JohnPBeavers.com -- Sarbanes-Oxley Requires Public and Private Companies to Rethink Document Retention

Sarbanes-Oxley Requires Public and Private Companies to Rethink Document Retention

John P. Beavers
June 2003

The Sarbanes-Oxley Act of 2002 will have companies and their boards and executives rethinking their document retention, as one of its provisions provides for criminal penalties of up to 20 years imprisonment and fines up to $10 million for anyone who:

. . . knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under [Bankruptcy Code], or in relation to or contemplation of any such matter or case. §802 of SOX which added §1519 to 18 USC.

These criminal penalties apply to everyone: Privately held businesses and public reporting companies; directors, officers, employees and other representatives of these businesses; and accountants, lawyers and other professionals providing services to these businesses. The penalties apply to individual persons with respect to their own records as well as their lawyers, accountants and other representatives.

The provision is a direct result of Arthur Andersen’s shredding of Enron documents. In October 2001, Arthur Andersen’s in-house legal counsel composed the following memorandum, which was forwarded to Arthur Anderson’s partner in charge of the Enron audit team, David Duncan:

It might be useful to consider reminding the engagement team of our documentation and retention policy. It will be helpful to make sure that we have complied with the policy. Let me know if you have any questions.

Knowing that the SEC had begun investigating Enron, Duncan ordered destruction of Enron related documents on October 21, 2001. The destruction of documents continued until the day after Arthur Andersen received a subpoena requesting it to produce those and other documents. The result was Arthur Andersen’s criminal conviction for obstruction of justice in June 2002 and its corporate demise shortly thereafter.

Arthur Andersen’s fatal mistakes

Arthur Andersen made two fatal mistakes. First, although it had a document retention and destruction policy, it did not regularly and consistently carryout that policy. The in-house legal counsel's email is evidence, at best, of an inconsistent execution of the policy and, at worst, a knowing directive to destroy documents contrary to customary practice.

Second, David Duncan allowed the destruction of documents to continue even after learning of the SEC’s investigation. Arthur Andersen’s destruction of documents was so massive until the subpoena was issued that it was found to be obstructing justice.

Congressional response

In the new criminal penalty provisions, Congress has made it easier to prosecute the next Arthur Andersen because prosecutors will not need to go through the cumbersome process of establishing a nexus between the document destruction and an obstruction of justice. The document destruction itself will be sufficient when there is a known investigation.

Necessity to suspend changes and deletions of documents

Every business enterprise needs to review how it implements its document retention and destruction policy. The implementation needs to be carried out regularly and consistently for the policy to withstand later scrutiny. But more important, as a result of Sarbanes-Oxley, implementation needs to be suspended immediately and effectively when legal claims arise or, perhaps even earlier, when such claims are reasonably foreseeable.

But, suspending document destruction is easier said than done. The criminal penalties apply to destruction of any “record, document, or tangible object.” Because “record” and “tangible object” are disjunctive, the implication is that the penalties apply to destruction of documents in almost any medium, including electronic files such as email and voice mail in digital form and computer or electronic documents.

Review of the information technology system and its structure

Suspending destruction of electronic documents, especially within a large business enterprise, is difficult. Most enterprises have some form of a distributive system where users have their own hard drives or other electronic write or storage devices or, even if there are central servers, where users have the right to change or delete their own files.

Accordingly, avoiding criminal penalties for document destruction must involve review of the document retention policy and its implementation and, more importantly, review of the information technology system and its structure. Enterprises should consider eliminating distributive systems where individual users have access to hard drives and other write or storage devices that are not backed up or stored centrally. The information technology officers of enterprises need to determine either how to suspend distributive rights to change or delete files or how to create a cumulative backup of those files (gathering all files saved on at least a daily basis without deleting any of those files).

Recommendations

Define documents. The policy of an enterprise must cover all documents or data that are (1) property of the enterprise, (2) in the possession of any director, partner, officer, employee or other representative, and (3) in any medium containing documents or data, including both paper and electronic. Electronic media must include not only document and other data files, but also electronic mail and voice mail in digital form. It also must include all categories of electronic storage devices, including floppy discs, hard drives, CD ROM, and magnetic tape as well as non-electronic storage forms such as microfilm or microfiche that are used by the enterprise or any of its employees or agents to develop, maintain, or transmit documents or data that are property of the enterprise.
Review the IT system. The IT system should be reviewed along with the document retention policy. The IT system evaluation must include review of all distributive rights of individual users to change or delete documents or data that are property of the enterprise. The IT officers of the enterprise should determine whether it is more practical to eliminate or reduce those distributive rights or to create a cumulative backup, without deletions, of document and data files belonging to the enterprise. At the very least, it may be necessary to eliminate individual user’s access to hard drives, floppy disks and other write or storage devices.
Define when destruction must be suspended. The policy should clearly define when document destruction is to be suspended. Because the statutory or judicial law of most states, including federal courts, creates a duty in a litigant to preserve documents relevant to the litigation or reasonably likely to constitute, or lead to, discoverable evidence, suspending destruction of documents can begin at several different points in time.

With respect to claims against the enterprise, suspension of destruction should start:

When legal process is served or commencement of such process is overtly threatened by any person asserting a claim against the enterprise, or
When legal process is served or commencement of such process is overly threatened by any adjudicative tribunal or governmental agency investigating any possible claim against the enterprise or against any person to which the enterprise may be a party.

With respect to claims by the enterprise, suspension of destruction should start:
- When legal process is considered likely or commencement of such process is threatened by the enterprise asserting a claim against another, or
- When legal process is served or commencement of such process is overtly threatened by any adjudicative tribunal or governmental agency investigating any possible claim against the enterprise.
With respect to claims involving other persons, suspension of destruction should start:
- When legal process is served or commencement of such process is overtly threatened requiring the production of testimony, documents or other evidence by the enterprise before any court or other adjudicative tribunal or governmental agency of competent jurisdiction. (The starting point for lawyers, accountants and other professionals having a duty to protect documents or other property begins when the professional learns that legal process has been served or commencement of such process has been overtly threatened asserting a claim by or against such other person or investigating any such possible claim by any adjudicative tribunal or governmental agency.)

The new criminal penalties enacted by Sarbanes-Oxley, in addition to the existing federal and state judicial and statutory penalties for document destruction, are so severe that both management and governing bodies of all enterprises should direct responsible officers or other representatives to review document retention policies and IT systems.