What to keep and when to chuck it

If there’s one takeaway from the almost-daily data leaks happening across the country, it’s this: Review your records-retention policy.

First, a quick quiz. Of the e-mails you currently have in your in-box:

• How many are absolutely vital?
• How far back do those e-mails go?
• How long do you need to hang onto them?

If you have the answers to all of these questions at your fingertips, you’re a step ahead of the game. But a survey of 400 U.S. and U.K. companies by the IT consulting company Knoll Ontrack shows many companies aren’t as prepared as they need to be when it comes to retaining or destroying records.

A shockingly low 25% of businesses were “up to speed” on Electronically Stored Information (ESI) case law or how compliant their own company’s policies were, and only 50% had a formal policy in place for the regular culling and destruction of unneeded records.

That means only half of surveyed companies regularly dispose of old e-mails, and one quarter of them wouldn’t know how to proceed if brought into court.

It’s not just a matter of deleting old records, either. SEC requires companies to hold onto certain files, so dumping everything once it crosses a certain threshold isn’t possible. But deleting only some records can be tricky as well — it can bring up questions as to why a company got rid of certain things but not others.

Damned if you do, damned if you don’t? Not exactly. The best course of action is to set up a records-retention routine as soon as possible. You’ll need to hang on to all legally-required documents, obviously, but beyond that, a company can set its own limits on what needs to stay, and for how long.

Routinely scheduling deletion procedures not only makes it easier for a company to spot any red flags raised by mischievous employee conduct, but it can also grant some leeway if a company ends up in court. If a company’s done all it can to monitor internal processes, a court’s more willing to let a few employees’ rogue actions fall squarely on their shoulders — not your company’s.