The Short Answer: It Depends
Every organization generates records, and every record has a lifecycle. The challenge is that no single rule governs how long you need to keep everything. Federal agencies, state governments, and industry regulators each impose their own retention requirements—and they don't always agree. Keeping records too long wastes money and increases liability. Destroying them too early can result in fines, failed audits, and legal exposure.
A well-designed records retention policy eliminates the guesswork. Below is a practical overview of the most common retention timelines to help you evaluate where your organization stands.
Tax and Financial Records
The IRS generally requires businesses to keep tax records for 3 years from the date the return was filed. However, there are important exceptions:
- 6 years — If you underreported income by more than 25%
- 7 years — If you claimed a loss from worthless securities or bad debt
- Indefinitely — If you filed a fraudulent return or failed to file
Supporting documents—receipts, invoices, bank statements, and canceled checks—should be kept for the same period as the return they support. Many organizations default to a 7-year retention period for all financial records to cover the longest standard IRS look-back window.
Employee and HR Records
Employment records carry some of the most complex retention requirements because they're governed by multiple federal agencies simultaneously:
- Payroll records: 3 years (Fair Labor Standards Act)
- Tax withholding records (W-4s): 4 years after the tax is due or paid
- Hiring records (applications, resumes, interview notes): 1 year from the date of the hiring decision (EEOC)
- I-9 forms: 3 years after hire date or 1 year after termination, whichever is later
- OSHA injury/illness logs: 5 years following the year of the record
- FMLA records: 3 years
- Pension and benefit plan records: 6 years (ERISA)
Many employers retain the complete personnel file for 7 years after termination as a safe harbor that covers the majority of federal and state requirements. State laws can extend these periods further—always check your state's specific statutes.
Contracts and Legal Documents
Contracts should generally be retained for the duration of the agreement plus the applicable statute of limitations for breach of contract claims in your state. In most states, this means keeping contracts for 4 to 6 years after expiration or termination.
- Real estate records: Permanently (or at minimum, the life of the property ownership plus 6 years)
- Leases: 6 years after expiration
- Insurance policies: Permanently for occurrence-based policies; at least 3 years after expiration for claims-made policies
- Litigation files: 3–6 years after final resolution, depending on jurisdiction
Corporate Governance Records
Foundational corporate documents should be kept permanently:
- Articles of incorporation or organization
- Bylaws and amendments
- Board meeting minutes and resolutions
- Annual reports filed with the state
- Stock ledgers and ownership records
- Merger and acquisition documents
These records define your organization's legal existence and governance history. There is no point at which they become safe to destroy.
Industry-Specific Requirements
Certain industries face additional retention mandates on top of the general requirements above:
- Healthcare (HIPAA): Medical records retention varies by state but commonly ranges from 6 to 10 years. HIPAA policies and procedures must be retained for 6 years.
- Financial services (SEC/FINRA): Broker-dealer records under SEC Rule 17a-4 must be maintained for 3 to 6 years depending on the record type. Some must be kept in non-rewritable, non-erasable format.
- Municipal government: Retention schedules are set by each state's records management authority and can range from 1 year for routine correspondence to permanent retention for meeting minutes and vital records.
- Education (FERPA): Student records have varying retention requirements, with transcripts typically kept permanently.
The Danger of "Keep Everything Forever"
Many organizations, unsure of the rules, default to keeping everything indefinitely. This feels safe, but it's actually a liability. Over-retention means:
- Higher storage costs — You're paying to store records you're legally allowed to destroy
- Greater discovery exposure — In litigation, you may be required to produce any record you possess, including documents that would have been legitimately destroyed under a proper retention policy
- Audit complexity — More records means more surface area for auditors to examine
A defensible retention policy protects your organization in both directions: it ensures you keep what you must and destroy what you should—on schedule, with documentation.
Building a Retention Policy That Works
A retention schedule is only useful if it's documented, followed consistently, and reviewed regularly. The core steps are:
- Inventory — Identify every record type your organization creates or receives
- Research — Map each record type to its applicable federal, state, and industry retention requirements
- Assign — Set retention periods that meet or exceed the longest applicable requirement
- Implement — Track retention dates and automate disposition workflows
- Review — Update the policy annually or when regulations change
This is exactly what Legacy Retention Group does for our clients. We develop custom retention policies tailored to your industry and jurisdiction, then manage the ongoing tracking and disposition process through our LRG+ platform.