Kathy Parker, CP, has been a member of Humboldt County Legal Professionals Association for 18 years, holding numerous chair and board positions. She is the current Governor and Executive Advisor, most recently sitting as president in 2012-2013. She is a certified paralegal employed in civil litigation and insurance defense at the Law Offices of Mitchell, Brisso, Delaney & Vrieze, LLP, in Eureka, California.

To Shred or Not to Shred – That is the Question by Kathy Parker, CP — Submitted by Humboldt County LPA

e have an annual “cleaning day” at our office, where the staff vaguely become aware that the numerous W and/or voluminous files that have been closed and stored upstairs during the last year have filled storage to capacity and some must either be carted to off-site storage or destroyed. The basic understood principle that ments lose their value and become readily comes to mind has always been obsolete. Keeping them indefinitely “records must be retained for seven can expose your clients to unnecessary years . . . or is it ten?” -- a vague mis- risks that can be avoided with a docu- understanding that rises to the surface ment destruction strategy. Regulatory annually when contemplating ones compliance and increased emphasis own tax records (for clarification, see: on ethical conduct and accountabil- http://www.irs.gov/Businesses/How- ity demand that you safeguard your long-should-I-keep-records). But what clients’ privacy and administrative does “records retention” mean in the records. i law office and when can documents be The United States Supreme Court shredded? That answer is not as simple determined a case that helped define as it once was considered to be, and for privacy rights relating to material dis- the purpose of this article, will basically carded as trash. (California v. Greenwood, cover the background for requirements 486 U.S. 35 (1988).) In this case, the accessible to animals, children, scaven- pertaining to retention or shredding of Supreme Court held that the Fourth gers, snoops, and other members of the data. Amendment does not prohibit the war- public (including criminals, investiga- The procedures for preservation rantless search and seizure of garbage tors, journalists, garbage collection and non-preservation of information left for collection outside the curtilage agencies, law enforcement, etc.). have become more complex due to the of a home. ii Privacy protection is experiencing a electronic age and privacy issues. Of Greenwood had thrown out informa- rebirth in legislative activity. The run- course, different kinds of documents tion in his trash that incriminated him away crime of “identity theft” is causing require different handling or retention in a crime, and the information was a groundswell of interest in the elector- periods. (For example, a client’s estate used to gain a conviction. Greenwood ate; hence, also in our state and federal plan or corporate records should be claimed that he was the victim of an politicians. “Identity theft” also has a kept in perpetuity, pending death or unlawful search and that his privacy connection to national security issues. dissolution; but a paper file containing rights had been violated. In its ruling, The concept of protecting the a lawsuit that settled a number of years the Supreme Court stated that there privacy of ordinary citizens did not ago may not need to be kept, while its could be no expectation of privacy become significant until the beginning key electronic storage may be useful for in trash left accessible to the public. future or separate litigation purposes.) The Court further stated it is common However, eventually, even legal docu- knowledge that garbage is readily Continued on page 10

a u g u s t 2 0 1 3 | 9 To Shred or Not to Shred Continued from page 9 of the information age. Problems arose physical documents; erasure or destruc- sions to be delayed if a law enforce- from increased identity theft. The tion of all electronic media; and enter- ment agency determines that it would U.S. Congress responded with acts to ing into a contract with a third party impede a criminal investigation. The protect privacy: the Social Security Act engaged in the business of information bill would require an agency, person, or of 1934; Privacy Act of 1974; Right to destruction.iii business that maintains computerized Financial Privacy Act of 1978; Health The “Comprehensive Identity Theft data including personal information Insurance Portability and Account- Protection Act” was passed in 2006. owned by another to notify the owner ability Act of 1996 (HIPAA); Economic Almost every state is also passing laws or licensee of the information of any Espionage Act of 1996 (EEA); Gramm- to protect identity and privacy, and at breach of security of the data, as speci- Leach-Bliley Act (GLBA) of 1999; Fair the federal level additional new laws fied. The bill states the intent of the Credit Reporting Act of 2001 (FCRA); are being introduced. California and Legislature to preempt all local regula- Sarbanes-Oxley Act of 2002; and the Georgia are being particularly aggres- tion of the subject matter of the bill. Fair and Accurate Credit Transactions sive, where new laws even require “self- This bill would also make a statement Act of 2003 (FACTA). These legisla- reporting” of any security incident. The of legislative findings and declarations tive acts have reinforced the overall message is clear that private and con- regarding privacy and financial secu- need for organizations to take reason- fidential information should no longer rity. able measures to safeguard private be disposed of in the trash. Thus, if you Civil Code sections 1798.80-1798.84 documents. look up “shredding laws” on the Inter- provide details pertaining to require- The 2003 FACTA expanded several net, you will find numerous shredding ments, violation, rights, and remedies.iv FCRA provisions and provides pro- businesses that provide much more The consequences for failing to main- tection for victims of identity theft detailed information regarding the tain legislative compliance include (and includes one free credit report congressional acts (see sources listed at serious fines and penalties.v per year). The Federal Trade Commis- the end of this article, as well as local So it is clear that basic steps are sion (FTC) utilizes federal law and is advertisers in your area), and offers needed to create and implement an responsible for enforcement. FACTA for professional shredding services are effective document retention policy is a federal law designed to minimize prolific. (a whole separate magazine article in the risk of identity theft and consumer Existing law requires a business to itself). The reader here should utilize fraud by enforcing the proper destruc- take all reasonable steps to destroy a research tools available to effectu- tion of consumer information. The FTC customer’s records containing personal ate a well-designed policy that ceases developed the Disposal Rule in Novem- information when the business will document destruction upon notice of ber 2004 to further implement the poli- no longer retain those records. The a pending lawsuit or governmental cies set forth in FACTA. The Disposal existing laws provide civil remedies for investigation, as well as utilizing Gov- Rule applies to businesses that utilize violations of these provisions. Califor- ernment Code requirements for specific consumer information; however it nia Senate Bill 1386 was introduced in retention periods, depending upon the affects every person and business in July 2003 and was the first attempt by a type of entity, or department within the the United States. The Disposal Rule state legislature to address the prob- entity, for which the document reten- requires disposal practices that are lem of identity theft. In short, the bill tion policy is needed. reasonable and appropriate to prevent introduces stiff disclosure requirements While paper shredding can elicit the unauthorized access to – or use of – for businesses and government agencies information in a consumer report. images of obstruction of justice a lá that experience security breaches that Enron, with today’s technological The FACTA Disposal Rule, effective might contain the personal information advances and the information-sharing June 1, 2005, states that “any person of California residents. It is expected electronic age, the majority of informa- who maintains or otherwise possesses that many organizations in the United tion is now generated electronically, consumer information for a busi- States (and possibly worldwide) are and 60 to 70 percent of all documents ness purpose” is required to dispose now subject to these requirements. are never printed. Hence, discovery of discarded consumer information, SB 1386 comes with the biggest of electronic information is also criti- whether in electronic or paper form. recrimination, allowing for civil ligation cal in litigation today. The California The Disposal Rule further clarifies the against businesses that don’t comply. If state courts, as well as federal courts, definition of compliance as “taking you fail to disclose computer security allow discovery of information stored reasonable measures to protect against breaches, you become liable for civil electronically. Revisions to the Federal unauthorized access to or use of the damages and may face a class action Rules of Civil Procedure to incorpo- information in connection with its dis- lawsuit. However, the bill permits rate electronic discovery continue to posal.” “Reasonable measures” include notifications required by its provi- be updated. It is assumed that state burning, pulverizing, or shredding

1 0 | T H E L E g a L S ECRE TA RY court judges will utilize federal rules to ally be destroyed. By not adhering to a destruction of evidence may have sig- some degree for guidance when dealing program of routinely destroying stored nificant ramifications in litigation. with issues pertaining to discovery of records, a company exhibits suspi- Endnotes: electronic evidence. But, getting back cious disposal practices that could be i. http://www.shredit.com/Legal-shredding- to best practices for retention or shred- negatively construed in the event of service.aspx ding: Many businesses have adopted litigation or audit. Also, Federal Rule ii. http://en.wikipedia.org/wiki/California_v._ retention polices that require routine 26 regarding disclosure requires that, in Greenwood destruction of documents or informa- the event of a lawsuit, each party pro- iii. http://www.stopandshred.com/govern- tion after a certain lapse of time. Under vide all relevant records to the oppos- ment_regulations.php; Stop and Shred Document Shredding Service FRCP 37(f), absent exceptional cir- ing counsel on a deadline. If either of iv. http://www.goshredex.com/california- cumstances, a court may not impose the litigants does not fulfill this obliga- shredding-laws-senate-bill-1386.php sanctions under these rules on a party tion, it will result in a summary finding v. http://www.proshred.com/current-privacy- for failing to provide electronically against them. By destroying records legislation; ProShred Security stored information lost as a result of the according to a set schedule, a com- vi. http://www.shrednations.com/articles/ routine operation of such a procedure. pany appropriately limits the amount Shredding-Compliance.php; Shred Nations Because technology is changing of materials it must search through Other sources used: so quickly, new questions and issues to comply with this law. If a party 1.) Risk Management – Record Retention Poli- continue to arise. The best policy is makes a discovery request, the other cies – Electronic Data Changing the Way party has a duty to diligently search for the Game is Played; July 2012, by Mark C. to have a policy that protects identity Russell, GORDON & REES; and privacy while regularly monitoring documents in its custody responsive to http://www.gordonrees.com/publications/ the status of files and data, as well as the request. (Code of Civil Procedure viewPublication.cfm?contentID=2729. continuing to monitor how the courts §2031.280(a).) And fewer necessary 2.) Lexis Nexis notes re document retention: use their inherent power to manage documents mean less expensive time- http://www.lexisnexis.com/applieddiscov- consuming search and production. ery/lawlibrary/whitePapers/ADI_WP_Ele- discovery and address issues as they mentsOfAGoodDocRetentionPolicy.pdf; by come up. vi It is permissible to destroy docu- Timothy R. Sullivan of McLaughlin Sullivan Without a program to control it, the ments, including deleting computer LLP daily trash of every business contains files and shredding documents, unless 3.) http://www.fresnocountybar.org/files/ at the time of the destruction there SELF-TEST-NewElectronicDiscovery- information that could be harmful. Rules2.doc This information is especially useful was a duty to preserve them. A docu- LS to competitors because it contains the ment retention policy can be critical details of current activities. Discarded in positioning a business to effectively daily records include phone messages, and efficiently defend against future memos, misprinted forms, drafts of lawsuits, while allowing it to justifiably bids, and drafts of correspondence. dispose of unneeded documents while All businesses suffer potential expo- managing only necessary documents. sure due to the need to discard these Such a retention policy also holds down incidental business records. The only litigation costs. means of minimizing this exposure is to From a risk management perspec- make sure such information is securely tive, the acceptable method of dis- collected and destroyed. carding stored records is to destroy Again, while paper documents them by a method that ensures that remain the most visible and tangible the information is obliterated, and information that must be dealt with, documenting the exact date that a they are not the only format where record is destroyed is a prudent and your confidential information is stored. recommended legal precaution. For Keep in mind that data is contained on various important reasons, the choice all types of information storage: paper, of recycling as a means of information x-rays, checks, promotions, cardboard, destruction is undesirable from a risk signage, binders, files, photographs, management perspective. CDs, DVDs, hard drives and back-ups, Every business entity, not just a portable drives, computers, videotapes, law office, needs to have and enforce prototypes, and the list goes on. an appropriate document and data Once a business no longer needs retention or destruction policy. The a document and its retention is not nature of that policy, its enforcement, otherwise required, it should gener- and/or non-usage of the policy to avoid

a u g u s t 2 0 1 3 | 1 1