By Phil Karter
In a recent TaxBlawg post, my colleague Jonathan Prokup discussed the IRS’ intention to begin requesting electronic files as part of taxpayer examinations so that it can analyze the “metadata” contained in those files. One of the concerns raised in the post, as announced in Chief Counsel Advice 201146017, was the possibility that such data in the hands of the IRS may be insecure and therefore potentially susceptible to theft by third-party hackers (which, by the way, could conceivably expose the IRS to damages for disclosure of taxpayer information under IRC § 6103). Concerns about metadata security, as highlighted in the post, are but one of a number of provocative issues arising from the explosive growth in electronic data (commonly referred to as “electronically stored information” or “ESI” in the parlance of the Federal Rules of Civil Procedure). Aldous Huxley’s Brave New World is upon us, and if your legal and IT departments are not already addressing these issues, tax executives should not be deterred from doing so. Among the issues implicated:
- Does your company have a comprehensive records retention policy in place and, even assuming that it does, can the company adequately prove its compliance with such policies if ever challenged?
- Is that policy consistent with the requirements of IRC § 6001 and Treas. Reg. § 1.6001-1 to maintain and retain books and records “so long as the contents thereof may become material in the administration of any internal revenue law”? See Reg. § 1.6001-1(e).
- Should your company attempt to negotiate a records retention limitation agreement with the IRS?
- As part of its records retention policy, can and should your company institute a corporate policy of routine metadata scrubbing for certain types of corporate documents, and would such a policy be consistent with the requirements of Sarbanes-Oxley?
A full exposition of these issues is beyond the scope of this discussion, but at least a few points are worth noting from a high-level perspective:
Effective Records Retention Policies Require Compliance Within The Organization
The passage of Sarbanes-Oxley in 2002, Pub.L. 107-204, and the e-discovery amendment of the Federal Rules of Civil Procedure in December 2006 undoubtedly have sensitized companies to the need for adequate storage and retrievability of electronic records. However, some companies’ solution to these requirements is to retain everything, which can unnecessarily add significant expenses for data storage and retrieval. Moreover, even companies that have a records retention policy providing for the controlled deletion of electronic records after a specified period of time may not implement disciplined rules that prevent individual employees from perpetuating such information on their individual computers or other forms of media. This is particularly a problem with email and email attachments because of the ease of transmittal to multiple recipients, including persons outside the organization, which can compromise privileged matters. The bottom line is that records retention policies are only as valuable as they are enforceable within the organization.
What Are IRS Records Retention Requirements For Electronically Stored Data?
For most companies, the vast majority of records (typically estimated at greater than 90%) are computer-generated. A sizable portion of such electronically generated records are never converted to paper. IRS record-keeping requirements under § 6001 permit data to be stored electronically. Under Reg. § 1.6001-1(e), records must be stored as long as they are “material,” which is generally considered to be at least as long as the statute of limitations remains open for the year to which the records apply, but may be longer in certain instances (e.g., establishing the basis of a capital asset or substantiating a LIFO inventory accounting method). Specific requirements for electronically based recordkeeping are set forth in Rev. Proc. 97-22, 1997-1 CB 652. Assuming adequate testing has established that original paper or electronic documents can be accurately reproduced, destruction of the originals is permitted. One should note, however, that the Revenue Procedure does not address the issue of access to metadata that may reside in various versions of original electronic files (particularly in document drafts), but not always in otherwise permitted backups and archives.
The Pros and Cons of Records Retention Limitation Agreements
A taxpayer may request to enter into a Record Retention Limitation Agreement, which provides for the establishment and maintenance of records as agreed upon by the District Director and the taxpayer. See generally Rev. Proc. 98-25, 1998-1 CB 689. To do so, the taxpayer must identify and describe the records the taxpayer intends not to retain and explain why they will not become material to the administration of any internal revenue law. The benefits of such agreements are that they remove the uncertainty about how long a company must maintain its records to fulfill the § 6001 requirement. The burdens are that they may precipitate an intrusive review of past records retention practices, with no assurances an agreement can be reached with the IRS. Even if a comprehensive agreement is undesirable or unattainable, agreements relating to specific areas of the company’s affairs may provide a useful alternative. For example, an Advance Pricing Agreement (“APA”) may spell out a retention policy for documents particular to the transfer pricing issues covered under the agreement. Overall, however, the trend in recent years has been away from entry into comprehensive records retention agreements, and they are generally viewed disfavorably by the IRS.
Is Metadata Scrubbing Consistent With IRS Records Retention Requirements?
Thus far, no judicial or administrative authority has addressed this question in the context of tax recordkeeping requirements. The best that can be said is that the issue is certain to attract new attention based on the policy announced in CCA 201146017. More generally, companies need to be mindful of the legal requirements to preserve ESI in native format (which includes metadata) when there exists a reasonable possibility that such data may be material to a potential litigation matter. Short of potential litigation, however, the question of whether and when to scrub metadata in the normal course of your company’s records retention policy should be a consideration for every company reviewing that policy. However, in any such review, the preservation requirements imposed on your company under Sarbanes-Oxley should always be kept in mind, particularly given that those requirements can hold company personnel liable for the nonretention of unaltered information.