Record Retention and Sarbanes-Oxley
Sarbanes-Oxley is not just for public companies, as the law states that all entities must have a records-retention policy in place. Read this article on why avoiding Sarbanes-Oxley is a risk you just might not want to take.
Chances are, if you work for a private company, you don’t think about the Sarbanes-Oxley Act of 2002 very often. It applies to publicly traded companies, right? Well, yes — the provisions that evoke the most comment and criticism apply to public companies. But there are other sections that apply across the board, according to a National Law Journal article published at law.com.
Robert D. Brownstone, Catherine Kevane and J. Carlos Orellana say any organization - public, private, large, small - that ignores sections 802 and 1102 of Sarbanes-Oxley does so at its own risk. Here’s why:
These provisions impose substantial criminal penalties on any individual or entity — public or private — for destruction of evidence or obstruction of justice regarding any actual or “contemplated” federal investigation, matter or official proceeding.
If you’ll recall, we covered this issue in passing a little more than a year ago when a Greenwich attormey was charged under Sarbanes-Oxley with destroying evidence in a child pornography case. I wasn't sure then how these provisions were relevant or that they were intended to be applied in this way, but as Brownstone, et al., point out, the fact is the courts have allowed them to be applied that way and now there's precedent.
Between these provisions, the case law and amendments to the Federal Rules of Civil Procedure concerning discovery of electronic records, the writers say, it is imperative that companies ensure that their record-retention policies and processes incorporate litigation holds.
So what should a litigation hold policy look like?
A litigation hold on records should be imposed when you know of or can reasonably anticipate a legal proceeding in which the records might be necessary or when you know or reasonably anticipate that the government will assert the right to access the information. In ideal situations, a single person from legal will make decisions about when litigation holds should be imposed. When that is not possible, the decision should be made by a very small group of people.
Brownstone, Kevane and Orellana also suggest the policy should provide for:
Source: Free Articles from ArticlesFactory.com
ABOUT THE AUTHOR
Lora is an attorney and journalist who covers regulatory and legislative issues for IT Business Edge's Managing Compliance Standards weekly report. Read her Sarbox Survival Guide blog discussing audit and governance steps to manage the compliance maze and actually improve the business.