Developing and Maintaining a Document Retention Policy for the 21st Century
By Andy Allu, Certified Information Security Professional, Shred-it
In our current era of litigation and government oversight (at the State AND Federal levels) it is more important than ever that every financial institution have a consistent and uniform record retention policy that is accessible and easy to understand by all appropriate employees.
Getting a new employee to “sign off” during onboarding isn’t enough anymore, because the rules, and the playing field itself, change almost constantly. Today’s requirements call for continual, regular updating of the knowledge and skills of virtually any employee or contractor who handles a physical or digital company document. One transnational financial conglomerate, for example, now asks all current and new administrative employees and outside contractors to attend a one-hour educational webinar each year and requires certification through an online exam on key topics.
When we consider “our company records,” we often think of our formal paper documents, but in the 21st century, that is an ever-diminishing percentage of a company’s records. Records now may include memos, attached Post-it Notes, reports, contracts, customer data, and personnel information, as well as marketing materials, calendars and appointment books, all on paper. Remember, if it’s attached or included in a folder, it is considered legally disclosable.
In this new millennium, and going forward, we must also consider and make provisions for the absolute security of hard drives, USB storage devices, tapes, audio recordings (from recorded lines), emails, electronic documents, and content from both the company’s internet and intranet sites.
Deciding Where Documents May Be Retained
Official Longer-Term Off-Site Records Retention
A variety of national, regional and local companies provide services that include pickup, storage/retention and then final withdrawal and destruction at a pre-defined interval, usually determined by the cataloging of the storage box by the financial institution.
Local Public Storage Sites
Smaller financial institutions may opt to select a local, secure public storage service to retain or archive smaller amounts of critical files. Once the security of such a service provider is validated, this often presents a more cost-effective solution for financial institutions with a smaller geographic network or a more constrained retention budget. It will, however, require a higher degree of internal attention, because all destruction-date cycles must be maintained solely by the employees of the financial institution. Make sure that a document destruction index is properly set up, indexed by box, and that it is reviewed monthly (or at least quarterly) so boxes that have reached the end of their retention cycle can be promptly retrieved and destroyed.
Internal Storage
Internal storage is generally limited to institutions that have the physical space to house their records on site. The same disciplines as for local public storage sites (above) apply. In addition, the institution should make sure that the area is highly secured, not generally accessible to employees without security clearance, and never accessible in an unescorted manner.
Hard Drive/IT Lockups
- Erasing a hard drive through software may not fully remove confidential digital data from the drive platters themselves. Commercially available recovery tools can reconstruct enough of the file system to make some or all of the confidential data recoverable.
- Remember that units you lease or purchase for connected network printers/scanners/copiers may also contain hard drives; these should be removed and secured before returning a leased unit, or before disposing of or upgrading a company-owned unit.
- Make sure any internal storage of drives is secured in a tamper-proof manner. Drive adapters and docking devices are widely available from suppliers of tools and parts for the computer repair industry, so physical possession of a drive is usually all that is needed to read it.
Establishing and Maintaining an Effective Policy
Here are some basic steps for establishing and maintaining a retention policy.
- Continually review your inventory of records to determine what you have and ensure you are not continuing to invest in storage of documents which can and should be destroyed.
- Be aware of any existing or pending litigations as they may impact your destruction schedule.
- Ensure your categorization of records maps to federal, state and local retention regulations.
- Develop your schedules around the period of time that each class of business record is required to be stored. Retention periods can be driven by operational, legal, fiscal and historical value.
- Continually review your schedule and procedures for destruction. A third-party service provider certified by the National Association for Information Destruction (NAID) can help execute your company plan and provide the appropriate evidence of third party destruction.
- The new millennium has ushered in a new sense of corporate responsibility and corporate citizenship. Look for a service partner that can commit to an “environmental impact” position that reflects the values of your institution and the local community.
- A document retention policy should have the flexibility to adjust the destruction process for information that may be required in unforeseen circumstances such as mergers, acquisitions or regulatory review.
- Make sure your employees are trained and that training is regularly refreshed so they are knowledgeable about the procedures for both digital and paper records. They should know how to locate procedural information if they have questions.
- Develop an internal compliance team to audit procedures in place to ensure that the policy is being followed.
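The box-indexed destruction index described under local public storage, together with the steps above (a retention schedule per record category, a litigation hold that overrides the schedule, and retained evidence of third-party destruction), can be kept as a small reviewable record rather than a spreadsheet that is consulted from memory. The following is an added example, not code from the article or from Shred-it; the record categories, retention periods, box entries and review date are constructed placeholders, and real retention periods come from the institution's own regulatory review.

```python
"""Retention index review with legal-hold check.

Added example, not code from the article or from Shred-it. Box records,
categories and retention periods below are constructed placeholders; real
retention periods come from the institution's own regulatory review.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Illustrative retention periods in years per record category (placeholders).
RETENTION_YEARS: Dict[str, int] = {
    "customer_account": 7,
    "hr_personnel": 5,
    "marketing": 2,
}


@dataclass
class Box:
    box_id: str
    category: str
    closed_on: date                        # date the last record in the box was closed
    legal_hold: bool = False               # set while litigation or a regulatory review applies
    destroyed_on: Optional[date] = None
    certificate_ref: Optional[str] = None  # third-party certificate of destruction, once destroyed


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; a Feb 29 start clamps to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_due_date(box: Box) -> Optional[date]:
    """End of the retention cycle, or None if the category is not in the schedule."""
    years = RETENTION_YEARS.get(box.category)
    return None if years is None else add_years(box.closed_on, years)


def can_destroy(box: Box, on: date) -> Optional[str]:
    """Return None if destruction is permitted on `on`, otherwise the reason it is refused."""
    if box.destroyed_on is not None:
        return "already destroyed"
    if box.legal_hold:
        return "legal hold active"
    due = destruction_due_date(box)
    if due is None:
        return "category not in retention schedule"
    if on < due:
        return f"retention runs until {due.isoformat()}"
    return None


def review_index(boxes: List[Box], today: date) -> Dict[str, List[str]]:
    """Periodic (monthly or quarterly) review: sort every undestroyed box into an action list."""
    report: Dict[str, List[str]] = {"destroy": [], "held": [], "retain": [], "unknown_category": []}
    for box in boxes:
        if box.destroyed_on is not None:
            continue
        reason = can_destroy(box, today)
        if reason is None:
            report["destroy"].append(box.box_id)
        elif reason == "legal hold active":
            report["held"].append(box.box_id)
        elif reason == "category not in retention schedule":
            report["unknown_category"].append(box.box_id)
        else:
            report["retain"].append(box.box_id)
    return report


def record_destruction(box: Box, on: date, certificate_ref: str) -> Box:
    """Mark a box destroyed, keeping the vendor's certificate reference as evidence."""
    reason = can_destroy(box, on)
    if reason is not None:
        raise ValueError(f"{box.box_id}: destruction refused, {reason}")
    box.destroyed_on = on
    box.certificate_ref = certificate_ref
    return box


SAMPLE_REVIEW_DATE = date(2024, 6, 1)  # constructed review date


def build_sample_boxes() -> List[Box]:
    """Constructed sample index entries (not real records)."""
    return [
        Box("B-001", "customer_account", date(2015, 3, 31)),
        Box("B-002", "customer_account", date(2016, 6, 30), legal_hold=True),
        Box("B-003", "hr_personnel", date(2021, 1, 15)),
        Box("B-004", "marketing", date(2023, 2, 28)),
        Box("B-005", "misc", date(2010, 1, 1)),  # category missing from the schedule
        Box("B-006", "marketing", date(2020, 2, 29)),
    ]


if __name__ == "__main__":
    boxes = build_sample_boxes()
    for action, ids in review_index(boxes, SAMPLE_REVIEW_DATE).items():
        print(f"{action:>16}: {', '.join(ids) or '-'}")
```

The review deliberately refuses destruction for any box under legal hold and for any box whose category is missing from the schedule, so a mis-indexed box surfaces as an `unknown_category` item to be corrected rather than being silently retained or destroyed; the certificate reference recorded at destruction is the evidence an auditor or the internal compliance team will ask for.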
For more information, visit www.shredit.com/national-accounts/state-bankers-association-program.