There are many reasons to develop and follow information management policies, including policies for the retention/disposition of information. The most obvious reason is to ensure compliance with regulatory retention requirements. Another is business requirements, such as ensuring that data not deemed to have long-term value is disposed of so that IT resources are not consumed with "junk" data.
I continue to hear companies make the case that the need for relatively detailed retention/disposition policies is due to their belief that "the law" requires it, in case your company is involved in a lawsuit and eDiscovery. Let me first touch on the first two reasons before I get into the main reason for this blog.
Regulatory compliance and information retention
It should come as no surprise that there are literally tens of thousands of governmental regulations requiring that "records" be captured, managed, retained for specific periods of time, and made available to the governmental agency when asked. Records are documents (hard copy and digital) that are required by a regulation to show the business is functioning according to accepted principles and regulations. These records can include hard copy content, email, voicemail, instant messages, and social media. The regulatory requirement usually lays out the specific content that must be retained and for how long, for example IRS or SOX regulations. Some regulatory retention requirements go further and define more prescriptive requirements, such as the kind of storage used (SEC Rule 17a-3/a-4 and MiFID) and security requirements (such as with HIPAA).
Corporate business records retention
Corporate records can be subject to regulatory retention but can also show the day-to-day running of the business. In many cases, management wants these business records kept for other reasons such as corporate history, ensuring good business practices, and finally, to dispose of data eventually deemed no longer to have value to the business.
Litigation and eDiscovery
As I said at the beginning of this blog, there are many out there that still believe that organizations that are not subject to regulatory compliance must have documented retention/disposition policies to be "legal" in case they are involved in eDiscovery. I could write a whole new blog on the subject of companies that have some sort of regulatory retention requirements, which it turns out is almost all companies. For example, if you are subject to taxes or employ people, you have regulatory retention requirements, but I will leave that for another time.
Let me start off by saying I am not an attorney (so always check with your internal/external counsel) but I have spoken to many lawyers over the years and they tell me there are few absolutes in courtrooms. Judges can do whatever they see fit in their courtroom; however, in reality most Judges will not necessarily expect or penalize you if your company does not have a documented retention/disposition schedule. There is a caveat to this statement, however.
Most Judges and opposing counsel will notice if, in anticipation of a lawsuit (or after the lawsuit has begun), a company creates or changes an existing retention schedule to obviously protect against "smoking guns" showing up in discovery.
Shred days are not good days
Another situation to watch out for is where a company that has not followed its retention/disposition policy in the past instructs employees to suddenly follow the disposition schedule and delete information, with the hope that many inconvenient documents will be destroyed before discovery begins. A perfect example of this was when a former Arthur Andersen accountant, David B. Duncan, testified that he had orchestrated a campaign to destroy Enron Corp. audit documents and knew at the time that he was breaking the law.
"I obstructed justice," said Duncan, testifying for the first time in Andersen's criminal trial in federal court. "I instructed people on the [audit] team to follow the document-retention policy, which I knew would result in the destruction of documents."
Another example was in a 2009 New York high tech spoliation case. In 1998, this high tech company held high-level litigation strategy meetings where they discussed preparing trial graphics and claims; retaining experts; gathering critical documents and implementing a document retention policy.
Later in 1998, employees were instructed to conduct a “shred day,” pursuant to the company's new document retention policy. This shred day caused the destruction of 400 bankers’ boxes of documents. The employees did not keep track of what they destroyed; however, later evidence indicated that the destroyed materials included documents relating to contract and licensing negotiations, patent prosecution, industry meetings, board meetings and finances.
A second shred day took place a year later, this time involving 300 bankers’ boxes. And a third took place in late 2000 “due to an office move.” The company's outside counsel was never informed of these shred days. Later in 2000, the company filed suit against another high tech company for patent infringement. The Judge in the case found that the company's actions (shred days) amounted to spoliation because parties in the case are under a duty to preserve evidence whenever litigation is pending or imminent or where the party has a reasonable belief that litigation is foreseeable.
Specifically, once a party reasonably anticipates litigation, it “must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”
In this case, the Judge concluded that in December of 1998 a duty arose to preserve any evidence potentially relevant to its litigation strategy, meaning they should have paused their new retention/disposition policy and avoided any shred days. Because they didn’t do this, they had knowingly destroyed evidence.
In yet another well-known case, Apple v. Samsung Electronics Co., Ltd., the court ruled that Samsung failed to employ a defensible preservation process once the duty to preserve was triggered. The bottom line in this case was Samsung's unwillingness to modify the company's email document retention policy. Samsung had refused to suspend the auto-deletion of emails after the beginning of litigation.
Retention policies are not mandated by law…
Retention policies are not required by law; however, if you have regulatory retention requirements (which most companies have), or are anticipating or are actually involved in litigation, you must protect potentially responsive documents under a litigation hold, including suspending disposition policies to ensure relevant content is not inadvertently deleted.
This is not to say that retention/disposition policies are a bad thing. In reality, every company should create and follow retention/disposition policies for all information, not just records. This practice will enable them to better control their data which benefits corporate knowledge sharing, end-user productivity, and eDiscovery. For more details on this topic, please read my blogs The Link Between Information Management and Data Value and Part 2 - The Link Between Information Management and Data Value.
Information retention/disposition in the cloud
As more companies retain greater amounts of data, the cloud is becoming the go-to platform with the most secure, lowest cost, and easiest access solution available.
Archive2Azure is the first cloud-managed solution for compliance and long-term data management built on Azure Services that creates a highly secure, low-cost, and compliant archive perfect for the storage and management of legal data. And the best thing about Archive2Azure is that you don’t need to hand over your data to someone else. Your sensitive data is held in your Azure subscription, using your encryption keys, with the data stored in its native format so you never have to pay a ransom to get it back.