Tech, Organizational Factors
By Anne Kershaw
Virtually everyone is hoarding data they no longer need, and it’s costing employers significant sums of money and draining scarce resources to maintain and expand electronic data storage. Yet, when hard drives and file shares are analyzed, we find that 80 percent of these ostensibly “active” files and folders have not been accessed for three to five years. This results in unnecessary IT expenditures for infrastructure, disaster recovery, and data migration as old servers and systems are retired.
Some organizations also have tens of thousands of backup tapes in storage, all of which are essentially useless, yet they are generating storage fees and excess costs if included in discovery for litigation.
Most of the costs associated with unnecessary data hoarding are hidden, out of sight and out of mind. One example of such hidden costs is lost productivity when employees have to wade through unused and unwanted information to find what they need. Another example occurs when employees forgo the potential informational value of content management systems because there is too much clutter to wade through.
While specific operational costs are appreciable, the most visible costs can be legal expenses. Even if a company had not been obligated to keep unused data, if it still has that data when a legal matter arises and a legal hold is issued, there is an obligation to preserve and produce relevant or potentially relevant information during discovery in that litigation. In essence, the legal hold trumps the company’s right to dispose of information not needed for specific operational or regulatory requirements.
This can be extraordinarily expensive: The discovery process often involves having rooms full of attorneys examining records to determine their responsiveness to discovery requests or subpoenas and whether the records are confidential or privileged. Billing rates for all this work range from $60 per hour for contract attorneys to between $300 and $400 per hour for associates. Such legal review bills are often the largest single expense in litigation and can quickly mount to hundreds of thousands of dollars.
Average costs for collecting, processing and reviewing electronic data for legal matters can exceed $10,000 to $20,000 per gigabyte, depending on a number of factors. If the data had been disposed of when eligible for disposition, before the legal matter arose, none of those costs would have been incurred.
In other words, managers can do more than complain about the hemorrhaging of corporate funds during litigation: They can proactively and appropriately dispose of unnecessarily hoarded data.
Companies are also increasingly feeling the sting of state privacy legislation that requires notification of state officials and implicated state citizens if private information such as Social Security numbers or credit card numbers is breached or disclosed.
Massachusetts is at the forefront of this movement. Belmont Bank in Massachusetts, for example, recently discovered that a backup tape had been left on a table and disposed of by the cleaning crew. It appears the tape had been incinerated and not actually disclosed to third parties, but the bank nonetheless had to pay a $7,500 civil penalty.
Damages in individual incidents involving the actual loss of credit card information have exceeded $100 million, such as in the TJX credit card breach and the Heartland payment systems breach. And the reputational injury to a company can be even more damaging than the direct dollar damages, as few customers, employees or suppliers want to be told their private information has been compromised.
To state the obvious, hackers and thieves can’t take what you don’t have. The best protection against a privacy breach is to dispose of data as soon as it is no longer needed for business purposes or legal matters.
Tech, Organizational Factors
The massive accumulation of unnecessary data is a phenomenon that stems from several technical and organizational factors. From a technology standpoint, the growth of high-bandwidth Internet connections and the decrease in the price of drive storage have made it very easy to move and store large numbers of documents and files. Few managers were concerned about what was being stored when it seemed on the surface to be so cheap to just keep everything.
From an organizational standpoint, typically no one is actively involved in limiting the amount of data that is being stored. Records management is concerned with the retention of scheduled records: important business documents or other documents that have been identified as being official records of the company. IT provides and maintains the organization’s network infrastructure, but not the data within it.
Business unit managers don’t see a budget line item for all the costs associated with unused or unneeded data, so they don’t make it a management priority—at least, not until hundreds of gigabytes get swept up in a legal matter or government investigation, and the bill for legal review hits their desks or email inboxes. This is often the corporate coronary event that motivates companies to clean up their records.
So what should a company do if it decides it would like to reduce the risks and costs associated with data hoarding or over-retention?
The first thing is to understand that to the extent data preservation is driven by a concern about legal obligations, the touchstone for avoiding legal difficulties is to make good-faith, reasonable efforts to meet recordkeeping obligations and, ideally, to document those efforts. Perfection is not required.
Furthermore, the company normally is obligated to keep only “a” copy of relevant information, not “all” copies. For example, if data is on the active server, there’s little or no need to keep all backups. Recognizing this simple fact can sometimes enable corporations to dispose of tens of thousands of unneeded backup tapes at an enormous savings.
The second thing is to appreciate that having an experienced and properly insured outside consultant or expert who is willing to go on record as authorizing the final disposition of records can facilitate the process. No one inside the organization is comfortable saying “throw it out,” and many employees are fully engaged in their normal duties and cannot devote the time that an electronic data housecleaning project requires. They also may not be familiar with the legal standards governing disposition of information and would feel more comfortable having someone else assume the responsibility for directing the disposal of unneeded data and for being the one whose deposition may ultimately be taken, should anyone question the disposition decision.
When a housecleaning program is launched, the records retention and legal hold programs are reviewed to confirm that they include electronic information and are operating in a reasonable and defensible fashion. The basic inquiry here is whether it appears that the proper documents and information are being placed on hold when litigation arises, and that the holds are effective or followed.
As part of the process, a company can also identify those legal holds that have proved particularly burdensome to comply with, with an eye toward potentially narrowing the scope of the hold, renegotiating the hold with the adverse parties or seeking relief from the court. In fact, courts are becoming especially sensitive to the dollar and other costs associated with overly broad preservation efforts.
Categorize Transitory Data
The next step is to categorize the transitory electronic data that is not currently on records retention schedules. This involves different processes for different types of data. File shares should be reviewed to determine the dates of last use of the folders and files.
Physical data containers, such as drives, servers, tapes and other media, are inventoried, and reasonable efforts made to determine their source. If the data is required for business, regulatory or legal hold purposes, it should be placed on retention schedules; if not, it can be disposed of.
For maximum protection, an insured and experienced expert should draft an opinion letter explaining the process and directing the final disposition of unneeded data. If there is ever a challenge to the disposition of the data, the corporation can point to this process and its associated documentation as evidence of their good-faith effort to comply with its recordkeeping obligations.
Such e-housecleaning efforts have a tremendous ROI. Some clients have been able to take thousands of backup tapes off hold, and others have freed up significant percentages of their available file share space—all of this in addition to avoiding discovery and data breach costs.
It is important to be aware of, and prepared for, the executive or business unit that insists on holding onto unused data, claiming that they may someday need to access that data. The most effective way of dealing with just-in-case hoarders is to let the them keep their data, but with the understanding that they are now in fact the "owner" of the data with all the incidents of ownership.
That means they will be allocated all the costs of ownership, including data storage, backup and data breach responsibility, and all legal costs associated with the review and production of the data if it is ever swept into litigation discovery or governmental investigations. Once they understand the full costs associated with owning the data, executives or business units inevitably opt to dispose of unused and unneeded data.
Anne Kershaw in an attorney and legacy data management consultant who has guided many corporations through electronic records housecleaning efforts. She can be contacted at firstname.lastname@example.org.