Initially, the first goal of document retention policies was to make sure employees retained  all company emails, texts, chats, and voice messages. The new goal is to make sure your policy includes a plan for getting rid of all that same information in a timely manner.

Bob Dibert, an attorney at Frost Brown Todd, recommended that companies put a new emphasis on data minimization when developing or updating a retention policy. (The California Consumer Privacy Act  and other new privacy laws have added financial penalties to these “secure disposal laws.”) 

“The FTC Consent Order requires the business to make such an inventory and deletion at least annually,” Dibert said. 

Last fall, the Federal Trade Commission sanctioned a data warehousing and management business for keeping–and then losing through a data breach–consumer data that should have been deleted because it was no longer needed.

To balance data minimization with requirements to preserve legally significant information, Dibert suggested that companies establish both a retention and secure disposal schedule for each communication channel and make sure that each schedule complies with applicable statutory or regulatory requirements.

The challenge with that requirement, according to Alaap B. Shah, a member of the Epstein Becker Green law firm, is understanding which federal, state, and industry-specific rules apply to which documents. He recommended starting with a robust data mapping and classification exercise to identify what kind of information is subject to what rules. 

“Then companies can start to think critically about how to categorize those data, what rules or business needs may apply, and set retention and destruction schedules,” he said.

Justin Harvey, global incident response lead at Accenture Security, said that storage systems should have the same levels of security as the rest of the corporate network, including a robust “encrypted at rest” scheme.

“Backup/retention systems are not as closely scrutinized as the real operational systems, and this creates opportunity for adversaries (both external and insiders) to view or illegally copy these records,” he said.
Harvey added that it’s easy to forget to purge records that are out of the retention period, which can lead to inadvertent data exposure.

The following policies from TechRepublic Premium can help you establish new policies or update procedures already in place.

Email/Instant Message/Voicemail Retention policy

The purpose of this policy is to establish requirements for the retention and destruction of company electronic communications. Specifically, this policy establishes and describes how the company will manage the retention and destruction of electronic mail, instant messages, and voice messages and classifies such corresponding retention periods. These guidelines cover content types as well as appropriate retention time for each one.

Internet and Email Usage policy

This policy sets forth guidelines for the use of the internet, as well as related communication services, including email, proprietary group messaging services (e.g., Slack), and social networking services (e.g., Facebook, Twitter) in business contexts. It also covers Internet of Things (IoT) use, and bring-your-own-device (BYOD) practices.