With two thirds of retained information having no business value in most organisations, when is it safe to delete? Rich Turner outlines a defensible deletion strategy.
According to the Compliance Governance and Oversight Counsel’s 2012 survey, 69 per cent of information retained within companies has no business value, yet companies are hesitant to delete information. Whilst the benefits of deleting information may seem obvious, companies most often cite legal risks, which can have adverse results on legal cases and can engender spoliation sanctions when US courts are involved. Yet, without deleting this information, it adds undue burden and costs at all levels of the organisation.
Three cases for defensible deletion
The US judicial system has a pair of laws that govern general information retention. In the first, its Federal Rules of Civil Procedure (FRCP) define a “Safe Harbor” statute such that a court may not impose sanctions on a party who has lost information as a result of the routine, good-faith operation of an electronic information system. Conversely, US case law has loosely defined that the “Duty to Preserve” information relative to a case arises the moment litigation is “reasonably anticipated.”
The UK Civil Procedure Rules (CPR) contain no such provision ie a “duty to preserve” - but once CPR 31 has been invoked (eDisclosure), parties are expected to preserve and collect all relevant information, and the courts do take a dim view of any intentional or wilful destruction. Companies facing international litigation find they need to adhere to the stricter US definitions or risk specific sanctions.
In US courts, three specific cases have emerged that define what defensible deletion is. In the first of these cases, US Bancorp was sued by a former employee (Viramontes) claiming gender discrimination. At issue were emails the plaintiff wrote to US Bancorp several years before the lawsuit commenced, and that US Bancorp had routinely deleted as part of its automated Information Management program. The plaintiff sought sanctions, but they were denied, the courts feeling US Bancorp had operated within the appropriate guidelines.
A second case pitted AMC Technology against Cisco Systems - the former (AMC) had a contract with Cisco which went awry. An employee on the fringe of this case, and not named by either party, retired and Cisco followed its routine deletion policy 30 days after his departure. Some 12 plus months later, the employee was identified by AMC who sought sanctions claiming his emails were “critical” to their case. Again, sanctions were denied, as the employee was not considered part of the original suit and Cisco could not be expected to “keep everything forever.”
A third case looked at deletion in the Public Sector, long considered responsible for indefinite retention to satisfy Freedom of Information Act regulations. In this case, the City of Las Vegas Nevada was sued by a former employee, claiming gender discrimination. Because the employee had produced her own copy of an old email she claimed was material to her case, she sought both sanctions and prejudice because the City couldn’t produce the same document. Again, the court disagreed: her email was before any litigation was anticipated, its destruction was routine, and because the employee had produced the document herself, there was no basis for prejudice.
Mounting defensible deletion strategies - the 'What to Do'
Whilst case law supports the use of automated deletion strategies across these three diverse organisations, the devil is the detail. The key is obviously that data that is not under specific protection can be deleted, and the deletion needs to be neutral, systematic, and universally applied. Finally, it must be possible to suspend deletion as legally required.
Determination of what is, and what is not, under specific protection is where the expertise of Information Management and Governance consultancies is critical. First, an assessment of the organisation’s current data retention against GARP Principles is made, following implementation of information governance programs and procedures, which include data disposition and system remediation, under guidance by these consultants.
Mounting defensible deletion strategies - the 'How to Do It'
The third aspect with which organisations wrestle is how to deploy a defensible deletion strategy. This is where Information Management software vendors play a critical role. They provide the software platforms which can apply the appropriate procedures to manage organisations’ information.In the case of deletion, the significant aspects go beyond automating the deletion of information. These systems must also provide a means of audit, so organisations can demonstrate that any information which was deleted was unencumbered by other laws and regulations.
Finally these systems need sufficient flexibility to adopt new regulations, changes to existing rules and procedures, and the ability to be suspended once specific information must be preserved. Ideally, whatever rules engine drives the information management solution should use simple, language-based nomenclature so a non-technical person can modify them whenever required.
With two thirds of most organisations’ retained information having no business value, implementation of an effective deletion programme has tremendous merit, with benefits that reach across the whole organisation.