Minimizing liability with an effective document creation and retention policy.

Abstract

An increasing number of statutes and governmental regulations impose obligations on organizations to retain documents. The failure to do so could expose the company to sanctions, liability and criminal penalties. This paper discusses why firms retain documents, considerations in creating documents, and the implementation and enforcement of an effective document retention policy to avoid or minimize the risk of liability.

Introduction

There have been an increasing number of statutory and regulatory schemes that impose obligations to retain documents on business organizations, including small businesses. For example, the Sarbanes-Oxley Act, enacted primarily in response to the Enron and Arthur Andersen scandals, impose, potential liability for shredding corporate documents on those who knowingly alter or destroy a document with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction or agency of the United States. The statute does not require that there be a pending proceeding. If a person has reason to believe that a document may be requested by a federal agency at a later time, even though no litigation or formal investigation is pending, and destroys or alters that document, that person may be found guilty of obstruction of justice and be subject to fines and up to 20 years imprisonment [9].

There are also federal and state obstruction of justice statutes that apply when there is a pending court proceeding, and there is a connection between document destruction and the proceeding. For example, under the Occupational Safety & Health Act (OSHA) an employer is obliged to keep detailed records of worker injuries and illnesses. An employer would face stiff fines or penalties if some or all of these records were found missing or destroyed while a court action was pending regarding an OSHA violation involving worker safety [7].

Courts have also held that there is a duty to preserve and not to destroy documents before litigation begins if a party knows of the existence of a potential claim and can identify relevant evidence [10]. Further, there are statutory time periods for retaining documents. Federal obstruction [4], and document retention requirements can also be found within various professional and industry standards, (e.g., a real estate broker or attorney must retain client trust fund records for a certain period of time). As a result, potential liability and sanctions (a penalty or punishment provided as a means of enforcing obedience to a law) can be avoided or minimized with an effective document retention policy (DRP).

In addition, instituting an effective DRP has other advantages. Litigation costs and sanctions can be reduced by lessening the time and expense spent in locating documents requested during discovery. By periodically destroying documents pursuant to a DRP, the firm reduces the volume of documents required to be produced in response to a search for stored documents, thereby enhancing business efficiency and minimizing storage costs. Also, documents can be legally destroyed pursuant to a reasonable and systematic DRP if no threat of litigation or government investigation is pending, thus preventing a claim of willful destruction of evidence.

It is important for the policy to consider the business objectives of the company, and DRP policies will vary from firm to firm and even within the company itself. Further, it is not enough to have a DRP in place without an effective enforcement mechanism. This paper will discuss the more important considerations in the development of a DRP, keeping in mind that the policy must be tailored for the particular firm.

Consider a Document Creation Policy

Before the retention policy is implemented, the company should first consider adopting a document creation policy that anticipates possible future litigation [2]. This is especially significant with the advent and extensive use of electronic communications. Documents are often created spontaneously and under pressure, using PDAs, e-mail, text and instant messaging, forums, bulletin boards and chat rooms. Employees often believe some documents and electronic communications are private, not aware or realizing that they may become evidence subject to subpoena (i.e., a court process where pertinent documents must be produced) in subsequent litigation. For example, an employee may have made comments via e-mail to other employees that may be construed as sexual harassment, and may expose the employer to liability. Often in civil and criminal cases issues of intent, dishonesty, wrongful conduct and judgment are the focus of the investigation: that is, there will be great interest in who said what, where and when to determine the party's motive. Employees are not always careful in their choice of words. They may simply be trying to do a good job. A simple, innocent communication can become harmful to the firm in the hands of a skillful trial lawyer as he introduces the document as evidence before a jury.

Employees may also think, often incorrectly, that their electronic communications are not recoverable since they were "deleted." For the most part employees believe they have a right to privacy with regard to many of these communications, when in fact there is often no such right since these electronic devices are owned and controlled by the employer. Any employee right of privacy stems from whether they had a reasonable expectation of privacy when using the employer's equipment, e.g., where the employer has a stated policy of allowing employees to make personal e-mail communication. Usually an employer will prohibit or restrict the employee's use of the equipment for personal purposes, thus barring any expectation of privacy.

In creating documents, the work force must be educated to understand the risks that are created whenever a document is created, either in paper or electronic form. Therefore firms should adopt a policy that controls the creation of potentially harmful documents. This can be accomplished by:

1. Prohibiting employees from creating documents that use vulgar and unprofessional language.

2. Prohibiting the use of company computers and electronic devices for activities such as viewing pornographic websites, participating in chat rooms, trading in securities, posting messages on message boards and similar conduct.

3. Discussing and resolving internal disputes only in person.

4. Avoiding the creation of documents that include unfounded assumptions or opinions (i.e., gossip) that may lead to misinterpretation and misunderstanding. The facts should be verified to assure accuracy of the written communication. Criticism of the firm's products, practices and employees should be avoided. Words should be chosen with care. Employees should not comment on potential legal liability of the firm.

5. Avoiding writing anything unless it is necessary. Nonessential or sensitive matters should be discussed and communicated in person or by phone.

6. Educating and informing employees that they are to assume that every written document will be read by an adversary in litigation. The federal and state court rules allow disclosure of nearly every potentially relevant e-mail, report, letter, and memo if a lawsuit is filed. Employees need to exercise caution and reflect before they write, and realize that if a communication can be interpreted to mean something else, it will be in litigation. Employees must be educated as to the importance of creating documents that could be harmful to the company, and be made aware that their e-mails are not destroyed when deleted. Further, management should understand that they must monitor documents created in their departments.

7. Taking corrective action to address issues raised in an original document that reveals a legitimate problem with the firm's products and practices, e.g., where test results show serious side effects of a new drug. Such action should be fully and carefully documented.

8. Restricting and controlling dissemination of all writings to only those individuals who have a need to know. Drafts of the final document, with markups and notes, should not be retained. These drafts can be harmful in that they may disclose other ideas and statements that were eliminated for sound business reasons but may be used later to show that the firm should have known there were better ways to proceed than the one chosen. Personal notes should not be kept if they are no longer needed. Retention of these notes often serves no business purpose. An exception would be notes taken during a stockholder or director meeting.

All of these actions create documents which, even if disclosed during an investigation, will minimize embarrassment or liability to the company. In addition, to be effective, the document creation policy must be communicated to all relevant parties. Meaningful enforcement procedures must be put in place and adhered to: for example, taking appropriate disciplinary action against those who violate the policy.

Reasons for Keeping Documents

Firms should keep documents for a number of different reasons: for example, compliance with statutes and regulations that require preservation of documents, anticipation of future litigation, and preservation of knowledge and information essential to the firm's present and future business practices. Often, however, companies retain documents out of habit and inattention, which in many cases would be a good reason not to keep them.

Statutory and Regulatory Duties

In today's business environment there are an increasing number of statutes and regulations that deal with issues such as employment, securities, health and safety, immigration, financial institutions, retirement benefits, privacy, terrorism, and the environment. They impose document retention obligations on firms involved in activities subject to the government's regulatory powers. Failure to meet these retention regulations could result in criminal prosecution, fines, and liability for the firm and management. Some of the statutes and regulations were referred to above.

To determine what documents are to be kept, and for how long, the firm must thoroughly review the laws and regulations that apply or may apply to the business's operations. Once these laws and regulations are identified and integrated into the DRP, it will allow the firm to respond more simply and effectively to inquiries and government investigations as to its compliance with applicable laws and regulations, thus minimizing the possibility of criminal and civil penalties.

Information and Knowledge Preservation

Over time, firms acquire and develop valuable knowledge, information and business practices that they want to preserve for future use. This organizational knowledge includes customer information, sales techniques, business methods, operations manuals, pricing information and the like. Other documents must be kept for practical necessity in the ordinary course of business, and to refer to in the event of a legal dispute. These documents include leases, business contracts, insurance policies, employment agreements, confidentiality agreements, deeds, intellectual property registrations, and sales documents such as invoices and statements. These documents should be retained and stored in such a manner as to be readily available as needed by the firm.

Planning for Possible Future Litigation

Firms should not ignore the possibility of future litigation. The United States is considered to be a very litigious society so there is a real threat that a company may be sued at some point in time, at great cost and economic loss. It would be in the firm's best interest to create a document retention policy in preparation of future litigation. Business records and other documentary evidence are often given more weight by a jury than oral testimony. A company's document creation, retention and destruction will often have a major impact on who will prevail in a lawsuit.

In evaluating the firm's DRP, courts use a "reasonableness" standard, i.e., that the policy be adopted and implemented in good faith, and not with the intent to make sure documents that are potentially damaging in any future litigation are deliberately purged or made not available [5]. Regular purging of a firm's documents should be part of an effective DRP as long as it is done in good faith--that is, with no knowledge or reasonable expectation that a document could be harmful to the company--and on a regular and systematic basis. This routine destruction may also have the indirect effect of disposing of uncomplimentary or dangerous documents that may otherwise be discovered litigation, to the surprise and advantage of opposing counsel.

This is especially the case with instant messaging and company e-mails. It has been estimated that e-mail use worldwide has reached to over 30 billion e-mail messages per day [11]. The upward trend in the use of these forms of communication is likely to continue. Attorneys in litigation are very interested in determining who knew what and when, and therefore it is not unusual for them to seek e-mail and data files from the opposing party prior to trial. E-mails and messages are often written and sent with little attention given to how these communications might be interpreted by third parties, or even by the recipient. These cursory communications are not given the same consideration as is a written letter or similar correspondence. As a result, what was thought of as an innocent, harmless e-mail may ultimately end up causing substantial harm to the company. It is common for e-mails and instant messages to contain factual errors, personal opinions, misstatements and other errors that commonly occur during oral communications. For example, an e-mail communication from an employee to management stating "We did see serious defects in the product," when the employee meant to say "We did not see" such defects, could be used against the company in litigation brought by an injured party alleging a defective product, to show the firm had been aware of a defect.

Further, the large volume of e-mail is often stored unnecessarily, and many users do not empty their Delete folders as well as their In Box and Sent items. Backup tapes of e-mails made by some firms may never be destroyed, also leading to damaging disclosure of the data to opposing counsel [8]. With an effective document destruction policy, these dangerous communications will not be available for review.

As a practical matter a company has no need to keep every e-mail, and storing this data can also be very expensive--but not as costly as responding to court-imposed disclosure of the data during litigation. Often, storing this data is done simply because of inattention or bad habit [2]. A well planned, implemented, and enforced DRP should eliminate the wrong reasons for retaining documents.

Subject Matter of a Document Retention Policy

What Should Be Preserved?

An effective DRP should require that the documents be classified in various categories relevant to business operations; for example, legal, accounting, personnel, marketing and sales, contracts and environment. Documents not only consist of paperwork but also may include computer disks, spreadsheets, e-mail, photographs and blueprints. Which documents should be retained, for how long, and how they should be stored depends on the categories in which they are placed, the business purpose, and how often the firm uses and reuses them. The policy specifics will require collaboration and input from management, counsel, the people who create the documents, information systems people, and those who are in charge of records management, keeping in mind there may be good business reasons for different policies for different divisions, operating units and geographic areas.

DRP Objectives

The DRP should delegate a person in each business unit to be responsible for oversight and implementation of the policy. It should achieve and include important objectives such as stating the purpose for implementation of the DRP, complying with statutory and regulatory requirements to retain the documents, and making sure important documents are preserved, categorized and stored so they can be easily retrieved when necessary (for example, to support the firm's legal position in litigation).

The policy should also implement procedures to prevent improper destruction or alteration of documents in the event a governmental investigation or litigation is commenced, and should also provide for a systematic and routine destruction of all documents once there is no longer a legal or business need to retain them. Doubt concerning whether to retain or destroy certain documents should be resolved in favor of preservation. The firm should list all document retention periods set by statutes and regulations. It is difficult to determine how long each document should be retained if there is no regulatory or legal time period. The length of time a business should retain documents depends on a number of industry specific factors, and pragmatic reasons such as insufficient storage space. At a minimum, a document should be kept for the statute of limitations period designated by law to be applicable or implicated by the particular document (a statute of limitation is the designated time at the end of which no legal action can be taken). For instance, if a loan transaction generated a promissory note, then the note should be retained for the loan period and for the statute of limitations period in the particular (e.g., three years in California for bringing an action to recover or sue on the note after default in payment).

In addition, other laws may apply to this example and should also be taken into account in retaining the note. For example, certain tax and corporate laws require proof that a shareholder took a loan, rather than a capital contribution. Also, governmental regulations require DRPs in many industries. In health care, for example, the firms are required to keep records for designated periods of time regarding handling and prescribing drugs, medical condition of patients, and Medicare and Medicaid reporting [3]. Further, key business documents such as deeds, patent registrations and the like should be retained indefinitely. E-mail in accessible format should be subject to a short retention period unless business needs dictate a longer period.

Execution and Enforcement of the Document Retention Policy

The DRP must be put into effect uniformly within the business firm, with complete support of management, and diligently enforced. Failure to follow the company's DRP can result in disaster to the firm, as was the case with the accounting firm Arthur Andersen when it found it necessary to shred damaging documents and later attempted to justify the destruction under its document retention policy.

Adherence to the DRP requires proper and regular training for all management and other personnel throughout the organization, emphasizing the importance of compliance. Each business unit within the firm should designate a person to be responsible for ensuring compliance with the policy. The responsible party in each unit should prepare reports to a top level management individual with executive authority over the entire firm.

The DRP should be updated and revised periodically, possibly every one to two years in the ordinary course of business, and reviewed whenever there is a reorganization such as a merger or acquisition. It may also be in the best interest of the company to bring in an outside auditor to review the policy for compliance. Any noncompliance must not be ignored and should be corrected quickly, possibly by additional training and/or discipline. Infrequent or sporadic enforcement may be considered bad faith destruction, and not document management in the ordinary course of business.

If government investigation or litigation occurs, the firm will have the burden of proving compliance with their policy, which will include records of regular training and enforcement actions taken. Further, once the firm has reason to believe (such as upon the receipt of a demand letter) that litigation or a governmental investigation is about to be initiated, the DRP must be suspended in whole or in part. To allow for such an eventuality, the policy must provide a procedure for suspension, including giving notice of suspension within the entire organization, who has the power to suspend the policy, and when and under what circumstances the policy should be reinstated.

More specifically, the following steps should be taken by the firm once it becomes aware of a potential lawsuit or government investigation [1]:

1. Suspend the DRP and give notice of its suspension to all employees.

2. Ascertain the scope of the investigation or lawsuit and determine the location of potentially relevant documents.

3. Decide, with advice of counsel, which documents need to be preserved. Segregate privileged communications, e.g., between attorney and client, and confidential business information, i.e., trade secrets, which are not to be produced or disclosed.

4. Put into place reasonable procedures to ensure suspension and preservation compliance, and assign a person to manage the document retrieval process.

5. Make sure no documents are deliberately or inadvertently destroyed.

6. Gather all relevant documents, store them in a safe place, and identify the source for each. Make sure employees produce all relevant electronic documents while maintaining the integrity of the original.

7. After the investigation/litigation is concluded, reinstate the DRP.

The penalties for destruction of evidence are determined by the court. An inference can be drawn that the documents destroyed were harmful to the firm's case. Monetary sanctions and exclusion of evidence can also be imposed. In the worst case, the lawsuit could be dismissed or the company can be held liable without a trial if the court finds that the firm intentionally concealed or destroyed evidence [6]. The type and extent of the penalty for destruction of evidence will vary from jurisdiction to jurisdiction, and will be more severe if the court finds the destruction was done in bad faith or if the other side is prejudiced by the destruction.

Conclusion

Given that certain statutes and regulations, including obstruction of justice statutes, are intended to prevent documents from being destroyed, there is an inherent conflict with a document retention policy that requires companies to routinely destroy documents. The firm should have a reasonable DRP which is consistently applied and enforced. The policy should be suspended when the firm learns of the imminent investigation or litigation, and should be reinstated as soon as practical after the legal action has been concluded. In summary, the penalties for illegal document destruction or alteration are severe and the risk of liability and harm is high if the company does not have or follow a well-thought-out document retention policy.

Endnotes

1. Balwin, Merri A. "Corporate Management and Ethical Issues; to Shred or Not to Shred?" 6th Annual Institute on Privacy Laws: Data Protection, Vol. 1, Practicing Law Institute, 2005, 809-816.

2. Ballon, Ian C. "Assessing and Limiting E-Commerce Liability through Policies, Procedures and Website Audits," E-Commerce and International Law, Chap.7, Glasser Legal Works, 2001.

3. COBRA (Consolidated Omnibus Budget Reconciliation Act 29 U.S.C. Section 601-608, 1985. See also www.ssa.gov/mediinfo

4. Federal Obstruction of Justice Statutes, 18 U.S.C. Section 1501 et seq., 2003.

5. Lewy v. Remington Arms Co., Inc. 836 F. 2d 1104 (8th Cir. 1988).

6. Martin v. DaimlerChrysler Corp., 251 F 3rd 691 (8t Cir. 2001).

7. OSHA, 29 U.S.C. [section] 5(1) 1993; See also Immigration Reform & Control Act, 8 U.S.C. [section] 1324a (1986) regarding hiring new employees; Fair Labor Standards Act Section 29 U.S.C. [section] 201 et seq. (1938) regarding minimum wage and overtime, child labor and equal pay; Employee Retirement Income Security Act, 29 U.S.C. [section] 1001 et seq. (1974) regarding retirement plans and employee benefits; Consumer Product Safety Act, 15 U.S.C. [section] 2051-2084 (1972), which protects consumers from unreasonable risk of injury from hazardous products; Comprehensive Environmental Response, Compensation & Liability Act (CERCLA) (1980) 42 U.S.C. [section] 9601 regarding hazardous waste cleanup and liability; State Obstruction of Justice statutes, See e.g., California Penal Code [section] 1321-1324.

8. Rowe Entertainment v. William Morris Agency, Inc., 205 F.R.D. 42 (SDNY, 2002).

9. Sarbanes-Oxley Act, 18 U.S.C. Section 1519 (2002)

10. Silvestri v. General Motors Corp., 271 F 3rd 583 (4th Cir. 2001).

11. VNUNET 2005, www.vunet.com

Thomas M. Apke, California State University, Fullerton