[Blogger: Trent Henry]
I attended a conference this week at which a speaker said, “In today’s complex regulatory landscape, every scrap of information is important—save it all.” This sounds vaguely familiar to words spoken by IT teams (and sometimes their counsel) who are worried about electronic discovery: Since we have to preserve evidence in case of litigation, we better be on the safe side and never get rid of anything.
Bad choice.
First of all, there’s no need to save information that isn’t germane to your business or doesn’t have a specific regulatory mandate. Auditors don’t expect it, regulators don’t expect it, and neither do judges. So, whether it’s log data, electronic mail, or documents in a content management repository, take a hard look at what you're keeping. If the business isn’t asking for it, chances are it should be on a tighter retention schedule.
Second, I’ve heard the mantra “storage is cheap,” but looking at some enterprise’s bills, I’m not convinced. Furthermore, there’s a growing market of storage management solutions whose goal is to drive up storage utilization and minimize hardware costs. Data de-duplication projects are popular with executives—no sense having 1,000 identical copies of that 2MB e-mail attachment—so why exacerbate the problem by trying to keep the wrong stuff in the first place?
Third, we all have skeletons in the closet. There’s no reason to air them unnecessarily. I’m not saying that if you consciously violate service-level-agreement terms you should destroy the logs that prove it; or that if you have evidence of wrongdoing at your company you should cover it up. But once a contract is complete, it’s unlikely you need to retain it long-term. And you certainly don’t need to keep sensitive metadata—like document comments describing negotiation tactics or alternative pricing.
So, rather than “log everything,” repeat after me: “Don’t oversave.”
Trent, I agree with you on this, as long as periodic data destruction is part of Information Lifecycle Management (ILM) at the organization. However, destroying data in the face of a e-discovery request is a BAD idea. e-discovery is serious business. Here are some guidelines:
1. An unprepared organization can be crippled with an e-discovery request. Advance planning early in the ILM can reduce or minimize e-Discovery pain.
2. Preserve all data (email, databases etc) that may be relevant, or which may lead to relevant evidence once you get a notice of e-discovery OR legal hold OR are aware of a pending litigation. Asking your lawyer for advice before taking any action is a good idea.
3. Don't wait to stop all automated relevant document deletion after an e-discovery notice has been received. Your duty to stop routine and systematic document destruction is triggered by the filing of a lawsuit (way in advance of discovery) and might under certain circumstances be triggered even in advance of a lawsuit.
4. Destroying evidence by mistake is like "killing your parents and then throwing yourself on the mercy of the court because you're an orphan" (Magistrate Facciola)
5. A digital record is no longer just a digital record, it is a potential evidence in a lawsuit.
6. Many companies tend to settle out of the court in fear of burdensome costs of litigation, now including e-discovery. However, Settlement is NOT Justice (Magistrate Facciola).
Knowing Disregard (i.e. purposely not learning (ignoring) about an unlawful activity) => is same as knowing and not disclosing.
Posted by: Saqib Ali | March 13, 2009 at 09:12 PM
Hi,
I agree with you that we should log every information and data related to our business so that we could keep a track of every thing going with in the company or out side the company. We should always keep our confidential data safe and secure to maintain the privacy of the company.
Data of any business plays a key role in success for that business, so it is required to keep it safe and secure.
Posted by: daniel | April 21, 2009 at 03:43 AM
Trent,
I could not agree with you more about not saving everything. Gone are the days when Information Security meant IT security. The name of the game now is Risk management. Having data kept forever not only increases chances of data leakage but is "asking" for added liability. Good guidelines on how long (and how) to store data are available and should be used by any thinking enterprise.
Posted by: Ariel Silverstone | April 30, 2009 at 08:58 AM
On the whole this is an excellent post and retention of all data should be considered in the context of the organisation's record retention policy.
There are, however, three drivers for retaining internal records: regulatory compliance (where the retention period is often mandated); litigation preparedness (the length of retention will be dictated by the type and length of contract); and as supporting evidence for internal disciplinary action.
With regards litigation preparedness this can be quite an issue. I've known organisations who've made the decision that email between a partner in a law firm and his personal assistant was not of regulatory importance. Later when the personal assistance was made redundant she picked three emails out of context out of the tens-of-thousands they had sent to each other and claimed for sexual harassment - the law firm in question could not produce the other emails to show the context of the conversation and were successfully sued suffering a both a financial loss and harm to their reputation. Your records retention policy simply cannot predict things like this in our increasingly litigious society and it is better to cast the net wide than thin.
Within the United Kingdom we do not have such strong legal requirements for destruction so we are in a slightly better position to do this, but under UK law an email between two parties can form a binding contract or represent a deviation on an existing contract. With some contracts in the UK lasting centuries (for instance leases which can last up to nearly a millennium and Public-Private Partnership - contracts here schools and hospitals are built by the private sector and leased back to the public sector) organisations can face not only large quantities of data to retain, but the pain of discovery against such a large record set and problems with information archeology (the ability to read out-of-date record types, think WordStar version 1.0).
One of the solutions to the problems you've highlighted is the use of a cloud-based service for archiving, if you choose the right partner the storage management headache is taken away and some (including the company I work for, although I won't pimp it here) offer a flat per-user fee with no charge for the amount of data retained. We do also offer policy-based destruction for those jurisdictions that need to adhere to mandated records retention.
The thing to remember about email in particular is that you're only ever going to have one copy of it - deleting a record is never helpful in preventing litigation as at least one other person will always have a copy! Having a good evidential quality archive lets you prove tampering of evidence presented against you; allows timely discovery to establish whether your organisation is culpable; and provide context to any evidence presented against you.
So while I agree that you need a good well enforced records retention policy, I caution organisations to consider all contexts that the archive could be used in and not be driven by the costs of storage - and this statement is not lead by commercial motives, my organisation gets the same fees from our customers whether they're archiving 10 terrabytes a month or 10 megabytes and in fact it costs us more to hold it on behalf of our customers.
Posted by: James Blake | May 09, 2009 at 07:33 AM