How to establish a defensible deletion policy

Control risk and manage expenses associated with employee documents and email

Are you a data hoarder? Does your Outlook inbox remind you of a cluttered attic filled with items of questionable use and unknown origin? If you’re like most in-house counsel, you keep as many emails and documents as your IT department will allow. It may well be time for some prudent spring cleaning.

Not only can you defensibly delete your legacy data, but you also should do so as a responsible member of your organization. Now is the perfect time to initiate a controlled electronic data purge and to develop a companywide defensible deletion policy.


What is defensible deletion?

As the name suggests, defensible deletions are simply documents and emails that can be freely deleted because they are no longer required for compliance or ongoing business purposes. A defensible deletion policy dictates a standardized process to manage corporate data according to information governance and compliance requirements.

Companies have had strategies to protect and safeguard data for decades, which has led to huge data stockpiles. Employees have been permitted to accumulate massive amounts of data on desktops, including archiving email in local repositories known as PST’s. Storage administrators in IT departments frequently add massive silos of disk space to accommodate the saving of more and more files, even storing content from employees that left the company years ago. Archiving and records managers are continually copying important documents and email, too, for long-term retention. Business continuity and backup administrators are replicating all of this content on a weekly basis and archiving it to offsite storage for safekeeping in case of a disaster.

Given these highly redundant procedures, enterprise data is continually copied, sometimes more than once and stashed away throughout an enterprise and in offsite vaults. Thus the overall data store multiplies, growing exponentially forever, if left unchecked by a policy.

This is where a defensive deletion policy can help. To create the policy, inside counsel work with corporate IT and other stakeholders to determine what data needs to be kept for compliance or business reasons, and what can be safely and responsibly deleted.

Implementing a defensible deletion methodology not only manages long term risks and liabilities related to enterprise data assets; it also saves time and expense to support ongoing litigation and e-discovery efforts and reduces data center budget spent on storing and managing data that is no longer useful.

Prioritize according to risk

Corporate data resides on desktops, networks, servers, legacy backup tapes and repositories. Understanding and profiling the magnitude of this data is not an easy task. However, knowledge of where data resides and what it contains will drive efficiency and management of the content. Getting a firm grasp on this is the foundation of your defensible deletion playbook.

A viable way to develop policy is to segment the environments and prioritize the data that represents the most risk and liability as follows:

 

Volume of Storage

Data Risk and Liability

                Desktops:

Low

Medium

                Network Servers:

High

Low

                Email Servers:

Low

High

                Legacy Backup Tapes:

High

High

 

The highest-risk data environments are typically email servers and legacy tapes. Email is the most common source of evidence produced for litigation. Additionally, email has regulatory and compliance preservation requirements because it is the source of sensitive communication and agreements.

When a company is sued and evidence is collected, email—usually stored on an email server—is usually the first place to look. However copies of email are lurking in many other locations throughout the network. A sensitive email from the CEO, for instance, can reside on the CEO’s desktop, a copy on his/her laptop or home PC, a PST file that was archived to a network server, a copy on the email server and, finally, multiple copies clustered away on legacy backup tapes.  

Legacy backup tapes contain a snapshot of everything, including email and files, from a particular time period, so they are extremely high risk to keep lying around. Using new technologies enables remediation and indexing of the data on these tapes, so the physical tapes can be eventually destroyed once the responsive content is identified and extracted.

Your policy can initially focus on high risk data and continue down to lower risk items; this makes a monumental task more manageable. A playbook is critical to determining an achievable action plan. Many organizations are overwhelmed when faced with massive volumes of data, including legacy content archived away in old data stores. The playbook breaks down the process and develops an approach that is achievable and measurable.

Managing corporate data, both current and legacy content, is more critical than ever. Defensible deletion of content not required for compliance or operational purposes is justifiably a key focus of chief risk officers and information governance teams worldwide. Many organizations have had legal issues resulting from “hidden” or older data that was discovered during litigation. These documents and email sometimes contains “smoking guns” that prove harmful in the event of current and ongoing litigation.

Don’t let this happen to you. Work with stakeholders at your corporation to develop a sound defensible deletion policy which creates boundaries around your data and guides employees appropriately. True, you and your colleagues will have to clean out your virtual attic, but it’s certainly better to be proactive than to have a dusty old email or document surface at your organization that causes you an even bigger headache. 

Contributing Author

author image

Jim McGann

Jim McGann is VP of Information Discovery for Index Engines, a leading electronic discovery provider based in New Jersey. McGann is a frequent writer and...

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.