We have written here before about the challenges and benefits of getting rid of old data. As we have noted, in light of recent legal, regulatory, and technological developments, companies should reevaluate their long-term data management planning. Last week, the New York Department of Financial Services (“NYDFS”) issued a reminder that by September 4, 2018, covered entities must have a policy for disposing of nonpublic information that is no longer necessary for business operations or for other legitimate business purposes, unless required to be retained by law or regulation. GDPR also requires companies to minimize the amount of personal data that they store to what is necessary. At the same time, the case law that has developed under the new Federal Rules of Civil Procedure on spoliation has significantly reduced the risk of sanctions resulting from accidental deletion of electronic materials that might be relevant to a litigation or investigation. But despite these developments, companies operating in the U.S. still have little guidance on how to balance the costs and risks of deleting large volumes of data with the long-term costs and risks of keeping it.
For this reason, we see the recent release of the Sedona Conference: Principles and Commentary on Defensible Disposition as a watershed moment for data minimization in the United States. The Sedona Conference is one of the nation’s premier non-partisan, non-profit law-and-policy think tanks, whose publications have been relied upon as authoritative by courts when faced with novel data issues. The Sedona Paper begins with the core principle acknowledged in Sedona’s 2014 Commentary on Information Governance: The effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any Information Governance program.
The Paper builds on this statement with the following three new principles:
PRINCIPLE 1. Absent a legal retention or preservation obligation, organizations may dispose of their information.
PRINCIPLE 2. When designing and implementing an information disposition program, organizations should identify and manage the risks of over-retention.
PRINCIPLE 3. Disposition should be based on Information Governance policies that reflect and harmonize with an organization’s information, technological capabilities, and objectives.
In the guidance and commentary accompanying these principles, the Paper makes several compelling arguments for data minimization, many of which echo similar arguments that we’ve made here over the last year:
- When considering whether to implement a data minimization program, and the scope of any such program, companies should give serious consideration to the long-term costs and risks of keeping data, including:
  - the projected overall growth in the size of the company’s data over the next 5-10 years, and the associated storage costs
  - lost productivity associated with searching large volumes of irrelevant data
  - the cybersecurity and privacy risks of having large volumes of unneeded data, especially considering GDPR-type rights of erasure
  - internal audit and compliance risks
  - contractual risks (e.g., obligations to clients and customers to delete data once it is no longer needed)
  - potential, but not yet reasonably anticipated, litigation or regulatory inquiries.
- If there is no legal retention obligation, information should be disposed of as soon as the cost and risk of retaining the information outweigh any likely business value of retaining the information.
- Typically, as information ages, its business value decreases, and the cost and risk of keeping it increases.
- Absent a legal obligation to retain certain documents, companies may dispose of those documents, even if an obligation to keep those documents arises at some point in the future.
- Data minimization programs that target narrow categories of documents or a small group of custodians carry greater risk than programs that are generally applicable.
- Data minimization programs that are not enforced broadly lead to selective disposal and thereby increase risk.
- Regular data minimization programs may need to be suspended due to legal hold requirements, but those programs should ensure that routine disposal of documents resumes promptly when the legal hold requirements are lifted.
- For heavily regulated industries, time-based data minimization programs that cover periods beyond any statutory document retention obligation can be prudent.
- Getting rid of old irrelevant data makes future litigation more efficient by:
  - reducing the time and effort required to identify potentially relevant information,
  - reducing the cost of searching and analyzing large, and often outdated, data sources,
  - reducing the cost of implementing and monitoring document preservation obligations,
  - reducing the number of documents to be collected, processed and reviewed,
  - reducing the risk that relevant documents will be lost or missed in a sea of irrelevant documents.
The Paper is subject to public comment, but it provides a helpful roadmap for a sensible and effective data disposal program. Still, implementation remains tricky. Companies face a web of overlapping local, federal, and international document preservation obligations, along with their legal hold obligations associated with lawsuits and regulatory inquiries. No company is going to pay someone to actually review millions of old documents to separate the ones that need to be preserved from the ones that can be deleted.
But that separation can be done efficiently, and in a cost-effective manner, through careful planning and the use of advanced data management software and data analytics. These issues, along with a step-by-step approach to responsible document deletion, are discussed further in the webcast below.