WHITEPAPER
Defensible destruction:
Five steps to your retention and preservation program
Companies have been struggling for years with the dilemma of how to manage their
vast information stores so that the right information is available to run the business
and information that no longer has value is discarded. This paper addresses typical
Information Governance challenges and discusses a framework for addressing these
challenges and some of the resulting benefits.
Contents
03
Introduction
04
Five steps in creating a retention
management policy
06
Information governance benefits
06 Take users out of preservation loop
06 Less information means it is easier to find
what you truly need
06 Run early stage eDiscovery tasks in-house
04 Retention policy
05 Mandatory save
05 Carve out for legal hold
05 Involve the business
05 Train, audit, repeat
It has grown tiresome to point out that information growth continues to explode and shows no signs of
slowing. There is a cottage industry in continually updating the amount of storage we consume and in
comparing the amount of information created this year to the number of words ever spoken. While these
pursuits may prove an interesting diversion from time to time, they do little to actually relieve the burdens that
the management of information continues to place upon those responsible for doing so.
It would take a treatise of multiple volumes to address all of what is broken in information management today
so this whitepaper will necessarily limit its scope to the discrete sub-specialties of keeping and getting rid of
information. And, given the legal and regulatory landscape that is evolving across the planet, these can best
be pigeonholed into retention management and preservation.
Much of the discussion on retention and preservation initially comes up around eDiscovery, which is fine
because eDiscovery has turned out to be such a high-profile issue for so many organizations. But perhaps,
There are many challenges to a successful retention management
(read: disposition enablement) program. This was not such a
challenge 15 years ago. Right before the PC explosion, workers
were pretty much limited to keeping information in their desk
drawers or in departmental filing cabinets. Long-term storage
was for business records and documents that were kept pursuant
to regulatory obligations. With only so much space available,
people had to spend a portion of each day/week/month evaluating
information so that they could keep only the stuff that had value
and dispose of the rest.
Contrast that to today. It is difficult to buy a PC that does not
come with more electronic storage space than just about every
employee’s entire organization had available to it in physical
equivalency in 1995. To some degree, this is good. It has
allowed organizations to get rid of space dedicated to most
physical onsite storage and it is generally good to have to pay less
for something than to have to pay more. Plus, most people can
remember that the disposition process was sometimes painful with
workers being forced to decide which of two potentially significant
or relevant documents they could keep. And, the very process of
deciding which documents had business value was a tax on the
productivity of the worker.
But, we may have swung too far in our empowering the
organization to avoid the process of keeping too much information.
As it turns out, the abilities to keep more and to avoid the taxing
chore of deciding which documents are valuable have unintended
consequences:
• There are risks of keeping too much information.
• Information, our most valuable asset, is only valuable if you
can you find what you need, when you need it. Otherwise, it is
only a liability.
So, the well managed organization will create a framework for
creating, using, managing and disposing of information. Some
people are calling the discipline around these steps Information
Governance.
Introduction
Pete Pepiton is an industry expert and evangelist in Information Governance and eDiscovery. He has spent the past 17 years developing software and delivering professional services to the Fortune 2000. He has spent much of that time helping to reengineer the way lawyers use technology to achieve greater efficiency and better results in litigation, both as an attorney and at several technology companies. Pete is a longtime member of The Sedona Conference®, a think tank dedicated to education and dialogue surrounding eDiscovery and Information Governance issues, and is a member of several drafting teams. He is a member of the Electronic Discovery Reference Model, a project aimed at generating guidance through the maze of managing an electronic discovery project. He is a frequent speaker and author on Information Governance and specifically its beneficial effects on eDiscovery. Pete is a member of the Louisiana State and American Bar associations. He received his JD from Louisiana State University Law School and a BS in Accounting from LSU as well.
Five steps in creating a
retention management policy
1
. Retention Policy
The first step in the program of keeping and disposing of information is drafting the policy of what ought to be kept. Organizationally, this is not an easy task as it will require several groups to come together. Often the people involved may not want to spend the time drafting a policy when they think it is better to follow the easier path of keeping everything.
The Electronic Discovery Reference Model (“EDRM”) has a separate group that is examining the process of managing information inside organizations and the group is called the Information Management Reference Model (“IMRM”). The IMRM was formed in early 2009 and has generated a graphic that illustrates the process of drafting an information management policy and actually using it to manage the organization’s information.
The graphic illustrates that it is the duty of the business to create and use the information and to inform the other stakeholders of the value of the information. The individual workers inside the business may also have some responsibility to dispose of information or to have some of the actions they take on a daily basis to be mapped to disposal activities.
The Legal and RIM (Records and Information Management) functions are responsible for identifying and evaluating risks that the organization may face as part of the way it manages information. This includes providing a listing of the obligations that the organization has in keeping information (e.g., SEC regulations, recordkeeping obligations that apply to pharmaceutical companies, etc.) as well as in storing and securing that information.
And, of course, IT manages the plumbing that stores and serves up the information as part of its routine use. This includes providing for the availability and security of the information pursuant to guidelines established by the business and provided by the Legal/RIM combination.
None of these functional areas should come as a surprise to people involved in these jobs. What may be new, however, is the interrelationship of the various parties and something that might amount to a checklist of what each group should be prepared to discuss at the initial cross-functional meeting.
Information Management Reference Model (IMRM)
Linking duty+value to information asset = efficient, effective management
VALUE Create, Use Hold, Discover Business Retail Archive Store, Secure INTERGRATED PROCESSES LIN KA G E
2
Mandatory Save
After the cross-functional group is identified, the usual first step is to identify those items which the organization has decided it must keep. The ‘must’ can refer to legal/statuatory obligations, internal governance standards or a simple desire from the business that some types of information have enough value that they will be kept for a desired length of time.
3
Carve out for Legal Hold
Of course, there no longer exists a defensible Information Governance policy that does not carve out an exception to document destruction for preservation. Preservation is a common law obligation derived from the common law tort of spoliation, but it is abundantly clear that once a preservation obligation exists, organizations need to suspend deletion of information for the affected areas/custodians. See Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y. 2003) and its progeny, up to and including The Pension Committee of the University of Montreal Pension Plan v. Banc of America Securities, LLC, 2010 U.S. Dist. LEXIS 4546 (SDNY Jan. 15, 2010).
4
Involve the business
There are two key elements to this phase of developing your retention policy. First, get senior level buy-in to the retention policy. Many of the things that need to happen in order to make the retention efforts successful will be borne on the backs of the business workers, who already are trying to do more with less. If there is not a clear message from senior management that retaining specific information is important to the success of the organization and is part of everyone’s jobs, policies will stand little chance of being fully implemented.
The second key element is that someone needs to represent the end-user community so that the impact on their daily activities can be considered and minimized. No organization can survive the transformation of their workers into full-time records managers, even as RIM functions need to take place. The successful program will ask just enough from the business to get the most bang for their retention buck.
5
Train, audit, repeat
This is related to the previous point. The people on the front lines of determining retention will be those who already have a full plate of other tasks and for whom information is just a tool that they need to do their jobs. They need to be given specific training on how to put the retention policy into effect and then their efforts tracked in order to determine if they are doing the right things. Again, this ought to be common sense and not a groundbreaking assertion.
Five steps in creating a
Information governance benefits
Help take end users out of the preservation loop
The top legal risk is failing to keep information that needs to be kept, whether this means failure to retain information such as is required by the SEC/FINRA or failure to preserve information subject to a legal hold. In May 2010, Piper Jaffray was fined $700,000 for failure to keep emails, as required by regulations, between 2002 and 2008. A much more publicized issue is the failure to preserve information when under a preservation obligation. See Zubulake and Pension Committee, supra, as well as much less publicized cases like Passlogix, Inc. v. 2FA Tech., LLC, 2010 WL 1702216 (S.D.N.Y. Apr. 27, 2010) and Jones v. Bremen High School Dist., 228, 2010 WL 2106640 (N.D. Ill. May 25, 2010).
One of the best ways to minimize the risk of spoliation is to minimize the reliance on end users in the preservation flow. We first saw reports of assertions that custodial-based preservation was inadequate in AMD v. Intel, and actually saw such a notion appear in a reported decision in Phillip M. Adams & Associates, L.L.C., v. Dell, Inc. 2009 WL 910801 (D.Utah March 30, 2009). This should not come as a surprise; custodial preservation suffers from the same risks as custodial retention which is the risk that someone who is already overtaxed will not fully understand the task at hand or simply be too busy to pay it the attention it deserves.
Having less information means it is easier to find what
you truly need
It is a truism that information is an organization’s most valuable asset, but that is only the case if said information can be found when it is needed. If you cannot find the document, presentation, spreadsheet that you need, then those pieces of information are not valuable to you. They have simply become a liability costing you money to store, back up and manage and waiting to cost you money in the event that they need to be reviewed and produced in litigation.
Run early stage eDiscovery tasks in-house
With a solid information management program comes the ability to locate and keep information when required. Add in the capability to cull through that information and you can begin to reduce the amount of eDiscovery work that needs to be sent to outside vendors or firms. This gives the legal team greater control over the process and lets them perform these tasks with in-house personnel on a timing that meets the organization’s goals.
