You are the President and Chief Executive Officer of the Great Outdoors, a business specializing in the sale of men’s and women’s jackets, hats, gloves and camping equipment. When you originally founded the business it was a small operation with little money to invest in data security protection. In recent years, however, your company has expanded and now has stores in California, Pennsylvania, Florida, North Carolina, New Jersey, Virginia, North Dakota and Massachusetts.
Although your stores already accept all major credit cards, you recently decided to institute your own private label credit card (“Credit Program”) for use in your stores. In order for a customer to obtain one of these cards, they are required to complete a credit application which requests, among other things, their name, address, Social Security number as well as financial account and credit card information.
You have been charged with the task of drafting a document retention and destruction policy for your company. What would you include in the policy? Please explain why. Please draft a detailed policy for your company.
In addition, given the areas where your company does business, are there any particular data security safeguards your company should implement? If so, what safeguards should be implemented? Please explain why these should be implemented.
Assume your system has been hacked, exposing the last name, first name, addresses and Social Security numbers of approximately 125,000 customers. The minority owners in the company look to you for guidance. How do you respond?
Please include any relevant citations to case law or statutory authority in each of your answers.
I. Purpose
In accordance with the Sarbanes-Oxley Act, which makes it a crime to alter, cover up, falsify, or destroy any document with the intent of impeding or obstructing any official proceeding, this policy provides for the systematic review, retention, and destruction of documents received or created by The Great Outdoors in connection with the transaction of organization business. This policy covers all records and documents, regardless of physical form, and contains guidelines for how long certain documents should be kept and how records should be destroyed. The policy is designed to ensure compliance with federal and state laws and regulations, to eliminate accidental or innocent destruction of records, and to facilitate The Great Outdoors' operations by promoting efficiency and freeing up valuable storage space.
II. Document Retention
The Great Outdoors follows the document retention procedures outlined below. Documents that are not listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of time.
Annual Audits & Financial Statements: Permanent
Depreciation Schedules: Permanent
General Ledgers: Permanent
Business Expense Records: 7 Years
Invoices: 7 Years
Sales Records: 5 Years
Credit Card Receipts: 3 Years
Bank Records: Permanent
Bank Deposit Slips: 7 Years
V. Payroll and Employment Tax Records
State Unemployment Records: Permanent
Earnings Records: Permanent
Payroll Tax Returns: 7 Years
W-2 Statements: 7 Years
VI. Employee Records
Employment & Termination Agreements: Permanent
Accident Reports: 4 Years
Salary Schedules: 5 Years
Employment Applications: 3 Years
I-9 Forms: 2 Years after completion
VII. Customer Information
Customer Application: 7 Years after account close
Customer Account Number: 7 Years after account close
Customer Personal Information: 7 Years after account close
VIII. Electronic Documents and Records
Electronic documents will be retained as if they were paper documents.