We have been asked many times how long businesses should retain their records, whether in email, files or other venues. The simple answer to the question is that there isn’t “an” answer. Instead, there are a number of issues to consider in determining how long you should retain your records:
- What does your legal counsel advise?
- What have court decisions in your industry revealed?
- What is your organization’s tolerance for risk?
- What are the consequences of disposing of records too quickly versus keeping them for too long?
- What do government and industry regulations require as minimum retention periods?
To address the last question, we are assembling a database of regulations focused on data retention. We published the first edition in December with 421 regulations, but will be publishing the next edition in March with approximately 1,000.
Here’s a sample of the types of data retention regulations that exist today:
- Manufacturers and importers of chemicals must retain documents related to notification of risk, contact information about entities to whom chemicals are distributed, production volumes and other information for three to five years (40 CFR 82.13).
- Entities that operate as swap data depositories must retain records related to swaps or related cash or forward transactions for a period of five years, the first two years in an easily accessible place, but records of oral communications may be kept for only one year (17 CFR 1.31).
- Underground mine operators must retain certifications for safety equipment for one year (30 CFR 57.4201).
- Anyone who imports nonroad and stationary engines must retain documents supporting the information required in EPA Declaration Form 3520-21 for five years (19 CFR 12.74).
- Entities that operate air curtain incinerators that burn yard waste must retain records about all opacity tests for five years (40 CFR 60.1455).
- Manufacturers of heavy-duty vehicles and engines must retain records estimating how their fleets will comply with GHG emissions standards; estimated vehicle configuration, test group and fleet production volumes; expected emissions and fuel consumption test group results and fleet average performance; and other information (49 CFR 535.8).
- The Canada Revenue Agency (CRA) requires entities subject to various sections of the Income Tax Act, the Employment Insurance Act and the Canada Pension Plan to retain for two to 10 years any books and records that will permit the CRA to determine taxation, the qualification of registered charities, permit the verification of various types of donations, etc. (CRA Information Circular IC78-10R5).
There are two key takeaways from this:
- There is no such thing as an “unregulated” industry or company in the context of data retention: every business in every industry must retain records for some length of time.
- Data retention is not easy, particularly in the context of being able to find archived records, disposing of them properly, and migrating them to new archives and other information platforms. The technology used to archive, search for and migrate records is critical.
For more information on our Data Retention Requirements Guide, click here.
This is not a political post, I promise!
There are some lessons to be learned from the FBI no longer having access to five months’ worth of text messages between two staff members who were investigating former Secretary of State Hillary Clinton’s use of a private email server to conduct government business and the issue of Russian intervention in the 2016 presidential election, and Mrs. Clinton’s use of that private email server for sending classified and non-classified information. The one lesson I will discuss here is a simple one: you should not archive your email and texts.
More accurately, you, as an employee of your company, government agency or non-profit organization, should not archive your own email and texts.
Archiving should be based on pre-established and evolving corporate policy, not your choice of what content to save and what to discard. If your emails, texts, social media posts, files and other electronic content contain business records or any other content that is relevant to retain, it should be retained and archived automatically based on a set of corporate policies that have been established and approved by senior management, legal counsel, compliance, finance and any other stakeholders that are focused on the best interests of the enterprise. You, as an employee, should be involved in that process, but only as a voice among many in determining what to retain — you should not be the one who makes the final decision about what gets archived and what is discarded.
The reason for this is a simple one: there may be incriminating evidence, like mistakes or downright malicious activity in an email or text, that an individual might want to hide from the view of others. Someone responding to an email might mistakenly delete an important business record buried deep in the thread of an email that he or she did not see. Someone might fire off a text message or social media post in anger that reflects poorly on a client or colleague. In short, there is a temptation to delete information that violates corporate policy and we, as employees, should not have the ability to delete information in an attempt to cover that violation. While it might benefit us in the short term, it harms the organization in the long term.
In short, any good archiving process should prevent employees from being the key arbiter of what gets archived and what doesn’t.
Think about the process of sending a single email to one individual:
- You create and send an email and a copy of that email is placed into your Sent Items folder (copy 1).
- The recipient receives your email (copy 2).
- Your email admin makes a nightly backup of your email inbox (copy 3).
- The recipient’s admin does likewise (copy 4).
- Your company’s archiving system places a copy of your email into archival storage (copy 5).
- Ditto for the recipient’s company’s email archiving system (copy 6).
- The email you sent to recipient A gets forwarded to someone else (copy 7).
- That copy gets placed into a backup and archive (copies 8 and 9).
- You, your original recipient and the recipient of the forwarded copy access corporate email on a smartphone and a tablet (copies 10, 11, 12, 13, 14 and 15).
Now, let’s say you decide that you want to delete all of your old email because you’re afraid of incriminating evidence that might turn up in a lawsuit, a regulatory audit, or because you’re running for political office (ahem). Good luck with that. At best, you might be able to delete copy 1 and, if the recipient is nice, copy 2. Copies 3, 4 and 8 might disappear as admins reuse backup tapes over time or as the various mobile devices on which your email is stored delete older content. But that means that of the 15 or so copies of your email that exist, only about one-third to one-half will ever really disappear.
What should you do? First of all, disabuse yourself of the notion that you can ever completely delete your email. You can’t – it exists and may exist forever in some cases. Second, realize that email will stick around despite your best efforts to purge it, and so plan on it reappearing at some point. That means that if you have incriminating emails floating around your company, it’s best to archive them reliably and prevent their alteration so that at least you have the same evidence that the other side will almost certainly have in a lawsuit or a regulatory audit. While the ideal state is never to have incriminating emails, if you have more than zero employees in your company that’s unlikely to happen.
All of this sounds quite basic, but our work has demonstrated that some are still under the false impression that the process of deleting email actually deletes email. In reality, it does delete email, but only your copies of it – most are still out there somewhere out of your control. The best you can do is ensure that you have copies of your email that you can reliably assume others will also have.
Archiving as a defensive tool is well-trod ground: it’s an important best practice for eDiscovery, litigation hold, regulatory compliance, storage management, and end-user access to content. Every organization should archive their employees’ data to ensure they can meet these defensive uses of archiving – what we call Archiving 1.0.
But what about Archiving 2.0, or a more proactive use of archived data? Here are some things you can do with your archives:
- Investigations: The ability to extract intelligence from the content within email archives can significantly reduce the amount of time spent on investigations, such as early case assessments in advance of an anticipated legal action, an investigation about inappropriate employee activity, or an investigation about why a key customer account was lost.
- Sales support: Communications with customers independent of a CRM system can be used to determine how sales, support and other staff members’ emails correlate with customer retention and follow-on sales. Similarly, the speed and quality of responses to customer inquiries can be correlated to sales in order to determine how best to respond to inquiries in the future.
- Risk mitigation: Archived data can be used to mitigate risks from data breaches, employee fraud and related types of threats. Senior managers can look for employees who are more likely to commit fraud by looking for managers who are treating their employees badly. They can also find employees who are communicating with an organization’s competitors, transferring sensitive files to a personal email address, or running a personal business on company time.
- Customer service: Archived data can be useful in determining who in an organization is talking with specific customers, to whom in the customer organization they are speaking, the content of their conversations, and other relevant information.
- Supply chain management: Another application is analyzing messaging and relationship intelligence to visualize employee communication with unauthorized parties.
- Litigation management: Legal can use messaging and relationship intelligence to zero in on individuals or domains to understand communication trends and which individual(s) or domain(s) needs to be investigated further, enabling useful pre-trial or pre-litigation discovery information.
- IT support: Help desks can become more proactive by conducting ongoing investigations into what employees are saying about particular applications, the goal of which is to address problems as early as possible.
- Human capital management: An archive can be used to determine when employees are going to leave an organization and thereby minimize the impact of an employee departure.
We have written a white paper that focuses on Archiving 2.0 – please feel free to download it here.