Why every organization needs a record destruction policy

A disciplined record destruction policy can save your firm from embarrassment, penalties and even litigation.

October 4, 2018
Holding on to copies of your grown daughter's sixth-grade homework is adorable. Doing the same with your client's 12-year-old financial statements could get you in big trouble.

When it comes to record keeping, more is not necessarily better. A disciplined record destruction policy can save your firm from embarrassment, penalties and even litigation. The process starts with knowing what you're required to keep and for how long. For information that isn't covered by regulation, you need to ask what benefit there is to keeping it.

This issue recently made headlines when the Australian government inadvertently released years of secret government documents by leaving them in locked file cabinets that were sold to a second-hand furniture store, as reported by ABC News. The files spanned more than 10 years and included embarrassing details about administrative missteps, national defense strategies and cover-ups.

A record destruction policy is more important than ever in a world of bottomless storage. Because it's cheaper to keep electronic records than to throw them away, organizations have an incentive to simply archive everything. But keeping records longer than law, regulation or business value requires can open the door to problems down the road.

Malicious or negligent insiders are responsible for over 75% of data breaches.

Where to begin?

Consider this hypothetical case: A financial advisory firm's former client is being sued for falsifying financial records going back 10 years. The accused disposed of the documents long ago but during the discovery phase, the plaintiff's lawyers find that the financial advisory firm still has copies. The firm may now become party to a lawsuit, simply because it didn't throw away documents it no longer needed.

A sensible storage and shred program starts with understanding what documents a company is required to keep for regulatory or internal record-keeping purposes. Regulations differ by industry and governing body. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires medical practitioners to keep patient records for at least six years, while the Internal Revenue Service requires tax preparers to keep client returns for a minimum of three years. There are exceptions to all of these rules, so consult your legal counsel before setting your own limits.

Information must be properly managed throughout its useful life. Documents should be tagged based on the desired retention period. If they need to be retained indefinitely, they should be assigned and archived in a secure facility or scanned and destroyed. Documents should be tagged for rapid retrieval, since auditors tend to be impatient.

Archiving and storing documents yourself is both costly and risky. Few companies have the necessary skills in-house. Paper records stored in a filing cabinet take up space and aren't protected against deterioration, fire and water damage. They're also susceptible to compromise by malicious or careless insiders, who are responsible for the majority of data breaches according to the Ponemon Institute. When you factor in the labor, space and maintenance costs, storing paper records in a secure offsite facility is often cheaper than keeping them in your own facility.

A proper strategy

Destruction of sensitive documents requires specialized expertise. Simply running them through an office shredder doesn't guarantee complete destruction and extracts a penalty in time and disposal costs. A professional document destruction firm has both the facilities and the economies of scale to ensure complete destruction at a low cost per document.

For electronic records, the destruction process is even more complex. Deleting files from a disk doesn't actually remove them; it simply erases the pointers the computer uses to find them. Complete erasure requires several passes with data deletion software or physical destruction of the storage device. When records are stored on CDs or DVDs, physical destruction is the only practical way to delete them. A professional records and information management firm employs the best technology to do this, including machinery that reduces hard disks to powder.

Regardless of whether documents are on paper or disk, the disposal process should conclude with a certificate of destruction. This document is valuable protection in a discovery scenario because it verifies that documents are no longer in your possession.

Like it or not, paper records are with us for the long term. Having a secure, verifiable and environmentally friendly storage and shred process in place saves time, money and embarrassment. Just ask the Australian government.
