With small businesses making up 99.7% of all U.S. businesses, it’s not surprising that 43% of cyber-attacks target SMBs. While large corporations often seem to rebound from breaches and cyber-attacks, small businesses aren’t always as fortunate. A recent Ponemon Institute report showed that 50% of the SMBs surveyed had experienced a breach within the last year, and 32% of those businesses were unaware of the root cause of the breach.

Records and information management is an evolving process, one that must continually adapt to new threats and security protocols. In the past, many companies’ document retention policies mandated keeping information indefinitely to ensure it was available in case of an audit, litigation, or other emergencies. However, outdated paperwork and data increase your risk of a potential breach. To protect their businesses, employees, clients, and vendors, SMBs should take a “less is more” approach when it comes to records and information management.

Document Retention: The Risk of Letting Your Documents Pile Up

Organizations that save documents past their retention end date not only increase the risk of a data breach but also risk non-compliance with government and industry regulations, potentially resulting in penalties, fines, and legal issues.

Starting with a strategic record and information management (RIM) policy can help small businesses create, manage and destroy documents more securely and efficiently. A records manager can establish document retention guidelines, helping you understand which documents you need to retain, and for how long, as well as set up a system that automatically sorts document types into the appropriate retention cycle. A digital RIM solution should notify you when a record’s retention period is over and the document is ready for destruction. Once a file is ready for disposal, a third-party document management partner can help you securely shred or destroy all sensitive documents and media to minimize risk.

The Essential SMB Document Retention and Destruction Policy

While there are some documents your small business may need to securely store for an indefinite period, there are others you may be holding on to for too long.

Old Tax Records

The IRS has set some standard retention recommendations for small business tax records. However, the exact length of time you’ll need to keep a document may vary from industry to industry, as well as from one record type to another. This can range anywhere from 2 to 7 years, and sometimes longer.

When defining your document retention buckets, be sure to consider the following record types:

  • Business income tax returns and supporting documents
  • Employee tax records
  • Business asset records

Make a habit of cleaning out expired paperwork before adding tax records from the current year. The key is developing a document retention and destruction policy that you can successfully implement. Not only will regular cleaning improve security, but you will also benefit from reclaimed usable space within your office.

Old Records of Employment

Records of employment contain sensitive data that you’re expected to protect, including social security numbers, email addresses, and health information. Companies that keep employee records past their retention date risk a breach of personally identifiable information (PII).

For most human resource files, employers should retain the records for as long as an employee is working at the company and up to seven years after they have left or are terminated. For individuals who applied for a job but were never hired, information should generally be kept for a minimum of three years. These records include:

  • Applications, resumes, and verification documents
  • Payroll and benefits selections
  • Performance management reports
  • Training and development records
  • Certifications, licenses, and credentials
  • Retirement and termination documents

If you have questions about any of your old employment documents, including any employee benefit plans, speak with your attorney or information governance professional. Laws may also differ from state to state. Once you have confirmed which files you need to keep, organize them before destroying the rest.

Old Emails, Texts, and Other Digital Communication

Digital communication tends to reign supreme these days. This means that employees, customers, managers, and even investors are communicating more often via email, social media, and even messaging apps. No sensitive information should be shared this way.

Taking a proactive approach helps you stop a security breach before it begins. Consider investing in secure, digital records and information management (RIM) platform that will allow you to share files with ease and greater peace of mind. Once you invest in a RIM platform, it’s important to convert all files that were once shared via email and securely destroy all irrelevant or outdated information.

How to Dispose of Expired Records Securely

Once you’ve identified all the documentation that your organization no longer needs, it’s time to dispose of the information. A RIM solution should be able to securely destroy all digital communication records that reach the end of their retention period. A RIM partner can help you securely shred your outdated physical records, computer hard drives, and electronic media while complying with government regulations, including HIPAA, FACTA, FERPA, GLBA, and the Federal Privacy Act.