By Andy Allu, Certified Information Security Professional, Shred-it
In our current era of litigation and government oversight (at the State AND Federal levels), it is more important than ever that every financial institution have a consistent and uniform record retention policy that is accessible to, and easily understood by, all appropriate employees.
Getting a new employee to “sign off” during their onboarding process isn’t enough anymore as the rules and the geometry of the playing field are in almost constant and fluid movement. Today’s requirements call for continual and regular updating of the knowledge base and the skill sets of virtually any employee or contractor who handles a physical or digital company document. One transnational financial conglomerate, for example, now asks all current and new administrative employees and outside contractors to attend a one-hour educational webinar each year and requires certification through an online exam of key topics.
When we consider “our company records,” we often think of our formal paper documents, but in the 21st century, that is an ever-diminishing percentage of a company’s records. Records now may include memos, attached Post-it Notes, reports, contracts, customer data, and personnel information, as well as marketing materials, calendars and appointment books, all on paper. Remember, if it’s attached or included in a folder, it is considered legally disclosable.
In this new millennium, and going forward, we must also consider and make provisions for the absolute security of hard drives, USB storage devices, tapes, audio recordings (from recorded lines), emails, electronic documents, and content from both the company’s internet and intranet sites.
Establishing the Decision on Where Documents May Be Retained
Official Longer-Term Off-Site Records Retention
A variety of national, regional and local companies provide services that include pickup, storage/retention and then final withdrawal and destruction at a pre-defined interval, usually determined by the cataloging of the storage box by the financial institution.
Local Public Storage Sites
Smaller financial institutions may opt to select a local, secure public storage service to retain or archive smaller amounts of critical files. Once the security of such service providers is validated, they often present a more cost-effective solution for financial institutions with a smaller geographic network or a more constrained retention budget. They will, however, require a higher degree of internal attention by the financial institution because all date-of-destruction cycles must be maintained solely by the employees of the financial institution. Make sure that a document destruction index is properly set up, indexed by box, and that it is reviewed monthly (or at least quarterly) so boxes that have reached the end of their retention cycle can be promptly retrieved and destroyed.
Client-Site/Institutional Storage
This is often limited to institutions that have available physical space to house their storage internally. The same disciplines as for Local Public Storage Sites (above) should be considered. In addition, the institution should make sure that the area is highly secured and not generally accessible to employees without security clearance and never in an unescorted manner.
Hard Drive/IT Lockups
Establishing and Maintaining An Effective Policy
Here are some basic steps for establishing and maintaining a retention policy.
For more information, visit www.shredit.com/national-accounts/state-bankers-association-program.