By Bill Tolson, Vice President of Marketing, Archive360
There are a number of reasons organizations devote time and resources to internal governance standards around information management policies, especially in terms of the retention and disposition of data. The most compelling reason is to ensure regulatory compliance and legal preparedness. The next is budgetary — that is, making sure data that is deemed not to possess long-term value is disposed of so that IT resources are not consumed with "junk."
Regulatory Compliance And Information Retention
If you are involved with content management in your organization, be it from a business, legal or IT perspective, you likely already know that there are literally tens of thousands of governmental regulations requiring that "records" be captured, managed, retained for specific periods of time, and made available to the governmental agency when asked. Records are documents (hard copy and digital) that are required by a regulation to show the business is functioning according to accepted principles and regulations. These records can include hard copy or electronic content, email, voicemail, instant messages, and social media. The regulatory requirement usually lays out the specific content that must be retained and for how long, for example IRS or SOX regulations. Some regulatory retention requirements go further and define more prescriptive requirements, such as the kind of storage used (SEC Rule 17a-3/a-4 and MiFID) and security requirements (as with HIPAA). And, since content and the way we conduct business are changing on a regular basis, so too are the regulations.
Corporate Business Records Retention
Corporate records can be subject to regulatory retention, but the C-suite may have their own motives for wanting to save this information. These reasons can range from simply wanting to maintain a corporate history, to demonstrating and ensuring good business practice. And, I think those of us in and around the content management space may have encountered an information “pack-rat” during our careers as well – i.e., those who view all information as potentially valuable on some level, and are not willing to get rid of any of it.
Litigation And eDiscovery
A very common business belief is that even organizations that are not subject to regulatory compliance must have documented and practiced information retention and disposition policies to be “legal” in case they are involved in litigation, discovery/eDiscovery. This has in fact become a hotly debated subject in legal circles and the subject of countless articles devoted to this one single topic. First, let me clarify that I am not an attorney, so my advice is always that you should first check with internal/external counsel before making decisions in this area that could have significant results for your organization. Having said that, I have spent more years than I care to admit in this space. Many of those years have been spent helping organizations to prepare for and navigate the legal process. During this time, I have spoken with countless lawyers who are consistent in saying that the only absolute is that there are no absolutes. Judges can and do whatever they see fit in their courtroom. Typically, a judge will not expect or penalize an organization for not having a documented and followed retention/disposition schedule – but they could. There is a caveat to this statement, however. Most judges and opposing counsel will notice if, in anticipation of a lawsuit (or after the lawsuit has begun), a company creates or changes an existing retention schedule to obviously protect against "smoking guns" showing up in discovery. So, my advice here: seek professional legal advice in terms of data retention/disposition, set a policy, document it, and follow it.
Shred Days Are Not Good Days
When you say it out loud, it seems like common sense. But, it continues to confound me just how many organizations flagrantly destroy documents when faced with litigation. There are those that have a documented retention/disposition policy, which has or has not been adhered to in the past, that suddenly direct employees to delete files (in the hopes of course that potentially “inconvenient” documents will be destroyed as/before discovery commences).
A notable example of this was when a former Arthur Andersen accountant, David B. Duncan, testified that he had orchestrated a campaign to destroy Enron Corp. audit documents and knew at the time that he was breaking the law.
"I obstructed justice,” said Duncan, testifying for the first time in Andersen's criminal trial in federal court. "I instructed people on the [audit] team to follow the document-retention policy, which I knew would result in the destruction of documents."
Another example was in a 2009 New York high tech spoliation case. In 1998, this high tech company held high-level litigation strategy meetings where they discussed preparing trial graphics and claims; retaining experts; gathering critical documents and implementing a document retention policy.
Later in 1998, employees were instructed to conduct a “shred day,” pursuant to the company's new document retention policy. This shred day caused the destruction of 400 bankers boxes of documents. The employees did not keep track of what they destroyed, however. Later, evidence indicated that the destroyed materials included documents relating to contract and licensing negotiations, patent prosecution, industry meetings, board meetings and finances. A second shred day took place a year later, this time involving 300 bankers boxes. And a third took place in late 2000 “due to an office move.” The company's outside counsel was never informed of these shred days. Later in 2000, the company filed suit against another high tech company for patent infringement.
The Judge in the case found that the company's actions (shred days) amounted to spoliation because parties in the case are under a duty to preserve evidence whenever litigation is pending or imminent, or where the party has a reasonable belief that litigation is foreseeable. Specifically, once a party reasonably anticipates litigation, it “must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”
In this case, the judge concluded that in December of 1998 a duty arose to preserve any evidence potentially relevant to its litigation strategy, meaning they should have paused their new retention/disposition policy and avoided any shred days. Because they didn’t do this, they had knowingly destroyed evidence.
In yet another well-known case, Apple v. Samsung Electronics Co., Ltd., the court ruled that Samsung failed to employ a defensible preservation process once the duty to preserve was triggered. The bottom line in this case was Samsung's unwillingness to modify the company's email document retention policy. Samsung had refused to suspend the auto-deletion of emails after the beginning of litigation.
Retention Policies Are Not Mandated By Law
Retention policies are not required by law. However, if you have regulatory retention requirements (which most companies have), or are anticipating or are actually involved in litigation, you must protect potentially responsive documents under a litigation hold - including suspending disposition policies to ensure relevant content is not inadvertently deleted.
This is not to say that retention/disposition policies are a bad thing. Again, every company should create and follow retention/disposition policies for all information, not just records. This practice will enable you to better control your data which benefits corporate knowledge sharing, end-user productivity, and eDiscovery.
For those involved with content management for their organization this is an extremely important subject. For more details on this topic, please read: The Link Between Information Management and Data Value and Part 2 - The Link Between Information Management and Data Value.
Information Retention/Disposition In The Cloud
Data continues to grow. And, as organizations struggle to manage it – especially to meet internal governance, external regulations and legal mandates – more and more are turning to the cloud as it presents an ideal platform in terms of management ease, low cost, and flexible yet highly secure access.
Whether your organization is already in the cloud, or exploring how best to leverage it, it is critical that you not only carefully choose the public cloud that best meets your organization’s business and budgetary requirements, but also the technology that will enhance and improve your experience. For instance, if you are considering a foray into the Microsoft cloud (smart decision, by the way), it is critical that you seek a cloud-managed solution for compliance and long-term data management that has been specifically designed for the Microsoft cloud (or whichever advanced cloud platform you choose) from the ground up to ensure a highly secure and low-cost compliance archive (such as Archive2Azure). Keep in mind, you don’t want a solution that forces you to hand over your data to a third party – you want your sensitive data held within your own subscription, using your own encryption keys, with your data stored in its native format, to avoid having to pay a ransom to get it back (another critical consideration in and of itself).
The data retention/disposition strategy homework you do beforehand will pay off in spades down the road for your organization (and for your career). I believe I mentioned, “Shred days are not good days.”
About The Author
Bill Tolson has more than 25 years of experience with multinational corporations and technology start-ups, including 15-plus years in the archiving, ECM, information governance, regulations compliance, and legal eDiscovery markets. Prior to joining Archive360, Bill held leadership positions at Actiance, Recommind, Hewlett Packard, Iron Mountain, Mimosa Systems, and StorageTek. Bill is a much sought-after and frequent speaker at legal, regulatory compliance, and information governance industry events and has authored numerous articles and blogs. Bill is the author of two eBooks: The Know IT All’s Guide to eDiscovery and The Bartenders Guide to eDiscovery. He is also the author of the book Cloud Archiving for Dummies and co-author of the book Email Archiving for Dummies. Bill holds a Bachelor of Science degree in Business Management from California State University Dominguez Hills.