Tax files, employee records, emails: they’re all a part of the day-to-day operations of running a business. Some of you might want to hang on to them for later reference, and some of you might feel like casually tossing them aside once you’re done with them. Despite these gut instincts, businesses need to remain aware of the fragile balance between retaining files for too long and for not long enough.
Document retention is a double-edged sword. When businesses comply with record retention regulations and laws and regularly maintain a policy to destroy documents once their required retention period has passed, document retention serves as insurance: steep fines can be sidestepped, and unnecessary documents aren’t putting the company at risk.
To give an idea of just how potent the implications of failing to follow record retention guidelines are, here are a few examples of the lessons past organizations have learned the hard way:
Not Retaining Records Long Enough
Real estate is a valuable commodity in offices, leaving businesses both large and small frequently disposing of or shredding documents just for the sake of saving space and avoiding clutter. While this may be all well and good for businesses wanting to squeeze another revenue-driving employee into the new space they’ve cleared out, organizations can’t lose sight of the safety net record retention creates.
The potent implications of failing to properly retain information frequently come back to bite businesses in the event of legal or civil claims. If ever pushed to provide whatever evidence is needed to prove that the organization toes all legal lines, businesses can fall back on records they’ve properly retained, if they’re still preserved, that is.
If, on the other hand, the necessary documents are destroyed before their required retention period ends, steep financial penalties can be imposed. Just ask banking giant Morgan Stanley, which in early 2017 received a $13 million fine from the SEC when it was discovered during a surprise audit that Morgan Stanley failed to preserve and maintain client contracts.
Retaining Records Too Long
On the flip side of failing to retain records for long enough and leaving the business at risk for legal penalties, some companies go for the alternative strategy of keeping and archiving anything and everything “just in case.”
Like early disposal of records, however, keeping documents and files beyond their retention period can be equally damaging to companies, in terms of both direct and indirect costs, such as:
- Failure to protect personally identifiable information (PII) or personal health information (PHI). Penalties can range from basic violation fines to significantly higher penalties for willful violation.
- Breach notification laws are established in many states, requiring companies to notify all individuals affected.
- PR damage and loss of customer trust/loyalty, leading to lost business to competitor companies.
- Post-breach recovery needs, including reinforcing security, investigating causes, and recovering lost information.
As Edward McNicholas, a partner at the Washington-based law firm Sidley Austin, pointed out, “If you retain too long, it’s very expensive, you expose yourself to litigation risks, and you might be violating privacy rights.”
Compounding this, the growing number and cost of data breaches are another factor to keep in mind. Given the new and constantly shifting strategies for data theft, the more information businesses retain, the more security gaps there are to fill to protect that information from being potentially stolen, lost, and abused.
Scandalous recent breaches at Yahoo, Target, and Home Depot, to name a few, are a poignant reminder of the financial impact breaches can have. From the direct costs of fines and legal penalties to the indirect costs of a damaged public reputation, failing to properly retain and regularly dispose of records can lead to serious and potentially crippling damage to a company.
How to Ensure You are Retaining Records Appropriately
Different types of information and businesses are subject to different retention policies in accordance with applicable laws. For example, retention policies for large, publicly traded companies are governed by the SEC and its regulations such as the Sarbanes-Oxley Act.
Likewise, health clinics, medical practices, and hospitals must adhere to HHS rules, which also come with HIPAA-mandated retention periods for PHI. Stretching from OSHA to the EEOC, retention policies range widely for different types of information.
Retention laws and regulations frequently change and are regularly updated, as are the accompanying fines for noncompliance, making it crucial that companies take the time to develop, maintain, and periodically audit their retention policies if they want to stay one step ahead of lawsuits and keep moving in a positive direction.
For reference on document retention periods and laws pertaining to your business or industry, find more information at:
- How Long Should I Keep Records?
- FDIC Law, Regulations, Related Acts
- The Record Retention Guide
- Retention Schedule
Ryan McHugh is the digital content specialist at Shred Nations—a lead-generation company working in a range of industries including document destruction, scanning, and record storage and management systems. Companies and organizations he has previously written for include Sales Star Networks as well as German-based DAA Deutsche Auftragsagentur GmbH. Visit Ryan on LinkedIn to peruse his previous work.