By: Alina Pargamanik, J.D.
Does your company have a record retention policy? If not, you could be putting your company at risk of significant legal repercussions.
What Is a Record Retention Policy?
Record retention policies specify the business’s processes and procedures for managing documents. A well-drafted record retention policy provides guidelines and procedures for the storage, organization, retrieval, and destruction of documents in accordance with both legal requirements and inter-company policy. Any record retention policy must provide a provision for the suspension of the policy in the event of litigation or upon the company’s notice of an investigation.
Depending on your company’s industry and the matter involved, there are various regulatory and legal standards for record retention. For example, the Internal Revenue Service requires organizations to retain employment tax records for a minimum of four (4) years; the Occupational Health and Safety Administration requires businesses to retain records on workplace injuries for five (5) years; and the Equal Employment Opportunity Commission requires employers to retain all personnel or employment records for one (1) year. The following federal laws also set forth specific record retention requirements:
Sarbanes-Oxley (SOX) Act: SOX created financial record keeping and reporting requirements for corporations to protect investors from fraudulent activity, including a five (5) year retention period for customer invoices, a seven (7) year retention period for tax returns and receivable or payable ledgers and an indefinite retention period for payroll records and bank statements.
Gramm-Leach-Bliley Act (GLBA): GLBA requires financial institutions to be transparent with consumers about their information-sharing practices and to make an additional effort to secure consumer data. GLBA does not require a specific retention period, but the general rule is to retain all financial records for a period of seven (7) years, in line with SOX.
Health Information Portability and Accountability Act (HIPAA): HIPAA is a regulation designed to protect patients’ private data against fraud and theft, but it does not set specific retention periods of medical records. It does, however, specify how long healthcare organizations must retain HIPAA-related documents. Healthcare organizations (or “Covered Entities”) are required to retain HIPAA compliance documentation for a minimum of six (6) years from when it was created or, in the event of a policy, from when it was last in effect.
Why Is It Important to Have a Record Retention Policy?
Having and implementing an appropriate and well-drafted record retention policy could prevent your business or organization from experiencing legal troubles should a government investigation or threat of litigation arise.
In 2005, the Supreme Court overturned the conviction of Arthur Anderson, a former Big Five accounting firm, for destroying documents related to a case involving Enron, an energy, commodities, and services company. Several weeks before the SEC launched an investigation into Enron’s accounting practices, Arthur Anderson destroyed approximately two tons of Enron work papers. The Supreme Court ruled that companies may destroy documents in the “normal course of business” and in compliance with a valid document retention policy. The destruction of documents in accordance with a record retention policy is permissible as long as the action is taken in “good faith” without any knowledge that the company is on notice of pending or anticipated litigation or a government investigation.
Even if your company has an existing record retention policy, it is important to regularly review and, if needed, revise the policy. Record retention laws and regulations are ever-changing, so it is critical to have an attorney confirm that your policy is in compliance and that your company is adequately implementing and enforcing the policy.
If your company or organization needs assistance in drafting or reviewing a record retention policy, please contact Batoff Associates. P.A. at 410-864-6211.
Comments