In Depth

The Seven Deadly Sins of Records Retention

Records retention periods are increasingly governed by regulations. Here are worst (and best) practices for securing data and documents.

By Sarah D. Scalet

Page 6

Once a company learns that it is under discovery or being audited—or learns that it's about to be audited or served with a subpoena—destroying anything could make you look like you're hiding something.

A policy can help you keep records in order so that, if needed, you'll only have to trawl through a reasonable amount of information. At American Savings Bank, where Kenneth Newman reluctantly accepted responsibility for records management, the security group sends out quarterly e-mail reminders about certain records that need to be destroyed. "We issue a reminder that if you have these types of documents in any format"—paper or electronic—"the time has come to arrange for their destruction," says Newman, VP of security for the $371 million Honolulu-based bank.

For instance, if a certain loan file has a seven-year retention requirement, his group would send a notice in the first quarter of 2006 that "any of these loan documents that are older than Q1 1999 can be deleted." He follows up as best he can. For papers stored with an offsite provider, it's easier to track. For electronic records, however, he depends on business units to follow through.

The system can be complicated or simple, automated or centered around users. The important part is establishing a system that you can describe, follow and stand behind. It can make your head hurt, says Herrod, the former SEC CSO. "You want to give up. But at the end of the day, you have to have some sort of written policy around it."
