All professionals must maintain and follow a clearly documented record retention policy. These policies are more stringent and regulated for some professions. Each of the 50 states maintains regulations governing work-paper ownership and record retention for accountants, for example. Attorneys, too, may be guided by fairly specific record retention policies pursuant to the applicable Rules of Professional Conduct governing lawyers state-by-state. Despite these regulations, all classes of professionals routinely face legal woes as a result of poor record retention compliance. This risk intensifies as a result of cyber risk and associated liability from electronically stored information.
Record retention policies, if not technically required, are nonetheless necessary for all professionals to (a) save money; (b) provide better service to clients; and (c) manage risk. According to a Price Waterhouse Coopers estimate, the average organization loses 1 of every 20 documents, resulting in approximately $120 spent to locate each document and 25 employee-hours to recreate the document. Moreover, clients expect that the documents they provide to their professionals will be safeguarded appropriately, easily located and timely destroyed/returned if applicable.
Principles of risk avoidance also mandate that you maintain a clear document retention policy, particularly with respect to electronically stored materials. The number of reported incidents of identity theft and data breaches continues to grow in the US as more materials are available to hackers and other thieves electronically. According to the 2012 Data Breach Investigation Report, the number of compromised records rose to 174 million in 2011, with 855 reported incidents. These incidents may result in liability for the custodian of the materials and mounting costs. Moreover, the custodian of records may face sanctions if protected information, confidential materials and other sensitive documents fall into the wrong hands.
Although document retention policies must be tailored to the specific professional, and the specific class of client, the following principles should be applied:
1. Identify your records and the definition of “document”;
2. Consider your organizational culture;
3. Develop a retention schedule;
4. Distribute and assign responsibilities;
5. Evaluate any applicable regulations governing the profession;
6. Maintain cyber and E&O insurance; and
7. Consult with counsel.