Transportation services providers are increasingly facing new technology-oriented threats in day-to-day business. Recent cyberattacks and the potential for serious disruption from threat actors have drawn the attention of the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA) in recent rulemakings and informal guidance. Data privacy, information security, and cybersecurity are top of mind for Chief Technology Officers and Chief Information Officers.
Technology drives safety, operational performance, and customer experience across the industry. This raises strategic risk management decision points beyond merely having a Document Retention Policy and following it closely. Savvy enterprises will focus on broader impacts including regulatory compliance, legal exposure based upon records held or destroyed in the event of litigation, as well as the security awareness and assessed risks essential to information technology best practices. At the core of this exercise is a key question: What information do we hold, what do we need to hold, how long should we keep it, and when should it be destroyed?
The “Schedule of Records and Periods of Retention” at Appendix A of Part 379 often serves as the basis for a company’s Document Retention Policy in the space which, in turn, structures all that a company may be deploying for information technology and security purposes. At a very high level, this “Schedule” includes the following categories and minimum preservation requirements:
- Corporate and General Records – Transportation operating authorities must be held until expiration or cancellation. Annual reports and service contracts must be held for three (3) years, except that transportation service agreements are to be held until expiration. Real estate-related documents must be held until disposition of the property. Most other corporate records such as documents of formation and minutes may be held for as long as necessary under broader best practices, such as may be required by other federal or state agencies.
- Treasury Records – Stock records and other securities, was well as their ledgers, may be generally held for as long as necessary similar to general corporate records. There are some exceptions to this rule including for long-term debt records, which must be held until redemption plus three (3) years.
- Financial and Accounting Records – General ledgers, balance sheets, cash books, vouchers, accounts receivable, and records of accounting codes or instruction must generally be held until discontinuance of use plus three (3) years. Lesser documents such as authorizations to write off receivables or aging reports may be held only one (1) year.
- Property and Equipment Records – Property records that address valuation, improvements, and depreciation must generally be held for three (3) years after disposition of the property.
- Personnel and Payroll Records – Personnel and payroll records must be held for one (1) year.
- Insurance and Claims Records – Insurance records that include policies, their schedules, and records of losses or claims must be held until expiration and then for one (1) year afterward. An exception to this general rule is for records related to specific transportation-related claims such as details of authorities issued to others for participation in claims, reports of personal injury or property damage not necessary to support a claim, or authorities for disposal of unclaimed, damaged, and refused freight. Those items must be held for three (3) years.
- Tax Records – Tax records are scheduled but not with specific time periods for preservation. These must be held for as long as necessary under broader best practices including as may be required by the Internal Revenue Service.
- Purchases and Stores Records – Most day-to-day shipping documents including bills of lading, shippers instructions, waybills, freight bills, agency records, and other core transportation documents must generally be held for one (1) year.
- Certain Other Transportation Records – Specialized transportation services or unique circumstances must observe certain other requirements in addition to the general rule of one (1) year. For example, any import and export records including those bonded freight must be held for at least two (2) years. Records of diversion or reconsignment must also be held for two (2) years. Weight tickets, their records and reports, must be held for three (3) years.
- Supporting Data for Reports and Statistics – Basic supporting data for periodic reporting of accidents, inspections, tests, hours of service, and repairs must be maintained for six (6) months. All other statistical reporting data used by the FMCSA, the STB, and the BTS must be held for three (3) years. Those items include financial, operational, and statistical items that are reported to those agencies in the ordinary course of business.
- Other Miscellaneous Records – Finally, companies are expected to produce an index of all records (such as a Document Retention Policy) that is maintained until it is updated with a new structure. Any records prematurely destroyed or lost should also be identified and that record is to be maintained for the same period as required that would otherwise apply.
The key to managing a company’s information and data is to plot a clear path forward and, fortunately for our industry, that roadmap exists – but the inquiry does not end there. These basic rules get a little more complex when you read Appendix A closely or when you recognize the other recordkeeping requirements found throughout Title 49 of the regulations. Additional targeted recordkeeping requirements also exist for specific functions and services of motor carriers. For example, 49 CFR Section 395.11 contains a list of certain “supporting documents” that a motor carrier must retain on a 24-hour basis to verify a driver’s on-duty not driving time. Similarly, drug and alcohol records must be maintained under 49 CFR Section 40.333 for periods ranging from one (1) to five (5) years, depending on the record, although electronic record storage is expressly permitted. Probably the most well-known example of another requirement outside of Appendix A are the broker-specific requirements at 49 CFR Section 371.3 which set out a three (3) year preservation rule.