A carefully conceived and well-implemented document retention policy has long been an important component of an effective corporate compliance program. Recent events have made reviewing and updating corporate document retention policies a priority for most companies.
The basic keys to an effective document retention program are:
- establishing a framework within which important documents are available when needed, while other documents can be destroyed in the ordinary course of business without exposing the company to liability;
- recognizing circumstances that impose special document preservation obligations; and
- ensuring compliance with retention and destruction policies.
This Update explains some other key issues relating to document retention and offers practical advice.
Why Have a Document Retention Policy?
Absent a duty to preserve documents, document destruction is an expected and necessary element of an efficient, functional records management program. An effective document retention program will:
- provide a system for complying with document retention laws;
- ensure that valuable documents are available when needed;
- save money, space and time;
- protect against allegations of selective document destruction; and
- provide for the routine destruction of nonbusiness, superfluous and outdated documents.
What Creates a Duty to Retain Documents?
A legal duty to retain documents may arise from a number of sources, including:
- Statutes and Regulations. A number of laws expressly require that documents be retained for specified periods of time, including:
- the Internal Revenue Code;
- state and federal environmental statutes;
- labor and employment laws;
- criminal statutes that punish obstruction;
- the Sarbanes-Oxley Act of 2002 and related SEC regulations, which, among other requirements, mandate that auditors maintain workpapers and other audit or review records for seven years from the conclusion of the audit or review;
- industry-specific statutes and regulations that impose unique document retention requirements;
- statutes of limitations that indirectly impose document retention obligations by making certain documents, such as contracts and personnel files, relevant to potential disputes that may remain dormant until the statutory period for bringing suit passes; and
- codes of ethics and professional rules, which may require that certain materials be protected from destruction. For example, Rule 3.4 of the Washington Rules of Professional Conduct prohibits a lawyer from altering, destroying or concealing a document having potential evidentiary value.
- Common Law. Court decisions may also impose duties to retain documents. One of the most important common law document retention obligations arises out of the doctrine of "spoliation," which is the improper destruction of evidence relevant to a pending or reasonably foreseeable lawsuit or legal proceeding. "Spoliation" can result in severe sanctions being imposed on a party who improperly destroys documents in the face of information sufficient to place a reasonable person on notice that the documents could be relevant or discoverable in litigation.
- Contracts. Many contracts contain provisions requiring that certain materials be preserved for future use. For example, consulting agreements frequently require the consultant to retain analyses and data prepared as part of the contract for a specified period of time.
How Did the Sarbanes-Oxley Act Affect Companies' Document Retention Obligations?
The Sarbanes-Oxley Act had significant impacts on the requirements relating to document retention, including:
- Criminalizing the Destruction, Alteration and Falsification of Records in Federal Investigations, Bankruptcy Cases and Official Proceedings. Sections 802 and 1102 of the Act amended the federal obstruction of justice statute, Title 18 of the United States Code (Crimes and Criminal Procedure), to significantly increase penalties for the destruction, alteration and falsification of records in certain circumstances.
- Section 802. Section 802 provides for a fine and imprisonment up to 20 years for anyone who knowingly "alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry" in any record or document with intent to impede, obstruct or influence the investigation or administration of any matter within the jurisdiction of a federal department or agency or any bankruptcy case. See Title 18 of the United States Code Section 1519.
- Section 1102. Section 1102 establishes the same penalty for anyone who corruptly "alters, destroys, mutilates, or conceals" a record or document with intent to impair its integrity or availability for use in an official proceeding. Significantly, the official proceeding need not be pending or about to be instituted at the time of the offense. See Title 18 of the United States Code Section 1512.
- Updating Federal Sentencing Guidelines Related to Obstruction of Justice. Section 805 of the Act commanded the United States Sentencing Commission to review and amend the Sentencing Guidelines to ensure that the base offense level and sentencing enhancements were sufficient to deter and punish obstruction of justice. The Sentencing Commission amended the Guidelines, effective November 1, 2004, to define the essential elements of an effective compliance program.
- Significantly Expanding Record Retention Requirements for Auditors of Public Companies. Section 101(a) of the Act established a Public Company Accounting Oversight Board to oversee the audit of public companies, and Section 103(a)(2)(A)(i) commanded the Board to adopt auditing standards that require accounting firms to "prepare, and maintain for a period of not less than seven years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report." In addition, Section 802 of the Act amended Title 18 of the United States Code Section 1520 to require auditors of publicly held companies to maintain "all audit or review workpapers" and directed the SEC to enact related regulations.
The SEC regulations establish a seven-year retention period for "records relevant to the audit or review, including workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which (1) are created, sent or received in connection with the audit or review, and (2) contain conclusions, opinions, analyses, or financial data related to the audit or review." In addition to the audit or review of financial statements of publicly traded companies, the retention requirement applies also to the audit or review of financial statements of registered investment companies. Knowing or willful violation of Section 802 (a)(1) of the Act or the related SEC regulations is punishable by fine and up to 10 years of imprisonment.
How Do You Create an Effective Document Retention Policy?
No single document retention policy will suit the needs of every company. An effective document retention policy must be developed through the collaborative efforts of the company's management, administrative staff, legal counsel and auditors. Each of these groups plays an important role in developing an effective document retention program:
- Management. Management of the company establishes the corporate goals served by the document retention policy and balances the tradeoff between the benefits of retaining documents for longer periods of time with the costs of document retention.
- Administrative Staff. Administrative staff typically know the most about the types of documents the company generates as part of its normal business processes and how particular document retention policies will impact the day-to-day operations of the company.
- Legal Counsel. Legal counsel identifies document retention requirements specifically applicable to the company and the potential ramifications of retention policies for documents with no specific retention requirements.
- Auditors. Auditors are responsible for ensuring that appropriate documents are retained for compliance with applicable auditing and tax requirements.
What Are the Elements of an Effective Document Retention Policy?
An effective document retention policy should, at a minimum, cover the following seven elements.
1. State the Objectives and Purposes. It is a good practice to explain the reasons for the policy. These may include providing a system for complying with document retention laws; ensuring that valuable documents are available when needed; and facilitating the orderly disposal of documents that are no longer required in order to save the company time, space and money.
2. Designate a "Records Management Officer" and Description of Organization. The policy should establish individual and organizational responsibility for implementation of the policy.
3. Identify Documents Subject to the Policy. The first step in developing a document retention policy is to distinguish between documents that are essential to the ongoing, legal and effective functioning of the company and those that are merely personal, nonbusiness and/or preliminary.
The former group of important business records includes, at a minimum,
- documents and data necessary to meet government record-keeping, reporting and compliance requirements;
- contracts and other transactional documents;
- insurance policies;
- personnel files;
- financial information;
- intellectual property;
- official correspondence;
- corporate policies and guidelines; and
- other materials related to the essential business of the company, its products, its formation and its governance.
At the other extreme are documents whose continued preservation serves no useful company purpose and may, in fact, needlessly expose the company to storage costs and legal liability, such as
- personal emails and correspondence;
- preliminary drafts of letters and memoranda; and
- other materials such as brochures and newsletters.
These materials should be promptly and systematically deleted and destroyed pursuant to the company's written retention policy, with the exception of documents relevant to or discoverable in pending or potential litigation and other legal and official proceedings. Essential email communications should either be printed or saved to a separate server or on tape or disk and should be subject to appropriate review and retention or destruction in accordance with the document retention policy applicable to other documents.
4. Establish Retention Schedules. The retention period for necessary business records depends on a number of considerations, including the retention periods specified in state or federal regulations, contractual obligations, pending or reasonably foreseeable lawsuits or official proceedings relating to the subject matter of the documents, statutes of limitations, protection of intellectual property, product development and research considerations. In the absence of a specific legal duty to retain documents, each company will need to balance the importance of specific records to the business against the costs of retaining the documents. Generally speaking, documents that are not subject to any retention requirement should not be kept longer than necessary to accomplish the task for which they were generated. Including citations to the legal authorities relied on in setting retention periods makes it easier to revise the schedules to reflect changes in the law.
5. Establish a Specific Process for Destroying Documents. The document retention policy should provide specific guidance on the process for destroying documents, including the timing of file reviews, a description of circumstances in which documents can be discarded or shredded and the identification of individuals who have authority and responsibility for carrying out the document destruction.
6. Establish Guidelines for Suspending Document Destruction. When a lawsuit or government investigation is pending, threatened or even reasonably foreseeable, destruction of all potentially relevant or discoverable documents should immediately cease. As one court explained, "While a litigant is under no duty to keep or retain every document in its possession once a complaint is filed, it is under a duty to preserve what it knows, or reasonably should know, is relevant in the action, is reasonably calculated to lead to the discovery of admissible evidence, is reasonably likely to be requested during discovery, and/or is the subject of a pending discovery request." Wm. T. Thompson Co. v. General Nutrition Corp., 593 F. Supp. 1443, 1455 (C.D. Cal. 1984). Because there is no "bright line" test as to when a lawsuit or proceeding is "reasonably foreseeable," the better practice is to err on the side of suspending destruction of documents potentially related to a lawsuit or proceeding until management of the company has confirmed with legal counsel which documents may be destroyed.
7. Document Compliance With the Document Retention Policy. To ensure that a company receives the full protection of a valid document retention policy, it is important to document not only the policy itself, but also its enforcement. A court will be less likely to draw an adverse inference against a company that shows a documented pattern of meticulously following its document retention schedules. It is better for a company to be able to point the court to the date of destruction of particular documents than to say that any relevant documents it may have had at one point have been destroyed, even pursuant to an otherwise valid document retention policy.
Establish a Document Creation Policy. It is good practice for all companies to adopt a document creation policy that prohibits employees from generating unprofessional emails and other documents. Far too often, the fruits of discovery in litigation include embarrassing, offensive and inflammatory emails that are not susceptible to easy, after-the-fact explanations. While a document retention policy that promptly disposes of nonessential emails is one way to limit the number of such communications that reside within the records of a company, a well-communicated professional policy regarding the creation and content of emails and other documents is the best way to make sure that off-the-cuff, ill-considered and other unprofessional communications do not become part of a company's records subject to production in connection with litigation, government investigations and audits.
What Are the Consequences of Improper Document Destruction? A company that destroys documents improperly could face serious penalties. Criminal sanctions for obstruction of justice under Title 18 of the United States Code Sections 1503 and 1505 can be imposed where documents under subpoena or relevant to a government investigation are destroyed. Criminal sanctions may also be imposed for the destruction or alteration of documents for use in "official proceedings" under Title 18 of the United States Code Section 1512(b)(2). Importantly, this statute does not require that an "official proceeding" actually be pending at the time of the destruction.
Companies that destroy documents that are responsive to a discovery order could face a variety of penalties under Federal Rule of Civil Procedure 37, including striking of pleadings, presumption of established facts against the party and monetary sanctions.
Finally, under the spoliation doctrine, when a party fails to produce documents that a reasonable person would be able to produce, the court may allow the fact finder to draw an adverse inference against that party. In other words, the fact finder may be permitted to presume that, by allowing the documents to "spoil" or to be destroyed, the party implicitly admits that the documents would have been unfavorable to that party if produced. While it is no defense that documents were destroyed pursuant to a document retention policy, pending changes to Federal Rule of Civil Procedure 37 would create a "safe harbor" from sanctions under circumstances where a party failed to provide electronically stored information that was lost as a result of the routine, good-faith operation of an electronic information system.
How Important Is It to Enforce a Document Retention Policy? A document retention policy that is not consistently enforced is not effective protection against allegations of bad-faith document destruction. Suspicions will be raised by the sudden vigorous enforcement of a policy that up until that point was only sporadically enforced. Moreover, selective destruction of documents after a subpoena has been issued could subject a company to criminal liability for conspiracy to defraud the government, Title 18 of the United States Code Section 371, as well as obstruction of justice.
Trap for the Unwary
Beware of Hidden Electronic Documents. A robust document retention policy will apply to documents kept in electronic form on the company's servers. However, many employees keep originals or copies of documents of their work on home computers. Unless these documents make it onto the company's server there is a strong chance that they will not be retained or destroyed as required by the document retention policy. As a result, the company could be subject to the same liability as if it had not adopted a document retention policy covering these documents. Accordingly, a document retention policy should include a routine notification to employees to keep all original documents on the company's servers and to delete all old copies of the files from their work or home computers.