Description:
In this episode, Bill Tolson, Archive360 and Jay Cohen, Compliance Systems Legal Group, discuss defensible disposition — the organized disposal of paper and electronic records that your organization no longer needs to keep for legal or business reasons. Bill and Jay also discuss what regulations dictate how long you are required to keep data and what tools can be used to delete your organization's data systematically.
Records Retention and Data Minimization
Regulatory requirements and security threats are forcing organizations to consider Record Retention and Data Minimization, including the Defensible Disposition of records. Read this ebook to learn more.
Speakers
Jay Cohen
Senior Advisor
Compliance Systems Legal Group
Jay is a Senior Advisor to Compliance Systems Legal Group, a boutique law firm focused exclusively on compliance, ethics and corporate governance. Prior to that, Jay was a Managing Director in the Risk Advisory practice at Deloitte, where he helped companies in insurance and other industries develop and strengthen their compliance programs; conduct compliance risk assessments; manage required remediation of compliance issues; and address laws and regulations in critical areas including sales practices, data privacy, and anti-corruption.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to the Information Management 360 podcast. This week's episode is titled, Defensible Disposition: Deleting Unneeded Data. My name is Bill Tolson and I'm the VP of Compliance and E-discovery at Archive 360. With me today is Jay Cohen, Senior Advisor at Compliance Systems Legal Group. Jay, can you give us a brief description of what your company does?
Jay Cohen:
Sure. Thanks, Bill. And thanks for giving me the opportunity to talk with you about this subject. So Compliance Systems Legal Group is a boutique law firm that focuses exclusively on compliance, ethics and corporate governance. We help companies build effective legal and regulatory compliance programs, strengthen their existing programs and address substantive rules, regulations, and compliance and ethics risks like the issues that we're going to talk about today. It is a small, but very mighty team of experienced compliance professionals.
Bill Tolson:
Great. Yeah. Jay's been a well-known voice in the information governance and e-discovery industries, advocating the strategy and need for defensible disposition for a long time. So to start off, Jay, I've seen this a couple of times, but it's kind of a saying that I kind of rolled my eyes at first, but kind of like it now and the saying is: now, data is the new oil. However, more data also increases more risks. So I think that's the one thing people don't really take into account is that data actually brings or produces risk as well as value. So many companies are guilty of data over retention as evidenced by the terabytes of unmanaged, unindexed data piling up in corporate data centers and cloud repositories that are rarely, if ever, retrieved or disposed of, and that's kind of one of my pet peeves is data just sits there forever. Just keep everything forever mentality has led to a data environment that has severe financial and risk related implications.
Bill Tolson:
For the employees, wading through gigabytes or terabytes of often or mostly unclassified, unindexed data, it can be a real hindrance to the employee's productivity. Finding that data that you specifically need during that time you actually need it is not easy with the huge amount of data that most companies, most employees are sitting on. So with that in mind, we opened up by explaining the title of the podcast, Defensible Disposition: Deleting Unneeded Data. And I know, Jay, you've also referred to it as data minimization. Can you start off by describing what defensible disposition really is?
Jay Cohen:
Yes, just what you were talking about, Bill. Defensible disposition is the organized disposal of paper and electronic records that your organization no longer needs to keep for legal or business reasons. What makes this disposal defensible is that it's done carefully, consistently, according to a well thought out and organized plan. It's an approach that's not ad hoc, and it's one that takes into consideration any of the legal and regulatory obligations that you may have to keep those records. It enables you to dispose of records defensibly, meaning in compliance with applicable laws and regulations.
Bill Tolson:
Great. Yeah. No, that makes a lot of sense. The main thing there is defensible, I think. Well, there's two things. They're actually getting rid of data and doing it in a defensible manner. We'll explain why that's important here in a minute. Over the years, and I've been in the business for a long time, companies seem to go through cycles of data retention and data destruction. I remember 20 years ago, most corporate general counsels wanted to delete data as fast as possible. They just wanted to get it out of the system, wanting to get it off the books. When you talked to them, it was a matter of the more data, the higher the costs in discovery, but also it was a fear of potential smoking guns hanging around that could be used against the company years later because it wasn't cleaned up.
Bill Tolson:
Then probably 10 years ago, companies started at least talking about keeping data for a long period of time. I ran into many customers that basically told me that they were going to keep data forever, is what it amounted to. They had lots of retention, but no disposition policy. So they, in fact, just kept keeping data forever. One of the reasons, the biggest reason that I was always told by, again, the general counsels was we don't want to take a chance of destroying potential evidence in a future lawsuit or things like that, which obviously is the wrong answer. But I know we went through that period of time, or we're still in that period of time in a lot of cases, where companies are just not getting rid of data mostly at all. Is that what you found, Jay?
Jay Cohen:
Yes. I think that's absolutely right. For the reasons that you said there, Bill, it's funny. I actually lived this change in thinking myself. One of my first responsibilities as a compliance officer was to address a spoliation claim against a large insurance company in the course of a nationwide class action and a multi-state enforcement action by the state insurance regulators. As the new kid on the block, it was my job to create a document retention policy and apply it across that company's entire sales organization because at the time, the risks and the problems with data were just what you outlined, which is spoliation, not having something that you needed for an investigation or a lawsuit.
Jay Cohen:
The second reason in those days that companies, led by their general counsels, as you noted, kept things forever was the growing size, the growing volume and complexity of electronic information. So on the one hand, you had the risk that you would not have something that you needed to have as a matter of law. Then on the other hand, it seemed too hard to try and apply the necessary, organized and consistent approach that would allow for defensible disposition. But I think what's changed, and to your point, what's caused the pendulum to swing in this direction are at least three factors. Being a Pittsburgher, I think in terms of confluence, the confluence of the rivers that marks Pittsburgh. So I think it's the confluence of at least three factors in this case.
Jay Cohen:
The first is regulation, and I know we're going to talk about that in a minute. The second is the growing risk of data, privacy and security breaches reflected both in the regulations we're going to talk about and in the expectations of customers. The third is the availability of tools, like the kinds of tools that you folks have at Archive 360, that enable companies to cut through the data complexity and make it possible to implement defensible disposition in a practical way. So you've got regulation, you've got a change in the calculus around risk, and you've got the availability of tools and technologies and opportunities to actually make it work.
Bill Tolson:
Yeah, I think that's key, that the technology is now becoming available to make defensible disposition more of a realistic process. I remember 10, 15 years ago, we were meeting at a very large North American construction company and we were talking to the general counsel and his staff, and I asked him, "What's your retention policy for the data?" And he very quickly said, "Well, for our Canadian-based data, we've decided we're going to keep all data for 34 years. And the US-based operations, we're going to keep all data for..." I forget what he said, 15 or 20 years.
Bill Tolson:
This was a very large company. Just thinking about email and all that kind of stuff, I looked at him and I said, "Do you understand how much data you're going to have to manage and pay to store at the end of 20, 25, 30 years?" I had done some calculations while he was talking, and I said, "You're talking about exabytes of data for just you and your company over that period of time." He looked at me and he looked at the rest of the staff and he smiled and he said, "I'm retiring in two years. I don't care," which I thought was very straightforward, but a little misguided.
Jay Cohen:
Well, the other thing that companies did, and I saw this myself, was we would rely on each and every employee to implement the paper and electronic records retention schedule. You can imagine the likelihood that you were going to get much compliance when the employees themselves had to decide what to do about all that information, had to move their emails into a folder or take their paper records and check to see if they'd been around for seven years or whatever the retention schedule said. So you either did nothing or you essentially did nothing by relying on all of your employees to do this for you. And now, because of the kinds of things that I know you all have available to companies, companies can do a lot better than that.
Bill Tolson:
Yeah. I remember probably five, six, seven years ago, I was consulting and I was at a major well-known bank, and it was a records retention type of engagement. One of the first things I asked in the first meeting, I said, "Can somebody get your records retention schedule?" Somebody whipped it out and gave it to me, and it was over 100 pages long with point type, thousands upon thousands of different types of documents. I kind of looked at him and I said, "You really think employees are following this or referencing this all the time?" The VP of records basically said, "Of course. They have to. We've told them to do it." And I said, "They're not."
Bill Tolson:
During that engagement, I ended up questioning probably about 50 employees and of the 50 I questioned, two of them had heard of the existence of a records retention schedule, but neither one of those two had actually ever seen it. So this falling back on, "Well, we have a records retention schedule and of course everybody follows it. Why wouldn't they? We told them to," is a real cop-out obviously. Even in companies with 10 page retention schedules, employees don't know what it is or don't refer to it or anything else.
Jay Cohen:
Well, and now, the regulators are no longer going to let companies get away with that. Let me just give you a few examples of what I mean in that regard. So the New York Department of Financial Services, which regulates every financial services company in New York, has a provision in its cybersecurity regulations that says that a company's cybersecurity program should include procedures for the secure disposal of non-public information that is no longer required for business or legal reasons. The European Union's General Data Protection Regulation has provisions that say that personal data should not be kept for longer than is necessary for the purposes for which it was processed. The new California Consumer Privacy Act and its sort of new edition, the California Privacy Rights Act, have provisions around data minimization and data storage and storage limitations. There are cases from the European Union that have sanctioned and fined companies for maintaining information that they didn't need to keep any longer.
Jay Cohen:
Even the Federal Trade Commission has started to include, in its settlements with companies for privacy violations, procedures to delete personal information that is no longer necessary. To me, what's fascinating about all these regulations is that regulators and legislatures are including defensible disposition provisions in their data, privacy and security rules because they recognize that the ultimate protection against a data breach is not to keep the information for any longer than you need to. Information that you no longer have can't be hacked, can't be left on a laptop in a car to be stolen, or can't be the subject of ransomware. So now, in addition to the risk that something you shouldn't be keeping could be improperly accessed, the regulators are telling you that your program of data security and data privacy has to include provisions for the defensible disposition of information.
Bill Tolson:
Yeah. I think that's great. Also, as part of that in the laws, some of the laws putting in provisions that say you can't keep it any longer than it was originally needed, that tied back to the actual consent by the data subject as well. A consent is specific to a use case, not I'm going to capture Bill's data and I'm going to use it like crazy for anything I want for two years. If I want to send out or get Bill to reply and download a white paper, that is not consent for using that PII for all kinds of other things. So yeah, getting rid of data, and I think this is going to be very hard for companies, but getting rid of data after its original consent use case has been met, I think is going to catch lots of companies in bad situations.
Jay Cohen:
That is so true. Your point is well taken, that it's going to be very challenging to deal with it, but the alternative is besides running the risk of violating these regulations that we were just talking about, you run the risk of making your customers very unhappy because to your point, Bill, you have exceeded the permission that they've given you to have their personal information. The third is that all that information that's sitting there is a huge ticking time bomb of a data breach.
Jay Cohen:
One of the companies I worked at decided to look for social security numbers in unstructured data systems, and it used a tool that will enable it to find that stuff. We shouldn't have been, but we were astounded by the extraordinary volume of social security numbers that were sitting largely ineffectively protected throughout those unstructured data systems. People didn't know about them. People didn't pay attention to them, and people in the company certainly didn't need those social security numbers to be sitting there. They were sitting there as potential data breach ticking time bombs, and the company was fortunate that it went through this exercise to find all that information before something terrible happened. So you're violating the rules, you're violating the trust of your customers, and you're risking a significant regulatory, reputational and financial harm by not taking on the challenge that you outlined.
Bill Tolson:
That's a great point. You mentioned spoliation. In my mind and in my travels, e-discovery seems to play a big role in putting off defensible disposition processes, meaning companies not believing information. Nowadays, how does the fear of spoliation figure into whether documents, information is defensibly disposed of?
Jay Cohen:
Well, that's a great question, and this is probably something that you and your colleagues are very familiar with. One of the things that I've seen over the last few years is the use of the same tools that are used in e-discovery to identify information that can be defensibly disposed of. The same tools, the same forensic analysis that looks for things that may be relevant to a legal proceeding, I've also seen used to find what we call ROT: redundant, obsolete, and trivial information; searching vast quantities of information through structured and unstructured data systems, using metadata to look for things that shouldn't be there or shouldn't be there any longer. So I think what's kind of cool about this sort of link to e-discovery is the opportunity to use the same tools that companies use for e-discovery to kill two birds with one stone, to find the things that they need to find for purposes of litigation and make sure they keep it, but also to find things that shouldn't be there anymore.
Bill Tolson:
Yeah. Yeah. No, that's kind of preemptive of defensive measures. It's always good with this kind of stuff. I remember doing a consulting engagement many years ago with a high-tech company and they were a very litigious company. They sued lots of other companies, had a very interesting reputation, but they had sued another high-tech company. After the case had started and supposedly discovery had started, this company decided it'd be a good idea to put on a shred day without oversight by the legal, by the way, and they ended up potentially either shredding or deleting lots of potentially responsive information. Later, years later as the case wound on, they were fined hundreds of millions of dollars because of that stupid shred day kind of thing.
Bill Tolson:
What they were thinking, and I was there and I don't know what they were thinking, it was just kind of wow. But discovery does play a big role and that's one of the reasons why many companies are defaulting to keeping everything forever, or not managing it, just letting it kind of hang around. We've talked about how PII can be in that and that's a risk. But Jay, how is, and we've talked about the privacy stuff, but how are regulatory compliance requirements driving the need for companies to adopt formal defensible disposition policies and procedures? I think we've touched on this already and it has to do with, I believe, GDPR, CCPA, CPRA. Actually, I read today, and it's probably a couple of weeks old, but Canada has a very strict draft bill in their government going on, the CPPA, that also gets into much of what GDPR, CCPA does, but is around regulatory compliance. Does that match up with or help drive a more sustained defensible disposition kind of process for companies?
Jay Cohen:
Absolutely, and it's also helping to drive the general counsels to take sort of a different view. So here's a sentence from the California privacy law: "A business shall not collect data for longer than is reasonably necessary for the disclosed purpose." Getting back to what you were talking about before, the purpose for which they collected it in the first place, they can't keep it for any longer. The New York DFS says that, "Your data privacy program shall include policies and procedures for the periodic secure disposal of any non-public information that is no longer needed for legal or business reasons." So here's what I think it takes, and it's trying to look at all of this together rather than separately. So when it gets back to the point you were making about how sort of e-discovery and spoliation relate to defensible disposition.
Jay Cohen:
Instead of thinking about e-discovery and spoliation over here and defensible disposition over there, thinking about how to bring those two things together and manage records in a way that takes both of those things into account, that applies a retention schedule, that leverages the tools and technologies that are available now, that includes all of the things that it takes to make a program work, policies, procedures, training, monitoring, auditing, oversight, that makes sure that when you need to retain something for legal reasons, you've got the right legal hold process in place, but that if you don't need to retain something anymore, you've got the right defensible disposition in place. So one way is to take all of these concepts and put them together in a comprehensive program that enables you to comply with your e-discovery and spoliation obligations on the one hand and your defensible disposition responsibilities at the same time.
Bill Tolson:
Yeah. No, that's perfect. We've talked a bit about the fear of spoliation and kind of on the opposite side of that, keeping too much data does actually drive up the cost of discovery as well because one of the little known truths in e-discovery is if data exists, then it may be part of a discovery. So everything is discovered if it relates to the case. So if you're sitting on a petabyte of data, the opposing counsel might make it a point to say, "I want you to search that," or, "I want you to search your backup tapes because there might be something responsive on there."
Bill Tolson:
I know that years ago, and this is still valid today, I think it was 1999, but DuPont, the well-known chemical manufacturer, did a study on nine of the lawsuits they were involved in in 1999, just nine, and there were many more than that, but they just randomly picked nine. They found that they had to collect and review around 24 million documents over those nine cases. It had cost them $30 million to do just the discovery on those nine cases because of review. They later found out that a little bit more than half of all of those documents that had been reviewed were actually expired and should have been deleted. So they ended up spending $12, $15 million in discovery on data that should not have existed; a prime example for defensible disposition. If they had disposed of that stuff when they could have and should have, they would have saved $12, $15 million.
Jay Cohen:
That's a great point. I was involved in a couple of projects to look for ROT: redundant, obsolete, and trivial information, in unstructured data systems at two different companies; email, share files, and not surprisingly, we found a lot of ROT: emails going back years, well past any record retention schedule requirements, personal information scattered throughout all of these data systems, email and share files of people who didn't work at the company anymore. After we put all this together in a report to the general counsel at those two companies, they came to the same conclusion that you just talked about, Bill, which is our risks of keeping everything forever and not paying attention to what we have and where it is are just too great. So we need to think about taking a different approach.
Bill Tolson:
Yeah, that's so true. So in looking at defensible disposition, Jay, you're obviously a leading expert in the information governance industry and e-discovery. Can you describe how effective information governance practices can help organizations create, implement, follow, and enforce an effective defensible disposition practice in their organization?
Jay Cohen:
Well, it's not easy as we've talked about. It requires a lot of attention. You've got to understand the data that you have. You've got to do a comprehensive inventory of your systems, your applications and your information.
Bill Tolson:
That's a data map, correct?
Jay Cohen:
Correct, a data map, data inventory. You've got to then decide what to do with that data based on retention schedules, business needs, other inputs. You've got to understand what options you have once you've decided what to do with the data, what options you have, what tools, policies, procedures, training, change management, what's it going to take to implement those decisions? For example, can we leverage a migration to the cloud to think about defensible disposition? Can we store records in a different way or in a different place to better secure and manage? What tools exist in the data systems that we have or could be using to operationalize our decisions? So you've got to map and inventory your data. You've got to decide what to do about it. You've got to figure out what kinds of tools and other resources it's going to take to implement those decisions. Then you've got to execute and document your decision. You've got to put in place the overall organization and structure that it takes to make it happen and then to monitor, sustain, and enforce the program.
Jay Cohen:
It's not easy to do, but the cool thing about this is that if you do it right, not only do you get the benefits of addressing all of the issues that we've just been talking about, but you also get the opportunity to improve customer service because information will be easier to find and produce and you'll be meeting your customer's expectations to make better decisions on the basis of information that you can actually get your hands on. It'll be easier for you to find and retrieve information, and you're going to save money the way you described earlier, Bill. All at the same time, you reduce risk and promote compliance. So while it's a big challenge to take on, the benefits are well worth it.
Bill Tolson:
Well, and that brought up another point I wanted to run by. I know defensible disposition, you said it's sometimes complicated, it takes people, it costs money, and I know some companies look at it as kind of a soft cost and they don't necessarily want to spend the money on it. But one of the things I was talking to my GC about, wouldn't it be interesting to be able to produce an annual report to give to the board or to the CEO on an annual basis on the estimated money saved and risk mitigated by actually doing this on an annual basis?
Jay Cohen:
If you think about it, you'd know more about the cost of storage and all those issues. Companies are storing an awful lot of information, but from my perspective, the real, as a compliance officer and a compliance consultant, the real cost is in the potential cost of a data breach. I know there've been a lot of studies that talk about how much each data breach costs, and it can get into the millions pretty quickly from lawsuits, from fines, from lost value because of lost reputation, lost business. It can get to be a pretty expensive proposition, and also, the loss to the business of not being able to find and use the information that it needs in a timely fashion.
Jay Cohen:
One of the things I found when I was a chief compliance officer in an insurance company, Bill, was that the regulators would come in and they would ask us to produce 100 customer files. They thought we had a file with every interaction that we had with Bill or Jay. That file didn't exist. The time it took us and the time and resources, not just on the compliance side, but on the business side to find all of the ways we interacted with Bill and put that together in a file so that we could give it to the regulators was enormous. So better governing your information in a way in which defensible disposition is a critical component has all sorts of business advantages and cost savings, as well as reducing your compliance and regulatory risk.
Bill Tolson:
Well, that brings up a fact that I've always kept in mind, and this is from an old, previous CEO I worked for probably 10, 15 years ago and his comment was that it costs up to 500 times more to find a specific document and utilize it in the time required than to store it for 20 years. So, yeah. As your data centers or clouds get into the petabytes of data, if you can't find what you're looking for when you need it, it's valueless and it's just a risk more than anything else.
Jay Cohen:
At the end of the day, if my company suffers a data breach of sensitive personal information that should not be there any longer, that will be a very difficult problem to explain.
Bill Tolson:
Yeah. In principle, defensible disposition should not be a separate once a year process. It should be ongoing and it should be something that all employees are involved with, the right technology associated with it, and oh, by the way, it should be audited and enforced as well. You can have a policy that says so-and-so, but that policy isn't enforced. I've been in courts where the judge said, "I'm sorry. You don't have a policy if you're not enforcing it." So there's always that enforcement part of it, but I know we're running long here.
Bill Tolson:
So Jay, I think that wraps up this edition of the Information Management 360 podcast. I want to thank you for the great discussion and insight we had today on this really important and interesting subject. Just so everybody knows, Jay has written and published a new e-book that's available through Archive 360 on data minimization and information governance. So you can go onto our website and go to the resources page and look at e-books and you can download it, which is great. Also, if anybody has questions on this topic or would like to talk to a subject matter expert, please send an email mentioning this podcast to info@archive360.com and we'll get back to you as soon as possible. You can also email Jay at JayCohen@cslg.com. Also, check back regularly for new podcasts as we publish them and put them on our website. Again, Jay, I thought this was a fantastic discussion. Very much appreciate being part of it.
Jay Cohen:
Bill, thank you very much. Thanks for giving me the opportunity to talk with you about this. I really appreciate it.