Data Retention and Destruction Beyond Electronic Discovery

Written By

Brian Halpin

Attorneys faced with internal investigations and litigation are regularly confronted with the prospect of collecting electronic data. The volume this process entails is often wildly underestimated. Capsicum has been involved in cases where we were simply asked to go to a client site to image a “few” computers and collect network data and smartphones, only to walk into a hornet’s nest of hundreds of thousands of backup tapes and/or rows and rows of network-attached storage (NAS) devices. Our team has encountered this issue in both the public and private sectors, in industries including healthcare, pharmaceutical, engineering, energy, and banking, and even in organizations at the government level.

The lack of proper data retention plans or implemented policies has meaning beyond the ediscovery world. While those involved in litigation will quickly think of their current or past cases involving electronically stored information (ESI) and its staggering accumulation on servers, personal PCs, backup tapes, and the cloud, others have concerns that go beyond the obvious one of lengthy, costly and cumbersome litigation efforts resulting from undefined data retention policies.

A data retention plan that lacks focus as to what specifically should be retained, and for what period of time, can and will result in retaining data that leads to unnecessary exposure, costs, and harm to a number of different corporate areas. Security, IT infrastructure and legal departments can all be impacted.

How data is stored, accessed and transmitted is at the forefront of concern for those entrusted with its security. When there is no data retention or destruction policy in place, control over an ever-growing volume of data becomes the paramount challenge. Well-defined data volumes help protect the data and reduce the amount that is susceptible to a hacker, unauthorized use, or accidental disclosure, because there is less of it.

Security measures put in place will only be as good as the IT infrastructure that supports them. As the amount of data to be stored continues to amass, the chances of system crashes, instability, and failures increase. The storage of old data on outdated computer technologies will only cause more uncertainty and delay in retrieval. These issues translate directly into increased costs, both for the personnel tasked with troubleshooting them and for the purchase of more media. Unless necessary system updates are maintained, IT personnel will feel that they are continuously chasing their tails.

The legal team has a significant role in defining the data retention and destruction policies and procedures, as well as in compliance. There are as many challenges in drafting a policy as there are different types of data to address. Different data types likely mean different lengths of time that the data actually has to be retained. It is critical that the policy be properly explained and enforced. Failure to do so could have the opposite effect: more data being stored than necessary, out of fear arising from not understanding the compliance requirements. Once the retention policy is clearly defined, instructions to archive and eventually destroy the various data sets need to be articulated. The policy will also need to address what to do if litigation is pending. If the entity is global, there will be an additional layer to consider: the privacy laws of other countries.

Now that we have demonstrated the impact that the lack of a data retention plan can have, here is one “feel good” story regarding a client of ours that actually had a plan in place. Our northeast banking client called seeking assistance with locating emails that were sent from an employee’s corporate email account to his own personal email account in violation of the bank’s email policy. Prior to our investigation, the bank had undertaken the steps necessary to clearly define its data retention policy for email, destroyed unneeded data, and gone from having thousands of tapes to a single archiving solution. When we arrived, there was only one repository to search at the bank. The email in question was quickly identified and remediated. We then addressed the personal email account and the assignment was essentially completed. There was no need to restore tapes or hope that the “offending” emails were not residing on other backup media. The cost was literally a fraction of what it would have been had the data retention/destruction policy not been implemented.

As illustrated above, security, IT infrastructure and legal departments are all intertwined when it comes to the handling and retention of data. Proactively addressing a potential storage dilemma by limiting the amount that is retained will reduce the pain and costs when the retrieval of data is required. If a plan is not in place and your organization is overwhelmed by a hornet’s nest of data, there are ways in which we can assist you, whether you are implementing a new plan, require data recovery, or are faced with a legal hold and need to produce.