For years, organizations have operated under the theory that storing much of their data was ultimately less risky than deleting it. While many organizations have records retention policies that call for regular data deletion, those policies are often circumvented by resourceful employees, lawsuits, or industry requirements.
The legal department has often led the way in creating exceptions to data deletion. Many attorneys worry that some data might be potentially responsive in lawsuits and investigations, so getting rid of it could negatively impact the matter and even lead to charges of spoliation.
There was also little compulsion to get rid of data, since storage has been relatively inexpensive and seemed to become more inexpensive all the time.
A False Economy.
Organizations are now beginning to understand that there is nothing cheap about holding on to the exploding amounts of data their staffs create. As more employees become attached to smartphones, tablets, and social media, the amount and types of electronically stored information (ESI) that organizations must confront grows exponentially.
From both a storage and an eDiscovery perspective, preserving, collecting, and reviewing all this data remains incredibly expensive and time-consuming.
Information Governance Pros Know Better.
Those involved in records management view the current “save-everything” approach as increasingly untenable. According to a recent eDJ Group Survey, more than 96 percent of Information Governance professionals believe that defensible deletion of information is necessary in order to manage growing volumes of digital information.
Yet creating a plan for deleting records and documents defensibly is neither simple nor straightforward. Business units, IT, legal, and records management generally have different priorities. Employees are often loath to eliminate their own files, either because they think they may need them again or because they are just too busy.
This leaves a wide gap between the growing recognition of the need to delete more data and an effective, technology-aided process for doing so.
In order to bridge that gap, companies need to understand the strategies, tools, and processes they can use to reduce the troves of unnecessary data residing on servers and backup tapes, in the cloud, and on other devices, while retaining data they need or want.
By understanding the risk and cost of retaining data, creating strategies for defensible deletion, developing a defensible process, and using the right technology to assist in the process, the legal department can help lead the way in whittling down data to manageable, useful levels.
The Risk and Cost of Retaining Data
The pendulum has swung to the point where keeping data has become more expensive and risky than defensibly deleting it. The explosion, over the last few years, in amounts and types of data only aggravates the situation and complicates the collection, processing, and management of the data, especially during the discovery process.
Once, the eDiscovery process may have primarily encompassed word processing documents, emails, and spreadsheets stored on employees’ PCs and servers.
Now, the process might have to address structured data, texts, voicemails, email archive files, and a host of other file types created on laptops, smartphones, and tablets. Those files may also exist on users’ personal devices or somewhere out in the cloud.
Simply adding more storage has ceased to be an inexpensive alternative. Data storage not only costs money, but overseeing storage methods and the data that resides there takes time. Someone must be responsible for the data, or at least responsible for overseeing third-party vendors who are responsible for storing the data.
Age Brings Risk.
Along with the increased expenses, a “save-nearly-everything” approach ratchets up risk as well, particularly from the legal department’s perspective. The older data is, the less value it has and the more dangerous it can be. Files or emails that originally meant one thing might be construed differently if they are reviewed years later. A flippant note or an amended document can assume a more sinister or negligent aspect when taken out of context.
Litigation Woes.
Cost and risk escalate even more during litigation. The more data that companies retain, the greater the potential that it will be responsive to discovery.
All that data must be preserved, collected, and reviewed. The more time the legal team spends on irrelevant ESI, the less time it has to identify and focus on the information that is strategically useful, privileged, or confidential.
Organizations that believe they should store all of their information are also putting themselves at risk. Even when organizations may think they save virtually all of their files, no one truly does. Employees may proactively or accidentally delete files, software systems can crash, and hardware can be physically damaged, destroying files along the way. This means that legal can never truly know what data exists within their organizations.
Too much useless data also obscures the value of the truly important information that companies create. With today’s emerging software and processes, companies can use business and data analytics and intelligence to mine the knowledge and information that their employees produce. But when all data is treated as equally important, none of it may truly stand out.
Strategies for Defensible Deletion
While many in the legal, records management, IT, and business units recognize the over-retention problem, surmounting it remains a challenge.
Those aware of the situation often struggle to convince senior leadership of its seriousness. Stakeholder departments tend to operate in silos and don’t understand the risks and priorities of their colleagues.
Consider how different constituencies within the same organization often view information management:
- Legal—The legal department has a duty to address legal obligations and reduce risk. Attorneys’ concerns generally revolve around improper or inconsistent data deletion that can leave the organization open to spoliation claims. They are often not as worried about the costs, risks, and priorities that other departments, particularly IT, face.
- Records Management—Records management staff have a duty to ensure that data is preserved and destroyed according to schedule. They frequently fail to consider the different strategic value data has, or the different types of risk it may represent.
- IT—IT personnel know where the data resides but aren’t prioritizing it based on value and risk. They are busy trying to anticipate the changing needs and requests of legal and records management while keeping their budgets under control.
- Business—The business unit tends to only care about keeping the information they might need later. They generally view legal holds as a nuisance and don’t want to be bothered by new policies or storage limitations.
In order to align all these different priorities and concerns, organizations need a cross-functional approach to defensible deletion. They also need to make the business case for launching and maintaining a new program.
Resistance From Legal.
In-house counsel may find that some of the toughest people to convince are their colleagues in the legal department. For legal departments, retaining data has seemed the most logical way to avoid the threat of sanctions. However, several recent court cases provide some reassurance that deletion can work in the context of information governance programs that are carefully planned, thoroughly implemented, and have provisions for handling litigation holds and eDiscovery.
Some litigants have been able to prevail in eDiscovery disputes based on their ability to demonstrate a good-faith document retention and deletion policy, along with the ability to suspend those operations when litigation has commenced or can be reasonably anticipated.
Developing a Defensible Process
Once those in the organization have recognized the advantages of shifting to a defensible deletion mindset, they must secure commitment from the very top for the new approach. Then, the new emphasis must extend throughout all levels of the organization and to every location.
If departments and individual employees realize or believe that those in the C-suite are not truly behind the effort, they will not devote time, resources, and energy to the project. This is particularly true when a defensible deletion program represents a culture change or requires employees to take new actions.
Cross-Disciplinary Effort Required.
As soon as the commitment is in place, the organization needs to take concrete steps to review and revise current records retention processes, legal hold policies, privacy policies, and archive strategies, or implement more appropriate ones. This effort should be a cross-disciplinary one that involves legal, records management, compliance, IT, and the business units.
In addition to reviewing policy, the departments must work together to implement an actionable plan regarding how to identify specific information to keep or put on hold, what to destroy, and what legacy data and/or system decommissioning opportunities exist.
Exempt Data.
Companies must also make provisions in the defensible deletion plan for handling data that is exempt from deletion based on strategic value, pending litigation, or regulatory compliance. This is an area where the business units must be closely involved and feel invested in the process. They are the ones who, in addition to retention based on regulatory requirements, understand what data might provide competitive advantages and what information is critical to maintain for the foreseeable future.
Customization.
When creating the plan, organizations should consider best practices of others, but they will need to customize their approach and policies based on their own particular needs, business goals, litigation concerns, regulatory requirements, and their employees’ habits. They should also consider the hardware and software the organization currently uses or that it could adopt in the near future.
Enlist a Lawyer.
When developing such a plan, organizations also need to work closely with knowledgeable legal counsel. That knowledge may exist within the legal department, or the company may need to turn to qualified outside counsel to provide the appropriate guidance.
Implementation.
Implementing the plan is the next step. Since it took time to create and store the data, taming it won’t be a quick, simple task. Organizations should plan for unexpected challenges and shifting priorities, and understand they may need to work to maintain momentum.
Increments.
Homing in on particular business areas, targeting specific systems, or tackling one server at a time often yields the most successful outcomes. A wildly ambitious approach, which requires an extreme shift in priorities or changes in behavior, might be doomed to failure. Attempting to tackle an enormous problem overnight can also be overwhelming and can quickly exhaust those in charge of implementing it.
Deletion.
In addition to making policy changes that will help address the organization’s ability to save less data in the future, those in charge of implementation will need to target specific data and prepare for deletion. Organizations might want to start with a system that presents a high level of risk from a reputational or eDiscovery perspective, or one that contains a great deal of potentially irrelevant data.
The email server or a legacy backup system may be one place to start. Emails tend to be particularly problematic in litigation. Their sheer numbers can quickly mushroom, as “cc’s,” drafts, and strings proliferate. Attachments and PST files only add to the headaches.
Emails also can represent significant reputational risk, since employees often write things that can be misconstrued or taken out of context. Through defensible email deletion policies, eDiscovery costs and stress can often be minimized significantly.
Legacy Systems.
Legacy systems also typically represent a significant records challenge. The data stored on these systems often has little value. Many of the employees who created the original files may no longer be with the organization.
Even locating data stored within legacy systems can be difficult. Once the information has been located, combing through it is often very expensive, technologically challenging, and time consuming. Focusing data deletion efforts on these types of systems can be another good starting point.
By creating a manageable, measurable plan with realistic deadlines, organizations can develop a logical plan for defensible deletion. Of course, the plan should be flexible and adaptable to changing circumstances and new technologies.
Technology to Assist in the Process
From the outset, technology should be a crucial part of a defensible deletion plan. Technology can be used in several ways, including in the identification of current data for deletion and to help manage data going forward so that unneeded information is not stored longer than required.
Manual processes will be misunderstood, overwhelmed, and inconsistently applied. With this aspect of the program, legal must work particularly closely with Records Management and IT.
Adapt Existing Tools.
Proposing new, expensive, and untried software is often a difficult proposition. Fortunately, many organizations already have tools at their disposal that can help with defensible deletion, including eDiscovery and document review technology. Most eDiscovery platforms have built-in de-duping, reporting, and tracking features that can help locate important information and highlight useless or redundant files.
Recent advances in technology assisted review platforms can also be useful in efficiently identifying the relevant data that might be targeted under a defensible deletion plan.
Some tools can also automate much of the litigation hold process, ensuring that the data that needs to be removed from the records retention cycle is not deleted and existing legal holds are managed appropriately so that holds do not remain in place permanently.
Beyond standard eDiscovery and document review tools, organizations can also utilize structured and unstructured data file and email archives to organize, manage, and store data and facilitate the execution of data retention and other policies. With the appropriate classification tools and settings, organizations can keep the data that is strategically valuable or that they are required to maintain for legal, business, and regulatory reasons, while deleting the rest.
Advantages of Proactivity.
Through defensible deletion planning and execution, organizations can take a proactive approach to information lifecycle management, saving time and money and avoiding having to scramble every time there is a litigation or regulatory request. They can also keep and use the data they need, rather than lose valuable information that has been buried in an avalanche of irrelevant files. Defensible deletion also allows organizations to manage their handling and storage costs, freeing up resources that can be better spent elsewhere.