Even if just 1,000 terabytes (a petabyte) could be disposed of, the unnecessary cost (or waste) is $2.5 million per year, it is important to consider what might have been sacrificed to maintain this unnecessary data. Many corporations have experienced staff reductions in the last few years. If an office worker costs a company an average of $120,000 per year ($100,000 salary and $20,000 in overhead for benefits, computer, etc.), an unfortunate equation emerges. For every worker laid off, the hypothetical corporation chose to store 24 terabytes of information with no value or obligation associated with it.
THE LAW
Many might think that surely there must be more complex risk elements that make this analysis too skewed to land such a cataclysmic blow. In some cases, this may well be true. For example, in highly regulated industries and businesses, there may be stringent legal requirements to retain certain types of data for specific time periods and in particular formats (e.g., SEC 17a-4 for broker dealers in the financial services industry). That being said, the analysis changes only as a matter of degree and not of direction.
The common law is similarly stark, yet perhaps counterintuitively in favor of proper disposal: "Document retention policies, which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under normal circumstances." Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005).
In addition to the United States Supreme Court's dicta in Arthur Andersen, the issue has arisen several times in the lower courts with the same favorable treatment. While this law is well established, emerging law also applies similar pressure to this sensitive topic. It is often incorrectly said that "privacy" is something that must only be considered across the pond, and that corporate email and other information sources are considered corporate property in the U.S. — and the ability to do almost anything the organization wishes with email is plenary.
In reality, the only action that organizations tend to take on data is the power to retain it or "hoard" it forever. This flies in the face of European and other states' privacy directives that typically contain a "purpose of use" limitation. Translated, this means that an organization may keep information that may be private or confidential only for the time period that matches its purpose of use. For example, a credit application or human resources-related email may be retained only for the time period that the corporation needs it, and then it must be disposed of, according to the law in many European states.
The truth of the matter is that the U.S. may be leaning, albeit slowly, towards a European privacy perspective. For example, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and scores of other regulations carry privacy limitations similar to EU member states. In February 2012, the White House released the controversial "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy." The White House used familiar language: "Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise."
Hoarding of information indefinitely causes a direct or indirect conflict with these principles. Indirectly, it can be said that the risk of a breach or violation can be reduced by disposing of information once it is no longer needed.
THE CURE
If the math is so clear, and the law is so clear, why is this problem not solved? In Hoarders, the social workers and law enforcement personnel have a distinct advantage: they have but one person to convince. Large organizations have many constituencies that must work in concert to effect change. When the legal department, the records and information management or compliance teams, and the privacy and security units join forces, protocols can be established or updated.
Often, the CIO and/or COO, becomes a chief sponsor — articulating a sound business plan for an investment project aimed at transforming information economics. Put bluntly, there is no stakeholder in the corporation who will not benefit from defensible disposal. It is time to dispose of unnecessary data.
Attorney Jake Frazier is the Information Lifecycle Governance Product Strategy Manager at IBM and executive director of the Compliance Governance & Oversight Council. Anthony Diana is a partner at Mayer Brown and serves on the CGOC faculty. Thomas Strong, an associate at Mayer Brown, contributed to the article. Email: jake@cgoc.com, adiana@mayerbrown.com, and tstrong@mayerbrown.com.
This article originally appeared in Law Technology News.
Subscribe to Law Technology News
