Wednesday, April 20, 2016

Panama Papers Hack Demonstrates Value of Record Retention Policies



More than 11 million confidential documents spanning nearly 40 years were recently hacked from Panamanian law firm Mossack Fonseca. The cache of documents, known as the Panama Papers, contain client information that never should have been accessible to hackers.  Clearly, a well thought out record retention policy could have mitigated Mossack Fonseca's liability.  As a business owner or executive, you should learn from Mossack Fonseca's mistake and ensure that your organization has a comprehensive record retention policy.

One of the fundamental policies any business should have is an effective, functioning, and compliant record retention policy. A good record retention policy will outline all legal and compliance recordkeeping requirements applicable to your business, provide your employees direct guidance to ensure that records are kept as long as legally required, require periodic document purging in a systematic and controlled way, and ensure that employees adhere to company stated recordkeeping requirements.

While it may seem daunting, there are many benefits to having a good record retention policy:

  • It ensures that records are kept for the proper period of time and that regulatory recordkeeping requirements are being followed.
  • It demonstrates compliance with recordkeeping statues and laws to regulators.
  • It improves the ability to locate and retrieve records.
  • It identifies the roles and responsibilities of staff.
  • It mitigates costs by controlling the growth of records and reducing the amount of duplicate records.
  • It reduces litigation risks, and provides the “green light” to purge certain documents.
  • It establishes transparency and good faith.

The risks of not having a good record retention policy are obvious, especially as a business grows. The Panama Papers are only one example of the value of such a policy. We’ve all spent time looking for a document we just can’t seem to find. But what happens when the subject matter of the document is under legal investigation or is being requested by a regulator like the Securities and Exchange Commission? Failing to keep a good record retention policy in place exposes a company to unnecessary risk. Adopting a written record retention policy ensures that your staff follows consistent guidance about document destruction and that document purging becomes a regular business practice.

There are several components to developing a good record retention policy. The first is knowing the rules and regulations that apply to your business. Not every piece of paper needs to be retained. Unfortunately, however, there is no single regulation for document retention that covers every business scenario. You’ll need to spend some time digging into the rules and regulations applicable to your business, or engage the help of a professional that already understands these rules and regulations.

Second, you’ll need to convey recordkeeping time frames to your staff in a clear and concise way. Rules and regulations can be confusing, and often documents are categorized into broad categories. Marry the applicable rules to the documents your staff uses on a daily basis so they understand exactly when each document can be purged, eliminating any guesswork and inconsistency. Some firms provide their employees a list of documents with destruction dates attached. Other firms use software that will automatically purge documents upon their expiration which is based on a standard classification code.

Third, develop a purge schedule and apply it in a systematic manner. Perhaps you’ll implement an annual “spring cleaning” event, whereby all of your staff reviews their files and purges accordingly. Or you might do this quarterly or monthly. A good record retention program should be part of your corporate culture and infrastructure. Both the implementation and deployment of a purge schedule are key elements in establishing "good faith" effort and ensuring a sound records management program. Always remind employees that certain events, such as litigation or regulatory investigation, may cause the record retention program to be immediately suspended. Have a way to communicate these events quickly to your staff.

Fourth, pay proper attention to confidential information, personally identifiable information, trade secrets and/or sensitive information. Documents that are sensitive should be handled carefully. Don’t allow your staff to throw these in the trash or recycle bin. Be sure that you have a shredder on the premises. Companies like ShredIt and Iron Mountain often can be hired to shred documents on a routine basis.

Fifth, don’t forget about email. While it may not be obvious, emails and the documents contained within them are records, and, therefore, email should also be addressed in your record retention policy.

In closing, as your business grows it becomes increasingly important to have a good record retention program in place. Not only will it ensure your compliance with the recordkeeping rules and regulations relevant to your business, but it will also make your day to day operations that much more efficient. While these programs do take time to develop, in the end you’ll find the benefits worth it. Learn from Mossack Fonseca's mistake.

Bob Zeglarski can be reached at 615-933-3545 or bobz@cutwaterlaw.com. Cutwater Law provides legal services to the creative industries. Clients include small and medium-sized businesses, and entrepreneurs in tech, television, film, music, publishing, and digital media.

No comments:

Post a Comment