BEAR COGNITION, INC – RECORD RETENTION AND DESTRUCTION POLICY
Date: May 2021
The purpose of this Policy is to ensure that the Company Records of BEAR COGNITION, INC (“Company”) are correctly retained and discarded. This Policy will aid Users in understanding their obligations and the time frames for retaining Company Records, including e-mail, Web files, text files, sound and movie files, PDF documents, and Microsoft Office or other formatted files.
A. Company Record - A Company Record is one that memorializes and provides objective evidence of activities performed, events occurred, results achieved, or statements made. Records are created or received by Company in routine transaction of its business or in pursuance of its legal obligations. A record may be any media format, including electronic, paper, recordings, video, etc.
B. Systems Administrator (SysAdmin) – The SysAdmin is responsible for implementing the Company’s security and privacy controls and ensuring that the Company complies with applicable security and privacy laws, policies, and regulations as directed by management. The SysAdmin reports to the Director of Technology (DoT) on these issues and is delegated authority from the DoT to perform the tasks necessary to meet all applicable obligations. The SysAdmin must: (i) possess professional qualifications and certifications, including training and work experience, required to administer the cybersecurity functions; (ii) manage the Company’s security professionals, including the hiring and training of qualified security personnel; and (iii) assure that resources allocated to meeting security and privacy obligations are utilized in an efficient and productive manner. The SysAdmin may delegate implementation and execution of tasks referred to the SysAdmin herein to the Operations Engineer, but shall not delegate policy- or decision-making authority assigned herein.
C. Custodian – The Custodian is an operational role within a business unit, which involves certain responsibilities with regard to the safeguarding of information. To the extent that the role is defined relative to business units and information, there will likely be many individuals within the Company who assume the role of “Custodian.” In general, the Custodian of information is responsible for the processing and storage of the information and for the administration of controls as specified by the Information Owner. Responsibilities may include:
1. Providing and/or recommending physical safeguards.
2. Providing and/or recommending procedural safeguards.
3. Administering access to information.
4. Releasing information as authorized by the Information Owner, the DoT, and/or the SysAdmin for use and disclosure in a manner consistent with Company policies and using procedures designed to protect the privacy of the information.
5. Evaluating the cost effectiveness of controls.
6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the SysAdmin.
7. Promoting employee education and awareness by utilizing programs approved by the SysAdmin, where appropriate.
8. Reporting promptly to the SysAdmin the loss or misuse of Company information.
9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
D. Information Owner – The Information Owner is an operational role within a business unit, which involves certain responsibilities with regard to defining the safeguards to be applied to information. To the extent that the role is defined relative to business units and information, there will likely be many individuals within the Company who assume the role of “Information Owner” with respect to specific sets of information. In general, the Information Owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual within the Company. The Information Owner has the responsibility for:
1. Knowing the type of information for which they are responsible.
2. Determining a data retention period for the information, relying on advice from the DoT, senior management, and legal counsel.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the organizational unit.
4. Authorizing access and assigning custodianship.
5. Specifying controls and communicating the control requirements to the custodian and users of the information.
6. Reporting promptly to the SysAdmin the loss or misuse of Company information.
7. Initiating corrective actions when problems are identified.
8. Promoting employee education and awareness by utilizing programs approved by the DoT or SysAdmin, where appropriate.
9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any information system to manage information.
E. Litigation - a term to describe a court proceeding between two parties to resolve a dispute.
F. Litigation Hold - a period of time that the retention and destruction schedule for certain records has been suspended based on either actual or anticipated Litigation.
G. Non-Records - includes any documents made or acquired and preserved solely for reference or exhibition purposes; extra copies of documents preserved only for convenience of reference; stocks of publications and of processed documents; superseded manuals and other directives; materials documenting social and professional meetings; work papers and drafts of reports or correspondence; and catalogs, trade journals and other publications or papers received from government agencies, commercial firms or private institutions that require no action and are not part of an action case record.
H. Retention Schedule - the period of time a Company Record should be kept before destruction.
I. Subpoena - a court order to produce either a person for questioning and/or to produce documents for review.
J. User – A User is any person who has been authorized by the Company to read, enter, or update information. A User of information is expected to:
1. Access information only in support of their authorized duties or job responsibilities.
2. Comply with the Company’s information security program policies and procedures and with all controls established by the owner and custodian.
3. Refer all disclosures of sensitive or confidential information to persons without authority to access said information.
4. Keep personal authentication devices (e.g. passwords, tokens, PINs, etc.) confidential.
5. Report promptly to the SysAdmin the loss or misuse of Company information.
6. Initiate corrective actions when problems are identified.
This Policy applies to all Users and to all Company Records generated in the course of Company's operation, including both original documents and copies.
IV. POLICY GUIDELINES
1. All Company Records are Company property and are not the personal property of Users. All Users who create and use records and information are responsible for retaining and disposing of Company Records according to this Policy. Company Records need to be managed throughout their life cycle, from creation to final disposal.
2. The Company's DoT is responsible for the overall Record Retention Policy development within the Company. The DoT is also responsible for any updates to the Policy. Each department of the Company is responsible for implementing the policies established by the DoT.
3. Every two years, or as requested by a department, the DoT will review and update the Retention Schedules with each department.
B. Records Content
1. Company is committed to creating and retaining complete, accurate, and trustworthy records of all its business activities. Deliberately creating false or misleading records regarding the Company's activities is strictly prohibited. All records, documents, and communications pertaining to the Company's business should be thoughtfully, appropriately, and accurately worded to reflect the Company's concern for safe and ethical business practices.
2. Records will not contain language that is misleading, incomplete, inaccurate, fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, abusive, libelous, defamatory, or that violates any laws or regulations. All Company Records will be created with the specific purpose of communicating or documenting business matters. The Company expects all individuals creating Company Records to act responsibly, lawfully, and professionally in connection with their creation of Company Records.
C. Suspension of Record Disposal in Event of Litigation or Claims - Litigation Hold
1. The Company’s legal counsel will issue Litigation Holds as necessary to respond to regulatory investigations, Litigation, or Subpoenas. If a User receives a Litigation Hold Memo, the User will gather all information in the Litigation Hold request as quickly as possible and will take all necessary steps to preserve all paper documents, electronic documents, emails, Word files, Excel files, etc. subject to the hold. The documents gathered should be kept in the User’s office space separate and distinct from other documents until they are requested by Company’s legal counsel.
2. Company’s legal counsel may also direct the IT department to preserve backup tapes and other electronic storage during the term of the Litigation Hold.
D. Separation from Company
1. It is the manager’s responsibility to review a separated User’s work station and email to verify that the User is in compliance with the current Record Retention Schedule.
E. Storage of Physical Records
1. Physical records will be stored either offsite, for long term storage, or onsite, for shorter term storage.
2. Each box should include a complete inventory of the records being retained in that box. The Retention Schedules list the maximum period of time documents should be retained. For physical records, the following information should be on each box:
a. The Information Owner's name and department.
b. A valid record code/description that corresponds to the Retention Schedule.
c. A valid date for which the retention period for those records begins.
d. A valid date for destruction, in accordance with the Retention Schedule.
e. A box number and bar code, QR code, or other scannable identifier.
3. The boxes sent for storage should be appropriately labeled and [entered into Company’s cloud storage management system, when available. If Company’s cloud storage management system is not available,] a written record of each box, its Information Owner, department, retention period and destruction date should be kept by the SysAdmin. The boxes will be stored either on-site or off-site depending on the Retention Schedule. If a box is set for destruction, a notice will be sent to the Information Owner named on the box. The Information Owner should review the box's contents, verify that the retention period has been met, and verify that none of the files were placed on a Litigation Hold. If none of the files are on hold and the retention period has been met, the Information Owner shall send a response back that the box may be destroyed. If a file is on a Litigation Hold or the retention period has not been met, the Information Owner will notify Company’s legal counsel which files should be removed, or will update the retention period.
4. Boxes that are sent with “do not destroy” will be returned to the department to correct any information and to include the correct retention and destruction period. Any boxes without a box inventory will also be returned. If a box is to be kept permanently, the records must meet the specific retention schedule allowing for permanent retention.
F. Storage of Electronic Records
1. Electronic records will be stored and retained on each department’s shared drive, personal shared drive [or Company’s cloud storage management system in accordance with this policy. Documents stored in Company’s cloud storage management system will have the retention schedules applied automatically.] Users should immediately notify the Legal Department if documents that were retained are missing, so that corrective measures may be taken. Each department is responsible for requesting that IT destroy documents on their shared drive, in accordance with their Retention Schedule.
G. Destruction/Deletion of Records
1. Paper records will be destroyed by shredding or some other means that will render them unreadable.
2. All paper records older than the retention period listed in this policy will be destroyed. Electronic records will be deleted. Verification should be completed on deleted electronic records to ensure they did not get placed in the recycle bin or the deleted items folder in Outlook. The deleted files and the recycle bin should also be deleted at that time. Electronic records stored on physical media will be deleted/destroyed using electronic shredding methods.
H. User Responsibilities
1. Each User will be responsible for retaining and storing Company Records in accordance with this Record Retention Policy. Users will be provided an initial training course to acquaint them with the Record Retention Policy. Users will also be provided training on Company’s cloud storage management system, as necessary. Users will also be provided periodic updates to the policy and will be given refresher courses annually.
2. Users should not keep personal information, letters, photos, emails, documents, etc. on their Company-provided computers, laptops, smart phones or other electronic devices. Work-related documents, including training, seminar or educational materials, may be kept on the Company computer. Users are encouraged to review general Company policies, specifically the Data Governance and Classification Policy.
I. Line of Business or Department Responsibilities
1. All Information Owners and levels of management within the Company are responsible for assuring compliance with this Policy within their respective group, or function. They are responsible for ensuring that their Users know where to locate the current Records Retention Schedule; that such Schedule reflects all of their Company Records; and that hard copy and electronic files are kept, stored, or destroyed in compliance with this Policy.
V. RECORD RETENTION
A. Record Retention Schedules
1. The Company's Record Retention Schedule (the "Schedule"), attached as Exhibit A, has been created to ensure that records are kept as long as legally and operationally required and that obsolete records are disposed of in a consistent and controlled manner. The Schedule is intended to guide the Company's records management decisions and ensure that Users adhere to approved record keeping requirements. The Schedule sets forth the appropriate retention period for various types of records, based upon applicable retention obligations imposed by law as well as the operational needs and requirements of the Company.
2. The Company is committed to retaining and destroying its business records in compliance with the retention periods stated in the Schedule. The Schedule is the only official authority for the retention and destruction of Company Records.
3. The retention periods provided in the Schedule are intended to be as short as possible to minimize the volume of Company Records while still complying with legal, contractual, or operational requirements. Records should neither be kept longer than the period stated in the Schedule, nor should they be destroyed or discarded before the stated retention period expires.
4. Records must remain on the Company's premises or in other Company-approved secure storage locations. Employees will not remove records from Company premises, unless such records are being used for legitimate Company business purposes.
B. General Principle
1. Most Company Records, including correspondence, internal memoranda, PDFs, text and formatted files (Word and Excel, for example) should be retained for the same period as the document they pertain to or support. For instance, a letter pertaining to a particular contract would be retained as long as the contract (4 years after expiration). Records that support a particular project must be kept with the project and take on the retention time of that particular project file.
2. The individual who creates or originates the correspondence is considered the Information Owner and is responsible for retaining the document.
3. Company Records that do not have a specific Retention Schedule description will be discarded as follows:
a. Those pertaining to routine matters should be discarded within 6 months. Some examples include:
i. Routine letters and notes that require no acknowledgment or follow-up, such as notes of appreciation, congratulations, letters of transmittal, and plans for meetings.
ii. Letters of general inquiry and replies that complete a cycle of correspondence.
iii. Other letters of inconsequential subject matter or that definitely close correspondence to which no further reference will be necessary.
b. Please note that copies of interoffice correspondence and documents where a copy will be in the originating department file should be read and destroyed, unless that information provides reference to or direction to other documents and must be kept for project traceability.
c. All other records that do not have a specific Retention Schedule should be discarded after 2 years.
4. Voice mail: should be immediately deleted after you have listened to the message. All "old" voice mails will be deleted every two weeks. If a voice mail is threatening, it should be transcribed and a recording preserved, then sent to your supervisor or manager.
5. Instant Messages: will not be retained. Instant messages are to facilitate quick, brief conversation. Users will not use Instant Messages to record business decisions or to provide or share confidential information.
6. Electronic Calendars, Notes, or Tasks: will automatically be deleted after 12 months.
7. Databases: Databases will be kept in accordance with the appropriate schedule.
8. Web Page Files and Internet Cookies: Internet Explorer should be scheduled to delete web page files and internet cookies at least once per month; a shorter interval may be chosen by each User.
C. Conflicting Record Retention Requirements
1. When records with varying retention periods are held as a unit, the retention period for the entire unit is determined by the record having the longest requirement.
2. Whenever consideration is given to the replacement of existing systems with new computer software or hardware, the SysAdmin must be consulted beforehand regarding the migration of existing electronic records to the new system in order to ensure the continued retention and accessibility of the records. Deferring such consultations until after acquisition of the new systems can result in enormous costs to the Company.
1. Emails pose particular concerns in record management. When emails or instant messages are sent or forwarded, a record is created. The sender can easily lose control over that record. Email can be forwarded by the initial recipient to an infinite number of other recipients, each of whom can then forward it.
2. Emailing to a number of people can create copies of the record on the email server, network server, local archives and the hard drive of the sender and each recipient. From there, more copies may be saved to PDAs and home computers. Frequently, replies to emails create additional copies of the original email by incorporating it in a reply. Long email threads are commonplace.
3. Emails that are sent to a recipient at another company may exist long after this policy requires disposal of the original email. While most companies back up electronic data on some set schedule, other companies do not always retain and then dispose of backup media according to a retention plan; they may store backup media haphazardly or indefinitely. As a result, electronic records created by a User may exist somewhere long after the retention period in the Retention Schedule.
4. Each User assumes personal responsibility for each email or similar message that is sent or forwarded. Users must exercise great care and use good judgment before clicking the send or forward button to assure the accuracy of the record's contents, the propriety of authoring and sending or forwarding it to the intended recipients and the likelihood of it being copied or forwarded without the User’s knowledge or consent. Always ask these questions before clicking the button:
- Are you authorized to send this message on behalf of the Company?
- Are you able to defend the statements made in the message (under oath, in court if necessary)?
- Do all of these particular recipients have a need to receive this message?
- How would you and the Company be affected if the message and your name appeared on the front page of tomorrow's newspaper?
5. Users should take care and use good judgment when creating a new record. Promptly "file" the (sender's) copy of that record in the proper manner and location, in accordance with the relevant procedures. With respect to emails, this means moving the copy from the "sent items" folder (or similar) to a more descriptive one based on the email's particular characteristics and in accordance with the rules established under the procedures. The same steps apply to received items, which should be moved out of the "inbox" folder. Communications left in the inbox or sent items folders may be subject to automated purging on a scheduled basis.
6. Users are to communicate about Company matters only by means that are approved by the Company. In the case of electronic messages, only Company email servers and networks may be used for such communications. Users are prohibited from using personal email accounts to communicate in any manner about the business.
F. Records Destruction/Disposal
1. Company Records will not be removed, destroyed, mutilated, damaged or disposed of, in whole or in part, unless they have met the retention requirements listed in the Company's Records Retention Schedule.
2. Company Records that have been authorized for disposal will be destroyed by means that guarantee secure and complete destruction.
3. Company units destroying Company Records will complete a Certification of Destruction signed by the appropriate manager. Copies of all Certifications of Destruction will be retained permanently by the DoT.
G. Annual Compliance Review
1. On an annual basis, via conference call with remote offices or in person, the DoT will coordinate a company-wide review of records that have not been sent to long-term storage, in order to determine whether any such documents or information should be sent to long-term storage or destroyed.
2. It is the responsibility of the DoT to report to executive management on the Company's records management practices.
3. Company Users are expected to regularly destroy convenience copies of records, drafts, duplicate copies of records, and transitory records, in order to minimize management of unnecessary records.
a. Any exceptions to the destruction of Company Records must be discussed with the DoT.
b. All exceptions will be documented and retained by the DoT and with the Company Records subject to the exception.
A. Policy Compliance: Audits and Updates
1. At least annually, the Company will review this Policy to determine whether legal, tax, or business requirements warrant any amendments. The Company may at any time amend, modify, waive, or revoke all or any portion of this Policy or adopt one or more new policies in lieu of this Policy.
B. Policy Compliance: Failure to Comply
1. Any User who becomes aware of a violation of this Policy or any other Company policy should promptly report any such violations to the SysAdmin or other appropriate personnel.
C. Request for Additional Information/Interpretation
1. Any questions regarding the application of this Policy should be referred to the DoT.
A. Company will delete electronic files retained beyond the dates specified in this Policy. It is the responsibility of all Users to adhere to the guidelines specified in this Policy. Company will perform random audits of Users' computers and laptops to determine compliance. If a User is out of compliance, the manager will review the Records Retention Policy with the User, request that an acknowledgement be signed, and may require the User to pass the Records Retention Training. A User who is not in compliance will be re-audited within the three-month period immediately following the non-compliance. If the User is not in compliance a second time, the User will be subject to discipline in accordance with the Company User Handbook.
A. I have read and understand the purpose of the Company's Record Retention Policy. I have had an opportunity to discuss any questions I may have with my manager. I understand strict adherence to this Policy is a condition of my employment. If I do not understand something in this policy, I will contact the DoT immediately for clarification. I agree to abide by the Company Record Retention Policy.
Sign: ______________________ Print Name: __________________
EXHIBIT A – Retention Periods by Document Type
Accounting & Finance
Customer data, files, and records: All media including but not limited to paper, images, audiotape, videotape, magnetic disk, optical, or any other data compilation, including new technology that may now exist or will be developed in the future.
Retention Period: Customer Data shall be retained for a period of ninety (90) days following termination of the applicable customer agreement. At the conclusion of the ninety (90) day retention period, any remaining Customer Data stored on Company’s systems that has not already been deleted by the customer shall be deleted in compliance with this Policy and the terms of the applicable customer agreement. However, Company may retain Customer Data which has been aggregated or anonymized to de-identify individual data subjects in Customer’s Data, in such a manner that the aggregated or anonymized data may not be readily re-identified to Customer.