There is no doubt that the costs associated with preserving information that is potentially relevant to litigation or regulatory investigations, particularly in cases where the allegations are vague or where the party making the allegations takes the position the responding party must preserve all its documents, can be enormous and, in some cases, crippling. The costs associated with storing such information, as significant as they can be, often pale in comparison to the costs associated with analyzing and reviewing the information to determine whether it is, in fact, relevant to the litigation or investigation. The lack of uniform guidance from state and federal courts regarding the scope of the duty to preserve relevant information and the penalties for failing to do so further exacerbates the problem, leaving parties to weigh the costs of preserving vast amounts of data against the risks of being accused of spoliation – accusations which, even if unproven, can cause significant damage to organizations such as publicly traded companies. This weighing effort often results in a conservative decision to preserve broadly – an expensive course of action that seldom benefits either the parties to the litigation, the investigation or ultimately, the civil justice system. In fact, it can be argued that the current preservation rubric fails to follow one of the fundamental tenets of the Federal Rules of Civil Procedure, which states that the Rules "should be construed and administered to secure the just, speedy, and inexpensive determination of every action and proceeding.” Fed. R. Civ. Pro. 1 (emphasis added).
While proposed amendments to federal and state procedure rules as well as proposals to radically change the common law preservation rubric through legislation will undoubtedly improve the current situation, it will take a significant amount of time before the benefits of such changes are felt. However, there are steps that organizations can take today to mitigate the costs and risks associated with the retention and preservation of information.
Data Mapping
The first, and a predicate, step to any attempt to reduce the costs and risks associated with the preservation of electronically stored information is for companies to gain a thorough understanding of the information stored within the organization and to keep it up to date. An understanding of the organization’s information can be obtained through what has come to be known as a data map. "Data mapping identifies the types of information that are generated by organizations, the technology used to generate it, the people who create it, the people and processes that are responsible for moving and monitoring it, and the technology used to store and retrieve it." B. Sullivan, "Data Maps: An IT Necessity for Efficient, Cost-Effective Information Management", Digital Discovery & E-Evidence 10, no. 4 (April 2010). A complete and up-to-date map of its information will allow the organization to make more informed decisions regarding what data it needs to preserve when faced with litigation or an investigation and can also serve as the foundation of a process to dispose of information that has no business value and that is not subject to retention or preservation obligations.
The disposition of legacy data that has no business value and is not subject to retention or preservation requirements can significantly reduce day-to-day storage costs, the costs of complying with preservation obligations and the risk posed by maintaining historical information. While mapping an organization’s data and analyzing its legacy data will, no doubt, require hard work and cost money, a return on the investment can be quickly achieved and demonstrated.
Is It OK For Organizations To Dispose Of Legacy Data?
Organizations seeking to dispose of legacy data should take comfort from the fact that the United States Supreme Court has held that it is appropriate for companies to dispose of information that is not subject to preservation obligations in the normal course of business. "'Document retention policies, which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business.' It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances." Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005)(citation omitted).
While defining what constitutes “ordinary circumstances” will require analysis of the case law in the company’s particular jurisdiction as well as the regulatory framework that the company operates under, as an example, the Eighth Circuit in Lewy v. Remington Arms, 836 F.2d 1104 (8th Cir. 1988) set forth a three-prong test to determine whether the destruction of documents in the ordinary course of business constitutes spoliation:
- Is the retention policy under which the documents are to be destroyed “reasonable”?
- Are the documents subject to destruction under the policy relevant to past litigation/investigations and if so, with what frequency?
- Was the retention policy adopted in bad faith? Id.
Framework For The Remediation Of Legacy Data
The authors believe that the disposition of legacy data that has no business utility and that is not subject to retention or preservation obligations presents an opportunity for cost savings and risk mitigation with minimal impact on the day-to-day operations of the business and believe that the framework discussed below will enable organizations to dispose of legacy data while minimizing the risks of being accused of, or sanctioned for, spoliation. The process involves an interdisciplinary blend of skills including legal, records management, information technology, audit and data analytics, and in some cases, IT archeology – a discipline that blends knowledge of historical technology and investigatory skills. While many companies have the resources required to conduct legacy data remediation in-house, it is often difficult for these resources to devote the time required to complete the project in a timely manner. We have found that a blended team of in-house resources and outside consultants can alleviate the bottlenecks associated with having a team for whom the project is a second or third job and can help to keep the project on track.
What Is Legacy Data?
Before discussing the framework, an explanation of what “legacy data” means is in order. The Sedona Conference Glossary (Second Edition) defines legacy data as electronically stored information “in which an organization may have invested significant resources, but [which] has been created or stored by the use of software and/or hardware that has become obsolete or [has been] replaced (“legacy systems”). Legacy data may be costly to restore or reconstruct when required for investigation or litigation analysis or discovery.” Another way to think of legacy data is as information that is “inactive” – data that is stored in physical or electronic format and is not currently understood, used or managed. Legacy data collections typically include large volumes of data accumulated in files and data stores originally saved for a specific reason – whether for disaster recovery purposes, for business needs or because of retention or preservation obligations – that no longer exists. Legacy data may be contained in paper documents stored in boxes placed in an offsite warehouse years or decades ago, collections of disaster recovery backup tapes that have long since passed their rotation period or on mothballed computer systems that are sitting in a storage closet because no one has gotten around to disposing of them. The framework described in this article is media neutral and works, with minor changes to the information-gathering process, regardless of what medium the legacy data is stored on.
The process used by the authors to assist clients in analyzing and disposing of legacy data is by necessity flexible and is adapted to suit the particular requirements and circumstances of each project. It is based upon five fundamental steps:
- Catalog and understand the organization’s retention needs and preservation obligations;
- Create an inventory of information that must be retained or preserved – the “obligations matrix”;
- Inventory and categorize legacy data;
- Filter legacy data through the obligations matrix;
- Dispose of data that has no business value and that is not subject to retention or preservation obligations.
While the process is straightforward and each step is simple on its face, it can seem daunting, particularly to companies that have large collections of legacy data. When the circumstances permit, we try to implement the process in a manner that chips away at the easy challenges first. This way the more difficult challenges can be dealt with once the team has more background information and the overall project strategy is more mature. This approach can also serve as a proof of concept and be used to demonstrate the return on investment for the overall project.
One of the primary objectives of the process is to learn only as much information about a category of data as is required to make informed and defensible decisions regarding its disposition. While overly simplistic, the following example demonstrates this point. Company A has 5,000 boxes of backup tapes from one of its manufacturing facilities in an offsite third-party warehouse. An analysis of Company A's retention and preservation obligations reveals that it only has to keep manufacturing documents for five years. Based on these facts, it would be appropriate and pose little if any risk to the company to dispose of backup tapes in this set that are more than five years old. So if the company can establish, based upon its storage and IT records, that 4,500 of the 5,000 boxes came from one of its manufacturing facilities; that the only systems running at that facility that were backed up to tape were manufacturing batch systems; and that the boxes were sent to the warehouse more than five years ago and have not been retrieved since then, it would seem that disposing of these 4,500 boxes would be appropriate so long as the decision-making process is documented. If, on the other hand, the storage records for the 4,500 boxes indicated that the boxes might also contain backup tapes from a research and development facility or that the boxes had been retrieved within the last five years and then sent back to the storage facility, additional information would be necessary before a disposition decision could be made.
Conclusion
It is the authors’ firm belief that organizations can and should dispose of information that has no business value and that is not subject to regulatory retention or preservation obligations in the ordinary course of business. Doing so under a reasonable policy following a rational, documented and objectively verifiable process will significantly reduce not only the costs and risks associated with retaining information that has no ongoing business value to the organization, but, will also reduce the risk of being accused of, or sanctioned for, spoliation.
Published January 19, 2012.
