Here's a continuation of my postings about the Electronic Discovery Institute's online e-discovery certification program, that you can subscribe to for just $1. I last blogged about this program on August 19, 2017. Go to https://www.lawinstitute.org/ to sign up for it.
Tonight I took the course on data remediation. It's taught by Anthony Diana, a partner at Reed Smith specializing in electronic discovery; David Castro, counsel for the Hess Corporation, who is responsible for electronic discovery; and Jamie Brown, an attorney with board experience in data privacy and information technology law.
Maintaining Legacy Data
Cybersecurity and data privacy concerns have discouraged the practice of keeping vulnerable data indefinitely. The EU's data privacy regime makes this concern particularly important. Keeping data has its own costs.
Data on older database and file shares may not have proper meta data, making it difficult to determine what should be disposed of.
One of the costs of electronic discovery is liability. C-level is putting increased pressure on e-discovery staffs to discard email archives that they are no obligated to retain. Preservation itself can be expensive, particularly where encryption is in place. The goal is to meet regulatory requirements and follow best practices, and only take steps that are necessary for individual legal matters.
The explosive increase in data means that data storage is not cheap. There is often an incredible amount of redundancy in the data retained by a company. Searching through the data will not necessarily be inexpensive. Useless data that has no business value and is not subject to a legal hold should be remediated.
Deleting Legacy Data
A company should have a defensible process for data remediation. Large organizations often rely on preservation in place when responding to legal holds, according to Brown. Different steps should be taken to preserve data from different applications.
Different regulatory agencies impose different burdens. The SEC, FTC, and other agencies have very specific requirements that businesses must meet. Castro said that at Hess, their downstream organizations had very heavy regulatory obligations. Data had to be retained for a long time.
Diana said that in the US the risk calculus is different than in other countries, because the focus is on the risk from legal holds. In Europe, preservation is less of a concern. Data privacy rights are considered more important.
Brown said that there was no set retention requirement for any given country, but periods driven by individual regulatory agency requirements.
Castro said one's prime paradigm should be following a company's own retention policy, which the courts and agencies would hold a company responsible for following. The United States advocates wide open discovery at the expense of privacy.
Brown noted that many employees don't understand the difference between retention and preservation. Data subject to a legal hold should be preserved; records are kept subject to a retention policy.
Creating a Data Remediation Program
Senior management must agree to the disposal of data. This is the first step before one can obtain funding for an effective program. There should a return on investment (ROI) shown through the reduction in cybersecurity risk, compliance with privacy laws or regulatory obligations.
An analytics tool can provide some context for data, and show relationships between individuals.
IT should be consulted, since they often have the budget that will allow the remediation program to be implemented. A law firm or consultant may help drive the process.
Hard Copy Documents (Boxes)
There are a few players that dominant the area of hard copy storage, and they made the process more expensive than it used to be, according to Castro. Physical records under a company's custody and control may reside in many different locations and be managed by different companies which follow different practices. Physical records usually aren't organized by custodian.
Diana noted that undetailed indices often make the remediation of boxes in off-site storage very difficult. However it may useful to simply know when a box was sent off-site. Boxes that were stored off-site more than 20 years may be assumed to be full of stuff that is unneeded. Sampling may be performed on some boxes to draw some conclusions about the importance of the records. One should not sample only to confirm that an index is correct. It's necessary to really judge the importance of the contents of boxes.
For the implementation of legal holds, it's necessary to keep track of who used hard drives. There should be a policy in place for IT to re-purpose hard drives after checking to see if anything needs to preserved. Drives should be authenticated with unique ID numbers.
Castro uses a third party vendor to dispose of hard drives. Data must be truly destroyed.
Back-up tapes hold a lot of dispersed data - not data from just one custodian. It's hard to get rid of data stored on tapes. Data on back-up tapes may not be unique. Brown observed that back-ups are not always used just for disaster recovery. They may for instance be accessed to respond to legal holds. Back-up tapes will have snap shots from a particular point in time.
Castro said that Hess only uses back-up tapes for emergency purposes. It has not been required in a legal case to provide data from tapes - in part because it follows a consistent policy as to how they are used.
Financial institutions in particular rely on email archives as a general back-up. According to Diana it's very hard to remove data from email archives. The risk associated with getting rid of email archives is very high. It's common for a user to store their own records in email archives. Diana noted that he is working with many clients these days to remove data from email archives.
Email archives may have to be WORM compliant so that the data can't be altered. Journaling on the server level may lead to emails be retained even after users have deleted them.
Brown noted that there is concern that data migration in Office 365 may not meet regulatory requirements for the preservation of metadata.
Castro noted that Hess follows a policy of deleting emails automatically after a certain time period, and also has a policy against saving inappropriate emails in its systems.
Some cloud providers can't allow for data to be searched and exported very well. Before sending data to the cloud one should have a plan as to how data will be purged on a regular basis. The courts will not look favorably upon parties that can't extract discoverable data from the cloud.
2015 Amendments to FRCP
The amendments make it easier for companies to dispose of data. Under Rule 37, companies will still be subject to sanctions if they can't find data. Brown noted that most companies will reply on preservation in place, because doing otherwise is cost prohibitive.