For the Manager: Are your record retention guidelines complete?

A lot of insurance agents are helping enrich plaintiffs’ attorneys by maintaining poor record retention guidelines and catastrophe planning procedures. The E&O exposures related to these issues are significant and growing, although many agency owners simply ignore that they exist. These two risks are far removed from the excitement of sales, so some owners are bored by them–just like they’re bored by good IT management, which is another important key, as we’ll find out below. This willful ignorance can carry a steep price.

Record retentionGood record retention loss control is all about consistency. Unfortunately, more than 90 percent of agencies I visit are consistent in the wrong direction–consistently mistaken or lax about their record retention policies. Two of the most common errors are using different policies for paper and electronic records, and keeping records for the wrong length of time.Most often, agents keep paper records for a defined period, such as three, five or seven years. Meanwhile, electronic records are kept “forever.” Record retention policies must consistently address all records regardless of media, whether paper or electronic.

State and federal record retention laws say nothing about paper records being kept X years and electronic records being kept Y years. The exposure for an agent is being accused of destroying key evidence in the paper file while maintaining a sanitized electronic version. For example, suppose you’re in a deposition and the proceedings go something like this:Attorney: “So why do you keep electronic records forever, but paper records for only five years?”Agent: “Because electronic records don’t take up space.”Attorney: “Is the data in the paper records exactly the same as the data in the electronic records?”Agent: “Almost. We keep some data in the paper records that we may not scan.”Attorney: “So you’re saying you keep incriminating evidence in the paper files that you destroy, and only keep the sanitized version in your database, correct?”Doesn’t sound like a situation you’d like to be in, does it? Many agencies state they keep records for five years, period. That’s what their attorney advised, and as long as the attorney has his own E&O policy and the agency has that advice in writing, the agency may eventually recover its losses if something goes wrong. A better idea is to simply do it right the first time.The problem is that all records are not equal. By law, some records need to be kept much less time than others and then destroyed. Some company contracts dictate how long their records must be kept. Some federal laws apply even though insurance is supposedly state-regulated. For example, HIPAA and GLB are federal laws that apply to all insurance agents. Agents who keep all records at least five years carte blanche are likely violating these laws if they’re selling L&H.Catastrophe planningRecord retention is not simple. Additionally, every agency needs special retention guidelines specific to lawsuits and catastrophes. This complexity requires solid data management tools. For this reason, highly organized and effective automation management is critical.Most agents think of a catastrophe plan as dealing only with hurricanes, floods, fires and tornadoes, but strange as it may sound, these hazards can be minor compared to an IT disaster–and an IT disaster can strike in a myriad of ways at literally any moment.Consider a headline in the spring 2007 edition of Disaster Recovery Journal that read, “E-Mail is Down and You’re Out of Compliance!” Lack of e-mail can easily create a variety of exposures as people use alternative systems until the agency’s system is restored. For example, e-mails sent outside the agency’s system may not include the proper disclaimers. Those e-mails may also not be retained properly, which may lead to a crisis during legal discovery if the agency cannot properly and efficiently locate appropriate e-mails and documentation.A catastrophe plan should also deal with phone outages for the same reasons. The plan should consider a server being hijacked by spammers and even the physical loss of a server to thieves. (I’ve seen this happen!)A catastrophe can be triggered by data theft, too. Most agencies have attempted to address data security, but extremely few have a plan for what happens should their IT security fail. Few agencies have had their security tested or professionally evaluated. Major corporations, universities and government entities spend far more on IT security than almost any insurance agency, and yet their data is still sometimes compromised. If hackers can break the big boys, how can you be sure your agency’s data won’t be an easy target?Catastrophes lead to E&O claims and E&O claims lead to record retention issues. Attorneys today are winning suits not by proving the agency actually did anything wrong, but merely by showing it failed to maintain adequate record retention policies. Moreover, record keeping tends to falter during catastrophes, making a truly comprehensive catastrophe plan a necessity.Are your agency’s record retention policies correct and complete? How about your catastrophe plan? Unless you answered yes to both questions, I suggest making these issues a priority in your agency.Chris Burand is president of Burand & Associates LLC, an agency consulting firm. Readers may contact Chris at 719-485-3868 or by e-mail at [email protected].