The FCPA requires corporations to “make and keep books, records, and accounts.” But “keep” can’t mean forever. Whether government, corporate, academic, or in private practice, FCPA and compliance professionals have rightly spent much time, energy, and ink on the nuances of creating and preserving accurate books and records.
A post on the FCPA Blog urged corporations to ensure that their retention policies account for the numerous (non-email) apps employees now use to communicate. Though not entirely ignored, a much-neglected topic is the other side of the records and information management (RIM) and data controls coin: records disposition.
Corporations should define and enforce the full lifecycle of their records retention policies for business reasons and as a risk mitigation measure. Data is not free to store. And uploading, searching, and producing legacy data is costly in terms of time and resources and may offer little measurable benefit.
In the course of document review, many of us encounter documents — emails in particular — that are seven, ten, or even twenty years old and do not appear to be preserved for any particular business reason. While RIM schedules are common at corporations, strict enforcement of and adherence to those schedules seem less common.
My experience in government stands in contrast. The government, though sometimes slow or sloppy in its execution, has meticulous records retention (and disposition) policies. DOJ alone has nine records officers. In December 2017, the National Archives completed a five-year project to update, revise, and compile the General Records Schedules for all Federal RIM.
The overarching theme of the summarized policies seems to be a healthy level of discretion. Many of the provisions read like requirements to destroy certain documents but authorize longer retention “if required for business use.”
An effective RIM policy serves the needs of the business while striking an appropriate balance between the dual risks of premature destruction and over-retention.
The right policy could make the difference between telling an enforcement official “we may or may not have that record but will need four weeks, an e-discovery contractor, and outside counsel to answer,” or “under our RIM policy the retention period for this record is expired; after searching unsuccessfully, we have concluded that the record was destroyed in accordance with policy.”
Four key questions should guide an effective RIM program:
Are there statutory or regulatory requirements to preserve given records for a set time?
If so, does the RIM program seek to prevent over-retention? How?
Are there other legal considerations that counsel specific periods of retention?
Statutes of limitation vary for different types of conduct. Which statutes may come into play? What records will be necessary to mount a defense, account for corporate conduct, or disprove an accusation? DOJ and the SEC have written extensively about the definition of corporate cooperation and it may be that the corporation that keeps all of its records can cooperate more extensively than the one that does not. On the other hand, the retentive company may also find that its old records inculpate the company whereas the company with a strict RIM policy does not. This central question requires balancing legal risk and business purpose and deserves the attention of experienced hands.
What are the business reasons for retention?
This is the central question of an effective policy and may counsel longer retention periods for certain types of records than a pure legal analysis would. Certain sectors or industries may also have customs or guidelines that will dictate certain minimum retention periods. A good policy will also delegate authority to make exceptions to policy — particularly in favor of greater retention.
What exceptions will apply?
There will be reasons to segregate specific documents in order to preserve them for more or less time than policy typically requires. Two immediate examples are a litigation hold and a case where a company is temporarily responsible for information it does not own. One will require longer retention and the other shorter. A strong records management policy will ensure that the ultimate disposition of these records is monitored and documented.
In the end, a policy is only as good as its implementation. Companies should consider having their internal audit function audit the implementation of their RIM policy. Indefinite and indiscriminate records retention does not a good policy make.
After all, it’s sometimes what you don’t know that will save you.
Matt Reeder is a litigation associate at Orrick. Before joining Orrick he was a civil litigator for the Department of the Navy. All the views expressed in this post are his alone and do not reflect the views of Orrick or the U.S. government or any of its components.