Records retention raises questions in almost all offices. And as a result, offices tend to hang onto records far too long, says attorney and records management expert Donald S. Skupsky, JD, CRM.
Skupsky is president and CEO of Information Requirements Clearinghouse in Denver, which provides consulting services as well as software and publications on the legal requirements of record keeping. Here he outlines what to keep and for how long and why.
The employees
• Employment records
Records on hiring, firing, reviews, promotions, and demotions have to be kept for six years at most.
The office will have to produce them if there’s a discrimination suit, and in most states, the limit for filing that type of suit is three years.
In large organizations, however, paper files can stymie that. The records become voluminous to the point that it’s usually not practical to get into them and destroy what’s unnecessary. Neither is it practical to have staff purge them, because there’s too great a risk of mistake. Thus, many employers end up keeping those records indefinitely.
But where it’s possible, get rid of them after six years.
|
The business
What are tax records? Skupsky defines them as everything that supports the return, such as records of income, expenses, property, and investments. The old opinion was that those records had to be kept for seven years. But there was never such a rule, according to Skupsky. “Somebody made that up and passed the rumor around,” he says. The IRS doesn’t say how long to keep tax records, and neither do most states. Instead, they say how long they can audit a taxpayer after the return is filed. For the IRS, that’s three years after the date of filing or the due date, whichever is later. So if the office filed a return in February 2013 that was due in March 2013, the government has until March 2016 to audit it– no more. To make it easy, his advice is to track the years instead of the months. Treat the records as if they were created on the last day of the year. And count the filing year as a full year. That essentially gives a very safe four-year retention period – if a return is filed any time in 2013, consider it subject to an IRS audit until January 2018. Most states also follow the three-year rule. But not all. Arkansas, Maine, Michigan, and Arizona, for example, can audit for as long as six years after the end of the fiscal year of filing, so offices doing business in those states need to keep their records for six years from the end of the fiscal year, not from the time the return is filed. The same is true for any business that operates in all 50 states. Keep them for six years from the end of the fiscal year. One more item to consider is state audits following IRS audits. If there is an IRS audit, hold on to the record for a year after it’s completed. Once the federal audit is done, the state can resolve its own tax issues – whether to collect more money or give a refund. And most states have a year to do that. He adds that with tax records, people are guilty until proved innocent. The IRS usually knows their incomes but not their deductions. So if there’s no documentation to support the deductions, they lose. • Corporate records Keep the articles of incorporation and the minutes only as long as the corporation is active. After that, keep them for a few years. There’s no law requiring that, but a corporation needs to be able to refer to its official position on any issue. Keep the correspondence and administrative records for no more than one year. And chronological correspondence files have no use at all and should be destroyed. • Internal records Internal records such as budget projections and revenue analyses don’t need to be kept at all. Hold on to them only as long as the doctors need them. For many years, businesses kept them forever, Skupsky says. But as the paper mounted up, companies came to realize there’s no requirement to keep them, and after about three years, they’re useless. Like any records with no legal retention requirement, “they are candidates for short retention or immediate destruction,” he says. • Contracts The governing factor here is the state’s statute of limitations for suing on a contract. Though it has been longer in the past, “the longest statue of limitations on contracts is now 15 years,” Skupsky says. That means the office can get sued 15 years after a violation of the contract terms. Even so, only a few states carry it out that long. Some have 10-year limits. But most limit it to six years or less. So depending on state law, keep contracts while they are active plus the amount of time set out by the state statute of limitations. An exception: government contracts such as grants follow a slightly different schedule. The government has three years after the final payment to audit what was done and verify that the costs were calculated correctly. So keep those contracts plus the accounting records for three years after the final payment. |
• Retirement plan records
There’s misconception here, Skupsky says. Employers tend to think that because a retirement plan pays the employee for life, the records have to be maintained for the same amount of time. But that’s not correct.
In a defined contribution plan such as a 401k where employer and employee contribute, the record can be kept for a shorter time. That’s because the Employee Retirement Income Security Act, or ERISA, gives an employee only three years to sue and get the contribution amounts corrected. Some other laws extend the retention requirement, but only to six years.
Old-style pension plans, where someone works a certain number of years and then is paid a certain amount for life, follow a different schedule, albeit not a long one.
Those plans have defined benefits as opposed to defined contributions, and the normal practice is to keep the records for six years after the employment ends. At that point, the employment information is irrelevant for determining the value of the payout.
Regardless of the type of plan, the employer has a fiduciary responsibility to protect the money and therefore has to be able to show the contribution amounts and how the money has been invested. But even there, the limit is six years. With both federal and state law, an employee has no more than six years to sue for losses in a retirement plan.
A caution, however: the office needs to keep a summary of the information indefinitely. That includes the amount contributed and the accumulated value, but not how the money was invested.
• Social Security
Social Security often brings a surprise. Most employers don’t realize that those records only have to be kept for three years.
If there’s a mistake and contributions are not credited, the employee has just three years to correct it. No more. So there’s no need to keep the records longer than that.
And to make sure employees get the correct amount, he recommends telling them to check their benefit amounts each year with the Social Security Administration.
• Worker’s Compensation
Keep the records of on-the-job injuries indefinitely.
A Worker’s Comp claim can appear at any time, because the effects of an injury may not show up for many years. Or an injury might be treated and considered a finished matter only to recur years later.
OSHA requires keeping the medical records for 30 years after the employment ends, but even that’s not long enough, he says, because a disease may not manifest until after that. Asbestos exposure is an example.
Destroy injury records only in a batch and not until there’s no conceivable need for them, perhaps records prior to 1965.
The technology
• The Cloud
With the Cloud, Skupsky’s advice is don’t use it as a backup.
Once information is in the Cloud, the office “has no idea what’s going on with it,” he says. Neither does the office have any control over who accesses the information.
Yes, the contract may say the Cloud vendor will not voluntarily give up the information. But if the vendor’s records get subpoenaed by the government, the government will have access to all that information, and the office will have no say in the matter.
By contrast, if the records are in the office’s hands, there’s some amount of control. It can at least appeal the subpoena.
Email poses four points that managers need to be aware of, Skupsky says.
First, an email “is not a record unto itself,”he explains. More, he points out that an email system “is not a record management system or a filing system, though it’s been treated that way for the last decade.”
Records retention doesn’t apply at all to individual emails or to the email system. What counts is the records within the system. Those need to be taken out and put into the retention system.
Second, be watchful of the creation of email contracts.
Anything agreed to by email is a written contract. For example, an emailed offer of “I’ll paint your fence for $50” with a response agreeing to it is a contract.
And that applies if an employee agrees to something with a vendor that the manager doesn’t know about. It’s a contract. And the entire sequence of messages needs to be moved to a purchasing file.
Third, don’t let any information that needs to be saved languish in somebody’s personal email. Sitting there, “nobody else knows it exists,” and it’s all but lost, Skupsky says. What’s more, if the e-mail user quits, there’s no way anybody can find it.
And fourth, destroy any email message (minus its attachments) within 30 days, “and 60 days at the longest.”
One reason is to save back-up space. Most emails are no more than “let’s do lunch” or “here’s a comment on that.” And those little messages mount up.
But the key reason is litigation.
If an organization gets involved in litigation, all its emails can be subpoenaed. And because they are often written quickly and informally, a skillful attorney can interpret them to mean almost anything.
That happens often in discrimination claims, Skupsky says. A record subpoena comes in, the employer has emails that aren’t actual records and that should have been destroyed long ago, and they make the office look bad.
• Personal computers
Then there’s the work information people put on their personal computers and smartphones.
That’s the office’s information, and the office can set rules on how it has to be managed.
Any office that does allow people to use work-related information on PCs or smartphones needs to set a policy that it can seize those computers and phones at any time. Also be aware that in litigation, they can be subpoenaed by the other side.
Even better, make it a rule that employees working offsite cannot put any office information at all on their PCs and phones but instead have to log onto the central system and do the work there.
And for people who telecommute, use dumb terminals, or terminals that connect only to the central system and have no intelligence themselves.
Airlines and banks use dumb terminals for most data inputs he says. It’s the only way to keep control of the information.
• Social media and the office’s website
Another issue technology has brought about is information people send out on social media such as Facebook, LinkedIn, and Twitter.
And the main issue is contracts.
Any marketing or advertising information that gets sent out “creates a bond with the viewer,” Skupsky says. And if the viewer relies on that information to make a decision, “it’s a quasi-contract.”
For that reason, the content needs to be treated as contractual and retained for six years or whatever state law requires.
Do what very few companies have done and set up controls on what Web and social media information has to be stored and for how long, he says. Otherwise, what happens if the office is required to produce information on the content on the site Feb. 5, 2012? “A lot of companies don’t know how to call that up,” he says.
It doesn’t matter whether social media or website marketing and advertising “make representations that entice people to do business,” he explains. True, nobody actually signs anything, but the information has the effect of bringing two parties together.
If someone relies on a representation the office puts out and is damaged as a result, the office is wide open to a lawsuit. And it will likely lose. “If it made a representation, how can it say it’s not true?” Skupsky points out.
• Back-up tapes
Finally, there are the backups.
For years, IT people “have been proud of themselves for backing up everything just in case,” Skupsky says. “They could report that an executive was looking for a memo and they had it on a back-up tape and saved the day.”
But from a record-keeping and legal standpoint, backing up absolutely everything creates problems. On the administrative side are the time and money required. He cites one company where the content was so voluminous that it took 27 hours to do a back up of each 24-hour period.
On the legal side, blind backups can be disastrous. In one case, a company’s back-up tapes were subpoenaed, and it turned out that the company had backed up its e-mail server for the past 18 months, and there were more than 400 tapes.
The company had to pay nearly $250,000 to restore the information and produce it.
The sole purpose of backups is to get the office operational the next day following a disaster. And to do that, the most any office needs to keep is a month’s worth.
