Sedona Commentary on Defensible Disposition
This month the Sedona Conference published the public comment version of its Principles and Commentary on Defensible Disposition. This guide is in effect a supplement to the Sedona commentary on information governance, and is intended to assist with the disposition of data that is no longer subject to a legal hold, or needed for legal, business, or regulatory reasons.
Sedona recommends disposing of data when the cost and risk of retaining it outweighs its likely business value. There are three core principles regarding the defensible disposition of information.
1. Absent a legal retention or preservation obligation, organizations may dispose of their information.
Information should be disposed of in the ordinary course of business. The Commentary quotes the Supreme Court decision in Arthur Andersen LLP v. United States, "‘Document retention policies’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances." 544 U.S. 696, 704 (2005). Sedona points out that some courts may question policies which select information for deletion before a duty to preserve arises if the removed information would be harmful in a potential legal case, while other helpful information is retained. A subpoena doesn't necessarily trigger a duty to preserve information, if the relevant data has been produced. The Commentary notes the HIPAA requirement to retain healthcare records for 6 years, and the differing retention schedules under Sarbanes-Oxley for publicly and privately held companies.
2. When designing and implementing an information disposition program,organizations should identify and manage the risks of over-retention.
Information has a lifecycle. It should only be retained while it has operational value. Operation value depends on four factors:
(1) business function and corporate governance (2) internal audit and compliance
(3) potential (but not yet “reasonably anticipated”) litigation (4) contract requirements
The risks and benefits of information disposal should be evaluated. The benefits include:
(1) increased productivity and efficiency
(2) reduced storage costs
(3) improved legal compliance (4) reduced discovery costs and risk
(5) enhanced data privacy and security benefits.
Good disposition practices can help reduce the cost of potential discovery by reducing the cost of tracking down relevant data; searching through legacy information systems; implementing preservation obligations; and conducting collection, processing, review and production.
The Commentary contrasts the decision in Solo v. United Parcel Service Co., 2017 WL 85832 (E.D. Mich. Jan. 17, 2017), in which the Court found a party's deletion of data to be valid and did not require the burdensome production of the information from back-up tapes, with United States ex rel. Guardiola v. Renown Health, No. 3:12–cv–00295–LRH–VPC, 2015 WL 5056726 (D. Nev. Aug. 25, 2015), in which it was ruled that deliberately using back-up tapes for preservation would not excuse the burden of reviewing the data for discovery.
3. Disposition should be based on Information Governance policies that reflect and harmonize with an organization’s information, technological capabilities, and objectives.
A good information disposition policy should classify the information; set retention periods for set for each class; confirm that the IT infrastructure allows for the disposition of data; and designate individuals to take ownership of the process.
Unstructured information; merges and acquisitions; the departure of employees; shared file sites; PII; and data hoarders may present special challenges for data disposition.