to the drive, or drilling a hole (or multiple holes) in it, is not likely enough to make the data unrecoverable. While it may make the hard drive inoperable, it rarely makes the data stored on the drive unrecoverable. Companies are now offering hard-drive shredding, which completely destroys the data on a hard drive; the end process involves completely melting all the particles within the drive. While inexpensive, the shredding is only an option if you can afford to constantly purchase new hard drives. Otherwise, you must find a way to delete the data, but allow for reuse of the drive.
Another option for destruction of media such as hard drives or backup tapes is "degaussing." Degaussing equipment is often used by the government to destroy its records. Data is stored in magnetic media, such as hard drives, tapes and diskettes (floppy disks), by making very small areas change their magnetic alignment to go in a certain direction. Degaussing equipment applies a strong magnetic field to the media, effectively destroying it because it removes the magnetic alignment. Again, this process is only useful if you can afford to continually purchase new storage media. Further, there is no way to be sure that the degaussing was successful. There is no log file created, so you cannot use this process if you must be compliant with certain federal regulations, such as the Health Insurance Portability and Accountability Act ("HIPAA") (related to personal medical information) or the Gramm-Leach-Bliley Act (relating to personal financial information), which specify how data destruction must occur and be tracked.
There are several commercial products for sale that will delete information stored on a hard drive so that it is not likely to be recoverable. These programs, often called "scrubbers," work by using a technique which deletes the data and then overwrites it with random data several times. The Defense Department recommends that the data be overwritten at least seven times before a drive is discarded. However, the use of scrubbing software can be detected, so be sure there is no litigation hold in place and your retention policy allows for the destruction before commencing.
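The overwrite-then-delete technique described above, combined with the litigation-hold check and the destruction log the article calls for, can be sketched as follows. This is an added example, not code from the article or from any commercial scrubber; `scrub_file`, `hold_dirs` and the log format are hypothetical names, and the sample files are constructed.

```python
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone


def _log(log_path, record):
    # Append-only log, one JSON object per line, so each destruction
    # (or refusal) can be shown to an auditor later.
    record["time_utc"] = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def scrub_file(path, hold_dirs, log_path, passes=7, chunk=65536):
    """Overwrite a file with random bytes `passes` times, delete it, log it.

    passes=7 follows the figure quoted in the article. hold_dirs is a
    hypothetical list of directories under litigation hold; any file
    inside one of them is refused and the refusal is logged.
    """
    real = os.path.realpath(path)
    for hold in hold_dirs:
        hold_real = os.path.realpath(hold)
        if os.path.commonpath([real, hold_real]) == hold_real:
            return _log(log_path, {"file": real, "action": "refused",
                                   "reason": "litigation hold"})
    size = os.path.getsize(real)
    with open(real, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            left = size
            while left > 0:
                n = min(chunk, left)
                fh.write(secrets.token_bytes(n))
                left -= n
            fh.flush()
            os.fsync(fh.fileno())  # force this pass to the device
    os.remove(real)
    # Limits: this reaches only this one copy. Backups, snapshots,
    # copy-on-write filesystems and SSD wear-levelled blocks may still
    # hold the old content and need media-level erasure or destruction.
    return _log(log_path, {"file": real, "action": "scrubbed",
                           "bytes": size, "passes": passes})


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample data
        hold = os.path.join(d, "hold")
        os.mkdir(hold)
        for name in ("expired.eml", os.path.join("hold", "held.eml")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed sample record\n" * 100)
        log = os.path.join(d, "destruction.log")
        print(scrub_file(os.path.join(d, "expired.eml"), [hold], log))
        print(scrub_file(os.path.join(hold, "held.eml"), [hold], log))
```
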
Destruction may also be a problem when it involves corrupted media. For example, corrupt hard drives and backup tapes cannot be erased. Thus, shredding or degaussing are the only options for completely removing the information. When moving forward with information or media destruction, be sure to check as to whether the media can be truly erased, or whether it needs to be destroyed.
Once you have a policy in place that allows for the destruction of information, you need to be careful as to who does the actual destruction. Delegating the destruction of records may be a trap for the unwary, as it can appear to be a menial task that management may feel overqualified to perform (e.g., the shredding of documents). However, because most of the records contain sensitive information, or information that would be of value to competitors, having upper management or a specialized outside company perform the destruction generally is recommended. Nonmanagement employees often have an economic incentive to maintain the information, rather than destroy it, as is evident by the numerous lawsuits involving theft of trade secrets by companies against former employees.
Once you have a record-retention policy in place, the next step is to make sure that it is properly implemented. There are now several commercial systems that can help you do so. These systems not only assist in the maintenance, storage, and destruction of paper records, but also use technology to capture, store, archive, and sometimes destroy your electronic information. A simple Google search for "record retention systems" or "document retention systems" will yield numerous vendors. Further, many of your current backup systems already contain programs that allow for the retention of electronic information (in addition to the programs to implement tape backups).
Data Structures and Organizations
The portability of digital documents has dramatically increased the number of locations where electronic information may be found. Typically, information is stored in places such as desktop computers, laptops, network servers, personal digital assistants ("PDA"), and, possibly, home computers. A computer may have several versions or copies of the same document on its hard drive, while other versions or copies may be located on a network server. Still other versions or copies may be downloaded onto desktop hard drives other than that of the file creator. The document also may have been copied onto diskettes, CD-ROMs, USB flash drives, or other digital media, and there may be copies on a laptop or PDA. In addition, there may be copies or versions on an employee's home computer(s), either transferred via the internet or by traditional portable media.
Further, most associations protect their electronic information by duplicating it onto digital storage media (backup media) on a regular schedule for disaster recovery purposes. This creates yet another set of copies of the document. By association policy, the backup media generally should be retained for only a few days or months, and then it should be destroyed or recycled and reused in the course of subsequent backups. However, in practice, even if there is a destruction or reuse policy, the electronic information often remains on the backup media for much longer than the prescribed policy period, so audits must be done to ensure compliance.
As stated above, understanding the basic flow of information throughout your systems allows for more accurate retention and destruction of information. There are numerous sources which can contain electronic information. For example:
- Internet browser information (cached files, cookies, download records);
- Word processing documents, spreadsheets, presentations;
- Instant messaging/chat records;
- Electronic calendars;
- Text messages;
- Chat room/bulletin board postings.
Emails. For example, many associations rely on email as their primary form of communication. The current volume of email communications is astonishing. For example, an association of ten employees who receive 10 to 15 emails per day would generate approximately 36,000 to 54,000 email messages in a year. And, unlike telephone conferences and face-to-face meetings, the entire nature of the email communication is preserved in a written record that can be retained. Associations also should be cognizant of emails to and from their members and volunteer leadership, which adds an additional layer to the record retention principles. Generally, email is considered the most damaging of the electronic documents, as it tends to encompass more "smoking gun" information and communications. This is partially because employees don't seem to understand that association email is not necessarily as private as they think, but rather it is a permanent and discoverable association record.
Internet browser information. Another often forgotten area of electronic information is internet data. For example, internet bookmarks or favorites files provide a listing of the users' favorite websites, cached files record the internet address of web pages visited, cookies contain information about the user to a particular website that are used for quick recall when the user revisits the web page (including web beacons or web bugs which are usually transparent images that monitor the behavior of the website user), and information regarding files downloaded. Such files can serve as substantive evidence of wrongdoing (such as copyright infringement) and present circumstantial evidence of wrongdoing (such as improper viewing of pornography by employees).
Chat rooms. Chat rooms and bulletin boards are places where users can go to communicate with each other. Associations can host such chat rooms internally, for employee use, or externally, for membership and/or public use. They usually contain central areas for each topic of discussion and organize posts (messages sent to the room) in a threaded manner, usually by date, subject matter, or author. Although chat rooms and bulletin boards can hold information that is crucial to a case, such as defamatory postings, they present logistical problems for retention. Complete transcripts of conversations or postings are seldom kept for more than a few days, so as to clear the disk space for new conversations or postings, as most website space is limited (much more so than internal association storage). Be sure to include such information in your record-retention policy so that there are no misconceptions as to how long the information will be maintained. After deletion, records may be limited to a user's participation in a conversation or posting, based on the user's log-in records, which are usually stored longer than the actual text of the conversation.
Blogs. One of the newest forms of electronic communication is what is commonly known as a blog—which is short for the term "web log." A blog typically serves as a publicly-accessible personal journal for an individual or company. Blogs are generally updated daily, as the success of a blog is largely determined by the availability of up-to-date, current information. Blogs are usually like chat rooms or bulletin boards in that they maintain information for short periods of time to free up space for new information. Again, be sure to include a blog in your record-retention policy, as blogs have become a hot topic in the litigation arena.
Other communications. Other forms of electronic communication include instant messaging, text messaging, voicemail, and electronic collaboration. Instant messaging is a type of communication that creates a virtual private chat room that allows two or more people to communicate with each other in real time over the internet. It is largely a text-based communication that creates a written record. Text messaging typically uses cellular telephones or PDAs to send text-based messages from one party to another. Text messaging communications are generally limited to a few hundred words due to the memory and size limitations of the receiving devices. Text messages can often be sent from websites, leaving a trail of information. Voicemail is an often overlooked electronic communication. Voicemail systems are now generally computer-based systems which maintain electronic information regarding voicemail messages in computer files. Thus, voicemails should be stored in a manner similar to emails. Electronic collaboration includes such things as virtual post-it notes, virtual white boards, and web casts, which all create some sort of discoverable written record and thus should be covered in a retention policy.
The creation and implementation of a policy to retain records, including electronic information, can be daunting, but it is an extremely useful tool in managing your association's information. By understanding how and where information is stored, you can easily obtain relevant information, should the need ever arise. At the same time, an appropriately conceived and managed retention policy permits your association to conserve resources by freeing up valuable storage space and avoid preserving an endlessly large pool of "discoverable" information, while still fulfilling its legal obligations.
Jenna F. Leavitt is an attorney in the Los Angeles office of Venable LLP, and works regularly with the firm's association and nonprofit clients. For more information, call 310-229-9900 or email firstname.lastname@example.org
Wikipedia, http://en.wikipedia.org/wiki/Records_Management.
THE INFORMATION CONTAINED IN THESE MATERIALS IS IN SUMMARY FORM AND SUBJECT TO CHANGE WITHOUT NOTICE. THE INFORMATION IS NOT INTENDED TO BE A PRIMARY RESOURCE AND NO REPRESENTATIONS ARE MADE AS TO ITS COMPLETENESS OR ACCURACY. PLEASE CONSULT STATE AND FEDERAL LAWS, AS WELL AS LEGAL COUNSEL, IF YOU HAVE QUESTIONS ABOUT THE TOPICS CONTAINED IN THESE MATERIALS.
© 2007 Jenna F. Leavitt