In our cybersecurity and data management webcast now available below, Davis Polk partners Avi Gesser, Gabe Rosenberg, and associate Matt Kelly, recently discussed getting rid of old documents to reduce cyber risk.
To avoid ending up in the news as the latest victim of a cyber-attack, companies are looking to improve their data security. One way is data reduction─getting rid of old data that you don’t need for business purposes and you are not legally required to keep. The less data you have, the easier it is to protect.
New guidance from the FTC, and recent regulations by the NYDFS, make the express connection between data minimization and cybersecurity. The NYDFS cybersecurity rules provide, that by September 1, 2018, covered entities must have “policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information . . . that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation . . .”
The case law that has developed under the new Federal Rules of Civil Procedure on spoliation has reduced the risk of sanctions resulting from accidental deletion of electronic materials that might be relevant to a litigation. But taking millions of electronic documents and sorting those that need to be kept for legal reasons from those that can be deleted has, until recently, been so costly and complicated that few companies have even tried.
However, recent advances in data analytics and machine learning are creating opportunities for companies to responsibly delete large volumes of old data, without having to review each document to make sure it is not subject to a legal hold.
These tricky issues, along with a step-by-step approach to responsible document deletion, are discussed in the recent webcast below.