Panama Papers Hack Demonstrates Value of Record Retention Policies

More than 11 million confidential documents spanning nearly 40 years were recently hacked from Panamanian law firm Mossack Fonseca. The cache of documents, known as the Panama Papers, contain client information that never should have been accessible to hackers.  Clearly, a well thought out record retention policy could have mitigated Mossack Fonseca's liability.  As a business owner or executive, you should learn from Mossack Fonseca's mistake and ensure that your organization has a comprehensive record retention policy.

One of the fundamental policies any business should have is an effective, functioning, and compliant record retention policy. A good record retention policy will outline all legal and compliance recordkeeping requirements applicable to your business, provide your employees direct guidance to ensure that records are kept as long as legally required, require periodic document purging in a systematic and controlled way, and ensure that employees adhere to company stated recordkeeping requirements.

While it may seem daunting, there are many benefits to having a good record retention policy:

• It ensures that records are kept for the proper period of time and that regulatory recordkeeping requirements are being followed.
• It demonstrates compliance with recordkeeping statues and laws to regulators.
• It improves the ability to locate and retrieve records.
• It identifies the roles and responsibilities of staff.
• It mitigates costs by controlling the growth of records and reducing the amount of duplicate records.
• It reduces litigation risks, and provides the “green light” to purge certain documents.
• It establishes transparency and good faith.

The risks of not having a good record retention policy are obvious, especially as a business grows. The Panama Papers are only one example of the value of such a policy. We’ve all spent time looking for a document we just can’t seem to find. But what happens when the subject matter of the document is under legal investigation or is being requested by a regulator like the Securities and Exchange Commission? Failing to keep a good record retention policy in place exposes a company to unnecessary risk. Adopting a written record retention policy ensures that your staff follows consistent guidance about document destruction and that document purging becomes a regular business practice.

There are several components to developing a good record retention policy. The first is knowing the rules and regulations that apply to your business. Not every piece of paper needs to be retained. Unfortunately, however, there is no single regulation for document retention that covers every business scenario. You’ll need to spend some time digging into the rules and regulations applicable to your business, or engage the help of a professional that already understands these rules and regulations.

Second, you’ll need to convey recordkeeping time frames to your staff in a clear and concise way. Rules and regulations can be confusing, and often documents are categorized into broad categories. Marry the applicable rules to the documents your staff uses on a daily basis so they understand exactly when each document can be purged, eliminating any guesswork and inconsistency. Some firms provide their employees a list of documents with destruction dates attached. Other firms use software that will automatically purge documents upon their expiration which is based on a standard classification code.

Third, develop a purge schedule and apply it in a systematic manner. Perhaps you’ll implement an annual “spring cleaning” event, whereby all of your staff reviews their files and purges accordingly. Or you might do this quarterly or monthly. A good record retention program should be part of your corporate culture and infrastructure. Both the implementation and deployment of a purge schedule are key elements in establishing "good faith" effort and ensuring a sound records management program. Always remind employees that certain events, such as litigation or regulatory investigation, may cause the record retention program to be immediately suspended. Have a way to communicate these events quickly to your staff.

Fourth, pay proper attention to confidential information, personally identifiable information, trade secrets and/or sensitive information. Documents that are sensitive should be handled carefully. Don’t allow your staff to throw these in the trash or recycle bin. Be sure that you have a shredder on the premises. Companies like ShredIt and Iron Mountain often can be hired to shred documents on a routine basis.

Fifth, don’t forget about email. While it may not be obvious, emails and the documents contained within them are records, and, therefore, email should also be addressed in your record retention policy.

In closing, as your business grows it becomes increasingly important to have a good record retention program in place. Not only will it ensure your compliance with the recordkeeping rules and regulations relevant to your business, but it will also make your day to day operations that much more efficient. While these programs do take time to develop, in the end you’ll find the benefits worth it. Learn from Mossack Fonseca's mistake.

Bob Zeglarski can be reached at 615-933-3545 or bobz@cutwaterlaw.com. Cutwater Law provides legal services to the creative industries. Clients include small and medium-sized businesses, and entrepreneurs in tech, television, film, music, publishing, and digital media.

Status Update: Crowdfunding

In 2012, in an effort to revive the job market, President Obama signed into law a bill known as the “JOBS Act” (Jumpstart Our Business Startups). He called it a “potential game changer” for entrepreneurs seeking financing to start or expand a business. Most notably, it allowed entrepreneurs to solicit investment online and allowed the average investor (not just the wealthy “accredited investor”) to make an investment, a concept known as “crowdfunding.” On the federal level, the Securities and Exchange Commission (“SEC”) was slow in drafting the necessary rule amendments that would allow crowdfunding to occur across state lines (interstate crowdfunding). But state agencies and lawmakers were eager to open up capital for their local businesses. They began passing crowdfunding laws and regulations which let local businesses raise money from local residents on an intrastate basis, some taking action even before the JOBS Act was signed into law.

Kansas and Georgia were the first states to move forward with intrastate crowdfunding regulations, with their “Invest Kansas Exemption” and “Invest Georgia Exemption,” respectively, both adopted in 2011. They did this by writing their new crowdfunding exemptions so that they worked within the parameters of an existing federal intrastate exemption. Although state crowdfunding exemptions cannot supersede the actions of the SEC, there is a longstanding federal exemption from registration for intrastate offerings under Section 3(a)(11) of the Securities Act of 1933, as amended, and SEC Rule 147, which is a “safe harbor” means of compliance with Section 3(a)(11).

Other states followed suit. In fact, by the end of 2015, only a handful of states had yet to propose or enact regulation. Tennessee’s crowdfunding exemption, Invest Tennessee Exemption, or “ITE,” went into effect on January 1, 2015 while specific rules relating to ITE took effect December 16, 2015. I was so pleased with Tennessee's leadership in crowdfunding that I wrote a letter of support for the proposed regulations. While the rules create an opportunity for issuers to raise equity capital, there are unique anti-fraud risks. 

State rules, regulations and/or exemptions are not without limitations, however, and there has been much written about whether they will have the desired effect. There are restrictions on the offerings that can be conducted intrastate. Most obviously, issuers can only raise money from investors in their own state. But other restrictions, which vary state to state, can also be burdensome. These include: limits on funds to be raised, limits on the amounts an investor can invest, limits on those that can be issuers, limits on transferability, increased disclosure and reporting requirements, required use of broker-dealers or crowdfunding portals, required use of internet site operators, and required use of escrow agents. In addition, in order to qualify under the state rules, regulations and/or exemptions, the offering must fall under the federal exemption from registration under Section 3(a)(11) and SEC Rule 147.

]

In October 2015, the SEC finally issued 568 pages of final rules to implement the JOBS Act, which become effective May 16, 2016. These are the parameters of the crowdfunding rules:

• Issuers can raise a maximum of $1 million in a 12-month period
• Investors whose income or net worth are less than $100,000 are limited to $2,000 or 5% of their income, whichever is greater, in aggregate crowdfunding investments over a 12-month period
• Investors whose income or net worth is greater than $100,000 may invest up to 10% of their income or net worth, not to exceed $100,000 in a 12-month period
• All crowdfunding transactions must take place on an SEC-registered intermediary (either a broker-dealer or a crowdfunding portal)
• Intermediaries must take measures to educate investors and mitigate fraud
• Issuers must provide basic financial information (the proposed rules require audited financials for offerings greater than $500,000)