Jump to Navigation | Jump to Content
American Bar Association

ABA Section of Business Law


Volume 12, Number 3 - January/February 2003

Documents? What documents?
Some Guidelines About a Document Retention Policy and Its Implementation
    By Michael E. Arruda, Margaret R. Prinzing and Shruti A. Rana

The trial and conviction of Arthur Andersen on obstruction of justice charges splashed "document retention" concerns across the front pages of newspapers around the world. Even though the Andersen jury's conviction ultimately turned on a document that Andersen preserved — rather than the many that it destroyed under its on-again, off-again document retention policy — the episode served as another reminder to businesses of the importance of a smart records retention policy.

Indeed, it is interesting to note that this is a lesson that Andersen learned in stages. When the accounting firm fell under suspicion for its involvement in the Waste Management accounting scandal back in 1998, the SEC found incriminating evidence in files that Andersen retained even though there was no legal requirement to do so. Andersen responded to the scandal by adopting a perfectly legal records retention policy.

The next problem came when cost-cutting measures led to a break-down in the implementation of the policy: Andersen fired some of the workers who were charged with shredding the documents tagged for destruction. Among the documents piling up next to the idle shredders were those describing Andersen's role in Enron's flawed accounting practices. Had those documents been shredded on schedule, rather than after the investigation had become imminent, there may have been no indictment.

Of course, records retention policies are more appropriately designed to avoid inadvertent wrongdoing or the appearance of wrongdoing, such as the accidental destruction of a record that the law requires businesses to keep. This article explains how organizations can do that effectively by creating and then following a proper records retention policy, both in the course of ordinary business and when legal problems arise.

What follows is not intended to provide every business in every industry with an exhaustive roadmap for developing a sustainable policy. Instead, it is intended to provide a framework for thinking about a sound document retention policy. These are suggestions for a template that is applicable to businesses generally, with the caveat that each industry must observe different levels of state and federal regulation and apply adjustments that are unique to each business.

A good records retention policy will address the full life cycle of a document, from its creation through its maintenance, archiving and eventual destruction, including:

  • identifying which documents must be retained;
  • determining how and where documents will be maintained;
  • determining how long records must be retained;
  • understanding compliance obligations under potentially inconsistent federal and state requirements;
  • understanding compliance standards that vary by industry;
  • considering whether there are business reasons for maintaining records longer than required by law; and
  • preserving records necessary to defend against or bring litigation.
A properly designed and administered policy will address all of these matters so as to avoid the problems that flow from inadequate records retention programs.

A sound policy normally has two principal elements: (1) a schedule identifying the retention periods (minimum and maximum) for all documents created and collected by the organization and (2) a framework for the administration of the policy, including responses to government process.

Both of these pieces will be held together by a statement of company policy with respect to the purposes and goals of the document retention program. The company's policy statement sets the tone for the document retention schedule and its administration. It provides the backdrop for decision making where retention decisions are not clearly determined on the basis of the schedule, providing guidance for those that are charged with the administration of the process.

Development of the retention schedule requires the author to blend legal requirements with the particular business needs of the organization adopting the policy. Essentially, the policy must observe the minimum retention requirements imposed by law, while at the same time providing longer retention periods for documents that serve a particular use in that business.

For example, federal law may require an organization to keep a document for a minimum of two years but the needs of the business may dictate that the document be maintained for far longer in order to facilitate future research and development needs.

On the other hand, the human resources staff may see no business reason to keep old job applications, particularly where a function has been phased out, but must nevertheless retain them for a year or more under various federal or state laws, regardless of their apparent utility.

The starting point for developing a policy is to identify which federal and state requirements regulate an organization. That will determine the minimum retention requirements.

Adherence to minimum standards requires companies to keep an eye on both federal and state laws and regulations applicable to the management of business records, which often overlap and sometimes conflict. The federal framework includes a collection of industry-specific laws and regulations overseen by jurisdictional agencies. Some industries are largely regulated at the federal level.

For example, the Federal Communications Commission has established a document retention policy for the telecommunications industry that affects radio stations, television stations, cable television operators, and communication common carriers. Under the FCC's document retention policy, regulated companies must maintain records in such areas as employment and price and service information, and must also adhere to industry-specific requirements. Retention periods differ for each telecommunications category, ranging from one to 10 years; however, in most cases the FCC has not specified a retention period.

The energy industry is another example of an industry with lopsided federal regulation. Many of the requirements affecting the energy industry are found in Federal Energy Regulatory Commission regulations. In addition, depending on the nature of its activity, an energy company may have certain environmental reporting or clean-up obligations, bringing an additional layer of records management requirements into play. For example, under federal Clean Air Act regulations, a business must keep continuous emissions-monitoring records for two years.

States' requirements may mirror federal requirements — California law, for example, also requires businesses to maintain continuous emissions monitoring records for two years — but they often impose additional or inconsistent requirements.

One of the most heavily regulated industries is the financial services industry. At the federal level, the Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of the Controller of the Currency issue key document retention regulations.

California, though, has no general document retention statute applicable to financial institutions, but instead has specific statutes and guidelines directed at types of banking records. For example, under California's Unclaimed Property Law, California Code of Civil Procedure Section 1500 et seq., property passes to the state after a certain period of time goes by with no customer activity. Implicitly, this means that banks should keep records of escheated property until statutory periods for litigation have expired.

Industries of all kinds must consider the federal and state document retention policies applicable to their human resource departments. In the employment area, some categories of documents are governed exclusively by federal law, such as the federal I-9 form. Most categories, however, are regulated by both federal and state law. Both federal Title VII and the California Fair Employment and Housing Act require employers to retain job applications and resumes, for example, but federal law imposes a one-year retention period and state law imposes a two-year retention period.

Another source of legal requirements for a company's document retention schedule may be found in its contracts. Many contracts require parties to either return or destroy documents relating to a feature of the transaction after a certain event has occurred. This often occurs in the context of confidentiality provisions, where the receiving party has an obligation at some specified point to return or destroy confidential documents provided by the other party in the course of the contract. Companies must observe these obligations in much the same way as any other obligation under the contract.

Finally, one consideration that may often be forgotten relates to the maintenance of personally identifiable information. Companies in the business of gathering such information, either online or otherwise, may be subject to promises they have made to their customers via their Web site privacy policy, or via less-than- precise legal requirements.

Some privacy policies provide that a company will not maintain a customer's personally identifiable information for a period longer than is necessary to fulfill the purposes for which it is collected. Thus, it is important to build into a privacy policy a requirement that such information be monitored and that it be destroyed once that period of usefulness expires.

There are certain legal requirements that may also affect companies that are operating across borders and processing personally identifiable information from European Union residents. The EU Data Protection Directive requires that member states adopt laws that require data controllers to maintain personal information for only such time as it is being used for the purposes for which it was collected.

After identifying all federal and state laws — as well as contractual obligations — that apply to records relevant to operations, an organization must tailor those requirements to meet its own idiosyncratic business needs. This requires a lawyer familiar with the legally required retention periods applicable to a transaction to talk to specialists in the organization familiar with the document types and their usefulness to that organization and its goals.

Business goals may extend legal deadlines for any number of reasons, such as to aid in future research efforts, to assist in the development of future marketing campaigns, to track productivity, or to aid in capturing best practices. The point is that the legal experts must integrate or become familiar with the business needs so that the company is fully served by its records retention policy. Merge these guidelines, then, with realistic retention periods to avoid the pack rat syndrome.

The prospect or advent of litigation or investigation raises an entirely new set of document retention issues. What to do? Evaluate the company's records as resources that it may need to use as a sword or a shield, whether to defend against direct challenges by others or to protect its position in the marketplace by initiating litigation. Take precautionary steps to design a document retention policy that ensures the organization's ability to produce, review or explain the fate of potentially relevant documents as legal issues arise.

First, long in advance of litigation, try to identify records that may be relevant to defending future litigation, and determine how long the records need to be retained. The key here is striking a balance. A good policy can seek to minimize the burden and expense of storing aging documents, but must also make a good faith effort not to destroy evidence. A sound rule of thumb is to retain documents for the length of the statute of limitations for potential claims, even if this exceeds the time such documents must be retained under applicable retention laws.

Generally, the minimum retention periods set by law are not set with reference to a particular statute of limitations. Therefore, it will be necessary to consider whether the federal or state minimum requirements are congruent with the statute of limitations, or if a period of time must be added to ensure that a document is not destroyed before the period runs.

For instance, if a company has documents that pertain to a particular one-event transaction, it will be important to retain the relevant documents for the statute of limitation period associated with a contract action in that state. If the transaction contemplates serial transactions, including the repetitive manufacture of a particular product, it may be wise to keep all of the documents relating to the process through the last date of the statute of limitations once that product line or sequence is discontinued or replaced.

Second, consider whether the business may be subject to investigation by federal and state agencies. If so, it may need to retain documents that would be relevant to such investigations or requests for disclosure. For instance, federal securities laws such as the Securities Exchange Act of 1934 contain various reporting and disclosure requirements that most companies must comply with; thus, companies must ensure that they maintain the documents needed to support each applicable requirement.

Examples include duties to maintain shareholder lists and minutes of directors' meetings. The FTC has broad investigative powers under the FTC Act, Sec. 3, 15 U.S.C. Sec. 43, and may require companies to provide information related to any business activities that may violate federal competition or consumer protection laws, including customer practices, mergers and competitive agreements.

Third, consider whether the organization needs to preserve certain documents to protect its own position, such as in the area of patent litigation. If the organization contemplates affirmative litigation, it should then revisit its records retention policy to determine whether any of the documents scheduled for destruction should be saved because they would be relevant to such litigation.

Developing the policy may be the easy part. It seems that Arthur Andersen got that right. The key to success is developing an effective implementation strategy.

A company — preferably originating from the chief executive's office — must distribute the policy to every person who has a role in handling records. Consider having a training session or some other means to emphasize the policy if the organization is concerned that its workers may not otherwise grasp the details or importance of the policy. Determine what resources are necessary for implementation.

Does the organization have the capability in-house to store all the documents that need storing and to shred all the documents that need shredding, or does it need to hire more employees, acquire new equipment or identify external resources? It should develop a well-organized storage system to minimize the costs of locating or producing relevant documents if the need arises.

Each unit of the company should also keep records of the content and implementation of its records retention policy, including requests (and actions taken in response) for destruction of various types of documents. Such precautions can later help rebut allegations of bad faith or intentional destruction of evidence after litigation has begun.

Find a way to make the policy part of the way an organization does business over time. Identify an individual within the organization who will be responsible for the day-to-day policy oversight, including ultimate decisions in implementing the policy when issues arise. (The outside storage vendor is not this person.) This individual should be held accountable for training new employees in the policy and periodically checking to make sure the policy is being followed. Develop an internal structure to periodically audit policy compliance and administration.

In the wake of the Enron/Andersen experience, an effective policy must include special rules that go into effect once litigation or an investigation begins. Consider Arthur Andersen's cautionary tale: As the Enron accounting scandal began coming to light, Andersen auditors found incriminating evidence among the documents that should have already been destroyed. It was at that point that in- house counsel weighed in with her fateful reminder about the neglected document destruction policy. The word went out, and Andersen employees began deleting e- mails and lining up to shred documents. The indictment followed shortly.

Once an organization is threatened with litigation or an investigation, it is then on notice that it may eventually need to produce documents relating to the dispute or issue. It must stop destruction of any documents that could be relevant to the litigation or investigation, even if these documents would be subject to destruction under the company's retention policy.

The failure to do so exposes an organization to multiple risks. First, there is the risk that an organization would be unable to adequately defend itself without relevant documents. But it may also confront penalties for the destruction of documents, including potential disciplinary measures for its lawyers.

Of course, that is exactly what happened to Andersen. The indictment charged that Andersen knew about the SEC investigation, was aware of documents and electronic files that would be relevant to the investigation, and destroyed them nonetheless. It was enough that Andersen knew that an investigation was under way, even though it had not yet received a subpoena for documents.

Ultimately, Andersen was charged under an obscure federal law, Section 1512(b)(2) of Title 18. According to the government's theory, within Andersen, there were one or more "corrupt persuaders" who encouraged Andersen employees to destroy records that would be relevant to the government's investigation. Even though the jury rejected the theory (ultimately deciding that the corruption involved accounting rather than shredding practices), the risk remains for any who would follow Andersen's example.

Aside from criminal prosecution, a party that destroys documents may be subject to civil sanctions, negative jury inferences or even dismissal for "spoliation of evidence." In some cases, the existence of a formal document retention policy may be considered a mitigating factor in assessing whether documents have been destroyed in bad faith.

However, poorly designed or improperly followed policies create the risk of sanctions. For instance, if documents are destroyed according to a policy that is only selectively followed, or that allows destruction of documents that a business knew or should have known would be relevant to actual or potential litigation, the company may still be subject to sanctions.

Finally, parties embroiled in litigation must comply with applicable discovery rules. Federal courts, for example, may impose sanctions under Federal Rule of Civil Procedure 37 for failure to preserve or provide evidence. Many state courts require parties to preserve documents and other evidence in compliance with state discovery rules, and may impose monetary or discovery sanctions for violations of these rules.



To address the many requirements of federal and state law and to minimize corporate liability for improper document management practices, it is critical for all organizations to develop, maintain and observe a comprehensive document retention program. Properly drafted and followed, a sound policy can provide the sort of protection that an organization needs to defend itself against possible allegations of improper document destruction or other records management irregularities.

And — as is the case with all policies — a records retention policy is only as good as its observance, which means training and consistent application of the principles set out in the policy.




Arruda is a partner and Prinzing an associate at Bingham McCutchen LLP in San Francisco. Rana was previously an associate at the same firm and is now on a judicial clerkship. E-mail for Arruda and Prinzing are michael.arruda@bingham.com and margaret.prinzing@bingham.com.

Back to Top