www.archive360.com
2606:2c40::c73c:671c
Public Scan
Submitted URL: https://www.archive360.com/blog/when-is-it-ok-to-delete-data#:~:text=It%20is%20legal%20to%20delete
Effective URL: https://www.archive360.com/blog/when-is-it-ok-to-delete-data
Submission: On June 29 via api from US — Scanned from DE
Form analysis
1 forms found in the DOM/hs-search-results
<form action="/hs-search-results">
<input type="text" class="hs-search-field__input" name="term" autocomplete="off" aria-label="Search" placeholder="">
</form>
Text Content
WHEN IS IT OK TO DELETE DATA: DEFENSIBLE DELETION AND RETENTION SCHEDULES

By: Bill Tolson | January 26, 2021
Legal/eDiscovery | Regulatory Compliance | Records Management | Data archiving | Legal | Compliance

Twenty years ago, the average corporate General Counsel's (GC) primary data strategy was to delete all data that was not absolutely necessary to meet regulatory compliance requirements or currently being used in litigation. Ten years ago, that data deletion strategy had completely reversed to where most GCs were hesitant to delete any data at all.

I believe this 180-degree change was due to the 2006 amended Federal Rules of Civil Procedure (FRCP) publication. Specifically, Rule 37(e) of the 2005 FRCP stated:

If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to protect it, and it cannot be restored or replaced through additional discovery, the court has several remedies, including the issuance of an adverse inference instruction.

The adverse inference instruction instructs the jury that they can presume that the evidence (data) is unfavorable to the party's case. [In many, but not all lawsuits, an adverse inference instruction generally ends the case in favor of the opposing party.] In reality, the adverse inference instruction informs the jury that (usually) the defendant didn't want you to see the evidence because it could be detrimental to their case, so they destroyed it.

Because of the 2005 version of 37(e), many GCs changed their minds. They became much more conservative on data deletion mainly because they didn't want to take the chance of getting caught up in spoliation (destruction of evidence) allegations. There are numerous cases where companies did not anticipate future litigation correctly, and data was inadvertently destroyed, causing the issuance of fines and loss of the case.

When litigation hold responsibilities arise, preservation obligations, including the suspension of document retention and retention policies, could very well be required, but only for data that can reasonably be tied to the case. In the famous Zubulake eDiscovery case, the court noted that to comply with legal hold obligations, a party is not required to preserve "every shred of paper, every email or electronic document, and every backup tape."

The FRCP was amended again in 2015 - including Rule 37(e). The amended Rule 37(e) now includes a critical instruction that subtly changes the anticipation description to: only upon finding that the party acted with the intent to deprive another party of the information's use in the litigation may the judge apply the most severe sanctions. In practice, inadvertent deletion of potentially responsive information should not trigger harsher responses from a Judge (usually).

Even with this important FRCP update to Rule 37(e), many GCs have not changed their data deletion stance.

I still run into corporate Compliance, Records, and Legal professionals who say their standard data retention/disposition instructions are still not to delete any data, ever. In fact, the legal best practice is to delete records when expired and general data as soon as the data no longer has value for the company.

THE LEGAL SYSTEM DOES NOT MANDATE DATA RETENTION POLICIES

Unless your company has specific regulatory retention requirements or anticipates legal action, data retention is strictly up to the organization. There are no laws that instruct organizations to keep general (non-regulated) data for any period of time.

In the past, I have seen some large organizations institute very compressed retention policies, including only two weeks on all email where the email is automatically deleted from the system unless the custodian or legal department has placed a legal hold on the email. This very short retention policy is out of the ordinary and does contain some risk. A judge could interpret this policy as an attempt to remove smoking guns before they can be requested in eDiscovery.

For example, in the Apple vs. Samsung patent infringement case, Samsung's lack of digital evidence preservation in part resulted in Apple being awarded over $1 billion because digital evidence that the judge considered material to Apple's case was automatically deleted.

No matter the industry or business your company is in, it's always a best practice, even though it's not a legal requirement, for your company to create a data retention/disposition schedule - and enforce it. Companies do this based on regulatory requirements, sound business practices, and legal risk mitigation reasons.

WITHOUT SCHEDULED RETENTION/DISPOSITION, DATA (AND RISK) PILES UP

In today's business environment, the amount of data being created/sent/received has accelerated (the velocity of data) to the point where employees can no longer keep up.

Because of this, they fall back on the 5-second rule; if it takes more than 5 seconds to decide what to do with a piece of information/file/email, the employee will either delete it immediately or keep it forever – and in my experience, the vast majority choose to keep it forever.

This is one reason very large companies spend millions of dollars every year to employ consultants to cull through terabytes of data to delete files that are no longer required or are required by law to be removed. For example, the CCPA and GDPR privacy regulations require organizations to dispose of a data subject's personal information when requested (right to be forgotten), or if the organization no longer needs the data, i.e., the original reason the data was collected has been fulfilled or no longer exists, or does not have regulatory or legal requirements (litigation/eDiscovery) to keep it.

This process is known as defensible disposition – the deletion of data in a legally defensible manner if there is no regulatory or legal reason to keep it. This description refers to documenting the policy, process, and actions when a defensible deletion is being executed.

WHEN CAN/SHOULD DATA BE DELETED?

Organizational data typically have some amount of value to a company for a period of time. Some information value is very short-lived, while other data can retain its value to the company for much longer periods of time. The secret sauce in information management is to know when data value becomes less than its potential risk to the organization. In fact, there is a direct connection between the age of data, the cost to keep it, and its risk to the organization (PII security, eDiscovery).

In a great example of the cost of maintaining data too long, Dupont conducted a study back in the late 90s looking at nine key eDiscovery cases.

They found that:

* The total number of pages reviewed was 75,450,000
* The total number of pages found responsive was 11,040,000
* The total percentage of expired (beyond the retention period) pages was 50%
* The total cost of unnecessary eDiscovery review processing was $11,961,000 (1998 costs).

(These findings did not take into consideration the non-litigation costs of data over-retention, including increased costs of data storage and management, backups, inclusion in other litigation, and privacy/security risks.)

This study is still relevant today in that it highlights the cost of over-preserved data in the eDiscovery process. Additionally, expired but still preserved data can complicate eDiscovery due to the basic fact that if data exists, even expired data is still discoverable and must be collected and reviewed if potentially responsive to the given case.

DATA DELETION – "IT'S A GOOD THING"

Creating and enforcing data retention/disposition schedules for non-regulated data is a great business practice in case a judge asks for the retention disposition policy when responding to opposing counsel's inquiries. The key here is disposing of valueless information regularly. This ensures aging data does not stick around and impact storage and data management costs and cause eDiscovery issues in the future.

Circling back to this blog's main topic, when is it legal to delete information? It is legal to delete data regularly if not under regulatory retention requirements or involved in current or anticipated future litigation. Data not meeting these two requirements should be defensibly disposed of when legally defensible.

DEFENSIBLE DELETION/DISPOSAL QUESTIONS CHECKLIST

1. Is there a current business need to keep the data in question?
2. Does the data to be disposed of have any regulatory compliance retention requirements that require you to keep the data?
3. Is any data subject to an anticipated or current legal hold?
4. Has your Chief Regulatory Officer, Chief Records Officer, or General Counsel approved your defensible deletion plan?
5. Does your organization have a published data retention/disposition schedule that supports your defensible deletion activities?
6. Can your retention/disposition system produce an accurate report on the data deletion for future chain of custody and regulatory reporting?
7. Do you regularly audit the retention/disposition system?

However, you should always get a written opinion from your corporate or outside counsel.

Archive360 is the world's leader in intelligent information archiving and management. The Archive2Azure solution is a complete cloud-based information management and archiving solution for both structured and unstructured data, which is installed in your company's own Azure Cloud tenancy for increased security and functionality, ongoing customization, and complete control. Unlike SaaS archiving platforms where you are forced into a one-size-fits-all application and security configuration, the Archive2Azure PaaS solution is architected so that you store your company's data in your own Azure tenancy with complete control over the security, including the ability to encrypt data on-premises before movement to your Azure tenancy – while keeping your encryption keys locally.

BILL TOLSON

Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.

© 2023 Archive360. All Rights Reserved