
Creating a Data Retention Policy

By Mark Grossman

If your business does not have a well-thought-out and properly implemented Data Retention Policy, you are heading for trouble. This article will explain why.

The starting point is that you need a structured data retention plan so you know what kinds of data you have, where you store your data, what data you should destroy, and when. Not only is it good business, but also having a data retention plan is invaluable if you are ever sued or need to sue somebody.

It's not surprising that most of us are turning our computer systems into our garages: cluttered with piles of useless outdated stuff that we're hesitant to throw away. Data storage is getting cheaper every day while engineers keep increasing storage capacities. So we continue our normal business operations with our data out of sight and out of mind out on the server or hard drive. Since it is not overflowing filing cabinets and storage boxes cluttering up your office, the easiest solution is to simply keep everything forever and play it safe, buying more storage as required.

However, this is not practical for a variety of reasons. File sizes can become enormous, resulting in degraded system performance and a reduced ability to manage and retrieve your own data. You're also constantly incurring new storage expenses. While storage costs less, it's still not free, and costs can grow quickly when you consider storage for your archives, backups, and as required by your disaster recovery plan. Finally, as we'll see later, storing everything could expose you to significant expenses in producing that data in response to an electronic discovery request.

I hope that you already have a data retention policy in place. A working data retention policy helps you create policies and procedures for preserving, storing, indexing, and deleting data. As a best practice, you should have such a policy in place and operating before it is critically needed in response to a business need or litigation.

Creating and implementing a data retention policy will help you answer the "where," "why," and "how" questions related to your data and avoid the worst-case scenario where you have lost control of your data. Imagine having your intellectual property, financial records, and confidential information spread across all of your systems. Where would you start to look for your data, and how could you hope to protect it against unauthorized access?

Having a data retention policy is not just good business. Depending on your industry, you may also face data retention requirements that come from a variety of legal sources. Federal, state, and local requirements are the easy sources of possible retention requirements to think of, but in today's world you could also face some international requirements.

What to Address

A well-crafted data retention policy is a formal plan that should address a variety of issues including, but not limited to: (i) management of different data types; (ii) retention periods for each data type; (iii) policies and procedures on backing up and archiving data; (iv) how to handle different versions and duplicates of data; (v) setting up deletion or purge schedules; and (vi) how your plan handles aspects of the electronic discovery process.

As a first step, you need to create a retention team to review the current status of your systems and data. Building your data retention team is going to depend on the size of your company. Larger companies may be able to delegate many of these tasks to the IT team after receiving input from upper management. Smaller companies may have to get individual end users involved.

By combining the skills and expertise of your people, the plan should be able to address and support your company's business operational requirements, comply with relevant legal requirements, and not put too much of a strain on IT resources. Care needs to be taken to ensure your data retention policy does not conflict with your company's other policies such as computer and Internet use policies or privacy policies.

Data comes in many types, so you're going to need different retention policies for different types of data. How long you keep email (and where) is likely to differ from how long you need to keep copies of signed contracts or customer orders and records. I'm guessing you're not going to know all the data types you have on your systems; categorizing all of it is a step where your IT folks have a chance to shine.

Once you've figured out what you have, how do you decide how long to keep your data? When does particular data lose its use to the organization? Now it's time to turn to your attorney so he can advise you on the legal retention requirements (if any) your company and industry face. Those requirements should serve as a bare minimum retention period; in most cases no one is going to care if you go above and beyond those time limits. Your attorney can advise you on what's required.

If you're in an unregulated industry, then your retention requirements mostly depend on your business's requirements and your own comfort levels. Again, the bare minimum retention period you choose should allow you to set your retention requirements so that you're able to maintain your business operations and live up to your contractual obligations.

Establish retention periods for each category of electronic data. For example, your plan might state that email messages are purged after 45 days and backup tapes are purged after 90 days. You also need to be clear on when data is removed from servers, desktops, and laptops since these often contain the "live" data another party in a court case will be seeking.

You also need to address what happens to your old data. Are you going to archive old data, create backups, and when (if ever) are these going to be deleted or purged? The policy should set clear standards and schedules on how these processes will occur, to include the types of data to be archived/backed up, and on what schedules.

Care needs to be taken in creating your data purge schedules; you don't want a disastrous accidental purging of data you need. Your IT team should be consulted to ensure the data you need is archived as required, safely backed up in the appropriate places, and not purged accidentally. How long are you going to keep your backups? Don't get confused and think that by writing over your backups every 90 days that you're losing ALL data every 90 days. You're actually only deleting backed up sets of data, not all old data that resides elsewhere on your systems.

How will you address duplicate data? Your employees probably create multiple versions of the same documents during the course of normal operations (contracts, invoices, letters, etc.). They're also probably creating multiple copies as they pass these documents around via email or work on them independently. Do you need each and every copy, and if so for how long?

Deleting or purging schedules can be built into your regularly scheduled maintenance programs, though if your company or computer resources are of significant size you may want to stagger purge times to avoid the performance impact on your systems.

These are only a few data retention policy suggestions to help you get started. Contact your tech attorney to help formulate your plan.

Electronic Discovery

The major benefit to having an established data retention policy in place is that it can really help you in dealing with litigation. Sticking your head in the sand like an ostrich and hoping litigation won't come your way is really not an option in today's world. Having rational and defensible data management guidelines in place helps you respond to the electronic discovery process that occurs when parties take a fight to court.

You have an obligation to make a reasonable and good faith effort to preserve data that may be relevant to pending or threatened litigation. That's right, you have to account for data that MIGHT be of value to the other side in the event of a future legal action.

Should litigation start, you're likely to face a "legal hold" request that requires you to stop portions of your normal data retention and destruction process relating to data that might be relevant to the particular case. At this point you need to preserve relevant data, but you're not freezing your systems or data to preserve everything. Your data retention plan needs to address how you will respond to these hold requests. Should you fail to stop your process and relevant data is lost, you could face serious consequences from the court.

Since you've taken the time to implement a data retention plan, you're better able to assist your attorney in responding to electronic discovery requests. Your plan helps you play defense. You'll have some idea on what kinds of costs and burdens will be associated with your production of your data, be able to control production costs, and minimize the risk of failing to preserve or produce relevant information from your systems. Having such knowledge is invaluable to your attorney and your case, and you're really crippled without it.

I can't give you a primer on all the aspects of electronic discovery in this article. But generally, as part of the electronic discovery process, if you have relevant data on your systems, even if it is stored on an old backup tape from 1979, you're going to have to produce it, and possibly at your own expense. There are exceptions, of course; privileged or confidential information are examples of information that may not have to be disclosed. However, you should anticipate that the other side is going to get what it is looking for. Still, by having a data retention policy in place you can effectively manage the electronic discovery process.

Get your technology attorney involved in the creation and management of your data retention policy early. He can help you balance the need to retain data relevant to your company's operations and potential litigation, and your company's need, in good faith, to continue normal operations and delete useless data clogging your systems.

© Tannenbaum Helpern Syracuse & Hirschtritt LLP
