July 11, 2016

Document Retention Policy: Know What to Keep and What to Shred

"I think we need to change the fundamental design of the way each and every document is created and managed," commented Bill Anderson of cyber security company OptioLabs, in a cnet.com story about the Panama Papers.

Panama Papers

The Panama Papers is the latest mega data breach where millions of confidential documents from a Panamanian law firm were leaked, exposing offshore bank accounts – and possibly tax havens – for wealthy clients.

While there are many aspects to information security, a sound document retention policy is one of the most important.  Knowing what confidential documents to keep and which ones to permanently destroy should be of concern to everyone, particularly at times when information thieves are in high gear such as the end of the tax year.

Guidelines to secure your sensitive information

Here are some document retention policy guidelines to help keep your information secure:

  • Information audits: Use audits to identify the types of documents the business produces, and to create an inventory and keep it updated.
  • How long to keep tax records? There are two parts to data retention: how long documents will be useful to the business, and how long they must be retained based on government and industry requirements. Every business must evaluate laws that are applicable.
  • Fines – either way: While it’s law to keep certain documents, if you retain a record for too long you might also expose yourself to litigation risks and fines. 
  • Emails: Records are paper files, digital documents, and correspondence including emails. According to wired.com, the Panama Papers leak included more than 4.8 million emails (as well as 3 million database files and 2.1 million PDF’s). If emails aren’t part of an important business or legal use or not subject to regulatory compliance, delete them within the appropriate time frame.
  • Easy retrieval: Index all documents for easy retrieval. Store in a secure, locked location and/or in a password protected file. Control access so only those employees that need the information to do their jobs can do so. Storing unneeded information increases the risk of a security breach, takes up space, and costs money.
  • Secure disposal: The only acceptable way to discard paper or digital documents when they are no longer needed is to completely destroy them. Shredding is a legal requirement for many documents, and outsourcing eliminates risk. Partner with a reputable shredding company that has secure chain of custody processes for information destruction. A Certificate of Destruction will document compliance and should be issued after every shred.