Start Your FREE Membership NOW
 Discover Proven Ways to Be a Better Law Office Manager
 Get Our Weekly eNewsletter, Law Office Manager Bulletin,
    and MUCH MORE
 Absolutely NO Risk or Obligation on Your Part -- It's FREE!

Upgrade to Premium Membership NOW for Just $90!
Get 3 Months of Full Premium Membership Access
Includes Our Monthly Newsletter, Office Toolbox, Policy Center, and Archives

Keeping the records long enough . . . but not too long

Do you know how long you are required to keep the firm’s tax records? How about any reports of on-the-job injuries? And what about e-mails? Here’s a summary of what you need to keep and for how long.

Record retention raises questions in almost all offices. And because of the uncertainty, offices tend to hang onto records far too long, says attorney and record management expert Donald S. Skupsky, JD, CRM.

Skupsky is president and CEO of Information Requirements Clearinghouse in Denver, which provides consulting services as well as software and publications on the legal requirements of recordkeeping. Here he outlines what to keep and for how long and why.

The business

Tax records

What are tax records? Skupsky defines them as everything that supports the return, such as records of income, expenses, property, and investments.

The old opinion was that those records had to be kept for seven years. But there was never such a rule, he says. “Somebody made that up and passed the rumor around.”

The IRS doesn’t say how long to keep tax records, and neither do most states. Instead, they say how long they can audit a taxpayer after the return is filed.

For the IRS, that’s three years after the date of filing or the due date, whichever is later. So if the office filed a return in February 2013 that was due in March 2013, the government has until March 2016 to audit it—no more.

To make it easy, his advice is to track the years instead of the months. Treat the records as if they were created on the last day of the year. And count the filing year as a full year. That essentially gives a very safe four-year retention period—if a return was filed any time in 2013, consider it subject to an IRS audit until January 2018.

Most states also follow the three-year rule. But not all. Arkansas, Maine, Michigan, and Arizona, for example, can audit for as long as six years after the end of the fiscal year of filing, so firms doing business in those states need to keep their records for six years from the end of the fiscal year, not from the time the return is filed.

The same is true for any firm that operates in all 50 states. Keep them for six years from the end of the fiscal year.

One more item to consider is state audits following IRS audits.

If there is an IRS audit, hold on to the record for a year after it’s completed. Once the federal audit is done, the state can resolve its own tax issues—whether to collect more money or give a refund. And most states have a year to do that.

He adds that with tax records, people are guilty until proved innocent. The IRS usually knows their incomes but not their deductions. So if there’s no documentation to support the deductions, they lose.

Corporate records

Keep the articles of incorporation and the minutes only as long as the corporation is active.

After that, keep them for a few years. There’s no law requiring that, but a corporation needs to be able to refer to its official position on any issue.

Keep the correspondence and administrative records for no more than one year. And chronological correspondence files have no use at all and should be destroyed.

Internal records

Internal records such as budget projections and revenue analyses don’t need to be kept at all. Hold on to them only as long as the firm needs them.

For many years, businesses kept them forever, Skupsky says. But as the paper mounted up, companies came to realize there’s no requirement to keep them, and after about three years, they’re useless.

Like any records with no legal retention requirement, “they are candidates for short retention or immediate destruction.”


The governing factor here is the state’s statute of limitations for suing on a contract.

Though it has been longer in the past, “the longest statute of limitations on contracts is now 15 years,” he says. That means the firm can get sued 15 years after a violation of the contract terms.

Even so, only a few states carry it out that long. Some have 10-year limits. But most limit it to six years or less.

So depending on state law, keep contracts while they are active plus the amount of time set out by the state statute of limitations.

An exception: government contracts such as grants follow a slightly different schedule. The government has three years after the final payment to audit what was done and verify that the costs were calculated correctly. So keep those contracts plus the accounting records for three years after the final payment.

The employees

Employment records

Records on hiring, firing, reviews, promotions, and demotions have to be kept for six years at most.

The firm will have to produce them if there’s a discrimination suit, and in most states, the limit for filing that type of suit is three years.

In large organizations, however, paper files can stymie that. The records become voluminous to the point that it’s usually not practical to get into them and destroy what’s unnecessary. Neither is it practical to have staff purge them, because there’s too great a risk of mistake. Thus, many employers “end up keeping those records indefinitely.”

But where it’s possible, get rid of them after six years.

Retirement plan records

There’s misconception here, Skupsky says. Employers tend to think that because a retirement plan pays the employee for life, the records have to be maintained for the same amount of time. But that’s not correct.

In a defined contribution plan such as a 401k where employer and employee contribute, the record can be kept for a shorter time. That’s because the Employee Retirement Income Security Act, or ERISA, gives an employee only three years to sue and get the contribution amounts corrected. Some other laws extend the retention requirement, but only to six years.

Old-style pension plans, where someone works a certain number of years and then is paid a certain amount for life, follow a different schedule, albeit not a long one.

Those plans have defined benefits as opposed to defined contributions, and the normal practice is to keep the records for six years after the employment ends. At that point, the employment information is irrelevant for determining the value of the payout.

Regardless of the type of plan, the employer has a fiduciary responsibility to protect the money and therefore has to be able to show the contribution amounts and how the money has been invested. But even there, the limit is six years. With both federal and state law, an employee has no more than six years to sue for losses in a retirement plan.

A caution, however: the office needs to keep a summary of the information indefinitely. That includes the amount contributed and the accumulated value, but not how the money was invested.

Social Security

Social Security often brings a surprise. Most employers don’t realize that those records only have to be kept for three years.

If there’s a mistake and contributions are not credited, the employee has just three years to correct it. No more. So there’s no need to keep the records longer than that.

And to make sure employees get the correct amount, he recommends telling them to check their benefit amounts each year with the Social Security Administration.

Worker’s Compensation

Keep the records of on-the-job injuries indefinitely.

A Worker’s Comp claim can appear at any time, because the effects of an injury may not show up for many years. Or an injury might be treated and considered a finished matter only to recur years later.

OSHA requires keeping the medical records for 30 years after the employment ends, but even that’s not long enough, he says, because a disease may not manifest until after that. Asbestos exposure is an example. Destroy injury records only in a batch and not until there’s no conceivable need for them, perhaps records prior to 1965.

The technology

The Cloud

With the Cloud, Skupsky’s advice is don’t use it as a back-up.

Once information is in the Cloud, the firm “has no idea what’s going on with it.” Neither does it have any control over who accesses it.

Yes, the contract may say the Cloud vendor will not voluntarily give up the information. But if the vendor’s records get subpoenaed by the government, the government will have access to all that information, and the firm will have no say in the matter.

By contrast, if the records are in the firm’s hands, there’s some amount of control. It can at least appeal the subpoena.


E-mail poses four points to be aware of, Skupsky says.

First, an e-mail “is not a record unto itself.” More, an e-mail system “is not a record management system or a filing system, though it’s been treated that way for the last decade.”

Record retention doesn’t apply at all to individual e-mails or to the e-mail system. What counts is the records within the system. Those need to be taken out and put into the retention system.

Second, be watchful of the creation of e-mail contracts.

Anything agreed to by e-mail “is a written contract.” For example, an e-mailed offer of “I’ll paint your fence for $50” with a response agreeing to it is a contract.

And that applies even when an employee agrees to something with a vendor that the administrator doesn’t know about. It’s a contract. And the entire sequence of messages needs to be moved to the purchasing file.

Third, don’t let any information that needs to be saved languish in somebody’s personal e-mail. Sitting there, “nobody else knows it exists,” and it’s all but lost. What’s more, if the e-mail user quits, there’s no way anybody can find it.

And fourth, destroy any e-mail message (minus its attachments) within 30 days, “and 60 days at the longest.”

One reason is to save back-up space. Most e-mails are no more than “let’s do lunch” or “here’s a comment on that.” And those little messages mount up.

But the key reason is litigation.

If an organization gets involved in litigation, all its e-mails can be subpoenaed. And because they are often written quickly and informally, “a skillful attorney can interpret them to mean almost anything.”

That happens often in discrimination claims, he says. A record subpoena comes in, the employer has e-mails that aren’t actual records and that should have been destroyed long ago, and they make the office look bad.

Personal computers

Then there’s the work information people put on their personal computers and smartphones.

That’s the firm’s information, and the firm can set rules on how it has to be managed.

Any office that does allow people to use work-related information on PCs or smartphones needs to set a policy that it can seize those computers and phones at any time. Also be aware that in litigation, they can be subpoenaed by the other side.

Even better, make it a rule that employees working offsite cannot put any office information at all on their PCs and phones but instead have to log onto the central system and do the work there.

And for people who telecommute, use dumb terminals, or terminals that connect only to the central system and have no intelligence themselves.

Airlines and banks use dumb terminals for most data input he says. It’s the only way to keep control of the information.

Social media and the website

Another issue technology has brought about is information people send out on social media such as Facebook, LinkedIn, and Twitter.

And the main issue is contracts.

Any marketing or advertising information that gets sent out “creates a bond with the viewer,” Skupsky says. And if the viewer relies on that information to make a decision, “it’s a quasi-contract.”

For that reason, the content needs to be treated as contractual and retained for six years or whatever state law requires.

Do what very few companies have done and set up controls on what web and social media information has to be stored and for how long, he says. Otherwise, what happens if the firm is required to produce information on the content that appeared on the site Feb. 5, 2012? “A lot of companies don’t know how to call that up.”

Whether social media or website, marketing and advertising “make representations that entice people to do business,” he explains. True, nobody actually signs anything, but the information has the effect of bringing two parties together.

If someone relies on a representation the firm puts out and is damaged as a result, the firm is wide open to a law suit. And it will likely lose. “If it made a representation, how can it say it’s not true?”

Backup tapes

Finally, there are the backups.

For years, IT people “have been proud of themselves for backing up everything just in case,” Skupsky says. “They could report that an executive was looking for a memo and they had it on a backup tape and saved the day.”

But from a record-keeping and legal standpoint, backing up absolutely everything creates problems.

On the administrative side are the time and money required. He cites one company where the content was so voluminous that it took 27 hours to do a backup of each 24-hour period.

On the legal side, blind back-ups can be disastrous. In one case, a company’s backup tapes were subpoenaed, and it turned out that the company had backed up its e-mail server for the past 18 months, and there were more than 400 tapes.

The company had to pay nearly $250,000 to restore the information and produce it.

The sole purpose of backups is to get the office operational the next day following a disaster. And to do that, the most any office needs to keep is a month’s worth.

Related reading:
How long should you keep client and practice records?
8 signs your firm needs an operations analysis
The ethics of refusing business and parting company with a client









Try Premium Membership