The Dangers of Uncontrolled Records & Old Electronics

This blog describes how squirreled-away or forgotten documents and electronic equipment 1) undermine an organization’s records retention policy, 2) constitute a security risk, 3) complicate legal discovery compliance, and 4) violate new privacy regulations.

__________

What are Uncontrolled Records and Old Electronics?

The legal definition of a “business record” is any and all information recorded on any media documenting any aspect of an organization’s operations, events, transactions, plans, or communications, regardless of the media on which it is recorded. For instance, a cocktail napkin on which a CEO outlines the terms of an acquisition is a business record. So is a Post-It® Note on which an employer conveys the intention of hiring a candidate. So is an electronic photo of either of them.

For purposes of this analysis, we’ll first define three categories of business records based on their retention expectations.

Incidental records are those whose useful life and retention expectations are momentary. These include handwritten phone messages, drafts of correspondence, a monthly sales report, memos and instant messages. They are generally disposable after they have served their purpose and they can be particularly sensitive, since they often contain information about real-time corporate activity and personal information.

Controlled records, on the other hand, are at the opposite end of the spectrum. They are those business records which organizations must retain for years, both as evidence of a transaction and to comply with regulatory retention requirements.

Which brings us to uncontrolled records, which may be duplicates of controlled records or accumulations of incidental records, and their defining common denominator is that they are being retained unnecessarily.

Some uncontrolled records are created intentionally by people who keep them around for quick reference or as a CYA. These include printed copies of emails, email attachments, printouts or electronic copies of sales activities, customer forms, official correspondence or other reports. They are in binders on bookshelves and in files in desk drawers, and, perhaps more troublesome, they also accumulate on computers and thumb drives.

Other uncontrolled records are created inadvertently, insofar as they accumulate for no reason other than lack of awareness or lack of discipline. They include, not only paper documents, but also obsolete electronic equipment stashed away in closets, outbuildings and storerooms.

It should also be noted that any stored record retained beyond its retention requirement can be counted as an uncontrolled record, since, 1) by definition they are being unnecessarily retained, and 2) the adverse consequences listed below apply to them as well.

How Uncontrolled Records and Old Electronics Pose a Threat

1. They undermine an organization’s records retention policy.

By allowing the existence of records outside the control of, or beyond the retention limits of, the established retention periods, an organization contradicts its own policy. This can come back to bite the organization in the future when it has to rely on the integrity of the retention schedule to validate final disposition during a legal or compliance matter.

2. They are a security risk.

It stands to reason that keeping records and electronics around longer than needed increases the likelihood of them falling into the wrong hands, and that the longer they are kept, the greater that risk.

Let’s say that one year after being put in the storeroom, an employee determines no one cares (or no one is looking) and takes an old laptop. Why not? Who will know? The answer is, no one, until the employee sells it on eBay and the information shows up later.

Of course, this risk applies to accumulations of unnecessarily retained paper records too. A well-intentioned custodian cleans out an old warehouse. A hospital forgets the 400 boxes it put in an old outbuilding 20 years ago. These examples are not idle conjecture. They happen in one way or another all the time.

3. Uncontrolled records and old electronics dangerously complicate legal discovery.

A legal discovery order requires an organization to produce all the information related to a criminal or civil lawsuit. Not a problem, right? It is when there are uncontrolled records (paper or electronic) squirreled away in offices, backrooms and self-storage. And, woe to the organization that says “discoverable” records were destroyed per a retention schedule, when it later surfaces during a deposition that there is the possibility that those records may still exist some other way.

And, when the opposition or judge discovers that there is a self-storage is full of long-forgotten records or electronic equipment that may be remotely relevant, not only is a lawyer soon culling through them to see what’s there, it also incites suspicion and could lead to meaningful reprisals, such as an Adverse Inference instruction to the jury.

You get the point. Accumulations of uncontrolled records or electronic equipment can make legal discovery a nightmare.

4. They potentially violate new privacy regulations and make data subject requests (DSRs) next to impossible.

As of the writing of this blog, there are 6 state privacy laws in the US modeled on the GDPR. There are three times that many similar state privacy laws on the way.

Under these new regulations, organizations may not retain personal information for longer than is necessary. Violation of this requirement is a virtual certainty when uncontrolled records and electronic equipment accumulate, or when records are retained beyond their retention limits.

And, those same privacy laws give individuals the right to 1) know how their information is retained, 2) access any and all information held by the data controller, and 3) have their information deleted after the transaction is completed.  These rights are accessed through what are called Data Subject Requests (DSRs). But, if the personal information of an individual making such requests ends in the netherworld of uncontrolled records, how would the organization comply? The answer is simple: It can’t.

What To Do About It

There are three concurrent strategies for minimizing the risk of uncontrolled records and old electronics.

The first is to avoid accumulating them in the first place. Upon hiring, and routinely afterward, training should advise employees on the nature of uncontrolled records and obsolete electronics, stressing why their unnecessary accumulation is so detrimental.

The second is to provide a system for disposal, through semi-annual purges aimed specifically at uncontrolled and accumulated electronics.

The third is to make it an organizational imperative that controlled records, by definition subject to retention, are destroyed when the established retention period is over.

In the case where an organization does not have staff appropriately trained in records management, it would be money well spent to retain a professional with the experience and acumen to make sure both policy and implementation are properly executed. There are nuances to minimizing the risks related too switching from inferior practices to best practices and a competent, experienced professional should know how to safely thread that needle.

____________

A Note on Emails:
Are emails Controlled, Incidental, or Uncontrolled Records? And what about their attachments? Good questions. And though I have some food for thought, any email management policy should be carefully and professionally determined based on the needs of the specific organization. Theoretically, every organization should have an electronic communications retention policy, designating retention requirements and classification of emails. This is true of attachments too, where the retention requirements will depend on the nature of the attachment itself, and the particular needs and responsibilities of the organization.