"Back in Time": Looks Good on Paper
In an earlier, simpler time, records managers ruled the world of archival storage. Paper was their currency; onsite storage in the corporation was limited and came with indirect costs, while offsite storage facilities such as Iron Mountain came with direct costs. Records officers deployed detailed departmental retention schedules to ensure information was disposed of regularly, absent a legal hold or other preservation requirement.
The governing philosophy was that company information should be kept only as long as absolutely needed and then be destroyed. This process was relatively easy with paper records, as departments were typically in charge of what was sent offsite and kept an index with corresponding destruction dates. When the dates came up, the records department checked the box against legal holds, gained the necessary approvals, and shredded the box or portion of the box.
The Tyranny (and Limited Reign) of Inbox Rules
When electronic filing became popular, information was still being disposed of, but for different reasons. Computer storage was expensive and systems such as Outlook/Exchange had limited capacity. As a result, network administrators imposed time- or size-based restrictions, often without consulting the records officers or considering how these items were actually used in a business sense.
Further, there was little coordination with the disaster recovery and archiving functions. This gap resulted in users believing that information was electronically “deceased,” while phantom copies were still in existence on backup tapes, on optical drives, in “shadow” user locations, and with disaster recovery vendors.
The Bits Hit the Fan
In 2003, the first Zubulake v. UBS Warburg case was decided, in which UBS claimed it would cost $175,000 to restore 94 backup tapes containing contested emails. By Zubulake V in 2004, the Court found that deleted emails had prejudiced the plaintiff’s case.
This case and similar developments heralded a wave of fear-induced corporate retreat from the principles of principled disposition. While retention policies remained on the books, they served only as paper tigers – the new reality was that nothing was going to be thrown out from that point forward, especially from an optics standpoint.
More storage was purchased, annual cleanout days were suspended, and backup tapes started to pile up. The situation was compounded by a wave of corporate mergers and acquisitions, retention of departing employee materials (including putting laptops and hard drives in closets), ever-cheaper storage, expanded capacity of systems such as Outlook/Exchange, multiplicity of archiving tools, and the retirement of legacy systems.
Why Old Data is Like a New York City Garbage Collection Strike
Like the proverbial “boiling of the frog,” corporations suddenly faced a landfill of old, unclassified, out-of-date data that interfered with operations, slowed down searches and business efficiency, and contributed to corporate liability, particularly in the realm of litigation and data migration.
Unlike the paper-based days of departmental filing and oversight, electronic systems, like email, don’t naturally lend themselves to user classification of individual items as business records to be assigned retention, convenience record treatment, or “junk” status. To paraphrase a “Seinfeld” episode, anyone can make a decision to save information, but authorizing destruction has become a “not me, Charlie!” exercise, to the point where forensics firms make whole engagements out of purging bad words or documents from an organization.
Within a few years, the problem became irreversible: too much redundant, obsolete and trivial data, or ROT, had piled up exponentially for it to be actionable through human effort and assignment, corporate fiat or reasonable expense.
Further, for the past five years, the impact of surplus data has been magnified by an exponential rise in breach and ransomware incidents, along with the onset of privacy regulations in Europe and California, and now Nevada, Colorado, Connecticut, Utah, and Virginia. Both of these factors put the onus on the corporation to tightly manage all of its information assets centrally, including any expired data that contains sensitive or personal information.
Just Wash That Mail Right Out of Your Hair
So, do companies have an appetite to finally take this tiger by the tail? Signs point to yes.
As the risk and compliance walls begin to close around them, the cost/benefit shifts to getting rid of information that has become a liability and to moving these projects to front-burner status as budget begins to be allocated. Often these projects can be incorporated into other initiatives such as a risk assessment, incident recovery, M&A due diligence, cloud migration, or legal hold implementation.
If the company doesn’t have it:
- It can’t be a security threat
- It won’t need to be identified as having personal information for DSAR or compliance reporting obligations
- It won’t need to be preserved, collected, processed, hosted, reviewed and produced in litigation
- It won’t cause operational inefficiency
- It won’t require additional “harvesting” to determine what records exist if it is a forensic image or legacy data type
- It won’t require additional resources to ascertain its owner and provenance
- It won’t incur additional storage expense
- It won’t need to be migrated to the cloud
- It won’t need to be backed up
How Can We Help?
We can drill into the business and assimilate the policies, workflows, systems, lines of business, organizational structure, preservation obligations and data map, and then build these out into an action plan that takes into account historic traps and pitfalls. At the conclusion of these efforts, the corporation can be a leaner, more self-aware organization, better positioned to respond to risk, compliance, litigation, migration and operational challenges, and better prepared for the next wave of the unexpected.