For years, a large company has been effectively retaining the vast majority of all electronic data generated by its systems and employees. However, the company’s records retention policy was originally designed and implemented with an emphasis on hard copy records, so its electronic systems are not designed to automatically implement its record retention schedules. As a result, the company largely relies on individual employees to enforce its record retention schedules when it comes to electronic data. In addition, the company faces frequent litigation and has a large number of legal holds in effect at any given time, impacting thousands of employees. The company is now recognizing the significant risks and costs associated with retaining—and maintaining—all electronic data, but is unsure how to address the situation in a manner that is consistent with its legal and regulatory obligations and its business needs.
The Risks & Costs of Retaining All Electronic Data
In a time when fear of spoliation remains prevalent, conventional wisdom regarding electronic data and e-discovery says: “Storage is cheap. It is easier, cheaper and less risky to save all electronic data than it is to take on the challenge and risk of deleting any electronic data under any circumstances, even if you no longer need that data for business or legal purposes.” However, as many organizations are now realizing, conventional wisdom is proving to be incorrect. In fact, the risks and costs of the wholesale retention of all electronic data, in a time where the volume of electronic information is exploding, may be costlier and riskier to an organization than implementing a reasonable, defensible records retention program that encompasses electronic data—including the defensible deletion or expiration of electronic data—and may also interfere with the organization’s normal business operations. There are many arguments against such wholesale retention.
First, the reality is that data is being deleted in every organization every day, usually in an ad hoc, and not particularly defensible, manner. Individual employees are deleting and altering documents in the ordinary course of business; hard drives crash; emails are not properly archived due to normal error rates; systems are retired; and at least some data relating to departing employees is routinely lost. More importantly, deletions of data of this kind are done with no focus or prioritization related to legal, regulatory or business risk or value to the organization. Ignorance of this reality is not bliss—it is a ticking time bomb for legal and regulatory risks, and those risks grow as the vast amounts of data grow and become more unmanageable.
Second, contrary to popular opinion, storage is not necessarily cheap. “Storage” does not only encompass the server or drive on which the electronic data is stored: it encompasses all of the information technology infrastructure—both hardware and software—and all of the information technology personnel required to retain, manage, protect and backup that electronic information. Often, storage includes maintaining obsolete or legacy systems that are no longer used for normal business operations simply because those systems contain unique data. Over time, and with the rapidly increasing volumes of electronic information, storage can begin to occupy a significant portion of an organization’s operating expenses.
Third, the retention of electronic data that is no longer required for business or legal reasons can lead to significant unnecessary risks and costs, to wit, the more data that is retained, the more data that is available to be preserved, searched or collected in connection with any legal matter, and the more data that must be processed, reviewed and produced in connection with any legal matter. Considering that discovery costs can account for 75 percent or more of litigation expenses, the costs associated with retaining unnecessary data are apparent. And, in most cases, the percentage of an organization’s data that truly is needed for business, legal or regulatory purposes is relatively small in comparison to the volume of data that is being retained.
Fourth, data privacy concerns may make the routine deletion of data (at least personal data) not only desirable, but legally required. The concept that for certain types of personal data, an organization should only retain such data for as long as necessary is prevalent outside the United States. However, that concept is growing in importance even here in the United States, and it is likely that some requirements of routine disposal of personal data is likely on the near horizon. Of course, to meet such requirements, such personal data needs to be properly identified and maintained in a way where proper disposal or deletion is actually effective—a significant challenge for many organizations.
Fifth, information is valuable, unless you cannot find it. Organizations are increasingly recognizing that the data within their organization can be mined for value and, more importantly, revenue. Technology and data analytics, along with the more routine identification of valuable assets such as IP, are dependant on a value-based approach to data storage. In other words, by eliminating the information with little or no value (which, in most organizations, comprises of the vast majority of information stored), organizations can start taking advantage of the new opportunities that “big data” now offer.
Considering “Defensible Deletion”
The risks and costs of retaining all electronic data gives rise to questions such as: (i) what can an organization do to manage its electronic data on a going-forward basis and (ii) what can an organization do about the terabytes and petabytes of data currently retained by the organization that are no longer needed for business purposes? However, electronic data that is no longer needed for business, legal or regulatory purposes still may be necessary for managing an ongoing business operation.
For inquiries related to this Tip of the Month, please contact Anthony J. Diana at or Therese Craparo at .
Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana at , Michael E. Lackey at , or Ed Sautter at .
You have no pages selected. Please select pages to email then resubmit.