Property managers and landlords often ask, "How long should I keep the files of my former commercial tenants?"
As most questions go in law, the answer is "it depends." More specifically, the length of time that a document should be kept is dependent upon the respective statute of limitations for any type of case that might be brought for a potential cause of action. Aside from any business considerations that might be independent of law, document retention is a matter of risk management. This article provides a thumbnail sketch for property managers and landlords and addresses only common documents found in a commercial tenant's file and recommendations concerning how long to keep the documents. As such, circumstances that could be considered unusual for the commercial tenant-landlord relationship might fall outside of the scope of this article.
Lease and rental application
In California, the statute of limitations on a written contract is four years. The statute of limitations on an oral contract is two years. These statutes run from the date of the breach. Since almost all rental agreements or leases are reduced to writing, landlords should keep leases and rental applications (or documentary evidence of the terms of the agreement) for four years from the date of move-out or breach.
Real estate transaction documents
A real estate broker must retain copies of all listings, deposit receipts, canceled checks, trust records and other documents in connection with real property transactions for which a real estate license is required for three years. The time period begins to run from the date of closing, or if the transaction is not consummated, from the date of listing.
In addition, a real estate broker must maintain records of funds solicited or accepted for a purchase or loan transaction where the broker obtains use or benefit of funds other than for commissions, fees, costs and expenses.
Safeguarding sensitive information
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions, defined below, to have measures in place to maintain the confidentiality and security of sensitive customer information, such as personal credit information. Financial institutions may be defined as businesses, regardless of size, that are significantly engaged in providing financial products or services, which may include landlords and/or property management companies. Determining whether a property manager or landlord falls within the scope of a financial institution is a fact-specific exercise to be carried out on a case-by-case basis.
The Safeguards Rule requires companies to develop a written information security program that describes their program to protect customer information. The plan must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. As part of its program, each company must:
1. Designate one or more employees to coordinate its information security program.
2. Identify and assess reasonably foreseeable risks to the security, confidentiality and integrity of customer information in each relevant area of the company's operation.
3. Design and implement a safeguards program, and regularly monitor and test it.
4. Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards and oversee their handling of customer information.
5. Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.
Violating the Safeguards Rule could lead to an administrative enforcement action initiated by the Federal Trade Commission. The GLBA does not provide consumers with a private right of action. However, since a violation of the GLBA may give rise to a claim under a state's unfair business practices law, consumers may be able to enforce the GLBA utilizing this mechanism.
California specifically requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure. Personal information includes any information that is capable of being associated with a particular individual using a name, signature, social security number, driver's license or state identification card number, credit card numbers or any other financial information. A violation of the California-specific provision may lead to civil liability for damages and/or civil penalties.
In 2003, the Fair Credit Reporting Act was amended with the creation of the Fair and Accurate Credit Transactions Act (FACTA). Under the umbrella of the FACTA, the Disposal Rule was implemented and became effective June 1, 2005.
Any business, large or small, that uses consumer reports (that is, a credit report) for a business purpose must properly dispose of sensitive information to prevent "unauthorized access to or use of the information." Disposal includes shredding, burning, destroying and/or pulverizing. Sensitive information is defined as data that is identifiable to an individual person and has the potential to be used, such as Social Security, driver's license, credit card and account numbers, passwords, judgments in civil cases, medical information and financial data such as credit ratings.
The Disposal Rule applies to information in paper, computer or any other format. It requires reasonable disposal measures to protect against unauthorized access to or use of the information, so that the personal information cannot be read or is incapable of being reconstructed. Discarding consumer reports in a trashcan is no longer just an irresponsible business practice -- it is now illegal.
Although the Disposal Rule applies to consumer reports and the information derived from consumer reports, the FTC encourages those who dispose of any records containing a consumer's personal or financial information to take similar protective measures.
Businesses should also conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the rule. Due diligence could include:
1. Reviewing an independent audit of a disposal company's operations and/or its compliance with this rule.
2. Obtaining information about the disposal company from several references.
3. Requiring that the disposal company be certified by a recognized trade association.
4. Reviewing and evaluating the disposal company's information security policies or procedures.
The statute indicates these suggestions are examples and are not exclusive or exhaustive methods for compliance.
It is prudent to immediately cease destruction of all potentially relevant or discoverable documents when a lawsuit or government investigation is pending or even threatened.
The two-year statute of limitations period dates from the consumer's discovery of the violation, not the date of the violation itself. However, the consumer must bring the action within five years of the date of the violation, regardless of the discovery date.
Noncompliance with the Disposal Rule may result in an action initiated by the FTC or a private cause of action, where damages may include but are not limited to actual damages, punitive damages, statutory damages up to $1,000 per violation, civil penalties, costs and attorney fees.
The statute of limitations for some IRS actions is up to seven years and, in some circumstances, there is no statute of limitations for IRS purposes. In construction defect litigation, the statute of limitations is ten years for latent defects. Please bear in mind that extensions of the limitations can occur in cases where an injured party is delayed in discovering injury, in cases of injury to persons younger than 18 years of age, and in cases of cross-complaints and indemnity claims.
Keeping the files of a former commercial tenant for a five-year period following move-out should protect a landlord or property manager in most circumstances. However, if maintaining the records for a longer period is not cost-prohibitive, it is recommended that the records be kept as long as possible. For issues that fall outside of this discussion, please consult your lawyer.
Rubin, Esq., is an associate and O'Laughlin, Esq., is a managing partner and risk-liability manager for Kimball, Tirey & St. John LLP.