Data is being deleted in every organization every day, usually in an ad hoc, and not particularly defensible, manner. Individual employees, with the utmost good faith, are deleting and altering documents in the ordinary course of business. Hard drives crash, emails are not properly archived due to normal error rates, systems are retired, and at least some data relating to departing employees is routinely lost. More importantly, deletion of data is done with no focus or prioritization related to legal, regulatory, or business risk or value to the organization. Ignorance of this reality is not bliss—it is a ticking time bomb for legal and regulatory risks.
Yet most large organizations remain hesitant to implement any process that is designed to systematically dispose of data that is no longer needed for business or legal purposes. Conventional wisdom, when it comes to the retention of electronic data, goes something like this: "Storage is cheap. It is easier, cheaper, and less risky to save all electronic data than to take on the challenge and risk of deleting any electronic data under any circumstances, even if you no longer need that data for business or legal purposes."
But as many organizations are now realizing, conventional wisdom is proving to be incorrect. In fact, wholesale retention of electronic data at a time when the volume of electronic information is exploding may be more costly and more risky than implementing a records retention program that includes the defensible deletion or expiration of electronic data. The failure to dispose of any electronic records is itself a decision that all data is of equal value, imposes the same risk on an organization, and is justified by the costs imposed. That simply is not the case.
Contrary to popular opinion, data retention is not necessarily cheap. It does not just encompass the server or drive on which electronic data is kept. Storage encompasses all of the information technology infrastructure—both hardware and software—and all of the information technology personnel required to retain, manage, protect, and back up that electronic information. Companies often maintain obsolete or legacy systems that are no longer used for normal business operations simply because those systems contain unique data. Over time, with the rapidly increasing volume of electronic information, this kind of over-retention will begin to eat up a significant, even inappropriately large, portion of an organization's operating budget.
Further, the retention of electronic data that is no longer required for business or legal reasons can lead to significant litigation risk and cost. The more data that is retained, the more data is available to be preserved, searched, collected, processed, reviewed, and produced in connection with any legal matter. Considering that discovery costs can account for 75 percent or more of litigation expenses, the costs associated with retaining unnecessary data are hardly trivial.
Data privacy concerns also may make the routine deletion of data (at least personal data) not only desirable, but legally required. The belief that an organization should retain certain types of personal data for only as long as necessary is prevalent outside the United States and is growing in acceptance here. Of course, to meet such requirements, personal data needs to be properly identified and maintained so that proper disposal or deletion is actually effective—a significant challenge for many organizations right now.
Finally, information is only valuable if you can find it. Organizations are increasingly recognizing that their internal data can be mined for value—and, more importantly, revenue. Technology and data analytics, along with the more routine identification of valuable information like IP, are dependent on a value-based approach to data storage. By eliminating information with little or no value, organizations can start taking advantage of the new opportunities that "big data" offers.
Some of the factors discussed above are little known, and may even seem counterintuitive to some managers, but clearly an updated approach to this area is now essential. You can't just stuff a bunch of data into a virtual closet and forget about it; there's simply too much of it. Going forward, proper management and operation of a business may require deleting (or allowing to expire) electronic data that is no longer needed for business, legal, or regulatory purposes. This gives rise to two broad categories of concern:
- What can an organization do about the petabytes of data it is currently retaining but that is no longer needed for business purposes?
- What can an organization do to manage its electronic data on a going-forward basis?
First, consider the risks and benefits associated with retaining data long after its useful life cycle in both business and legal terms. Most business activities involve some type of risk. It is important to recognize that a decision about whether and how to manage an organization's electronic data, including a decision to defensibly delete or expire data that is no longer needed, is as much a business decision as it is a legal one. It needs to be treated as such. The benefits of deleting or expiring data that is no longer needed may well be worth the risks involved.
Second, make sure to involve all of the relevant stakeholders. An effort to identify, categorize, and manage an organization's data, including an effort to defensibly delete or expire data that is no longer needed, cannot be accomplished by legal and IT personnel alone. Senior management, records management, compliance, privacy, and any other key stakeholders should be involved in the process.
Third, set reasonable goals and prioritize high-risk data sources or systems. Tackling those systems first can make what seems like an insurmountable problem manageable, and can establish a precedent for addressing other data sources or systems in a reasonable manner.
Fourth, bring your organization into the era of "big data" slowly. Reevaluate existing record retention policies and procedures, taking into account the organization's current business operations and the challenges associated with managing electronic data. This includes policies and procedures that allow for and facilitate the systematic disposal of electronic data that the organization no longer needs to retain. Make sure your organization has the technology and tools available to properly implement those updated record retention policies and procedures. Keep in mind that these changes may require a shift in the existing business culture of the organization, and educating employees about these changes is crucial to a successful implementation over the long term.
Finally, start to consider content-based decision making. One way to address data retention—whether in the context of defensible deletion or going-forward management strategies—is to take a hard look at the content of the data being retained, as opposed to just the technical source of the data. For example, an organization may decide to set standards for what types of email are considered official records and what types are considered transitory and need not be retained for business purposes. This type of evaluation can be helpful in assessing how much data must be retained, and what data can be disposed of on a regular basis.
The critical point to keep in mind is this: If the organization is not making the decisions about how to manage its data, then it is leaving that decision to its individual employees. Information is too valuable, and the risks are too high, to allow data to be managed in an ad hoc fashion. It is time for organizations—and their senior management—to take control of the organization's data in the same way that they control and manage other critical business matters.
Anthony Diana is a coleader of, and Therese Craparo is counsel in, Mayer Brown's electronic discovery and records management group in New York.