August 14, 2008

How to Modify a Form Data Retention Policy for Your Company's Use

By Cary J. Calderone, Esquire

Do you have a Records Retention Policy (“RRP”) form we can work from? Without question, this is the most frequent favor request from friends and associates and occasionally, even from relative strangers. So this article explains five steps to follow to take some other company’s form and make it your own without having to use an attorney, like myself, or a reputable document and management or eDiscovery consulting firm to assist you in the process.

1) Start by finding a form that might be a relatively good fit.
While RRPs all generally look similar and contain descriptions of computer content and timelines for retention, the ideal situation would be to have a form from someone in your industry that is about your size, with offices and products that cover the same legal jurisdictions. Also, they should have about the same technology as your company. Some may consider looking at forms used by a competitor.

2) If it is well written and thorough then you will need to make sure your other company documents that may overlap with or refer to information in this form, conform to it. Check your employee manuals, your technology, Email, Instant Messaging, PDA and cell phone policies to make sure they are consistent with the language of your new RRP. If not, you may need to acquire copies of those documents from the same source as the RRP. Also, be sure to replace the custodian names from the source document with the people from your company, who are likely to be called as witnesses and placed under oath to verify that the retention procedures are regularly followed. Be forewarned, some of your co-workers may feel uncomfortable with accepting this new responsibility.

3) Upper management needs to sign off on your new documents. The CEO, CFO, General Counsel and other high-ranking executives will be the ones who may face criminal penalties if the new policies do not pass muster in a court or audit proceeding-so get their signatures. Caution-they may not really want to know all the details of the source of the new RRP.

4) Now that you have your policy paperwork in order you need to make sure all the employees will understand and follow it. This may involve re-arranging your company’s current data file structure on the network and any current retention and records review habits, but it is a necessary step. It would also be preferable if you have the same archiving and backup procedures to match your form.

5) Warning Warning Warning. Now that you have saved money by modifying someone else’s forms all you need to do to complete the procedure is protect against the following missteps: a) Your company’s software applications must work the way the source company’s do. So if your applications are less capable you will need to purchase upgrades, or if you have better software, you may need to disable some of the features to comply with your new RRP. b) Check that your electronic storage also matches in capacity and security features, otherwise, follow the same routine as for software and upgrade or disable accordingly. c) Make sure your business group leaders understand that any growth plans or upgrades may need to be delayed unless they match those of your source company. d) Always a good idea to check your source company to find out if the form you have borrowed was successfully tested in court and did not lead to sanctions of a few million dollars. e) If it was tested in court than verify that the source company is the source company and used best practices to develop their Policy. Otherwise, it may have been copied and adopted from a dubious source and not be all that great a starter form. f) Lastly, make sure you do a very good job with search and replace for the source company and your company’s name because there is a good chance that this policy form contains confidential and privileged and/or trade secret information that may make it a crime for your company to have it in its possession. This would be especially bothersome if the form did come from one of your competitors.

In conclusion, my writing approach for this post was in honor of the late professor Dr. Randy Pausch who’s YouTube video, The Last Lecture, made him a celebrity. In following with his style of teaching, did you catch the head-fake? This was not really a way for you to work off somebody else’s form but rather a list of real-world reasons why you should not even attempt it. Records Retention Policies and Legal Hold Policies are like fire escapes and exit procedures for emergency evacuations. They really need to meet the needs of your particular building, layout and people. This is simply not an area where cookie-cutter form documents will do the job very well, if at all.


Ben Wright said...

Cary: Knowing e-discovery is inevitable, I argue an enterprise can use technology proactively to make its e-records more benign. What do you think? --Ben

About Cary said...

Interesting comment and it is my preference to work with companies proactively, as opposed to reactively. There are those very prudent companies where e-discovery might not be "inevitable", perhaps because they are more cautious in their business and pro-active in their approach to ESI. Using technology "proactively" and, this is important, in a meaningful way and not just with window-dressing altruistic sounding broad policy statements, certainly may help to make e-records more benign if not downright helpful to a company facing e-discovery.