Your Go-To Guide to Federal Record Retention Requirements

Federal Record Retention Must-Knows

A comprehensive approach to information governance includes the retention and timely disposition of federal records. The retention of these data is prescribed by federal agencies. Many records are to be retained for a specific length of time (often based on the "RY" or "RFY" date per GRS 5.401); after that holding period, that data may be destroyed in a manner that ensures it cannot be reconstructed (e.g., overwriting or degaussing). Bear in mind that records do not just consist of paper documents; they can also include information in electronic form, such as emails, spreadsheets, and databases.
However, holding such information longer than required both contravenes the relevant federal agency's policies and weakens an organization's data and network security posture. Too often, file servers become repositories of unclassified, easily accessible, and oftentimes sensitive information that puts an organization at risk. For example, if an organization is breached, attackers are likely to take the time to copy all of the data on the system; if this information includes federal data, it could result in a violation that costs an organization tens of thousands of dollars in fines and remediation. By the same token, an organization cannot afford to make a mistake by releasing classified data, which can often be more difficult to remediate if lost than unclassified information. Any agency that experiences such a breach could well be put in a position where it must notify Congress as well as the Department of Justice Office of Inspector General, the FBI, and others.
For an example of what a breach of classified information can look like, refer to the personal email accounts that were set up and maintained by former Secretary of State Clinton while she served in that capacity between January 21, 2009, and February 1, 2013. The political sensitivities and ensuing debate surrounding that event make good fodder for dinner conversation, but the bottom line is that classified information was at risk because it was stored in unclassified systems.
At this point, we have established a reasonable case for maintaining information per the requirements, but how is this accomplished? The National Archives and Records Administration (NARA) promulgates retention policies through the General Records Schedule (GRS). (Note that NARA also maintains individual agency disposition schedules, which are an alternative to the GRS.)
The GRS is a schedule of records common to multiple federal agencies, such as records concerning accounting, acquisition, audit, customer service, human resources, travel, and many other functional areas. As agencies develop or update their records retention schedules, NARA approves or disapproves them. It is important to ensure that you keep track of these published schedules, as they are subject to change and govern the disposition of the associated information.

Essential Federal Record Retention Requirements

Many federal regulations require that certain records be maintained for several years or longer. While a full summary of the federal requirements is beyond the scope of this guide, it is informative to discuss some major federal record retention requirements. For example, health care organizations must comply with the HIPAA record retention requirements or they risk facing fines ranging from $100 to $50,000 for violations of HIPAA’s privacy and security rules. Generally, the HIPAA privacy rule requires covered entities to retain all medical records for six years and business associates to retain records for six years from the date of creation or the date when the information was last in effect (whichever is later).
The Sarbanes-Oxley Act of 2002 (SOX) requires businesses to maintain records related to their financial statements and business activities. Information retained by businesses includes business transactions, internal and external communications, and other records; typically these documents are retained for five to seven years. Publicly traded companies also have additional document retention responsibilities with respect to their governance records, including records relating to the financial transactions of their leadership. The Financial Industry Regulatory Authority (FINRA) regulations require that records be retained for a minimum of three years.
The Occupational Safety and Health Administration (OSHA) similarly requires that records be retained by employers. Typically, employers must retain records for a minimum of two years, but some records must be retained for longer (e.g., monitoring records must be retained for at least 30 years). Violations of OSHA rules can result in fines of up to $10,000 per violation.

How to Create a Record Retention Chart

Just as you would maintain a comprehensive policy and procedure for any other task within your organization, the same is true for record retention. That said, a policy and procedure are no good unless they are actually followed.
Creating a record retention policy, chart or procedure involves the following steps:
a) Compile a list of all relevant regulations.
b) Group records by category (e.g., financial, employment, contracts, etc.).
c) Determine if there is a federal record retention requirement that applies to the record.
d) Determine what the retention requirement is for the record (e.g., keep for five years).
e) Create a policy consistent with the aforementioned requirements.
f) Create a chart setting forth all regulations, categories and requirements.
While it is not a short or easy process, once complete, it will be invaluable to your business. Proper record retention protects you from claims, which are always a concern, as noted in recent announcements made by the EEOC and other federal regulatory agencies.

Record Retention Compliance Problems

The challenges in complying with record retention rules go beyond the confusion inherent in the different agencies promulgating the various rules. Many businesses have large amounts of paper records, and the physical storage of these records can be costly. Insurance agents are known to retain records for the life of their clients and then some.
As companies move to electronic systems, keeping up with the flow of information and the need to archive this information can pose a challenge for providers of technical support services. Purchasers of electronic data storage systems must continue to keep abreast of the changes in technology to maintain effective storage systems. As companies move to primarily electronic methodologies, it is important that they not only stay abreast of the rules governing the electronic retention of records but also the policies of the storing vendors they choose.
One area in which this has become an issue of late is email archives. Email records are potentially record retention compliance nightmares. In-house good-faith emails, such as emails from sales employees to customers with advice on employee benefits, would likely need to be preserved with the customer's file for compliance purposes. It is important to have an effective system in place to preserve these emails in a searchable manner. Providers of email archiving services promote their services by noting the ability to retrieve emails from their archive, but if the archived email is custodian-named, this ability may be lost.
With the increasing use of mobile devices, this issue has become even more critical to companies. For instance, if you routinely send the logon credentials for your electronic record management system from your mobile device, the mobile device's storage policy must be considered in the context of your overall record retention policy. You cannot assume that a mobile device's storage policies will be the same as your computer's.
Attorneys may also miss the mark when it comes to advising their clients on proper record retention. Attorneys often forget to discuss the possibility of having too many documents archived rather than creating an archive policy. Each time a new law passes, IT staff are busy implementing the changes in electronic record retention for record-keeping systems. As time goes on, new laws come down, amendments to existing laws are made, and laws expire. Having a reasonable amount of storage available for compliance records is better than assuming the amount of storage readily available in the software system will always remain the same or be updated automatically.
Situations involving large amounts of records such as emails, whether inbound or outbound, should be addressed immediately with IT to ensure the cleanup of these archived emails does not violate any record retention requirement. If a record retention schedule is not in place, consider whether there are any unique records requirements for the specific business based on the type of business, or based on the types of information the company must provide to its regulators.
Not all regulatory attorneys' fees are paid for by the regulators, and keeping proper records of your budget is important not only to the regulators but to the company as a whole. Record retention compliance for budgets, financial accounting, and attorney billings is critical for business continuity, litigation hold requirements, and meeting regulatory requirements. Adding these areas to an enterprise system, or ensuring the existing system has the capability, is a key part of maintaining an effective records retention program.

Record Retention Best Practices

The best practices for record retention are not as simple as just assuming your organization is complying with federal requirements, or even that you know how long to retain each type of record based on your history with the requirement to do so. Improvements in technology have made it easier for organizations to put in place processes for record retention that have a broad data gathering and storage capability. There are several things that an organization can do to be better prepared for compliance with record retention requirements.
First, for those organizations subject to federal contract regulation, a periodic internal audit is useful to determine how well your current process is meeting federal contract requirements. If the result of that audit is the conclusion that the policy will work well for a reasonable period of time, then as a second step, consider using an automated audit program to schedule periodic reminders for a data collection system to begin maintaining the information that the audit concluded was relevant. If, on the other hand, your audit results show that your organization cannot maintain the data, or has a better way to gather, retain or store the data than the current policy, revise your policy to implement a more effective method.
Second, before you implement the new or revised program, provide training for your staff. Training may be all that you need to increase your effectiveness. In this case, you will conclude that your current process meets federal requirements and can be retained, although ongoing training will probably be necessary to keep your process current. On the other hand, depending upon your audit results, you may decide that a new automated policy is the best route to compliance. In that case, you have an additional trigger to schedule your office for a brief, disruptive but ultimately beneficial round of staff training.

The Risk of Non-Compliance

The impact of failing to retain records in accordance with federal record retention requirements varies from one regulation to the next. In some cases, non-compliance with federal record retention requirements can result in fines and other legal consequences. Other regulations, such as the records retention requirements of many environmental laws, can result in civil and criminal liability for individuals and companies, and district courts have the authority to impose corporate probation to ensure compliance by a convicted corporation. In addition to these regulatory fines and legal consequences, organizations will often suffer adverse publicity and damage to their professional reputation as a result of the non-compliance.

Record Retention Through Technology

A multitude of software programs exist to help organizations manage records from their inception to destruction or transfer. Such software may be particularly useful to organizations in keeping track of records at an enterprise level. Many such programs are designed for integration with Microsoft Outlook, which can be an increasingly useful feature for organizations that are already using Outlook as part of their records management strategy.
Other programs are designed for integration with Microsoft SharePoint and Microsoft Office. These integrated platforms typically offer additional benefits, such as the ability to link files and projects across an organization, manage review dates, and create automated alerts and reminders for stakeholders.
Cloud-based storage solutions are also a popular technological option for organizations. These systems are typically relatively inexpensive, and provide a good amount of space for the cost.
Whether an organization uses cloud-based storage or more traditional on-premises methods, most will benefit by developing a strategy for implementation and organization of records.