[authors: Kaiser Wahab and Lauren Mack]
Writing a Data Retention Policy may seem unimportant when there are so many other aspects of running a business that require your attention, but having one in place will save your company a lot of time, money, and headache if it ever becomes involved in litigation or is the subject of an investigation. A well-drafted and executed policy will reduce the cost of producing data in these situations, as well as keep the company compliant with the rules and statutes governing the storage and destruction of electronic data on the federal, state, and international levels.
A comprehensive data retention policy should cover FOUR basic pillars:
I. Purpose and Enforcement
The first section generally gives a statement as to the purpose of the data retention policy and specifies whether it applies to the entire company or just a certain department. It should also appoint a specific person or department to oversee the implementation and execution of the policy and explain how those responsibilities will be carried out.
II. Management of Different Data Types
The different types of electronic data that a company may have and need to manage include email, instant messages, text messages, blogs, chat room transcripts, voicemail, electronic calendars, databases, word processing documents, efaxes, spreadsheets, and Internet browser information such as cached files, cookies, and download records. The data retention policy should describe where each type of data is stored, in what format, and when it will be archived and backed up. How special types of data (such as financial or employee records) are stored may be governed by different federal, state, and international laws that need to be carefully followed. How different versions and duplicates of data will be handled should also be addressed, as the same document may be stored on several hard drives, in various email message attachments, and in multiple backups. To ensure that the data is maintained in a manner consistent with the policy, a specific person or department should be put in charge of maintaining the storage of each type of data, with the duties of each listed.
III. Retention Periods For Each Data Type
A data retention policy must include a chart of all of the types of information that need to be kept and for how long. At a minimum, the length of time the company’s data is preserved needs to comply with federal, state, and (if applicable) international laws, but the needs or obligations of the company may require data to be stored for longer and should be considered while drafting the policy. Making sure that data is periodically destroyed will reduce storage costs and avoid a situation where the company could be forced to produce every piece of data from its inception onward during discovery, which might include a “smoking gun” document that could have been legally destroyed if a written policy had been in place.
It is also important to establish how each type of data will be destroyed. Just deleting information from a hard drive generally does not “destroy” it because it can still be recovered, so another more permanent method such as scrubbing, degaussing, or shredding should be used. Once again, the data retention policy should note what person, department, or third party will oversee that destruction along with specific responsibilities.
IV. Electronic Discovery Provisions
When a company reasonably suspects or becomes aware of potential litigation or investigation, it is legally obligated to prevent the destruction, alteration, or mutilation of potentially relevant evidence. In such a situation, a litigation hold must be placed on the destruction of relevant data. This is where appointing a specific person or department to be in charge of managing and destroying certain types of data becomes essential. Having someone knowledgeable to go to will avoid a lot of stress and confusion for the company’s lawyer when he or she needs to either stop the destruction of or locate information. The data retention policy should explain how each responsible person or department will respond to a discovery request and most importantly to a litigation hold request, as the company may face serious consequences in court if relevant data is destroyed.