Data Retention, Meet Data Management

Heather Hubbard

Corporate Counsel

2012-09-01 00:00:00.0

You have a retention policy. You train your employees on the policy. You have annual audits. You can rest easy, right? Not necessarily, if your data retention policy is not squared with your IT department's data management system.

How could this be? You included your IT team in planning the retention policy, thinking that you were taking an interdisciplinary approach. If, however, you were speaking a different language, you may not be on the same page. Your IT department is concerned about storage, security, speed, and server space (that is, data management). You may also have a records management team concerned about storage, organization, and the ability to access information quickly (information management).

But Legal is concerned about establishing the use of a defensible policy to avoid litigation and regulatory sanctions if certain information is destroyed (data retention). Although each of these functions has some overlap, each has distinct goals and concerns. If the team uses the terms "data management" and "data retention" interchangeably, or interprets them as identical tasks, assuming both are addressing the same problems and goals, you may be at risk of undermining your retention policy.

A common trend in data storage solutions is the use of cloud-based email archiving. It reduces on-site storage requirements, decreases the overall burden on your systems, allows for faster machines and fewer disruptions, and offers a backup and disaster recovery solution. It is less taxing on employees than mailbox size limitations or auto-delete policies. Cloud email archiving allows employees to have endless mailbox sizes, allowing them to keep every sent and received email in perpetuity. Currently, the cost is very reasonable, so to many it's a no-brainer to just archive all emails at a low cost. Doing so can also eliminate any concerns of improper destruction. However, saving everything can undermine the benefits of your data retention policy.

There are risks associated with using email archiving as a way to save everything. Although most archiving systems are indexed and allow for relatively easy searching, the more data you have, the more difficult it is to find the proverbial needle in the haystack. And while you can search by date, custodian, and keywords, the more data you have stored, the more "hits" you will have, resulting in more time reviewing the results to determine what it is that you are actually looking for.

Any in-house counsel knows that review time is the most expensive part of e-discovery. The same holds true for employees looking for valuable business information as part of their job. If you are engaged in a lawsuit, in addition to the expensive review time, storage of unnecessary archives will likely result in older documents where the relevance and context may not be apparent and the author, even if employed, likely does not recall the specifics or reasoning behind the words chosen.

The Sedona Conference, widely accepted as the authority on best practices for e-discovery and information management, has encouraged companies to be pragmatic when developing retention policies, stating that the ability to save everything indefinitely does not justify doing so. Doing so completely undermines the purpose behind permissible data retention policies (more aptly called data destruction policies). It further devalues the critical information that should be saved.

In fact, email archiving in the cloud may invalidate your retention policy, obligating you to preserve more than you otherwise would be responsible for in a lawsuit or investigation. Contrary to what sometimes appears to be popular belief, merely having a written retention policy does not eliminate or reduce the risk of spoliation. A good retention policy must not just allow for deletion, but should require it. Having a retention policy that ultimately leaves it up to the end consumer to decide what to keep and what to delete, and having an IT email archiving system that backs up everything, completely undermines any retention policy you might have.

From a legal perspective, if you have a backup of all emails, you certainly won't be subject to sanctions or spoliation.

Courts have long recognized the legitimate business need to purge documents and information when no longer valuable to the company or legally required to be preserved. Automatically saving and preserving every single email is certainly a defensible if not iron-clad decision your company can make, if it is concerned with accusations of spoliation. Such a sweeping policy, however, is likely driven by irrational fears. Recent studies have shown that sanctions are rarer than one might think. The burden of proving spoliation that results in sanctions is relatively high, and companies that destroy information prior to the threat of litigation pursuant to a retention policy are protected under the law.

This does not mean that email archiving cannot be squared with your legal functions. It can, in fact, be a sensible solution to retaining data subject to litigation holds and compliance requirements without relying on individual custodians to properly preserve such data. Rarely is it necessary to implement a legal hold on all of the company's data. Taking the time to identify the affected custodians and document management system folders and implement the hold just for this data will allow you to take advantage of the benefits of your retention policy. For many companies, there is always some type of litigation hold in place. Allowing any single hold to affect your entire company's data and retention could be fatally disruptive to your business and is not required under the law.

So how do you properly balance Legal and IT's needs? Don't back up all data in perpetuity. If you're using it for backup or disaster recovery, use it only so long as necessary, the same way you would with backup tapes. If you're using it to comply with litigation and regulatory obligations, use it to temporarily hold only the data subject to those requirements and/or to audit whether your employees are complying with the company's retention policy. When the retention period for a particular set of data expires, it should be deleted. When a litigation matter is fully resolved for a particular set of data, it should be deleted. Otherwise, you are just backing up data indefinitely as opposed to using it to support and comply with your retention policy.

Of course, to be in a position to delete specific data, archived items must be clearly segregated and marked as such. Otherwise, your data is commingled, and it is almost impossible to determine what needs to be kept and what can be deleted. It is a laborious and difficult task. In practice, this often does not happen because employees tend to focus on their current work demands rather than spend the time to properly save and identify emails based on retention and records management policies.

The only way to solve this problem is by having buy-in from management and a corporate culture that demands just as much from a retention/records management perspective as it does in performance. Managing data is not easy, but neither is managing a business. Strategic plans, budgets, projections, acquisitions, lay-offs, and expansions are hard. Yet they are the lifeblood of staying competitive. The treatment of company data should be treated just as importantly.

While most companies believe that information is their most valuable asset, it is only as valuable as you treat it. If all emails are treated indiscriminately, you devalue those that are important and vital to your business. Be certain that your data management systems and data retention policies are in sync so that you can protect what is most valuable to your company.

Heather Hubbard, partner at Nashville-based law firm Waller, is deputy practice group leader of the firm's litigation and dispute resolution team. Her focus includes intellectual property, media and entertainment, information technology, and ­e-discovery.