Assuming "safe margins" — in that it is somewhat difficult to separate wheat from chaff even with the highest level of will and technology — let's round that up to 50 percent. If 50 percent of corporate data is of no value and carries no obligation, it represents tremendous opportunity for savings. In a company with 10 petabytes of data, 5,000terabytes are candidates for disposal. When the cost per terabyte is juxtaposed against the percentage of data that must be retained, stark conclusions appear.
Even if just 1,000 terabytes (a petabyte) could be disposed of, the unnecessary cost (or waste) is $2.5 million per year, it is important to consider what might have been sacrificed to maintain this unnecessary data. Many corporations have experienced staff reductions in the last few years. If an office worker costs a company an average of $120,000 per year ($100,000 salary and $20,000 in overhead for benefits, computer, etc.), an unfortunate equation emerges. For every worker laid off, the hypothetical corporation chose to store 24 terabytes of information with no value or obligation associated with it.
THE LAW
Many might think that surely there must be more complex risk elements that make this analysis too skewed to land such a cataclysmic blow. In some cases, this may well be true. For example, in highly regulated industries and businesses, there may be stringent legal requirements to retain certain types of data for specific time periods and in particular formats (e.g., SEC 17a-4 for broker dealers in the financial services industry). That being said, the analysis changes only as a matter of degree and not of direction.
The common law is similarly stark, yet perhaps counterintuitively in favor of proper disposal: "Document retention policies, which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under normal circumstances." Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005).
In addition to the United States Supreme Court's dicta in Arthur Andersen, the issue has arisen several times in the lower courts with the same favorable treatment. While this law is well established, emerging law also applies similar pressure to this sensitive topic. It is often incorrectly said that "privacy" is something that must only be considered across the pond, and that corporate email and other information sources are considered corporate property in the U.S. — and the ability to do almost anything the organization wishes with email is plenary.
In reality, the only action that organizations tend to take on data is the power to retain it or "hoard" it forever. This flies in the face of European and other states' privacy directives that typically contain a "purpose of use" limitation. Translated, this means that an organization may keep information that may be private or confidential only for the time period that matches its purpose of use. For example, a credit application or human resources-related email may be retained only for the time period that the corporation needs it, and then it must be disposed of, according to the law in many European states.
The truth of the matter is that the U.S. may be leaning, albeit slowly, towards a European privacy perspective. For example, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and scores of other regulations carry privacy limitations similar to EU member states. In February 2012, the White House released the controversial "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy." The White House used familiar language: "Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise."
Hoarding of information indefinitely causes a direct or indirect conflict with these principles. Indirectly, it can be said that the risk of a breach or violation can be reduced by disposing of information once it is no longer needed.
THE CURE
If the math is so clear, and the law is so clear, why is this problem not solved? In Hoarders, the social workers and law enforcement personnel have a distinct advantage: they have but one person to convince. Large organizations have many constituencies that must work in concert to effect change. When the legal department, the records and information management or compliance teams, and the privacy and security units join forces, protocols can be established or updated.
Often, the CIO and/or COO, becomes a chief sponsor — articulating a sound business plan for an investment project aimed at transforming information economics. Put bluntly, there is no stakeholder in the corporation who will not benefit from defensible disposal. It is time to dispose of unnecessary data.
Attorney Jake Frazier is the Information Lifecycle Governance Product Strategy Manager at IBM and executive director of the Compliance Governance & Oversight Council. Anthony Diana is a partner at Mayer Brown and serves on the CGOC faculty. Thomas Strong, an associate at Mayer Brown, contributed to the article. Email: jake@cgoc.com, adiana@mayerbrown.com, and tstrong@mayerbrown.com.
Subscribe to Law Technology News
-
Dan Woodard
The author asserts that all stored data costs $5000 per terabyte-year to manage. If this were true Google would be bankrupt overnight, since Google charges less than $1000 per terabyte-year for secure, instantly-accessible, backed-up cloud storage ( https://developers.google.com/storage/docs/pricing-and-terms ).
Simply reviewing emails and deciding which ones to delete or keep costs a company about $.40 worth of loaded employee time per message, or about $1 cent per kilobyte. This adds up quickly, $10 per megabyte, $10,000 per gigabyte, $10 million per terabyte, pretty steep when a 1 terabyte drive costs less than $100. Then there is the cost of not having the data accessible securely, online, from any location. Copying emails to the desktop PC costs more than keeping it on the server since every copy of mass email must be separately stored by every user.
Users should be encouraged to delete emails they don't need when this makes it easier to keep information accessible and organized. But to require them to delete files to stay within arbitrarily small allocations of storage space wastes time and money.
Finally, if you were representing a client who made a legitimate request for information and it was denied with the claim that it had been deleted, would you accept that result without action? Surely it would appear improbable and make it appear that the organization had something to hide.
— Dan Woodard
-
Paul Robinson
I once pointed out to someone that when he said he didn't want to admit to his girlfriend, if he was collecting MP3s, that he'd be a data horder. I said it doesn't matter, an associate of mine had his collection of 500 CDs, (which would be between 500 and 10,000 songs depending on how many per disc) and it took racks the size of a couch. Today, we can store 50,000 songs on a box the size of a textbook and the cost is around $100. The cost is so low that a gigabyte, which could hold anywhere from 50 to 500 songs depending on compression, is about 10c worth of storage, and for individuals, until you get above a block of 9 figures of data (100 meg) it ain't even worth bothering to take the time to check because that's only 1c worth of storage.
If you've got, say, 4-5000 songs on storage, you're never going to listen to all of them at any time but you might listen to any of them at any time, and unless you can actually monitor usage, there's no real way to tell what you would or wouldn't listen to, so basically you have to keep everything. Same thing for corporate documents. You're never going to use all of it, but you'll use some of it, and in rare cases you might go through all of it, but absent usage monitoring you do not know what is or isn't going to be used, is being used, or how often.
With large corporations, all they're going to recognize is the cost per terabyte (now down to less than $75, 2 tb drives are $150, retail) and forget the cost of managing that storage. Not to mention, is it properly indexed, or are you simply keeping 50 copies of the same data, and some of it is not the same, and you may not know which is the most accurate or most definitive copy of the data. You might even grab the wrong data if it's a dataset of an entire database and you use an older backup or something not marked as not the latest copy.
-
David Obarowski
Thank you, Jake and Anthony, for a particularly insightful article. Thanks especially for the entertaining, but still revealing, comparison of individual and corporate "hoarders". Here's a follow-on thought with this regard:
The individual hoarder knows exactly what s/he owns, what's in the "boxes". The irrationality lies, not in ignorance of what s/he owns, but in the inability to apply distinctive values to the stuff in those boxes. It all is valuable and needed.
The corporate "hoarder" on the other does not completely know what's in its various data containers, the "boxes". The company then over-retains in the very rational context that the unknown contents of any given "box" MAY be valuable or needed.
Reality television shows invariably have happy endings...the irrational hoarder is "cured". The rational corporate hoarder however can never be so "cured" until it is enabled to know what is in those "boxes".
Comments are not moderated. To report offensive comments, click here.
Reader Comments