I think we can all agree this past year presented new challenges for information governance teams, beyond our wildest imaginations. In 2021, an annual review of information governance policies and data retention schedules will take on a whole new meaning.
Modes and means of communication have shifted drastically. In-office meetings have become recorded Zoom calls, and files once stored on local drives behind firewalls are now being downloaded onto personal devices by at-home employees. Even more prevalent, the use of instant message and ephemeral messaging has skyrocketed. What used to be someone popping by a desk for casual chit-chat is now a lengthy Slack or Teams thread ripe with salty language and gifs.
Why Data Retention Isn’t Just IT’s Problem
While the task of data retention typically falls on information technology and information security disciplines, the general counsel’s office at any corporation should also be actively engaged in the creation of a retention schedule that effectively reduces the corporation’s risk profile.
Relativity’s general counsel, Karen Klein, pointed me in the direction of a great piece written by her colleague Sterling Miller when I asked her about her role in our company’s retention policies. The piece is part of a multi-part series he wrote called “10 Things You Need to Know as In-House Counsel,” which focuses on the larger issue of records retention.
Space here on The Relativity Blog is too short to run through the entire list as of items he provides, which are all encompassing—but a few points are worth calling out. In particular, he provides some invaluable reasons behind having a consistent and intentional data retention schedule:
- reducing data storage costs,
- decreasing litigation/regulatory costs and risks,
- mitigating risks from data breaches, and
- improving speed and accuracy of record retrieval.
The four points given to us by Sterling Miller are compelling enough, but some might still wonder why this topic deserves so much attention in the legal sphere.
As a member of the corporate accounts team at Relativity, I can tell you first hand that outdated and non-existent data retention schedules are an ever-increasing source of risk for corporations. Over-retention of data leads to over-production downstream in litigation, and simultaneously slows the speed with which a corporation can search and produce documents—making the process increasingly expensive and fraught with risk.
In speaking my colleague, Don Sawyer, current channel sales executive and former antitrust attorney, he points to the risk of over-retention and how it is exactly what plaintiff’s attorneys are looking for in terms of gaining a competitive edge: “A corporation’s over-retention of easily accessible ESI can be a plaintiff attorney’s dream come true. With technology making searching documents easier than ever, the once-dreaded document dump can now result in the opportunity to find that one email that forces a corporation to the settlement table or an increased jury award.”
Bringing Big Data into Balance
With so much attendant risk in over-retention, why do it at all? There are a few trains of thought on this related to the transition from paper to digital, but as Randolph Kahn notes in an article for Business Law Today, “much of the growth in information volumes comes from communications, social media, and collaboration technologies the output of which may not rise to the level of a company record. Thus, the pile grows further with information that may be ‘non-record,’ which need not be retained to satisfy legal or business needs.”
In my role, I get the chance to see and understand daily why certain business decisions regarding information governance are made begrudgingly. Quite often, there are non-culpable, extraneous factors like a GC stepping into a new role to discover the department sorely needs some housekeeping, or merging with a company with lax retention schedules. Separate from such circumstances, and even more common, is a sizable litigation profile and the effect it has on an organization’s efforts in implementing new data retention schedules.
Herein lies the rub for many in-house teams: How can you implement an updated data retention schedule when the company is carrying a large litigation profile? While the suggestion is often to wait for a downturn in litigation, that possibility is not a reality for many corporations—so how can a legal team assist in implementing these new retention schedules while still keeping clear of FRCP 37 sanction liability for any data that is reasonably anticipated to be part of litigation?
The answer lies in implementing a strong, defensible disposition program led by the general counsel’s office.
A Measured Approach
So, what makes “a strong, defensible disposition program”? The Sedona Conference tackled this very issue in 2019 and provided some rather instructive advice on how to defensibly dispose of data.
For folks new to in-house legal operations or simply unfamiliar with the term, defensible disposition is the elimination of information “that has low business value and that need not be retained for legal, regulatory, or other business purposes” (a well stated definition by Driven’s Philip Favro, writing for Legaltech News).
To go a step further, The Sedona Conference commentary on the importance of defensible disposition declares that: “The effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any information governance program.”
In his article, Philip Favro, who happens to be an information governance guru and Special Master, provides an overview of the Sedona commentary and how the court viewed a corporation’s somewhat lazy attempt at defensible disposition in Moreno v. Correctional Healthcare Companies.
In Moreno, defendant corporation was faced with a 37(e)(2) terminating sanctions order for intentionally depriving another party of information needed for litigation. The destroyed evidence were emails that had been deleted as part of a large-scale disposition program implemented company-wide. The claims manager at the corporation initially took the right steps in getting custodial email accounts placed on hold as part of a duty to preserve data, but then failed to implement any additional safeguards that would have kept the defendant from incurring sanctions when the emails were ultimately deleted.
Where did the defendant go wrong? The court found the terminating sanctions order appropriate for a few reasons that could have been easily avoided. First, counsel had only provided a form letter describing the new preservation process; then, they failed to provide a secondary check-point to the process; and they had an interest in avoiding discovery risks through the email destruction. The court found this behavior sufficient to infer an intent to deprive the opposing party of the emails being sought.
We can get into a long discussion of what qualifies as inferred intent to deprive, but that is an issue for another day. Our focus today is what makes a solid defensible disposition program that can keep your team out of hot water. In pointing out where defendant erred in Moreno, Mr. Favro points to four areas for improvement that would have kept Correctional Healthcare out of sanctions territory:
- Generate a checklist of custodians determined to be part of reasonably anticipated litigation.
- Interview key custodians to identify relevant information. This can be done by in-house or outside counsel, and assisted by leveraging legal hold software.
- Create an audit trail that points to specific steps counsel has taken to ensure preservation of data reasonably anticipated as part of litigation, and the steps to dispose of other data.
- Implement and document quality control measures that can ensure compliance; running through multiple stakeholders before disposing of data is one he highly suggested.
What we can learn from the Sedona Conference and Moreno is very valuable: In short, defensible disposition is a worthy goal and one that can be reached if procedure and safeguards are followed.
And always, always leave an audit trail!
For the majority of in-house folks I speak with, the perceived monumental task of changing data retention schedules and then defensibly disposing of data feels like a bit of a pipedream. Working 60-hour weeks, managing litigation, and working from home have subsumed many—but fret not, because this is when we leverage technology to do our dirty work.
Any legal hold tool worth its salt can help you identify custodians, send out questionnaires, and provide a full audit trail. This is no longer a strenuous manual task, but something that can be automated to some extent and then filtered into actionable information.