Going Global:
Mapping an International Records Retention Strategy

The cost of defending a lawsuit can increase dramatically due to the existence of old records – that is, records that could have been properly destroyed under a formal records retention program. An organization’s goal should be to retain only those records needed to conduct business, to comply with the law, both in the United States and internationally, and to reasonably preserve archival documentation.

Thomas M. Jones, J.D.; Matthew D. Taylor, J.D.;
David O. Stephens, CRM; and Roderick C. Wallace, CRM

Good business practice is to systematically destroy other records under a records retention policy based on retention periods that can be demonstrated to be reasonable under the circumstances.

This synopsis of best practices with respect to records retention periods includes a basic overview of laws and regulations that an organization might face in both the United States and internationally. It begins with preliminary considerations for establishing records retention policy, then focuses on U.S. statutes and regulations governing various types of records. It concludes by summarizing international document retention.

The retention guidance discussed within this article consists of general principles and cannot be taken to constitute legal advice. Organizations are obliged to arrive at their own judgments concerning the retention of any and all records they own, based on a careful assessment of laws and regulations, business requirements, and other factors.

Formulating a Records Retention Policy

In the United States, general guidance for retention policy development can be found in two main sources, The Sedona Guidelines: Best Practices & Commentary for Managing Information & Records in the Electronic Age and U.S. statutes of limitation.

The Sedona Guidelines

The five best practices identified in The Sedona Guidelines were developed by The Sedona Conference, a nonprofit institute that brings together leading jurists, lawyers, experts, academics, and others to advance law and policy in the areas of antitrust, complex litigation, and intellectual property rights. These best practices can serve as a foundation for any organization’s records retention policy:

1. An organization should have reasonable policies and procedures for managing its information and records.
2. An organization’s information and records management policies and procedures should be realistic, practical, and tailored to the circumstances of the organization.
3. An organization need not retain all electronic information ever generated or received.
4. An organization adopting an information and records management policy should also develop procedures that address the creation, identification, retention, retrieval, and ultimate disposition or destruction of information and records.
5. An organization’s policies and procedures must mandate the suspension of ordinary destruction practices and procedures as necessary to comply with the preservation obligations related to actual and reasonably anticipated litigation, government investigation, or audit.

Statutes of Limitation

One important consideration for an organization seeking to formulate a retention policy is whether a particular statute of limitation will be relevant to the records it retains. Although statutes of limitation do not directly impose retention requirements, they are important because they specify the length of time a party has to file a claim. Thus, statutes of limitation tend to provide guidance regarding how long records may be of legal significance. Where applicable, the length of time specified by a statute of limitation constitutes a minimum for retention of records likely to be used in an action. Statutes of limitation may apply to:

Contracts. Where an organization’s business is such that it can expect possible lawsuits that will involve breach of contract, the organization must consider the statutes of limitation for contract actions when formulating a retention policy. The period of time during which a breach of contract claim may be brought varies depending on the type of contract and the jurisdiction, and it can range anywhere from three to 20 years. The typical U.S. statute of limitation for claims on most written contracts is six years.

Torts. Many organizations face significant exposure from tort claims arising out of their business. As with contract claims, the period of time during which a tort claim may be brought varies depending on the tort and the jurisdiction, and it can range from one to 10 years. Although the typical U.S. statute of limitation for a negligence claim is three years, most jurisdictions permit application of the “discovery rule” in tort claims. That rule provides that the statute of limitation does not begin to run until the claimant knew or should have known about his or her injury.

Statutory Claims. Where a cause of action is authorized by law, a statute of limitation is frequently built into the law. For example, this is the case in claims involving copyright actions in the United States. See, for example, 17 U.S.C. § 507(b).

U.S. Statutes,Regulations, and Guidelines Governing Specific Types of Records. An organization seeking to formulate a retention policy should evaluate the nature of the records it must preserve. U.S. statutes and regulations provide for differing treatment, depending on the type of record and the industry in which the organization operates. The following records are common to many organizations.

Transitory Records

For records of transitory value, organizations often apply retention periods briefer than three years, and in the case of duplicates, drafts, and working papers, retention periods of one year are often assigned. Additionally, retention policies frequently authorize disposal of such records immediately when they have been superseded by newer versions.

E-Mail

Frequently, when a so-called smoking gun is found among the records of an organization during pre-trial discovery in U.S. courts, it is an e-mail message. This can likely be explained by the ease of creating an e-mail relative to the effort involved in creating a traditional letter. The very act of writing a letter forces the author to be thoughtful, contemplative, and careful in wording and construction. By contrast, most e-mail messages are casual, spontaneous, and conversationally informal. Although these characteristics tend to make e-mail the penultimate goal of discovery, the large majority of e-mails are of very limited retention value.

Accordingly, an effective record retention policy may include daily management of e-mail, coupled with a stringently enforced uniform maximum retention period applied to the entire retained message store. Attributes of an effective e-mail retention policy are:

• E-mail storage within the messaging environment should be restricted for daily communications only; long-term, archival retention of e-mail should occur only in storage repositories dedicated for that purpose.
• Generally speaking, e-mail should not be saved unless there is a legitimate business reason for doing so. Employees should be encouraged to delete e-mail of transitory value daily.
• All messages not deleted during daily cleanup routines should be subject to a uniform maximum retention period, which should occur in a separate repository outside the messaging environment. Common options for this retention period range between three and seven years, depending on the nature of the organization’s business.
• Ten years tends to be the maximum retention period for e-mail. This is because within a 10-year period, it is likely that an organization will change and upgrade its messaging technology, which may render the older legacy messages unreadable.
• This maximum retention period should be effectuated by automatically migrating e-mails from the messaging environment to a dedicated e-mail archival retention repository. Thus, all e-mails (irrespective of content) remaining in employee mailboxes after a specified time period (typically 30, 60, or 90 days) will be automatically archived to the designated repository, where they will remain for the duration of the maximum retention period and after which they will be automatically destroyed unless destruction is suspended due to a litigation hold.
• Any e-mails that are required to be retained in excess of the maximum retention period should be saved in another software system or printed out and filed in a paper-based recordkeeping system.
• Backup of e-mail from the servers should be for business continuity purposes only, not for long-term archival retention. Thus, the backup retention should be equivalent to that applied to themessaging environment itself – frequently 30, 60, or 90 days.

Tax Records

The prevailing practice for retaining U.S. tax records and supporting documents has been to keep such documentation for a minimum of seven years. However, some tax-related records, including financial statements, books of account, and other summary financial records, are often retained for considerably longer than seven years, sometimes permanently.

Industry-Specific Records

Within the United States, regulations governing various industries specify the need to make and retain records. Examples include:

Auditors and Accounting Firms. The Sarbanes-Oxley Act of 2002 contains two mandates regarding records retention periods for accountants and auditors in the United States. First, the act requires that “any accountant who conducts an audit of an issuer of securities … shall maintain all audit or review workpapers for a period of five years from the end of the fiscal period in which the audit or review was concluded.” See 18 U.S.C. § 1520(a)(1).

Second, the act mandates promulgation of a rule requiring that public accounting firms “prepare and maintain for a period of not less than seven years, audit work papers, and other information related to any audit report in sufficient detail to support the conclusions reached in [an audit] report.” See 15 U.S.C. § 7213(a)(2)(A)(i).

Investment Companies and Advisors. U.S. investment companies must maintain and preserve records, defined as “accounts, correspondence, memorandums, tapes, discs, papers, books, and other documents[,]” see 15 U.S.C. § 78c(a) (37), for “such period or periods as the [Securities and Exchange] Commission ... may prescribe as necessary or appropriate[.]” Id., § 80a-30(a). Likewise, investment advisors are required to preserve such records for time periods specified by the SEC. 15 U.S.C. § 80b-4.

The SEC has further specified the nature and types of records to be maintained by investment companies and advisors in 17 C.F.R. § 270.31a-1, and it has set forth specific retention times for various type of records in 17 C.F.R. § 270.31a-2. For most specified documents, the minimum retention period is six years.

Securities Broker-Dealers. Securities broker-dealers may be required to retain records such as blotters, ledgers, and ledger accounts by several different governmental entities, including (1) the SEC, see 15.U.S.C. § 78q(a)(1); 17 C.F.R. §§ 240.17a-3-240.17a-25; (2) the National Association of Securities Dealers, see NASD Conduct Rules 3010-11; and (3) the New York Stock Exchange. Under SEC regulations, retention periods vary depending on the record, but broker-dealers are required to retain many for “not less than six years.” See 17 C.F.R. §§ 240.17a-4(a), (b), and (c).

Healthcare Providers. Federal regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 require healthcare providers to preserve and protect various electronic health care records for at least six years after the date of creation of the record. See C.F.R. 45 § 164.316(b)(2)(i).

Manufacturers. The issue of records retention where litigation is probable is of greatest concern for organizations that manufacture products that are subject to failure in performance or which may be harmful to the environment or to the health of consumers and the general public. For these types of records, retention requirements tend to be longer than the norm of three to seven years and include provisions governing:

• Product Design and Development Records. For many engineered or industrial products, as well as drugs and drug devices manufactured by pharmaceutical firms, organizations generally retain many types of product design and development records for the commercial life of the product plus a period of years thereafter (generally ranging from between five and 15 years). However, product testing and inspection records are typically retained for briefer periods of time, between three to seven years after product testing and inspection are complete.
• Environmental Records. As a general principle, organizations owning environmentally sensitive properties and facilities in the United States are obliged to retain in perpetuity records showing the environmental status of the property, including records documenting the remediation of pollution or other environmental damage.
• Employee Health and Safety Records. The U.S. Occupational Safety and Health Administration regulations provide that, with respect to employees who are exposed to hazardous substances in the workplace or who have suffered long-term health effects from conditions of employment, organizations must retain records of such exposure for a minimum of 30 years. Records documenting exposure to some hazardous substances must be retained even longer – 40 years or duration of employment plus 20 years, whichever is longer. See, e.g., 29 CFR 1910. 1018(q), 1910.1 044(p).

Determining International Retention Requirements

For organizations that transact business outside the United States, formulating a records retention policy poses additional difficulties. Indeed, international organizations must find and understand applicable international laws and regulations, carefully consider those regulations, and harmonize the regulations with U.S. law as part of developing a records retention program.

Moreover, such programs are particularly important given that in U.S. federal courts,both standard documents and electronic information stored abroad are clearly discoverable, and federal courts are empowered to compel production of such documents and information.

Locating international records retention requirements is a difficult and time-consuming task. The goal in conducting such research is to formulate a reasonable policy based on the best sources readily available to an organization.

In-House Resources

Records managers of international organizations should first determine what can be obtained from in-company sources, especially sources located in satellite offices outside the United States. Likewise, in-house counsels are invaluable resources to records managers and should participate in the process of researching applicable laws and regulations, as well as formulating the retention policy.

External Resources

Sources for international laws and regulations regarding records retention include government websites, university websites, non-governmental organization websites, and law libraries at large universities, where a librarian will be available to assist in conducting research. A search for international records retention laws and regulations should encompass areas of law to include:

• Companies acts
• Commercial codes
• Tax codes
• Civil codes
• Labor codes
• Environmental codes
• Securities exchange/bourse rules

Statutes of Limitation/Periods of Prescription

As is the case in the United States, statutes of limitations (called periods of prescription in civil law countries) are a major factor in establishing retention periods throughout the world. Multinational companies have an interest in retaining such records, which may be needed to institute legal proceedings or to defend against unwarranted claims.

Periods of prescription are frequently contained in civil, commercial, labor, and tax codes. Again, those pertaining to general contracts, taxation, product liability, and personal injury are of direct relevance to records retention, and records managers should work with counsel to incorporate them in all relevant retention policies.

Suggested Practice Guidelines

A recommended practice for developing retention policies for global organizations is to ensure that retention schedules comply with applicable laws and regulations and that the retention periods are both reasonable and developed in good faith. The following suggested practice guidelines are designed to achieve these objectives.

Absent other guidance, follow U.S. rules – In cases where a particular type of record is not governed by foreign retention requirements, multinational organizations should simply adhere to their current U.S. retention periods as their global default standard.

Adopt global norms where they exceed U.S. practice – Given that some international records retention guidelines are longer than U.S. guidelines, the best practice is to adopt the longer retention period. For example, the prevailing U.S. practice for retaining certain tax records is seven years, whereas the minimum retention period in Germany is 10 years.

For excessively long single-country requirements, issue “exception” policies – For excessively long retention requirements of a single country, make reasoned decisions as to compliance. For example, Argentina and Puerto Rico require accounting records to be retained until closure of business plus 10 and five years, respectively. In these cases, the best strategy is to issue single-country “exception” retention policies that mandate compliance for the business operations located there.

Weighing All the Factors

An organization seeking to formulate a records retention policy, whether in the United States or internationally, must carefully weigh many considerations, including the nature of the business transacted; the type and importance of records to be preserved; the laws, regulations, and statutes of limitations; and whether litigation is probable.

Thomas M. Jones, J.D., can be contacted at tjones@cozen.com.

Matthew D. Taylor, J.D., can be contacted at mtaylor@cozen.com.

David O. Stephens, CRM, can be contacted at dostephens@zasio.com.

Roderick C. Wallace, CRM, can be contacted at rodclive@cs.com.

From May - June 2008