Building a solid document management foundation is critical to help your company react and adapt before an emergency or potential litigation occurs. Successfully collecting electronically stored information (ESI) begins with taking inventory of your data — the key building block of your document retention policy and collection plan.
This article presents how to create a document retention policy and what to include, as well as what to do when a litigation hold must be put in place.
Create a Document Management System
Construction projects have large amounts of ESI to keep track of, including:
- Contract documents
- Drawings in computer-aided design (CAD), PDF, and other formats
- Scheduling files
- Job cost control software files
- Formal correspondence
- Emails, text messages, and other forms of electronic communication
Less material is being retained in paper form, which can make it easier to access data from remote locations and allow for data collection to be a more streamlined process. However, since electronic files aren’t physically stored, a formal document management system is even more critical.
This is especially true when dealing with types of ESI that are not easily organized by keyword (including schedule files, photos, and videos). Creating a document management plan that can be followed from project to project can help a company ensure that documents are organized, providing a basic data map that makes it easy to access data and information.
Establish a Document Retention Policy
In addition to a system for organizing documents, it is also important to develop and implement a retention policy to manage risks and minimize costs.1 Scheduling document disposal can provide many benefits, including the reduction of labor, storage costs, and risks of a data breach. A robust document retention policy can lower both the risks and costs of e-discovery obligations when problems arise or litigation occurs.
To effectively manage these risks, a document retention policy must be written, consistently enforced, and adjustable in the event of potential litigation or other circumstances that include a duty to preserve data.2 Preparing document retention procedures that outline where data is stored, how long it is kept, who has access to it, etc., will also help when it comes time to implement a litigation hold and prepare for document collection.
Documented and enforced policies regarding the use of work-issued mobile devices as well as bring your own device (BYOD) policies are also important for identifying, retaining, and collecting data when employees leave a company. This is critical if mobile device collection is necessary, which is becoming increasingly likely as the ubiquity of smart devices and communications via text messages and messaging applications increases.
The following are some basic steps toward implementing a meaningful document retention policy.
Inventory Your Data
Survey the types of data or documents your organization creates or handles as well as the different locations where the data may reside. The types of data may include:
- Project documents — drawings, change orders, correspondence, subcontracts
- Tax and financial documents — sales tax returns, cancelled checks, payroll tax returns, deposit slips, annual financial statements
- Personnel information — personnel files, disability benefits statements, withholding statements
- Insurance records — policies, claim files, accident reports
Developing a clear picture of where documents are located is also important, whether that be within shared network servers, email servers, file-sharing storage solutions (such as SharePoint), or other cloud-based systems; laptops or tablets; other physical media such as flash drives and DVDs; or even actual paper documents in filing cabinets. This inventory should be included in the written document retention policy and should be updated periodically, as it will be a key resource when it comes time to perform a document collection or react to an emergency.
Review Laws & Rules Related to Retention of Documents
Different jurisdictions will have varying considerations for document retention. Regulatory or statutory rules dictate retention periods for some documents or businesses. For example, the U.S. Securities & Exchange Commission (SEC) requires that all SEC-regulated companies retain emails for at least seven years,3 and the IRS has certain requirements on the length of time that tax records and supporting documentation must be kept. Depending on a company’s home state, it may have adopted the Uniform Preservation of Private Business Records Act (currently Colorado, Georgia, Illinois, Maryland, New Hampshire, Oklahoma, and Texas), which includes a definition of business record. If so, make sure to include this defined term in your written document retention plan.
Contractors and designers should also be aware of the different statutes of repose that exist in states where they do business, as the lengths of time and language in those statutes can vary widely and may affect how long certain historic project documents should be retained.
Create a Retention Schedule
A retention schedule — which includes how and when the documents are organized, stored, retained, backed up, and destroyed — should be set for all types of documents that your company handles after researching the laws and rules that may apply. Courts have advised that companies (even those with frequent litigation) are not required to keep “every shred of paper, every email or electronic document, and every backup tape...Such a rule would cripple large corporations.”4 Therefore, outside of any laws or regulations and any impending litigation or related “litigation hold” exceptions, a company is free to develop its own retention policies. Of course, once a policy is established, a company must adhere to it in order to remain reasonable and robust.
Set Rules on Destroying Expired or Useless Data
As part of their document retention policy, many companies permanently delete emails and similar electronic data (chats, calendar appointments, etc.) on a consistent basis (e.g., after 90 or 120 days). From a litigation perspective, such a policy can be sustained if it is applied consistently and if it is suspended during a “litigation hold.” The policy must weigh the business needs of the company, IT considerations, and the balance between saving “important” emails and deleting extraneous ones.
This type of policy may not work well with long-term construction projects unless a robust document organization system is already in place. In that case, the use of software that can search for keywords, phrases, or numbers deemed sensitive by management to mark such emails for retention, in addition to emails manually saved by employees, could be necessary.
Automatically deleting emails on a schedule is one way to ensure that the document retention plan is consistently implemented. Deleting unneeded data regularly can save storage space, help reduce the risks in a potential data breach (less data to lose), and streamline future data requests. Whether or not an automatic email deletion schedule is used, the policy must specify procedures on how to destroy expired documents or data that is no longer of use to the company.
Your company should weigh the potential benefits of retaining data or documents for research or historical information against the costs and risks of retaining the data. The policy should also specify how the destruction of documents will be suspended under the policy when an exception, such as a litigation or other hold, is initiated.