Quimbee logo
DMCA.com Protection Status
On Demand 1h 6m 11s

Legal Aspects of Record Retention Policies and the Defensible Disposition of Records

5.0 out of 5 Excellent(2 reviews)
Start your FREE 7-day trial
Access Quimbee's CLE library for free with a 7-day free trial membership.
View all credits21 approved jurisdictions
Play video

Legal Aspects of Record Retention Policies and the Defensible Disposition of Records

Record-keeping and disposition policies and decisions are more important now than ever before, given the ease with which information is created and communicated, the multitude of digital applications, and the constant advancement of technology. Information, in either physical or electronic form, is an essential piece of doing business, yet the legal risks associated with retaining or destroying information are not always appreciated. Lawyers should understand the legal aspects of record-related policies and the possible legal consequences when records that should be kept are instead destroyed so they can counsel their clients when such issues arise.

Transcript

- Thank you for joining us for this program on Legal Aspects of Record Retention Policies and the Defensible Disposition of Records. My name is Marguerite Zinz, and I am going to walk you through the first part of this program. To give you an idea of what we're gonna talk about today, first, I'm going to discuss drafting a record retention policy, including some key terms and concepts that should be included in the policy. I'm also going to talk about record retention schedules, and some other related policies that are important to record retention. Then Brandi is going to talk about developing a defensible plan for the disposition of records, including the impact of the duty to preserve in legal holds on the disposition of records. So starting with the record retention policy, it can be called a lot of different things. From document retention policy, or records and information management policy, record keeping policy, information governance policy, there's a lot of names it could go by. But whatever it's called, a record retention policy, which is how I'm going to refer to it today, provides essentially the overall plan for an entity's record and information governance program. To do that, an affective record retention policy should do a couple of things. First, it should instruct employees on how to handle information generated or used in the course of business. Ideally this direction would be in very clear, simplified terms so that there is no ambiguity in what is required of employees. This is important because you really don't want employees making subjective determinations about things, so it's important that it's a very clear policy. It also protects the entity's records and proprietary information. This is important to help the business navigate and hopefully reduce any operational and litigation risks it might face. So there are four things that a record retention policy should accomplish. First, it needs to define some key terms and we're gonna go through each of these individually. But what are records? What is disposable information? It's important that the policy includes those definitions. It also should explain some key concepts. Legal holds, for instance, should be explained in the policy. Another thing is identifying information subject to retention in the proper retention periods. So what does the entity need to retain, and for how long? That's generally achieved through a record retention schedule, which we'll also discuss in more detail in a minute. Finally, it should clarify retention roles and responsibilities of both all employees and any specific employees that are responsible for implementing and managing the record retention policy. So it's important that all employees know what they're required to do under the policy, and know who the other individuals are who have specific responsibilities related to the policy. So what is a record? Records reflect information that is created, transmitted, or received in the course of business that the entity wants or is required to retain for business or legal purposes. So what is something that an entity would want to retain for business purposes? If the information serves as the entity's memory of an action or statement, if the information has enduring business value. So some examples where information evidence is a transaction, establishes or shows the rights or obligations of the entity. So it's essentially establishing or protecting the entity's legal interest, or it ensures operational continuity. So it's something that the business really needs to keep its doors open. Examples of legal purpose, so it has to be retained due to legal or counting or other regulatory requirements. Now with records, an important thing to remember is that their media neutral. So records include information in both paper or electronic format, but it also could include physical objects if they meet the definition of a record. So it's not just paper and electronic files, in some instances it could be physical objects. Disposable information, this is a very simple definition. It's information that is not a record as defined by the record retention policy. So if you're looking at what the definition of a record is, and trying to determine if what you have is a record, and it's not, its disposable information. Generally disposable information should be discarded when it no longer serves a business purpose and there's no other retention requirement. However, an entity must retain disposable information if it is subject to a legal hold, even once it no longer serves a business purpose. So if you have information that could have been disposed of because it was disposable information, but a legal hold pops up that covers the subject matter of that information, it's now required to be held. Disposable information, like records, are also media neutral. So it could include paper, electronic information, or even potentially a physical object. So some examples of disposable information, it could include duplicates of originals, preliminary document drafts that do not represent a significant step in preparation of an official record, any kind of reference materials that are obtained from outside the organization, spam or junk mail, newspapers, magazines, anything like that could be considered disposable information. So outside of defining the key terms, the record retention policy should also address some key concepts. It should discuss and explain the importance of legal holds, including what they are, and when and how they're implemented. It should explain that business records are owned by the entity, not the individual employee. So regardless of what that employee may think, if it's a business record, it's owned by the entity. It should emphasize the significance of records management. So why it's important to both the entity and the employee, why they should comply. It should identify who's responsible for managing the records programming, including who an employee can go to with questions regarding the record retention policy. This is really important to avoid that ambiguity that I discussed previously. They need to know who to go to with questions. It should clearly state every employee's record management responsibilities, again, so employees know what they need to do. And it should provide and explain the consequences of non-compliance, potential consequences for both the entity and the employee. Again, this goes to emphasizing that significance of the records management program, why it's important that they follow it. So record retention schedules, as I mentioned briefly before, describe record categories and indicate how long records must be kept. They're generally organized in the form of charts that include the department process or function. They include record categories for all records used by the entity in the ordinary course of business. Now this is very important, the schedule should provide enough detail regarding the record categories so that employees can readily identify the proper category for a particular record. Again, this is that clearness that I was talking about before and eliminating that ambiguity, so employees don't put things in the wrong spot. The retention periods for each category are based on legal and business factors, including legal and regulatory requirements, contractual obligations, business needs, industry standards, the cost of retaining the information, litigation risk, and strategic objectives. In general, information that's retained for a business reasons. So again, that evidence is a transaction, establishes or protects legal interest, or ensures operational continuity. It should be kept for as long as the information has sufficient value to the business, and that value outweighs the cost and risk with keeping the information. In determining the length of retention, the entity really should consult a number of different stakeholders. Really any users of the information and any departments that bear the cost of retaining the information. So it's important you get feedback on really how long that information is needed by the entity. The retention periods for information that's retained for legal reasons are generally set out explicitly in a statute or regulation, or possibly a contract. Some examples under ERISA, the Employee Retirement Income Security Act, entities responsible for administrating a company sponsored employee benefit plan covered by ERISA must retain any records that must be disclosed for at least six years from the date on which they were required to be disclosed. Another example with OSHA, it requires entities with 11 or more employees to retain logs of work related injuries and illnesses for at least five years. Retention periods for information that's retained for legal reasons can also be found in things like regulatory opinion letters, position statements, and audit procedures. So record retention schedules should include both minimum and maximum time periods if they are applicable. Maximum retention periods are the longest amount of time an entity may keep the information. They're most commonly prescribed by law, but they also may be required by contract or another external source. Probably the most well known example of a maximum retention period is the GDPR, the General Data Protection Regulation in Europe. That establishes the general policy that personal data should be retained only as long as required for a legitimate purpose for which it was gathered. If there's no maximum retention period applicable to a particular record category, the records in the category should really only be retained for the minimum time period stated in the schedule and destroyed within a reasonable time after that period ends. Of course, again, assuming that there's no legal hold. If there's a legal hold, then the time period is extended. Another thing that could be included, any additional information that might be helpful in the record retention schedule. So perhaps the identities of record owners, and then if there are any kind of additional or unique requirements regarding the storage or disposal of the records. So if there's anything different about a particular record category, you might wanna include that in the record retention schedule. The record retention policy should also include the retention responsibilities of different people. For all employees, the policy should explicitly state that every employee is responsible for following the policy, the schedule, and any other records management procedures. So if there's any storage requirements or naming conventions and legal hold procedures, of course, those are all things that employees should be required to follow. And that should be explained in the policy. Then depending on how big the entity is, the structure, its needs, it could have one or more of the other roles that I have listed there on the slide. You could have record managers or coordinators. These are people who, they supervise the record retention within a particular department or region or business unit, depending, again, on how the entity is structured. And they really help the employees within their area to follow the record retention policy. You could also have a records or an information management committee. That can include a number of different employees from different areas, you could have people from compliance, legal, IT, the corporate records managers if you have those, and any other people who might make sense for the particular entity. And that committee would oversee the record retention policy by making any decisions about the record retention schedule. So adopting the schedule, revising it, updating it when needed. They also review and revise the record retention policy. And they're also the committee that can kind of respond to questions regarding the record retention or information management program more broadly. You could also have a corporate records manager. So that's really the person that's in charge of the day to day record retention activities. They can also act as kind of an intermediary with the record coordinators and managers, and the records and information management committee if you have those people at your entity. Another important person that should be laid out in the policy is whoever's responsible for making legal hold decisions. The policy needs to indicate who that is, so everyone knows. Usually this is the legal department, but if an entity does not have an in-house legal department, it could be the chief operating officer, the head of IT, or someone else who, again, makes sense for the entity. The most important thing really there is that the policy says who that person is that makes those decisions. So a few other things to think about with the record retention policy. The record retention policy, it's not a standalone thing. There can be many other policies that come into play when you're considering record retention. You could have a computer acceptable use policy, a personal bring your own device policy, social media, data privacy policies, information security, trade secret policies. So there's a number of different information management policies that could come into play when you're considering record retention. Entities should also, and this is really important, I don't think I can emphasize this enough, audit compliance with the record retention policy and schedule. So audits can become really, really important if there's ever an issue in litigation, like if there's a claim of spoliation. If you can show that you followed your policy and you were monitoring it and you were checking it to make sure people were doing it right, it really helps in that claim of spoliation. Now audits can focus more generally on employee awareness, so do they know what the policy says and what the policies are? Or on reviewing actual practices, so going in and making sure that people are doing what they're supposed to do under the policy. They really should focus though on all aspects of the policy, so not only retention, are people retaining the great things? But also disposal, are people getting rid of the records when they're supposed to? Categorization of records and also, of course, compliance with legal holds. Another important thing is that an entity should provide training. Training should be conducted both at orientation and periodically, especially when the policy schedule or any kind of procedures are updated. It's important if those updates come out and change things, that people are aware of them. Training should cover both the policy and schedule, as well as any additional record management procedures. So if there's instruction on how to use document management systems, naming conventions, procedures for sending records to storage, for storing records electronically, any kind of methods for disposing of records, how to comply with legal hold notices. Those are all things that should be the subject matter for training. The policy should also be updated regularly. So reviewed at least once a year. And if there are any changes, again, those changes need to be communicated entity wide and perhaps there should be some training held again. So those are some important things to consider with the policy as well. So a few things to think about when you're talking about retention of legal files. So how long an attorney is required to retain legal files, it can depend on a lot of different things. But generally, legal files should be retained as long as needed to represent the client competently. Ethics opinions have found that retention periods of five to 10 years after a matter concludes are reasonable. But there are certain types of matters and certain records, such as originals of deeds, wills, and trusts, that may need to be retained longer than others. In determining what to retain in a client file, the attorney should consider whether a legal hold applies. So if you have a legal hold that applies to that type of information, then yes, of course, you should retain it. But if there's no legal hold, then the attorney or firm should retain the information if it is needed to represent the client competently or protect the client's interests while the matter is open. So if that's the case, then it should be retained. Should also retain it if it would be needed to defend itself against malpractice or other claims. If there's a rule of professional conduct that requires that the information be retained, or if the attorney or firm would be required to provide the information to the client on request or at the termination of the matter. So in most states, everything in the file but the attorney's work product belongs to the client. Since much of the legal file belongs to the client, the attorney may have the duty to either return the records to the client or obtain the consent before just dispositioning the file. So whatever retention period you have on the legal file, at the end of that retention period, you can't just dispose of the file. You need to contact the client and say, give them notice, "We're gonna be disposing of this file as of X date, unless you'd like us to return it to you or do something else with it." It is really important when you're considering legal files to consult your state professional conduct rules and advisory opinions for more definitive answers specific to your state. So states can have different requirements related to the retention of legal files. There may also be some requirement laid out by your malpractice insurance carrier. So it's important to consider any such requirements and seek the carrier's guidance on record retention as well. So a few pandemic implications. With 2020, there have been a lot of changes to what many work environments and workflows look like. While some businesses have gone back or partially gone back to how they operated before, many may not, really realizing the benefits of allowing a more remote workforce. Many entities in 2020, were forced to shift from an all in-person workforce to an all remote workforce in a very short amount of time. So what does that mean for record retention? While the use of personal devices, and potentially the duplication of information, most businesses were likely not prepared to go into an all remote workforce. That resulted in employees using their own personal devices from home. This, of course, has many issues. The security of information, generally the security systems on the personal devices are probably not as stringent as on the company devices. It also can result in duplication of information. So you could have two versions in two different places, one on a personal device and one on the company system. And will those records actually make it back to the approved company system? So you could have those records in two different places. You also likely have some violations of policies regarding personal device usage and the storage of information. Do those policies need to be updated to account for the changes in circumstances. The use of new technology and fewer in person communications. So there's been a lot of different technology that's popped over the last couple years. Before the pandemic, I had very limited experience with video conferencing and other messaging platforms. I admit that, but now I would say that most of my communications are through those mediums. So it's been a big shift, I have very few in-person meetings anymore. So with video conferencing, the most popular, of course, is Zoom. And Zoom and other platforms allow recordings of meetings. So you can press a button and get recordings of those meetings. With channel based messaging platforms, so you have Microsoft Team, Slack, Google hang app, Google Hangouts, excuse me, et cetera. With these platforms, users can create different channels for projects or user groups, and those users of the channels can share files and messages. And depending on the platform and the nature of the account the entity has, you might have limited information. So some platforms and types of accounts are more limited in the data that can be readily obtained. So you might not have that information. There's ephemeral messaging, Snapchat, WhatsApp, Confide. It's another means of messaging with two distinct features. So there's the automated disposition or deletion of the message from both the sender's and the user's application. And it also has end to end encryption. Used properly, those types of messaging apps can have benefits for an organization. It could facilitate compliance with privacy laws, also automatically eliminating data with no ongoing business value. So a large portion of data growth is in that type of information. So different routine communications, so like meeting requests, we all get lots of those. If that's handled through there, that could be disposed of quickly and not retained. Also data security, it minimizes the amount of data that's vulnerable to security breach, and it has that end to end encryption. So it could be beneficial for that. But it should also be approached with caution. There's some legal and regulatory risks. So if those platforms aren't used appropriately, you could have information that is being shared through ephemeral messaging that should be retained. So you have information going through that your entity would want. If not already addressed or considered in the policy, these new technologies need to be. So are those communications recordings on these systems, records under the entity's record retention policy? Does the entity want them to be records? Potentially you could carve them out if they don't, or you could change how people are using those different applications. Even if they are not records, they could still be subject to legal hold. So you do have to remember that as well. If a legal hold comes up and there's information that would be covered by it, it would be held. An entity really should develop policies for each of these systems, restrictions on systems that can be used, on types of communications that can occur on those platforms. So it's important to address those up front, rather than facing them. Another issue as a result of the pandemic are personnel changes. There's been a lot of people going in and out of different companies. Are the exit procedures for records and computers being followed? With more people out of the office, are they doing the things they're supposed to be doing to those computers? Are things getting turned in appropriately? Are they being retained appropriately? Also, are new employees being trained on record retention policies? That's an easy one to overlook in those circumstances. But all of these issues really highlight the need to review the policy and procedures regularly, and adopt new policies or procedures related to new technology. Again, auditing which I emphasized before, making sure employees are doing what is required regardless of the changed circumstances. And training, both new employees and current employees. A refresher of what is required, to the extent people have gotten a little lax working from home. And also on any new policies or procedures that might be adopted as a result of these new technologies. So the last slide in this section, I just wanted to give you guys some helpful resources. There are handouts for each of the Sedona Conference publications listed here. So I'm not gonna talk about those in detail, other than to say that they are all really helpful resources in this area. So I strongly suggest you take a look at them. The guidelines, they provide some really helpful tips to consider, things you need to consider. And we've talked about some of them here, but that talks about how counsel should ensure that the entity adopts reasonable policies and procedures. So making sure that those are things that can be followed. It develops a policy that's realistic, practical, and customized to the entity. So it's not just a form, but you really need to consider the entity and the entity's needs. It incorporates procedures to avoid the unnecessary retention of all electronic information. So again, you don't need to retain everything. That's really not what the purpose of the record retention policy is, it's retaining the right things. It should ensure that it takes a comprehensive approach to the information life cycle, so you're considering the whole information life cycle. And it mandates the suspension of ordinary destruction practices and procedures to comply with legal holds. So those guidelines kind of go over all of those in a little more detail. Then there's the commentary on information governance and on defensible disposition and ephemeral messaging. Those are all good resources in this area as well. Another resource is the ARMA, which is the Association of Record Managers Administration. Their principles are really another guide to understanding the issues counsel should consider, and include a lot of different principles for accountability. So making sure there's someone in the entity that oversees the program. Integrity, that the program should be designed so that records have a reasonable guarantee of authenticity and reliability. Protection, the program should provide reasonable level of protections to information that's private, confidential, privileged, proprietary, or essential to business continuity. Compliance, it needs to comply with applicable laws and authorities, of course. Availability, so the record should be maintained. That ensures people can timely and efficiently retrieve the information. Retention, retained for the appropriate amount of time. Disposition, the entity should securely and appropriately dispose of records it no longer needs. So again, you're not just keeping them, but you're also disposing of them properly. And then transparency, the entity should document the policy and process in a way that all employees can understand. So those are some good resources for you, as you kind of head down this road. And now I am going to turn it over to Brandi.


- The disposition of records is not top of mind for many organizations, why? I think the biggest reason is that record disposition activities require the use of resources that could be implied instead to other more demanding business needs. After the pandemic, ongoing supply issues and navigating the working from home situation, organizations today have more to deal with than ever before. Another reason is that most records these days are electronic, and electronic storage is inexpensive and easy to obtain. Electronic records do not take up physical office space. So unlike boxes and filing cabinets full of paper records, electronic records are out of sight, out of mind. Now some electronic information resides in old, dormant legacy systems that are no longer connected to a company network. Who has time to worry about an old system continuing outdated data? And as for physical records, they would be stored in boxes, filing cabinets, store rooms, and warehouses. There are probably no newer physical records competing for physical space, since most records are now electronic. So the stacks of boxes and filing cabinets may have just become part of the office landscape that no one thinks about. But organizations should think about record retention and the disposal of unneeded information. I will explain why record disposition is so important in a moment, but first I want to acknowledge the Sedona Conference. The Sedona Conference is a nonprofit organization devoted to the study of certain legal topics, and the publication of commentaries to guide attorneys and judges. It is a highly respected organization, and has become an authority on cutting edge discovery and information governance topics. The Sedona Conference's publications have been cited in numerous court opinions. The Sedona Conference commentary on defensible disposition, which is cited on this slide, provides useful guidelines for making record disposition decisions, including the factors that could come into play when making disposition decisions, and important considerations for all organizations dealing with record retention and disposal. The Sedona Conference commentary on defensible disposition outlines three principles or best practices for making sure disposition decisions are defensible. The first is that absent a legal retention or preservation obligation, organizations may dispose of their information. The second is that when designing and implementing an information disposition program, organizations should identify and manage the risks of over retention. And the third principle is that disposition should be based on information governance or record retention policies that reflect and harmonize with an organization's information, technological capabilities, and objectives. Now these principles are pretty high level and they do make sense, but they lead to a lot of questions. Why is disposition important? Why not simply leave electronic information alone? How does a business decide if and when disposition is appropriate? What should a business think about when coming up with a disposition policy? Who should have a say in disposition decisions? And what happens when records have been dispositioned, but are later needed for an investigation or a lawsuit? When an organization disposes of unneeded records by following a well-structured record retention program, it benefits in several ways, including the six listed on this slide. The first is increased efficiency and productivity. When an organization properly reduces the amount of records it retains, the information that is important and necessary for the business' operations can be located more easily. Have you ever spent a chunk of time searching for a document? I have, it's not unusual to spend 15 to 20 minutes sifting through emails to find the specific one you need, or looking for a memo that you might have misplaced. If every employee spends 15 minutes a day searching for a specific document, and an organization has 100 employees, at least 25 hours are being wasted each workday. Now imagine the organization has not been disposing of unneeded outdated records in a timely manner. When records are searched for, there would be more records to search through and electronic systems would probably not operate as quickly as they could. On a side note, I was reading the blog of an eDiscovery provider a few days ago and learned that there is so much digital information in the world today that it is now measured in zettabytes. A zettabyte is a billion terabytes or a trillion gigabytes. A zettabyte is a billion terabytes or a trillion gigabytes. So the amount of electronic or digital data that exists in the world today is simply mind boggling. And although an organization will not have that much, they still have a lot of information. The second benefit is reduced storage costs. Storage costs for electronic or digital records are small in comparison to storage costs for physical documents. However, most organizations possess a lot of electronic information. And as many organizations downsize their office spaces, they need to put physical records into storage or transfer them to electronic format. Either way, there will be a cost associated with that. Legal compliance is the third benefit on this slide. Timely disposition may be required by statutes or regulations, contracts, or court orders. Such as, a lot of commercial disputes have protective orders in which the court requires all parties to dispose of the other party's confidential information within a certain amount of time after the case is resolved. And that's just one example of a court order that could require disposition of information. Failing to dispose of information as required can result in fines, civil penalties, litigation sanctions, contempt citations, or even separate litigation seeking compensation for damages due to the continued retention of information. And fines and penalties for violating record keeping laws, regulations, and court orders, can really be significant. It can cost organizations tens of thousands, or even millions of dollars. The fourth benefit is data privacy and information security. Now all organizations may have a legal obligation to protect private information belonging to third parties that they happen to possess. This kind of information could belong to customers, employees, business partners, or other contacts. And the less private and personal information that an organization retains, the less it will cost to protect that information from a data breach. And if a data breach occurs, fewer individuals will be affected and less data will be compromised. If the data breach was in violation of a privacy law, the fines will be lower and it will cost less to notify the affected parties and remedy the loss. And I would wager a bet that every person viewing this program has been the victim of at least one data breach. They happen a lot. Some states have reacted by passing data privacy laws, and many other state governments are contemplating privacy laws. Generally, such laws require organizations that retain private personal information about individuals to safeguard that information. And they mandate that the personal data be retained, only as long as necessary, for the purpose for which it was collected. Some foreign governments have more stringent privacy laws than the United States. And if your client is doing business with a foreign entity, you should be aware of those laws and regulations. They concern the security and retention of information belonging to the foreign company and its employees. When a security breach occurs, an organization must notify those who have been affected. And sometimes it must provide services to remedy the breach, such as offering credit report monitoring services. The cost of information security breaches can be substantial. According to a 2014 study, it was sponsored by Raytheon, the average cost of an electronic information breach at that time was $4 million, or $148 per lost or compromised record. I don't think that includes any legal fines. But regardless, $4 million is a lot of money. The bottom line is that every organization has a strong incentive to limit data breach exposure by reducing the amount of information it retains. Another benefit is reduced discovery costs and risks. Over retention significantly increases discovery costs. It will take longer to search for and identify relevant information, longer to review it for privilege and responsiveness, and longer to process it for production. If records have been retained that should have been dispositioned in accordance with the record retention schedule, and they are relevant in a lawsuit, they must be treated as all other relevant records. Someone will need to review them for responsiveness and privilege, and they may end up produced to the opposing party. The retention of old electronic information in an inactive or dormant legacy system may not cost anything. But if the information is ever sought in a government investigation or is relevant to the claims and offenses in a lawsuit, it still exists. And even if it had no value to the organization before the investigation or lawsuit occurred, it may now have to be restored or extracted at a significant cost. Not only does an overabundance of records increase the expense of responding to discovery, but it can complicate other phases of a lawsuit as well. And it could ultimately affect the final outcome of the case. The last benefit on this list is maintaining the goodwill of business partners and customers. An organization's reputation can be severely damaged by an information or data breach that results in the loss of its customers' or employees' personal information. This can lead to lost business. When a bank experiences a cyber incident that exposes the personal information of its customers, or even makes a bank account inaccessible for a period of time, some of those customers will definitely withdraw their money and close their accounts. They will turn to another banking institution that appears to be more secure. A negative news story about a data breach can also sway potential customers to take their business elsewhere. Likewise, issuance of a public fine for failing to follow regulatory requirements can hurt a company's reputation. Bad publicity can lead to decreased sales and lower stock values. And if an organization's record retention or information handling practices are challenged or criticized during litigation, the organization can more easily establish its reasonableness in good faith if it disposes of unneeded information on a regular basis in accordance with a record retention policy. Marguerite has already discussed some of the things that organizations should consider when determining an appropriate retention period. I'd like to look at this from a slightly different angle. Rather than, how long should the information be retained? Ask, when can this information be dispositioned? Basically in the absence of a legal or regulatory obligation, business records should be dispositioned when they no longer have operational value for the organization. And the best way to determine whether information has operational value is to conduct a cost benefit analysis. This is not an easy task and will likely require input from different departments and users of the information, such as operations management, the record retention manager, the IT department, and the legal department. Some of the things that will need to be considered are listed on the next slide. How does the organization use the information? And how long will it be used? Some information has value for only a brief period of time, such as a customer's credit card number used to place an online order. I doubt the credit card number has much value to a vendor once the allotted time for a refund has expired. Some information has value for years, such as documents pertaining to a long term project or a multi-year contract. This type of information would naturally be assigned a longer retention period. And some information has permanent value to an organization, and that should be retained indefinitely. This would include things such as corporate governance documents, or a trade secret formula for a product. Organizations need to consider all applicable statutory and regulatory record keeping requirements. Marguerite mentioned a couple examples from OSHA and ERISA regulations, but there are many, many more. Some industries are heavily regulated and have numerous laws and regulations that pertain to records retention. For example, a financial industry, healthcare, and energy providers. Organizations should also be aware of data privacy and protection laws, which we've also already touched on. Two examples of this are the Children's Online Privacy Protection Act, and Europe's General Data Protection Regulation, or GDPR. These kinds of laws established policies that personal data of third parties should only be retained for as long as required, for the purpose for which it was gathered. Contractual requirements should be taken into account as well. A contract with a vendor or a business partner may require that certain information be retained for only so long, or be deleted or destroyed after the business relationship ends. And the organization's technology infrastructure should be considered, specifically, how does that technology infrastructure coincide with the objectives of the company? Technology driven companies tend to evolve at a quick pace, and fairly recent records may be obsolete and unneeded. But less technologically sophisticated organizations may rely on old records. And it may make sense for those records to be retained for a long period of time. It is best for attorneys who are advising a client on record keeping issues to become familiar with how the organizational client creates, retains, and uses information, as well as all of the locations where information is stored. Keep in mind that information may be stored in more than one location, and be used by many different business functions in different ways and for different lengths of time. The next slide lists additional factors that can affect an organization's disposition policies, and the retention period for its records. We have already touched on some of these, but they probably warrant repeating. The first factor is organizational setup. Disposition policies can apply across an organization, or can be specific to a department or a business group. They can also apply to unique categories of information, or to groups of record categories. Some organizations may be able to categorize their records by department, such as all marketing information, all accounting or finance information, or all sales records. And if multiple departments use the same information in different ways for different purposes, or for different lengths of time, department categorization won't work. Second factor is the location of records, as well as the sophistication of the system that they are stored in. For example, certain types of records may be stored only in a certain location that is configured especially for the data that allows for precise organization in a certain way. Or essentially, the same records may be stored in more than one location. This can be important for retention and disposition efforts. If the same records are in two locations, only one location needs to be preserve for record retention purposes. Email systems are another example. Some email systems are sophisticated enough that IT professionals can identify and archive records that must be retained without the employee who holds those emails even knowing. If these systems are configured correctly and work properly, then incoming and outgoing emails can be deleted after only a short period of time. A longer retention period may be needed for a less sophisticated email system to allow time for identifying and manually archiving information that could be needed by the organization. The third factor is automated disposition. Some information systems have an automatic disposition function. If an organization chooses to use automatic disposition, a system must be put into place that would allow that automated disposition activity to be suspended if and when a legal obligation to preserve those records arises. And when there is no longer an obligation to preserve the records, the organization must be able to resume normal retention practices, including its automatic disposition activities. Generally, automatic deletion is more reliable than manual disposal by employees. But it also has risks, is it set up correctly? Can disposition directives be altered, either accidentally or intentionally? And how easy is it to suspend the automatic disposition function? Next on the list is legal holds. A legal hold is the process most organizations use to comply with the obligation to preserve information that could be relevant in a pending or anticipated lawsuit or government investigation. Information that is subject to an active legal hold should not be dispositioned. There are different ways to implement a legal hold. Usually a written hold or directive is issued to the custodians of relevant records, identifying those relevant records and stating that they must be preserved until the case is resolved. Some organizations may choose to, instead, locate and copy all relevant information and store it in a separate secure location until it is requested in discovery, rather than suspend automatic disposition functions. Once a legal hold is lifted, information that is passed its retention period should be dispositioned, so long as there are no other regulatory or legal obligations to retain it. The fifth factor is disposition by business partners and vendors. Service providers may be entrusted with an organization's sensitive business information. For example, cloud storage providers, third party hosts of document review platforms, and an accounting firm that audits a company's financial statements. Business partners may also obtain each other's proprietary information when they're involved in a joint partnership or collaboration. Care should be taken to ensure that third parties who are given access to an organization's records return or dispose of the information when there's no longer a business need to keep it. An organization that shares its financial data with another company while considering a merger does not want to find out, 10 years after the merger falls through, that its information is still in that company's possession. Next is disaster recovery systems. Disaster recovery plans have changed over the years, but most organizations have some sort of system where essential business information is duplicated and stored in case its operational systems become inaccessible during a disaster. Theoretically, disaster recovery systems should not become subject to discovery or a preservation obligation. But never say never. If a backup system is the only source of discoverable information, a court could order that the information be pulled from that system. And recovering information from backup systems can be both complicated and expensive. It is recommended that disaster recovery systems have rotation cycles no longer than necessary to ensure the purpose of the system, which is business continuity. Maintenance and updates refers to technology systems. Technology is constantly being updated and replaced with more advanced and easier to use devices and systems. Organizations should periodically reassess their information, their technology, and their objectives, and update their record retention and disposition policies to account for any changes in circumstances. When new technologies are employed, organizations should ask whether they are compatible with existing record retention policies and practices. If they're not, the policies and practices may need revised, or the technology may need to be modified. The last factor on this slide is auditing for compliance. Marguerite has already addressed auditing, but to recap, regular audits should be conducted to ensure employees are following legal hold record retention and record disposition processes. Because audits enable management to catch mistakes or misunderstandings when they first occur, so that corrections can be made. Audits also demonstrate an organization's credibility in following a reasonable record retention and disposition program. Now regardless of the retention period assigned to a records category, before any of the records are destroyed, an organization should still ask itself these questions. One, is the information subject to a legal hold? Two, is the information relevant to the subject matter of a government inquiry or investigation? Three, is there a statutory or regulatory obligation to retain the information? And four, is there a lingering business need or use for the information? The answer to this last question should be, no. But if the answer is yes, then the retention period assigned to the information should be reconsidered. Legal challenges to disposition decisions do sometimes occur, and I'll give you an example. But first, there are two basic principles to keep in mind, both stated on this slide. An organization will be required to defend its record retention or record disposition policies only when information that it is required to retain is no longer available. This can happen during a government inquiry when an agency asks for information, and the organization is unable to provide it. Or this can happen during the discovery phase of a lawsuit, when a party requests information that is relevant and discoverable, and its opponent can't produce it because it no longer exists. An organization's record retention or disposition decisions, if challenged, should be measured by the standards of good faith and reasonableness. So would a reasonable organization under the same facts and circumstances have made the decision in question? Is there any evidence that records were destroyed in bad faith or with malice? These are some of the questions that courts would ask. Selective disposition is one type of record keeping activity that can be considered evidence of malice. Selective disposition is when an organization keeps one category of information for a long time period because it would make them look good if they were investigated or sued, but disposes of a similar category or subset of information when it is no longer needed for business purposes. For example, a manufacturer has a record retention schedule that requires a long retention life for test results that show its product is safe. And a much shorter retention period for other types of testing that tends to have less favorable results, and would be useful to a plaintiff in a product liability case. By selectively disposing of records that would be harmful in litigation, while retaining favorable records, the organization is practically inviting a plaintiff to question not only the reasonableness of its record retention program, but also its good faith and reasonableness as a litigant. Now in the event a record retention policy is challenged in court, how do courts determine whether it is reasonable? The Eighth Circuit Court of Appeals provided a framework for evaluating the reasonableness of a record retention policy, in Stevenson versus Union Pacific Railroad in 2004. in Stevenson versus Union Pacific Railroad in 2004. It provides three questions for courts to answer. One, whether the record retention policy is reasonable considering the facts and circumstances surrounding the document? Two, whether lawsuits of complaints have been filed frequently considering the type of records at issue? And three, whether the document retention policy was instituted in bad faith. Now this framework has been adopted and used by federal courts since 2004. And nearly always, the record retention policy in question is held to be reasonable. For example, the US District Court for the District of Minnesota used this framework in 2017 in the case called Owens versus Linn Companies to evaluate a gas station's policy of overwriting surveillance videos after 14 days. There are other discovery issues in this case as well, but the challenge to the gas station's record retention policy is the only issue pertinent to this discussion. So this lawsuit was filed by an employee, Owens, after she was fired. She claimed that she had been harassed by her manager because of her race. Owens allegedly reported the harassment to a different supervisor on February 5th when she first arrived at work, causing her to clock in five minutes late. Later that day, the manager who was accused of harassment fired Owens for being late to work. Owens sought discovery of surveillance videos from February 5th, the day she was fired, which she hoped would show her timely arrival at work and her discussion with her supervisor. And from February 1st, four days earlier, a day that Owens alleged she had complained about the harassing behavior. The defendant found the February 1st video and produced it, but the surveillance video from February 5th no longer existed. The defendant had no legal obligation to retain the February 15th at the time it would have been overwritten. So Owens challenged the defendant's policy of preserving surveillance videos for only 14 days. The court ultimately found that the retention policy was not unreasonable. The court noted that Owens had offered no evidence to show that the policy of overwriting surveillance tapes after 14 days was unreasonable. That the defendant had previously faced issues concerning destruction of surveillance videos, that surveillance videos have been relevant in other employment discrimination lawsuits, or that the policy had been implemented in bad faith. What kind of evidence could Owens have offered? She could have researched prior employment lawsuits against the defendant or against other retail establishments, and maybe she would have found some cases where surveillance videos were at issue. She could have served discovery requests or deposed the defendant to find out whether surveillance videos had ever been at issue in any previous cases. She could have inquired as to other companies' surveillance video retention practices, and perhaps she would've found that other companies retained videos for a longer period of time. None of this would've been easy to accomplish, however. And the end result may have been that no evidence existed to support Owens' arguments. Showing that a record retention or disposition policy is not reasonable is a difficult thing to do under the Stevenson court's framework. An organization is much more likely to be found liable for spoliation, the destruction of information relevant to a lawsuit or investigation that it had a duty to preserve. The next slide lists ways that record retention practices can cause problems. Records may be over preserved. This will not result in spoliation, but could be just as costly. For example, a company is sued for selling a defective product. It responds by placing all its design and manufacturing records relating to all the products it manufacturers on a legal hold. Why would it do such a thing, when that's clearly over preservation? Maybe the manufacturer has a poorly, poorly defined record keeping system. Or it's severely short-staffed and management hesitates to give employees legal hold directives that will be difficult or time consuming to implement. Or it may just be easier for the organization to preserve everything. This is fine, until another lawsuit concerning a different product is filed. And information that would have been dispositioned, if not for the legal hold, now has to be located and produced. Not to mention the huge amount of data that will accumulate, creating inefficiencies and increasing expenses. Next on the list is the simple failure to comply with policies. Employees may not put as much effort into their record retention responsibilities as their other job tasks. They may not appreciate the importance of record retention and disposition. When record retention policies are implemented, employees should be given training of the policies and the individual responsibilities. New employees should be trained on the organization's record retention program and their specific responsibilities with regard to record preservation and disposition. Then organizations should issue periodic reminders and provide follow up trainings, so that record retention responsibilities are not forgotten. And when a significant change to a policy is made, more training should occur. That is what should happen. In reality though, record retention training can be overlooked or pushed aside by more pressing or time sensitive operational needs. Every organization has information hoarders. Now there are employees who know they are supposed to store certain type of records in a certain location, and they probably do, but they also keep copies in their desk drawer because they might need them. In their minds, it's easier to keep records in printed form than to find them in an electronic storage system. When the time comes for the records stored in the organization's system to be dispositioned, the printouts will still remain in the desk drawer, waiting to be remembered or discovered at the least inopportune time. Another mistake that costs organizations is the untimely implementation of legal holds. Failing to implement a legal hold in a timely manner can cause relevant information to be lost in the normal operation of the retention program. This can happen even when a legal hold is implemented quickly after an organization anticipates litigation. Because later the plaintiff can amend his complaint, adding new causes of action and new legal theories that bring different information into play and requires expansion of the legal hold to cover additional categories of information. If the organization does not expand the legal hold to encompass the additional information, that information is still gonna be disposed of. Finally, the rogue destruction or deletion of information not yet scheduled for disposition. In these situations, records are destroyed on purpose despite knowing that they should be preserved. People have been known to delete electronic communications that could reflect poorly on them. Records may be destroyed before an audit occurs that will likely uncover poor job performance, or to hide personal conversations that are not supposed to take place in company time. Mistakes can be made as well, even by IT or management. Files may be incorrectly labeled, causing the wrong retention period to be applied. Or the wrong files may be shredded or deleted because of inattention or poor communication. When computers, cell phones, and tablets are replaced or lost, it's very possible that relevant or pertinent business information remains on the hard drives that should have been extracted and preserved, but isn't always. Mistakes can also occur when changing servers or email providers, or when transferring information from one system to another. This all comes with risks that information can be inadvertently lost. When records are destroyed before the retention period is up and those records are sought in a lawsuit or government investigation, the organization will look bad regardless of how the destruction occurred. And there are court opinions where records subject to a legal hold were dispositioned by accident. Yet the organization is found to have acted in bad faith, probably because the organization knew that the records should have been preserved, but did not take sufficient precautions to ensure they would be. What should an organization do when it realizes that information that should have been retained has instead been deleted or destroyed? First, it should determine whether the information can be replaced. If the information was electronic, IT professionals may be able to recover all or some of it. If the information was communications, either the service provider or other parties to the communications may still have access to those emails, texts, or instant messages. And some information exists in more than one form and is stored in more than one location. So discuss with IT staff and those who work with the information that has been lost to determine whether there's any possibility that the information could reside in an alternative location or another source. Second, investigate and determine how the inadvertent destruction happened and document it. An attorney would be useful here, especially if legal ramifications are a possibility. Third, decide whether any disciplinary actions should be taken. Fourth, modify policies to prevent the same mistake from happening again. Again, an outside attorney or record retention professional may be useful in doing this, as they may recognize other risks that are not apparent to you. Or they may have dealt with similar situations in the past. Fifth, conduct record retention and disposition training. Training is an important part of record retention. And when a mishap occurs, a company who wants to get it right will conduct more training to minimize the chance that the mistake will happen again. And sixth, last, is to document what happened and the actions taken in a way that demonstrates the organization's appreciation for its record retention responsibilities. If the document destruction becomes an issue, this documentation can help establish the organization's reasonableness in good faith. A few last notes, there is no obligation to document the disposition process, but documentation can support enforcement of an organization's policies, as well as the audit process. Engaging an attorney in these steps can be immensely helpful. This obviously depends on the situation, but if a lot is at stake and a court or government agency is involved, I would definitely turn to an independent attorney to help through this process. So this ends our presentation. We wanna thank you all for attending.

Presenter(s)

Brandi Doniere
Partner
Brouse McDowell
Marguerite Zinz
Partner
Brouse McDowell

Credit information

Jurisdiction
Credits
Available until
Status
Alabama
    Not Offered
    Alaska
    • 1 voluntary
    Available
    Arizona
    • 1 general
    Available
    Arkansas
    • 1 general
    Approved
    California
    • 1 general
    Approved
    Colorado
      Not Offered
      Connecticut
      • 1 general
      Available
      Delaware
        Not Offered
        Florida
        • 1 general
        Approved
        Georgia
        • 1 general
        Approved
        Guam
        • 1 general
        Available
        Hawaii
        • 1 general
        Approved
        Idaho
          Not Offered
          Illinois
          • 1 general
          Approved
          Indiana
            Not Offered
            Iowa
              Not Offered
              Kansas
                Not Offered
                Kentucky
                  Not Offered
                  Louisiana
                    Not Offered
                    Maine
                      Not Offered
                      Minnesota
                        Not Offered
                        Mississippi
                          Not Offered
                          Missouri
                          • 1 general
                          Available
                          Montana
                            Not Offered
                            Nebraska
                              Not Offered
                              Nevada
                              • 1 general
                              Approved
                              New Hampshire
                              • 1 general
                              Available
                              New Jersey
                              • 1 general
                              Approved
                              New Mexico
                                Not Offered
                                New York
                                • 1 areas of professional practice
                                Available
                                North Carolina
                                • 1 general
                                Unavailable
                                North Dakota
                                • 1 general
                                Available
                                Ohio
                                • 1 general
                                Unavailable
                                Oklahoma
                                  Not Offered
                                  Oregon
                                    Not Offered
                                    Pennsylvania
                                    • 1 general
                                    Approved
                                    Puerto Rico
                                      Not Offered
                                      Rhode Island
                                        Not Offered
                                        South Carolina
                                          Not Offered
                                          Tennessee
                                          • 1 general
                                          Approved
                                          Texas
                                          • 1 general
                                          Approved
                                          Utah
                                            Not Offered
                                            Vermont
                                            • 1 general
                                            Approved
                                            Virginia
                                              Not Offered
                                              Virgin Islands
                                              • 1 general
                                              Available
                                              Washington
                                                Not Offered
                                                West Virginia
                                                  Not Offered
                                                  Wisconsin
                                                    Not Offered
                                                    Wyoming
                                                      Not Offered
                                                      Credits
                                                        Available until
                                                        Status
                                                        Not Offered
                                                        Credits
                                                        • 1 voluntary
                                                        Available until

                                                        Status
                                                        Available
                                                        Credits
                                                        • 1 general
                                                        Available until

                                                        Status
                                                        Available
                                                        Credits
                                                        • 1 general
                                                        Available until

                                                        Status
                                                        Approved
                                                        Credits
                                                        • 1 general
                                                        Available until

                                                        Status
                                                        Approved
                                                        Credits
                                                          Available until
                                                          Status
                                                          Not Offered
                                                          Credits
                                                          • 1 general
                                                          Available until

                                                          Status
                                                          Available
                                                          Credits
                                                            Available until
                                                            Status
                                                            Not Offered
                                                            Credits
                                                            • 1 general
                                                            Available until

                                                            Status
                                                            Approved
                                                            Credits
                                                            • 1 general
                                                            Available until

                                                            Status
                                                            Approved
                                                            Credits
                                                            • 1 general
                                                            Available until

                                                            Status
                                                            Available
                                                            Credits
                                                            • 1 general
                                                            Available until

                                                            Status
                                                            Approved
                                                            Credits
                                                              Available until
                                                              Status
                                                              Not Offered
                                                              Credits
                                                              • 1 general
                                                              Available until

                                                              Status
                                                              Approved
                                                              Credits
                                                                Available until
                                                                Status
                                                                Not Offered
                                                                Credits
                                                                  Available until
                                                                  Status
                                                                  Not Offered
                                                                  Credits
                                                                    Available until
                                                                    Status
                                                                    Not Offered
                                                                    Credits
                                                                      Available until
                                                                      Status
                                                                      Not Offered
                                                                      Credits
                                                                        Available until
                                                                        Status
                                                                        Not Offered
                                                                        Credits
                                                                          Available until
                                                                          Status
                                                                          Not Offered
                                                                          Credits
                                                                            Available until
                                                                            Status
                                                                            Not Offered
                                                                            Credits
                                                                              Available until
                                                                              Status
                                                                              Not Offered
                                                                              Credits
                                                                              • 1 general
                                                                              Available until

                                                                              Status
                                                                              Available
                                                                              Credits
                                                                                Available until
                                                                                Status
                                                                                Not Offered
                                                                                Credits
                                                                                  Available until
                                                                                  Status
                                                                                  Not Offered
                                                                                  Credits
                                                                                  • 1 general
                                                                                  Available until

                                                                                  Status
                                                                                  Approved
                                                                                  Credits
                                                                                  • 1 general
                                                                                  Available until

                                                                                  Status
                                                                                  Available
                                                                                  Credits
                                                                                  • 1 general
                                                                                  Available until

                                                                                  Status
                                                                                  Approved
                                                                                  Credits
                                                                                    Available until
                                                                                    Status
                                                                                    Not Offered
                                                                                    Credits
                                                                                    • 1 areas of professional practice
                                                                                    Available until

                                                                                    Status
                                                                                    Available
                                                                                    Credits
                                                                                    • 1 general
                                                                                    Available until
                                                                                    Status
                                                                                    Unavailable
                                                                                    Credits
                                                                                    • 1 general
                                                                                    Available until

                                                                                    Status
                                                                                    Available
                                                                                    Credits
                                                                                    • 1 general
                                                                                    Available until
                                                                                    Status
                                                                                    Unavailable
                                                                                    Credits
                                                                                      Available until
                                                                                      Status
                                                                                      Not Offered
                                                                                      Credits
                                                                                        Available until
                                                                                        Status
                                                                                        Not Offered
                                                                                        Credits
                                                                                        • 1 general
                                                                                        Available until

                                                                                        Status
                                                                                        Approved
                                                                                        Credits
                                                                                          Available until
                                                                                          Status
                                                                                          Not Offered
                                                                                          Credits
                                                                                            Available until
                                                                                            Status
                                                                                            Not Offered
                                                                                            Credits
                                                                                              Available until
                                                                                              Status
                                                                                              Not Offered
                                                                                              Credits
                                                                                              • 1 general
                                                                                              Available until

                                                                                              Status
                                                                                              Approved
                                                                                              Credits
                                                                                              • 1 general
                                                                                              Available until

                                                                                              Status
                                                                                              Approved
                                                                                              Credits
                                                                                                Available until
                                                                                                Status
                                                                                                Not Offered
                                                                                                Credits
                                                                                                • 1 general
                                                                                                Available until

                                                                                                Status
                                                                                                Approved
                                                                                                Credits
                                                                                                  Available until
                                                                                                  Status
                                                                                                  Not Offered
                                                                                                  Credits
                                                                                                  • 1 general
                                                                                                  Available until

                                                                                                  Status
                                                                                                  Available
                                                                                                  Credits
                                                                                                    Available until
                                                                                                    Status
                                                                                                    Not Offered
                                                                                                    Credits
                                                                                                      Available until
                                                                                                      Status
                                                                                                      Not Offered
                                                                                                      Credits
                                                                                                        Available until
                                                                                                        Status
                                                                                                        Not Offered
                                                                                                        Credits
                                                                                                          Available until
                                                                                                          Status
                                                                                                          Not Offered

                                                                                                          Become a Quimbee CLE presenter

                                                                                                          Quimbee partners with top attorneys nationwide. We offer course stipends, an in-house production team, and an unparalleled presenter experience. Apply to teach and show us what you've got.

                                                                                                          Become a Quimbee CLE presenter image