Information governance is the topic du jour in many circles of the electronic discovery world, yet defining information governance (IG) is not so simple.
The Sedona Conference defines IG as "an organization’s coordinated, interdisciplinary approach to satisfying information legal and compliance requirements and managing information risks while optimizing information value." Specifically, Principles 6 and 10 of the Sedona Commentary on Information Governance are of special relevance to this discussion. Principle 6 states: "The effective, timely and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any Information Governance program." Principle 10 states: "An organization should consider leveraging the power of new technologies in its Information Governance program."
However one defines it, at the intersection of IG and electronic discovery is the ability to leverage the former for the benefit of the latter. The more organized a company is regarding management of its data repositories, the less its discovery spend will be. This article focuses on one specific aspect of IG – defensible data disposition.
Why embrace IG? Ninety percent of the world's data was created in the last two years, and we've reached a tipping point where the growth rate of information far exceeds IT budgets and processes for governing that information. See Information Lifecycle Governance Leader Reference Guide, A Model for Improving Information and eDiscovery Economics with Information Lifecycle Governance (2012), by CGOC.
Many terms have been applied to the process of deleting data no longer having any business value. For this discussion, we will call it “defensible data disposition.”
One of the most effective IG house-cleaning tasks is undertaking a defensible disposition of legacy data. Organizations that fail to control their increasing volume of data face increases in business risk, the burden in managing it, and the challenges in finding what they need. By removing information that no longer has business value, companies will take a significant IG first step.
This paper provides a practical approach to undertaking the defensible disposition of data, defined as the process by which corporate content is systematically deleted with a defensible audit trail.
Strategic Advantages to a Defensible Disposition Program
- Lowering storage and operating costs.
- Gaining business process efficiency by optimizing end user access to corporate information, thus easing the burden of data management.
- Optimizing discovery response time and lowering overall discovery costs in the process. The more organized a company is on the front end with data repositories, the less its discovery spend will be.
- Providing greater protection of sensitive intellectual property.
- Mitigating the risk of unauthorized destruction of business records and spoliation during discovery.
- Mitigating the risk of non-compliance and increasing internal audit efficiency.
Pre-planning Considerations and Best Practices
Obtain an expert's sign-off. Because there are both legal and compliance risks anytime corporate information is intentionally removed, you should obtain an expert's input, via an internal legal/compliance officer giving appropriate approval, or an external expert opinion before the start of a disposition project. Two components are key for the internal or external expert to focus on: an identification of the types of target data subject to disposition, and documentation of the disposition process itself.
Start with a pilot project. Start small via a pilot to work out any gaps or technology issues and develop internal champions. The pilot should be directed at categories of documents where an easy win is assured. The process should center on: "Can you put a 'box' around a specific business unit/group/team's data?"
Easy wins. Examples of data without any obvious business value include duplicates, documents exceeding retention schedules, outdated legacy documents, and orphaned, mislabeled or misplaced ESI.
Document the process. An important part of data disposition is properly documenting the process, similar to a legal hold except the reverse is occurring – data is being disposed of instead of preserved. The log should include dates of when the categories of documents were destroyed, data locations, deletion process used and name of the project manager.
Use a certificate of destruction. Upon deletion of a class or category of data, a certificate of destruction should be executed and added to the disposition record, providing evidence of when the documents were deleted.
Understand the infrastructure. Being able to quickly identify where different categories of data are located within the corporate enterprise will make it easier to prioritize the project and isolate data subject to deletion.
Categorizing documents subject to deletion. This is necessary to identify the data and prioritize the project, and requires an in-depth review of data held by various departments subject to the disposition process. The categories will vary depending on the type of business. Categories that are common to most businesses include:
- Data that should be deleted pursuant to retention schedules – i.e., outdated legacy data;
- Duplicates on a network;
- Misplaced, mislabeled or orphaned data with different file types;
- Legacy software systems holding outdated data;
- Old versions/drafts since updated.
Leveraging existing technology. Executing a defensible disposition project doesn't require an investment in new technology. However, all available technology used should be evaluated for possible use in the disposition program (e.g., email archives/e-vaults, cloud-based tools).
Prioritizing and phasing the project. Disposing of ESI with no business value is a large task requiring phasing and categorization for optimal results. For example, the project can be broken down by department, shared drive, or classes of documents to delete – e.g., duplicates and documents with creation dates beyond data retention schedules.
Executing a Defensible Data Disposition Plan
The individual steps recommended below can be challenging, and we're not necessarily advocating a linear, document-by-document analysis. Rather, this is a multi-layered, process-driven approach that's determined by the data set and organizational structure. The methodology and order will depend on the technology used and the data at issue. The following steps should all be considered:
- Identify the categories/class of documents to search
- Identify the target drive
- Create final search criteria
- Run search criteria on a small subset
- Sample results for responsive and non-responsive documents and approve criteria or modify
- Initiate search and move all responsive documents to an archive
- Sample results for false positives
- Delete all documents in the archive after a designated period of time
- Execute certificate of destruction
Once the process for identifying data to be disposed of has been completed, you should consider migrating the remaining business data to an appropriate centralized location.
Below is a short list of examples of potential challenges and remediation tactics to consider.
1. Data/documents that were created by former employees.
Issue: It is challenging to know the history or context of these documents, and therefore to determine if they must be maintained.
Remediation: The following questions can be extremely helpful in creating an action plan:
- What was the former employee's role?
- Was it common for someone in that role to create or store documents with a specific retention period?
- What business unit did that person work in?
- Is the unit head/lead still with the company? Are colleagues still in that unit?
- Are the former employee’s data/documents in a structured folder? If so, that should help to segregate clearly irrelevant docs from others.
- Are there documents that are redundant, such as loose files known to exist in a database? Is email data maintained in a separate repository?
2. Data resides on media of unknown origin, or the media content is unknown.
Issue: This is a category where data is generally known to exist, but there's a lack of knowledge of how to know what's on said media (hard drive, backup tape, thumb drive, encryption issues, etc.)
Remediation: Same analysis as above – identify tangential information about the data set. Also, consider employing a forensic expert, which is significantly less costly than formally collecting, processing and reviewing documents.
3. Delays in effectuating the project? How to keep it on track?
Issue: Projects cost time and money; how do you avoid falling behind?
- Assign a project manager. Make the project a "need to do" and not a "nice to have."
- Assign short-term goals as milestones for the project.
Micron Technology, Inc. v. Rambus, Inc., 645 F.3d 1311, 2020 (2011) provides insight into key considerations in the development of a document retention policy.
… there is the innocent purpose of simply limiting the volume of a party’s files and retaining only that which is of continuing value. One might call it the “good housekeeping” purpose. Thus, where a party has a long-standing policy of destruction of documents on a regular schedule, with that policy motivated by general business needs, which may include a general concern for the possibility of litigation, destruction that occurs in line with the policy is relatively unlikely to be seen as spoliation.
The Rambus case highlights two key notions: that a document retention policy must be followed consistently, and that even under less-than-ideal circumstances, data disposition is recognized as a key component of a document retention policy. As companies continue to engage in IG disposition projects, the process will be refined through execution and repetition and ultimately will play a pivotal role in increasing efficiencies and overcoming obstacles. The result will be a meaningful reduction in business risk, e-discovery costs, and data/document storage costs and an increase in data collection efficiency and accuracy, further reducing litigation risk and cost.
Disposing of Digital Debris: Information Governance Strategy and Practice in Action, EDRM Information Governance Reference Model (IGRM) CGOC (Compliance, Governance and Oversight Council) 2014.
The Sedona Conference® Commentary on Information Governance.
Defensible Deletion Topic Overview, "eDiscovery J.," by Barry Murphy, January 10, 2013.
Challenge to a Comprehensive Business Process (2014) by Andrea Wallack, CEO and Adam Rubinger, director of Discovery Management at NightOwl Discovery.
Published January 23, 2015.