Not long ago, the topics of data retention and records management elicited yawns from senior executives. After all, the storing of old documents and E-mails hardly seemed like a strategic imperative. But if those executives are yawning now, it’s not from boredom but from being up all night worrying.
Data retention is yet another new priority created as a result of corporate accounting scandals and Sarbanes-Oxley. What had once been the domain of file clerks has suddenly become an agenda item for CEOs and corporate boards concerned about the consequences of failing to keep certain records for specified periods of time.
“Records-keeping was something many people didn’t give a lot of thought to,” says Ronald Folwell, CFO at DiMare Homestead, an agricultural company in Homestead, Florida. “Now we’re thinking about the kinds of data we have, where we keep it, and how we keep it.”
Senior financial executives, in particular, need to help drive efforts to better manage data and lend support to IT projects that achieve that goal. “At the end of the day, the CFO is the gatekeeper who has to make sure we keep good records and document the things we do and the business decisions we make,” says Marc Teal, CFO at Boston Capital, a real-estate financing and investment company.
Sarbanes-Oxley has made gatekeeping more hazardous, threatening heavy fines and prison sentences for those who alter, destroy, or falsify financial records or data that might be needed for proceedings such as government investigations and trials. Sarbanes-Oxley specifies how long certain data must be kept, but raises enough questions in other areas to create a field day for lawyers and consultants.
There are other data-retention regulations and laws, although they don’t all specify the length of time particular records must be kept. The Internal Revenue Service requires companies to retain accounting records and other financial data to support tax filings. The Uniform Electronic Transactions Act, approved by the National Conference of Commissioners on Uniform State Laws and passed by a majority of states, has data-retention requirements. The Occupational Safety and Health Administration has rules for retaining data about employees.
Retention requirements vary by industry. Financial firms must comply with Securities and Exchange Commission rules on data retention, including rules on how long to keep particular types of E-mail messages. The Food and Drug Administration (FDA) regulates the retention and security of electronic records in the pharmaceuticals and biotechnology industries. The Environmental Protection Agency has rules for managing environmental records and reports, whether paper or electronic. And health-care companies must take into account the Health Insurance Portability and Accountability Act when dealing with records retention. HIPAA focuses mainly on security and privacy but also involves data retention of patient records. Some data — such as customer-profiling information and sales trends — is of historical or business value and should be kept even if there’s no legal requirement to do so.
It may be tempting to keep everything, but companies should avoid the potentially costly problem of information overload. Many documents don’t need to be kept for more than two or three days, or for as long as they’re needed for business. This includes, for example, information used for background research, memos about company social events, and E-mails about trivial matters that don’t pertain to business.