Tom Cedoz

Framework · Cross-practice

Records Retention: A Schedule That Survives Litigation

A retention schedule does two jobs at once: it keeps what the law and the business require, and it routinely destroys the rest. The second job is what saves money and lowers risk — but only if the destruction is consistent, documented, and stops cold the moment a duty to preserve attaches.

Updated June 2026· 7 steps· Prints to 2 pages

Why a schedule, and why it has to be followed

Most organizations keep too much, in too many places, for too long. A records-retention schedule fixes that by setting, in advance, how long each category of record is kept and when it is routinely destroyed. Done well, it cuts storage cost, shrinks the data that has to be searched in every future case, and limits exposure to records that have outlived any business or legal purpose.

The catch is that a schedule earns its value only by being followed. Routine, documented destruction under a real policy is defensible. Destruction that is selective, ad hoc, or conveniently timed looks like spoliation — and the second a lawsuit becomes reasonably foreseeable, the schedule stops and a litigation hold takes over. The framework below builds a program that holds up on all three fronts.

  1. Inventory the record types — and the systems that hold them.

    You cannot retain or dispose of what you have not mapped. Catalog records by category and, critically, by where they live. A single record type often sits in several systems at once, and the forgotten copy is the one that surfaces in discovery.

    Walk the full landscape: email, shared and personal drives, the ERP and HR systems of record, finance and accounting platforms, chat and collaboration tools (Slack, Teams), text messages including those on personal phones, cloud SaaS apps adopted by individual departments, and structured databases. Note who owns each system and what its current auto-deletion settings are.

  2. Map the legal retention requirements onto each category.

    Retention periods are driven by statute, regulation, and limitations exposure — and they vary by jurisdiction and by record type, and change over time. Treat the table below as a prompt to confirm the current rule, not as a schedule to adopt. The categories that most often trip organizations up:

    • Tax and financial. Returns, supporting records, and ledgers, keyed to the applicable assessment and limitations periods.
    • Employment. I-9s, payroll and wage-hour records (FLSA), FMLA documentation, OSHA injury and illness logs, EEO and applicant data, and benefits/ERISA files — each carries its own clock, and several run from a triggering event rather than a calendar year.
    • Industry-specific. Healthcare records and HIPAA obligations; DOT driver-qualification, hours-of-service, and drug-and-alcohol-testing records in transportation; environmental, safety, and sector regulators elsewhere.
    • Corporate and contract. Formation and governance records, board minutes, and equity records (often permanent), plus contracts kept for the life of the agreement plus the limitations tail that follows performance.
  3. Set a retention period for every category — including a default.

    Assign each category a period tied to the longest applicable legal, regulatory, or limitations requirement, plus a defined business need where one genuinely exists. Give every record an owner. Anything that fits no category should fall to a stated default rather than living forever by accident; “keep everything” is not a policy, it is the absence of one, and it raises cost and risk in every future matter.

  4. Destroy on schedule — consistently, and on the record.

    This is the step that does the protective work. Run disposition on a routine cadence, apply it uniformly across like records, and document what was destroyed, when, and under what rule. A destruction log is not bureaucracy; it is the evidence that a given record vanished through normal operations rather than to bury something.

    The failure mode to avoid is the inconsistent purge — some records of a type destroyed, others kept, no documented basis for the difference. That pattern is what turns routine disposal into an argument for spoliation, regardless of intent.

  5. Wire the litigation hold directly into the schedule.

    The duty to preserve attaches when litigation is reasonably foreseeable — usually earlier than teams expect, and well before anything is filed. When it attaches, routine destruction of potentially relevant records must stop immediately for the affected custodians and systems, overriding the schedule until the matter resolves and the hold is released. Build the override in, so the question is never whether someone remembered to flip it off. (See the companion Litigation Hold: Trigger to Release for scoping, notice, and release.)

  6. Account for modern and ephemeral data.

    The hardest data to govern is the data that deletes itself or lives off your systems. Decide policy deliberately, in writing:

    • Ephemeral and auto-deleting messaging. Disappearing-message settings in chat and messaging apps can create preservation problems the moment a hold attaches; many organizations disable auto-delete for business communications by default.
    • Collaboration platforms. Slack, Teams, and similar tools have their own retention controls, and several purge messages after a short default window unless an administrator changes the setting — confirm the current configuration for each tool.
    • BYOD and text messages. If business is run by text on personal devices, those messages are likely subject to both retention obligations and preservation duties — awkward to capture, but not optional.
  7. Govern and audit the program.

    A schedule is a living document. Assign clear ownership across legal, IT/records, HR, and finance; train the people who actually create and delete records; and audit periodically — confirm that disposition is running as written, that hold overrides function, and that new systems and SaaS tools have been added to the inventory. Update the schedule when laws, systems, or the business change, and keep prior versions so you can show what rule was in force at any given time.

Record categories: a starting checklist

Use this to confirm you have a defined, owned retention period for each category. The periods are the most variable part of any schedule — confirm each against the current rule in your jurisdiction.

The three jobs, side by side

FunctionWhat it requires
Keep what’s requiredRetain each category for the longest applicable legal, regulatory, or limitations period, plus genuine business need. Confirm periods against current law.
Dispose of the restDestroy routinely, uniformly, and on a documented cadence. Default anything uncategorized rather than keeping it forever.
Preserve on triggerStop disposal for relevant custodians and systems the moment a duty to preserve attaches. The hold overrides the schedule until release.
The thing behind the thing

A retention policy’s entire value in litigation comes from being followed. Destroying records on a consistent, documented schedule is defensible — even helpful. Destroying them once you sense a lawsuit is coming is spoliation. The line between the two is not the deletion; it is the timing and the paper trail.