Records Retention Schedules: When Will Your Data Expire?

January 21, 2021 at 8:00 am by Amanda Canale

In the growing age of Big Media, it is imperative now more than ever that companies and organizations develop and maintain a Records Retention Policy, otherwise known as RRP. An RRP is a policy that defines a company or organization’s legal and compliance bookkeeping requirements. An RRP ensures that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient.

When establishing an RRP, there are several key questions to keep in mind. Who is responsible for overseeing the RRP? How long should records be retained? What type of records should be retained? What should we do with those records after the required retention period has passed?

Within any type of business, there are a multitude of records you’ll need to keep track of, from accounting and bank records to corporate and employee information, just to name a few. Just as the type of record may vary, so does the retention period. Let’s break down some of the more important record types and retention periods.

Accounting Records

It is a good rule of thumb to keep the majority of accounting records permanently. These records include income tax returns, asset records, training manuals, general ledgers, and more. Patents and related papers, insurance claim documents, legal correspondence, and capital stock and bond documents require permanent retention, along with real property records such as deeds, bills of sale, and appraisals.

While the majority of accounting records should be kept permanently, there are some types that you can safely destroy after a period of seven years. These include electronic payment records, employee expense records, inventory listings, and timecards. Such records are still crucial to your accounting team but do not need to be retained forever.

Employee Benefit and Personnel Records

When it comes to employee benefit and personnel records, the retention period can vary. Any financial statements, Internal Revenue Service (IRS) documents, Department of Labor correspondence, and plan and trust agreements should all be kept permanently.

Normal employee personnel files, employment applications, and individual employee contracts should be kept on file for two to three years from the date of termination. Other personnel records, such as worker’s compensation and employment eligibility forms, can be kept for three to five years.

Insurance and Legal Records

Insurance records, such as accident reports and settled claims, fire inspection and safety reports, and expired insurance policies, should all be kept for seven years. It’s important to note that accident reports and settled claims should be kept for seven years from the date of the settlement, not from the date the accident occurred. When it comes to legal documents, the retention period can vary. Records of expired contracts, leases, and employment agreements can be kept for seven years, but other documents, such as effective contracts and leases, meeting minutes, partnership agreements, and legal correspondence, should be kept permanently.
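The schedule above has one subtlety that is easy to get wrong in practice: the retention clock does not always start when a record is created. Personnel files run from the date of termination, and accident reports run from the date of settlement, so a record's destruction date depends on which event triggers the clock. The following Python example is added here to illustrate that idea and is not code from the original post or from SEM; the record types, retention periods and trigger events in the schedule are taken from the article's figures, the sample records and dates are constructed, and the rule for records with no matching schedule entry (hold them rather than destroy them) is a design assumption, not something the article states.

```python
"""Compute the disposition of records against a retention schedule.

Added example, not part of the original article. The schedule below mirrors
the periods the article lists; it is an illustration, not legal advice.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional


@dataclass(frozen=True)
class RetentionRule:
    retention_years: Optional[int]  # None means retain permanently
    trigger: str                    # the event that starts the retention clock


# Schedule modelled on the article's figures. Where the article gives a range
# (e.g. two to three years) the longer period is used.
SCHEDULE: Dict[str, RetentionRule] = {
    "general_ledger":         RetentionRule(None, "created"),
    "timecard":               RetentionRule(7, "created"),
    "employee_expense":       RetentionRule(7, "created"),
    "personnel_file":         RetentionRule(3, "terminated"),
    "employment_eligibility": RetentionRule(5, "terminated"),
    "accident_report":        RetentionRule(7, "settled"),
    "expired_contract":       RetentionRule(7, "expired"),
}


@dataclass
class Record:
    record_id: str
    record_type: str
    events: Dict[str, date] = field(default_factory=dict)  # event name -> date


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record: Record, today: date) -> str:
    """Return what should happen to a record as of `today`.

    Results: "retain:permanent", "retain_until:YYYY-MM-DD",
    "eligible_for_destruction", "hold:awaiting_<event>", "hold:no_rule".
    """
    rule = SCHEDULE.get(record.record_type)
    if rule is None:
        # Assumption: fail closed. A record with no schedule entry is held
        # for review; nothing is ever destroyed by default.
        return "hold:no_rule"
    if rule.retention_years is None:
        return "retain:permanent"
    trigger_date = record.events.get(rule.trigger)
    if trigger_date is None:
        # The clock has not started, e.g. an accident report whose claim
        # is still open. Its age since the accident is irrelevant.
        return f"hold:awaiting_{rule.trigger}"
    expires = add_years(trigger_date, rule.retention_years)
    if today >= expires:
        return "eligible_for_destruction"
    return f"retain_until:{expires.isoformat()}"


def review(records, today: date) -> Dict[str, str]:
    """Map every record id to its disposition as of `today`."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample records (dates are invented for the example).
SAMPLE_RECORDS = [
    Record("GL-0001", "general_ledger", {"created": date(2010, 1, 4)}),
    Record("TC-2013", "timecard", {"created": date(2013, 5, 6)}),
    Record("PF-0042", "personnel_file",
           {"hired": date(2008, 2, 11), "terminated": date(2019, 9, 30)}),
    # Accident in 2012 but settled in 2015: the clock runs from settlement.
    Record("AR-0007", "accident_report",
           {"accident": date(2012, 3, 1), "settled": date(2015, 6, 1)}),
    # Claim still open: no settlement date, so the clock has not started.
    Record("AR-0008", "accident_report", {"accident": date(2020, 11, 15)}),
    # Record type missing from the schedule.
    Record("XX-0001", "vendor_invoice", {"created": date(2005, 7, 7)}),
]

AS_OF = date(2021, 1, 21)  # the article's publication date


def run_demo(today: date = AS_OF) -> Dict[str, str]:
    return review(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for record_id, result in run_demo().items():
        print(f"{record_id}: {result}")
```

Run as a script, the example prints one line per record. The accident report AR-0007 is held until 1 June 2022 because its clock runs from settlement; dating it from the 2012 accident would have made it eligible for destruction three years too early, which is exactly the mistake the article warns against.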

It is also important to keep in mind that records are not just paper documents but can consist of electronic documents and data as well. This includes, but is not limited to, word processing files, emails, databases, spreadsheets, and so forth. Any device on which files are stored (optical media, flash drives, HDDs, SSDs) is considered an electronic record and must follow the same RRP guidelines the corporation sets forth for paper document retention and disposal.

The disposal of these records is just as important as retaining them. Having an appropriate shredder is crucial to ensuring that your data is not falling into the wrong hands.

Although the non-permanent records are no longer required to be kept in your possession, this does not mean that the information on those records has necessarily expired or become any less important. If records are disposed of in an unsecured manner and important corporate or employee information falls into dishonest hands, the results can be catastrophic for both the corporation and the employee. (You can read about the monetary consequences of data breaches here.)

In conclusion, establishing an RRP is a crucial step in ensuring that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient. Management of these records includes, but is not limited to, securing the information they contain, even upon disposal of those records. Records that no longer require retention should be destroyed by means of shredding, disintegration, or degaussing, whichever is appropriate for the storage method and the applicable industry regulatory requirements. Although it is not necessary for a corporation to maintain the same destruction requirements as a government facility, proper destruction should not be considered any less vital. As with any company or organization policy, an RRP relies on its employees to maintain and enforce it.

Data Breach From End-of-Life IT Media: Not “If” But “When”

February 19, 2020 at 1:09 pm by Flora Knolton

A Reactionary Approach is Not Going to Cut it

While the age of Big Data has improved our lives in countless ways, there is seemingly an equal number of potential downsides. As we all know too well, the exponential rate at which data volume is growing has spawned nonstop cyber activity intent on using this data for illegal purposes. The danger couldn’t be more extreme—or more real: in today’s Internet-dominated world, someone seeking to steal sensitive, confidential, or proprietary data (e.g., personally identifiable information, or PII) no longer has to physically breach a facility.

It’s important to remember, however, that data theft isn’t limited to online, or cyber, activity. IT assets (i.e., electronic storage devices containing data) constitute physical hardware that is likewise vulnerable to theft. Consequently, it’s critical that companies safeguard IT assets throughout the entire lifecycle, including physical destruction to the point of irreversibility. End-of-life data destruction processes must be formalized and precisely followed; far too much is at stake should IT assets fall into the wrong hands.

A dedicated, internal security team is necessary to prevent breaches. A reactionary approach is unacceptable; the potentially catastrophic consequences of compromised or stolen data outright negate the luxury of taking a passive approach. The literal costs of stolen data can involve monetary fines in the millions of dollars—while the intangible costs associated with reputation damage, identity theft and disclosure of confidential/sensitive information can easily exceed all measurement.

Cases in point: Cyber-Related Data Breaches are Becoming More Destructive … and More Expensive

In mid-2019, the UK’s Information Commissioner’s Office (ICO) set a then-record by fining British Airways $230 million for violating the European Union’s General Data Protection Regulation (GDPR). The infamous Magecart group of cyber criminals hacked into the British Airways system and used just 22 lines of code to harvest personal and payment data for approximately 500,000 customers over a two-week period.

Only days later, the ICO slapped Marriott International with a $124 million fine after it experienced a breach that compromised over 339 million guest records worldwide during its acquisition of Starwood Hotels & Resorts Worldwide. Marriott reported the breach shortly after its discovery in November 2018—at which time the attackers had already been in the system for four years.

In 2015, U.S. health insurance giant Anthem, Inc., suffered a breach due to spear phishing emails that launched an attack on its system, thereby compromising nearly 79 million people. Data harvested by a still-unknown party included full names, birthdates, employment information, addresses, Social Security numbers and medical identification numbers. In 2017, a class-action lawsuit against Anthem cost the company $115 million, which was to pay for identity-theft protection for all affected individuals for two years. One year later, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) also fined Anthem a record $16 million for violations of the Health Insurance Portability and Accountability Act (HIPAA).

Perhaps the largest cyber-related theft thus far occurred in 2017, when an unpatched bit of framework in one of Equifax’s databases allowed data associated with approximately 147 million people to be stolen. After discovering the breach, Equifax waited more than a month to report it. The company’s negligence will cost it a penalty in the range of $575 million to $700 million, after a record settlement in July 2019 with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and all U.S. states and territories.

Waiting for the Inevitable: Physical IT Assets and the Failure to Destroy End-of-Life Data

Given the carelessness with which many organizations, governments, individuals and third-party companies discard IT assets, it’s amazing that catastrophic end-of-life data breaches have not yet occurred. We have previously discussed why a comprehensive in-house destruction plan for end-of-life data is essential, since you simply do not know what happens to data unless your organization has supervised firsthand the entire data life cycle.

Ensuring chain of custody for all IT hardware involved in the infrastructure of an organization that stores personal, sensitive or classified data, from the beginning to the end of its life cycle, will go a long way toward preventing a costly breach. Just ask the U.S. Department of Defense (DoD), which banned all USB thumb drives after a 2008 incident in which a thumb drive found in the parking lot of a Mid-East military installation was inserted into a DoD computer network and launched a worm into the system that took 14 months to eradicate.

Several studies conducted over the last several years highlight how often personal and classified information is found on used hard drives and USB drives—such as this 2019 study from Ontrack and Blancco Technology Group, which estimates that sensitive data is left on about 42% of used hard drives sold on eBay. Earlier in 2019, researchers at the University of Hertfordshire purchased 100 used USB flash drives in the U.K. and 100 in the U.S. from eBay; 68% of the U.S. drives and 67% of the U.K. drives contained recoverable data from their previous owners—and more than half of those drives contained sensitive business and personal data.

In 2017, the Channel NewsAsia documentary The Trash Trail tracked the purchase of nine hard drives from various shops at Sim Lim Square in Singapore. The buyers were assured by the shop owners that all drives had been wiped clean and reformatted. In reality, five of those drives contained sensitive personal information—and one of them contained complete medical records and passport details. Two additional hard drives contained sensitive corporate information.

In 2009, University of British Columbia journalism students shooting a documentary about e-waste in Ghana purchased seven hard drives from a market in Tema. One of the hard drives contained sensitive information regarding multi-million-dollar U.S. defense contracts between the Pentagon, the Department of Homeland Security and contractor Northrop Grumman. The contractor believes the hard drive was stolen from a third-party asset-disposal company.

Also in 2009, a study conducted by British Telecommunications’ Security Research Centre, the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the U.S. examined 300 secondhand hard drives. On those drives was a variety of sensitive information, including trading performance and budget documents of a fashion company, corporate data from a motor-manufacturing company and—incredibly—test launch procedures for the U.S. Terminal High Altitude Area Defense (THAAD) ground-to-air missile system.

In all these examples, imagine what could have happened if that data had fallen into the hands of criminals rather than those of individuals conducting investigative studies. Catastrophic end-of-life data breaches will happen—it’s just a matter of time—so no one handling sensitive data should become complacent or take a lax approach to its security.

Bottom line: Any used IT storage device that has not been directly in your organization’s chain of custody for its entire life, or that has reached its end of life, should be thoroughly destroyed in-house—to the point of irreversibility—with equipment that meets or exceeds industry standards. Companies like SEM provide a variety of equipment capable of completely and securely destroying data contained on any IT hardware, including the industry’s only equipment capable of destroying enterprise-class drives.