Data Retention and Electronic Discovery
Back in the "paper days" it was easier to have a document retention and disposal plan. Storing mountains of paper was expensive and an eyesore. Paper disposal was a matter of saving space, saving money, and aesthetics.
In the Cyber Age, data storage and retention is cheaper and to some extent unnoticeable. Some companies are unknowingly storing petabytes or even zettabytes of information because, as the saying goes - "out of sight, out of mind." Unfortunately, a company's data storage and retention policy (or lack thereof) becomes a critical issue when the government or a private citizen seeks company records and electronic discovery (e-discovery) commences. At that point, all data on any storage device (servers, hard drives, thumb drives, mobile devices) might be the subject of a subpoena.
Electronically stored information (ESI) is the primary focus of e-discovery in litigation. It is such a major issue that e-discovery has become a sub-discipline in law and technology.
Having litigated many cases where e-discovery is an issue, I can confidently say that responding to an e-discovery request can be extremely expensive. But, with a little foresight and planning, the issue of data storage, retention, and e-discovery is manageable.
Data Storage and Retention
There is no law that says electronic records must be kept forever. Yes, storage is becoming cheaper by the day, but the cost of maintaining the required technologies to access older storage platforms would make indefinite storage unreasonable.
Different industries have best practices to store and retain records. Some industries may require seven years, others might require five. Some companies keep records to comply with IRS requirements. In most situations, the IRS mandates the retention of records for three years, unless you file a loss from worthless securities or bad debt deduction, do not report income that you should report, or fail to file a return.
Depending on your industry, and advice from your tax professional, every company should have a data retention policy. Preferably, the data retention policy is in writing and implemented across all departments. This means that the company's IT professional knows and understands the policy and implements a suitable plan. It is worthless to have a data retention policy, but then learn that the IT department did not implement the policy and the company now has volumes of ESI beyond the period mandated in the policy.
A data retention policy should take into consideration that ESI not only comes in obvious forms such as email or word processing documents, but also databases, web pages, server logs, instant messaging transcripts, voice mail systems, social networking records, thumb drives, and even the storage devices on smart phones.
The data retention policy should address company information on personal mobile devices. Some companies have a bring your own device (BYOD) policy, which implicates privacy issues. Employees who conduct company business on personal devices might have to disclose information on the device that impinges on their privacy. At that point, the company should rely on its attorney to evaluate the privacy concerns and provide advice on the best method to comply with standard privacy laws and regulations.
Typically, courts do not have a problem with the destruction of business records in a routine and systematic fashion, as part of the “normal course of business operations.” Depending on the jurisdiction, there is a caveat: once a suit commences, or is likely to commence, the company cannot purge any data that might be relevant to the litigation. The question of when the company should know that litigation is "likely to commence" is an area of debate.
While industry best practices and company policies might shield the company from discovery requirements, it should be noted that where discovery obligations are in direct conflict with business practices, the discovery obligations will likely prevail.
There are many other issues to consider when dealing with data storage and retention. For example: Who maintains the data (possibly a third-party service provider)? Where is it stored (in the country or overseas)? Are there back-up tapes that might be accessible? Is the data subject to privacy laws like HIPAA or GLBA? Is the data proprietary or a trade secret? Books have been written on the many issues related to data retention and e-discovery.
Needless to say, many of these issues become irrelevant if there is no stored data pursuant to a written retention policy. Meaning, if the company has a data retention policy, and complies with the policy by deleting data, then in some cases there might not be any data to produce. The company can safely say "sorry, we don't have the data."
Bottom line - Have a written data retention policy and make sure it is implemented consistently.