Comply Or Die: Data Disposition Must Be A Priority
IT groups rethinking the "save everything forever" approach find deletion and retention policies and tools must be razor sharp to cut through a morass of regulations.
TEAR IT UP
Getting rid of data generally goes against the corporate grain. Much time and effort is devoted to producing, protecting, and preserving information, and now you want to shred it?
But if there's one thing that can focus executive attention, it's litigation. An evolving legal landscape is encouraging enterprises to reconsider this preservation instinct. In December 2006, the Federal Rules of Civil Procedure, which set litigation guidelines at the federal level, were updated to include electronically stored information in discovery requests, in which one party asks the opposition for records relevant to a lawsuit. This means parties in litigation can request both physical documents and electronic information, and organizations have a legal obligation to produce all relevant material. Most discovery requests focus on e-mail, but the scope of the rule is broad enough to include Office documents, instant messages, text messages, .wav files, and so on.
Companies spend jaw-dropping amounts of money on e-discovery. Fiona Schrader, principal product manager of EMC's compliance division, says DuPont estimates that one legal discovery bill came to $11 million. Let's be clear: DuPont didn't spend $11 million total on a lawsuit; it spent that amount on the discovery portion. In that same discovery effort, DuPont found that $4 million to $6 million worth of records had already met their retention deadlines and should have been destroyed.
"Companies aren't getting the connection between what they are keeping and what it means for time and expense when litigation hits and you have to pay lawyers to look through everything," says Michael Sands, a partner at law firm Fenwick & West and chairman of the firm's electronic information management group. Schrader agrees and estimates that less than 10% of her customers have active, automated disposition practices.
There are three main reasons for this foot dragging. First, some companies aren't sure it's legal to get rid of data. It is. The Supreme Court has ruled that it's permissible--though usually under very specific circumstances. A large constellation of rules and regulations governs how long various types of information must be stored: 17 years for patient health records, six years for dealer/broker records, the lifetime of a building for construction and architectural documents, and indefinitely for certain kinds of environmental records and reports. But once mandated compliance periods are met, information should be destroyed.
Companies also must be aware of another stipulation to legal data destruction: the litigation hold. This is a procedure in which information that may be relevant to a case is preserved, even if it's nearing or has reached the end of its retention period.
"Litigation hold and disposition are intimately related," says Sands. "Any automatic system to purge is fine, as long as there's a way to turn it off so you aren't destroying documents you have an obligation to preserve."
Companies also are reluctant to dispose of data because they think they'll find information to help them prove their case during litigation. They probably won't. "As a litigator," says Sands, "the number of instances we find a document we wished wasn't there far outweighs the times we find something where we say 'Whew! Glad we saved this!'"
It's no coincidence that companies that have been through litigation at least once are more amenable to implementing data disposition policies, Sands says.
The third reason organizations are slow to get rid of data is technological. Before information can be destroyed, IT has to know where it is, what it is, and which retention rules must be followed. Records management, content management, and e-mail archiving systems play a role in retention and disposition. But they're often deployed tactically rather than as part of an enterprise-wide strategy. These products also have limits, which we'll discuss.
Google in the Enterprise SurveyThere's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity products, and 69 percent cite Google Apps' good or excellent mobility. But progress could still stall: 59 percent of nonusers distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?