Document Retention Policy

1 February 2001
Seemingly innocuous documents can haunt your company in a courtroom. The best defense is destroying documents. If you do it right, you're legal and safe. If you get it wrong, you may find a judge accusing you of destroying relevant evidence. The answer is a well-formulated document retention policy (DRP).

While I admit that nobody will ever win a business leadership and vision award from the Chamber of Commerce for giving time and attention to the development of a DRP, you need to do it. It's like sleep. You may not feel like it's productive time, but you shouldn't try to live without it.

Especially with information going digital and the price of digital storage on its way down, it's too easy to keep everything. The problem with that approach is that when you're involved in litigation, you're almost inviting the other side to go fishing through your ancient records. Who knows what evil lurks there?

It only gets worse when you're faced with a subpoena for a document and you have so much data that you can't even find what you need to find. Now, you look recalcitrant. (Throughout this column, I'm going to use the word document broadly to mean any type of record, whether written, digital, audio, visual or whatever).

Let's start with what you wish your DRP could say, but can't. ``When litigation is threatened or filed, immediately review all relevant documents. Upon completion of the review, destroy all documents that are detrimental to our position.'

Somehow, this policy conjures up something having to do with 18 minutes of tape. Let's just say that it didn't work for Nixon and it won't work for you.

No matter what your policy is, it must call for a complete halt to document destruction once litigation is threatened or filed.

If you ignore this rule, you may find yourself accused of spoliation. ``Spoliation' can be loosely defined as the intentional and wrongful destruction of evidence that is material to an ongoing or imminent litigation matter. If a court feels that you're guilty of spoliation, it has many weapons at its disposal if it wants to sanction you. You don't want to go there.

It's an ugly place to be. In creating your DRP, you're going to have to assemble a team which should consist of a high level executive responsible for the project, your chief information officer (CIO), department heads, tax counsel, regulatory counsel and legal counsel. Ultimately, the CEO should be the one to sign off on the DRP. You need the CIO because one of the considerations is the technological feasibility of what it is you want to do.

An important issue is to what extent can you safely and effectively automate the process. You need department heads so that they have an opportunity to comment on the unique document retention needs of their department.

Your tax and regulatory counsel are there because of tax laws, and if you're in a regulated industry, then those regulations may also impose some very specific requirements. The first principle is that you should be sure to keep everything needed to successfully run your business. This is a pure business issue. What do you need and how long do you need it?

The second principle is that you should never destroy anything that the law requires you to keep. This principle requires you to stop all document destruction once somebody threatens or commences litigation or other legal proceeding against you. You can start again only with the approval of your lawyer.

Subject to the second principle, tax law and regulatory requirements, the general rule is that you can destroy your documents anytime you want. Having said that, if a court ever puts your destruction of documents under scrutiny, it looks much better if you did the destruction in a systematic way based on a schedule and a documented DRP.

It's common sense. If you destroy all e-mail when it's six months old, it's hard to accuse you of spoliation because a year old e-mail is long gone. If you suddenly have a DRP in place the day before a lawsuit is filed--well, you get the picture.

One pitfall to avoid in creating your DRP is not taking into account the fact that most documents have multiple copies. You have to consider your employees' personal files, local hard drives and backups. It doesn't help to destroy working data if you keep your backups forever.

Dealing with backups will probably require your CIO to create backups with the DRP in mind. Depending upon the media that you use for the backup, it may not be possible to selectively destroy parts of the backup. This creates a problem for you if your DRP requires you to destroy e-mail after six months but tax records after seven years, yet they both reside on the same tape.

If you think that the prospect of creating a DRP sounds like a boring and thankless task, you're probably right. It is boring and thankless. Still, the penalty for not dealing with the issue could be a long-forgotten memo rising up from the depths to hurt you in a courtroom.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at:

If you have any comments, please send them to

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.