Keeping Records Forever (NOT)
Record retention is a question in almost all offices. And as a result, offices tend to hang onto records far too long, says attorney and records management expert DONALD S. SKUPSKY, JD, CRM, FAI.
Donald Skupsky is president and CEO of Information Requirements Clearinghouse in Denver, Colorado, which provides publications, software and consulting services focused on the legal requirements of record keeping. Here he outlines what to keep and for how long and why.
What are tax records? Skupsky defines them as everything that supports the tax return, such as records of income, expenses, property, and investments.
The old opinion was that those records had to be kept for seven years. But there was never such a rule, he says. “Somebody made that up and passed the rumor around.”
Most of us only need to keep tax records for three years after we file the tax return; those is a few states should keep them six years after the end of the fiscal year.
The IRS doesn’t say how long to keep tax records. And neither do most states. Instead, they say how long they can audit a taxpayer after the return is filed.
For the IRS, that’s three years. The IRS can audit the records three years after the date of filing or the due date, whichever is later. So if the office filed a return in February 2013 that was due in March 2013, the government has until March 2016 to begin an audit – no more.
For convenience, however, his advice is to treat records as though they were all created on the last day of the year and treat the year of filing as one year – thus a four year retention after the end of the year. If a return is filed any time in 2013, consider it subject to an IRS audit until January 2018.
Most states also follow the three-year rule. But not all. Arkansas, Maine, Michigan, and Arizona, for example, can audit for as long as six years after the end of the fiscal year of filing, so offices doing business in those states need to keep their records for six years from the end of the fiscal year, not from the time the return is filed.
The same is true for any business that operates business in all 50 states. Keep them for six years from the end of the fiscal year.
One more items is state audits following IRS audits.
If there is an IRS audit, hold on to the record for a year after it’s completed. Once the federal audit is done, the states reserve the right to resolve their own tax issues – whether to collect more money or give a refund. And most states have a year to do that.
He adds that with tax records, people are guilty until proven innocent. IRS typically knows your income, but not your deductions or expenses. If you don’t have documentation to support their deductions, you lose . . . and end up paying more tax.
Keep corporate minutes and articles of incorporation only as long as the corporation is active, and then maybe a few years afterwards.
There’s no law requiring that, but a corporation needs to be able to refer to its official position on any issue.
Keep the correspondence and administrative records for no more than one year. And chronological correspondence files have no use at all and should be destroyed.
Internal records such as budget projections and revenue analyses don’t need to be kept at all. Hold on to them only as long as the doctors need them.
For many years, businesses kept them forever, Skupsky says. But as the paper mounted up, companies came to realize there’s no legal requirement to keep them, and certainly after about three years, they’re useless.
Like any records with no legal retention requirement, “They are candidates for short retention or immediate destruction.”
The governing factor here is the state’s statute of limitations for suing on a contract.
Though it has been longer in the past, “the longest statute of limitations on contracts is now 15 years,” Skupsky says. That means the office can get sued 15 years after a violation of the contract terms.
Even so, only a few states carry it out that long. Some have 10-year limits. But most limit it to six years or less.
So depending on state law, the contracts while they are active plus the limit set out by the state statute of limitations.
An exception: government contracts such as grants follow a slightly different schedule. The government has three years after the final payment to audit what was done and verify that the costs were calculated correctly. So keep those contracts plus the contract accounting records for three years after the final payment.
Records on hiring, firing, reviews, promotions, and demotions have to be kept for six years at the most. Since most companies keep all records in a single folder and it’s hard to purge, instead they’ll keep the records while the employee is active plus six years.
Skupsky says, the office will have to produce them if there’s a discrimination suit, and in most states, the statute of limitations for filing that type of suit is three years.
In large organizations, however, paper files can stymie that. The records become voluminous to the point that it’s usually not practical to get into them and destroy what’s unnecessary. Neither is it practical to have staff purge them, because there’s too great a risk of mistake. Thus, many employers “end up keeping those records indefinitely.”
But where it’s possible, get rid of them after six years.
Retirement plan records
There’s misconception here, Skupsky says. Employers tend to think that because a retirement plan pays the employee for life, the records have to be maintained for the same amount of time. But that’s not correct.
In a defined contribution plan such as a 401k where employer and employee contribute, the record can be kept for a shorter period. That’s because under the Employee Retirement Income Security Act, or ERISA, the employee has only three years to sue and get the contribution amounts corrected, provide, the employee is given notice of the status of the account. Other laws would extended the retention requirement to only 6 years.
Old-style pension plans, where someone works a certain number of years and then is paid a certain amount for life, follow a different schedule, albeit not a long one.
Those plans have defined benefits as opposed to defined contributions, and the normal practice is to keep the records for six years after the employment ends. At that point, the employment information becomes irrelevant and the “value” of the pension payout is determined.
Regardless of the type of plan, the employer has a fiduciary responsibility to protect the money and therefore has to be able to show the contribution amounts and how the money has been invested. But even there, the limit is six years. With both federal and state law, an employee has no more than six years to sue for losses in a retirement plan.
A caution, however: the office needs to keep a summary of the information indefinitely. That includes the amount contributed and the accumulated value, but not how the money was invested.
Social Security often brings a surprise. Most employers don’t realize that those records only have to be kept for three years.
If there’s a mistake and contributions are not credited, the employee has just three years to correct it. No more. So there’s no need to keep the records longer than that. Alert your employees to check the information with the Social Security Administration each year.
Keep the records of on-the-job injuries indefinitely.
A Worker’s Comp claim can appear at any time, because the affects of an injury may not show up for many years. Or an injury might be treated and considered completed only to recur years later.
OSHA requires keeping medical records for 30 years after the employment ends, but even that’s not long enough, he says, because a disease may not manifest until after that. Asbestos exposure is an example.
Destroy injury records only in a batch and not until there’s no conceivable need for them, perhaps records prior to 1965.
With the Cloud, Skupsky’s advice is don’t use it as a back-up due to security and retention risks.
Once information is in the Cloud, the office “has no idea what’s going on with it.” Neither does it have any control over who accesses it.
Yes, the contract may say the Cloud vendor will not voluntarily give up the information. But if the vendor’s records get subpoenaed by the government, the government will have access to all that information, and the office will have no say in the matter. By contrast, if the records are in the office’s hands, there’s some amount of control. It firm can at least appeal the subpoena.
E-mail poses four points that managers need to be aware of, Skupsky says.
- First, an e-mail “is not a record unto itself,” and an e-mail system “is not a record management system or a filing system, though it’s been treated that way for the last decade.”
Record retention doesn’t apply at all to the e-mail system. What counts is the records within it. So take the records out and put them into the retention system.
- Second, be watchful of the creation of e-mail contracts.
Anything agreed to by e-mail “is a written contract.” For example, an e-mailed offer of “I’ll paint your fence for $50” with a response agreeing to it is a contract.
And that applies if an employee agrees to something with a vendor that the manager doesn’t know about. It’s a contract. And the entire sequence of messages needs to be moved to a purchasing file.
- Third, don’t let any information that needs to be saved languish in somebody’s personal e-mail. Sitting there, “nobody else knows it exists,” and it’s all but lost. What’s more, if the e-mail user quits, there’s no way anybody can find it.
- And fourth, destroy any e-mail message (minus its attachments) within 30 days, “or 60 days at the longest.”
One reason is to save back-up space. Most e-mails are no more than “let’s do lunch” or “here’s a comment on that.” And those little messages mount up. But the key reason is litigation.
If an organization gets involved in litigation, all its e-mails can be subpoenaed. And because they are often written quickly and informally, “a skillful attorney can interpret them to mean almost anything.” That often happens often in discrimination claims, he says. A record subpoena comes in, the employer has e-mails that should have been destroyed long ago, and they make the company look bad.
Then there’s the work information people put on their personal computers and smartphones.
That’s the office’s information, and the office can set rules for how it has to be managed.
Any office that does allow people to use work-related information on PCs or smartphones needs to set a policy that it can seize those computers and phones at any time. Of course, in litigation, the computers and phones can be subpoenaed by the other side..
Even better, however, is to make it a rule that employees working offsite cannot put any office information at all on their PCs and phones but instead have to log onto the central system and do the work there.
And for people who telecommute, use dumb terminals, or terminals that connect only to the central system and have no intelligence themselves.
Airlines and banks use dumb terminals for most data inputs he says. It’s the only way to keep control of the information.
Social media and the office website
Another issue technology has brought about is information people send out on social media such as Facebook, LinkedIn, and Twitter.
Any marketing or advertising information that gets sent out “creates a bond with the viewer,” Skupsky says. And if the viewer relies on that information to make a decision, “it’s a quasi-contract.”
For that reason, the content needs to be treated as contractual and retained for six years or whatever state law requires.
Do what very few companies have done and set up controls on what web and social media information has to be stored and for how long. Otherwise, what happens if the office is required to produce information about content on the website Feb. 5, 2012? “A lot of companies don’t know how to call that up.”
Whether social media or website, marketing and advertising “make representations that entice people to do business,” he explains. True, nobody actually signs anything, but the information has the effect of bringing two parties together.
If someone relies on a representation the office puts out and is damaged as a result, the office is wide open to a law suit. And it will likely lose. “If it made a representation, how can it say it’s not true?”
Finally, there are backups. For years, IT people “have been proud of themselves for backing up everything just in case,” Skupsky says. “They could report that an executive was looking for a memo and they had it on a back-up tape and saved the day.”
But from a record-keeping and legal standpoint, backing up absolutely everything creates problems.
On the administrative side are the time and money required. He cites one company where the content was so voluminous that it took 27 hours to do a back-up of each 24-hour period.
And on the legal side, blind back-ups can be disastrous. In one case a company’s back-up tapes were subpoenaed. It turned out that the company had backed up its e-mail server for the past 18 months, and there were more than 400 tapes.
The company had to pay nearly $250,000 to restore the information and produce it.
The sole purpose of back-ups is disaster recovery, he says. If there’s a disaster, they get the office operational the next day. But disaster recovery doesn’t call for years of back-up. Keep a month’s worth at most.