When is it ok to Delete Data: Defensible Deletion and Retention Schedules

Twenty years ago, the average corporate General Counsel's (GC) primary data strategy was to delete all data that was not absolutely necessary to meet regulatory compliance requirements or currently being used in litigation. Ten years ago, that data deletion strategy had completely reversed to where most GCs were hesitant to delete any data at all. I believe this 180-degree change was due to the 2006 amended Federal Rules of Civil Procedure (FRCP) publication. Specifically, Rule 37(e) of the 2005 FRCP stated:

If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to protect it, and it cannot be restored or replaced through additional discovery, the court has several remedies, including the issuance of an adverse inference instruction. The adverse inference instruction instructs the jury that they can presume that the evidence (data) is unfavorable to the party's case. [In many, but not all lawsuits, an adverse inference instruction generally ends the case in favor of the opposing party.]

In reality, the adverse inference instruction informs the jury that (usually) the defendant didn't want you to see the evidence because it could be detrimental to their case, so destroyed it.

Because of the 2005 version of 37(e), many GCs changed their minds. They became much more conservative on data deletion mainly because they didn't want to take the chance of getting caught up in spoliation (destruction of evidence) allegations. There are numerous cases where companies did not anticipate future litigation correctly, and data was inadvertently destroyed, causing the issuance of fines and loss of the case.

When litigation hold responsibilities arise, preservation obligations, including the suspension of document retention and retention policies, could very well be required, but only for data that can reasonably be tied to the case. In the famous Zubulake eDiscovery case, the court noted that to comply with legal hold obligations, a party is not required to preserve "every shred of paper, every email or electronic document, and every backup tape."

The FRCP was amended again in 2015 - including Rule 37(e). The amended Rule 37(e) now includes a critical instruction that subtly changes the anticipation description to: only upon finding that the party acted with the intent to deprive another party of the information's use in the litigation may the judge apply the most severe sanctions. In practice, inadvertent deletion of potentially responsive information should not trigger harsher responses from a Judge (usually).

Even with this important FRCP update to Rule 37(e), many GCs have not changed their data deletion stance. I still run into corporate Compliance, Records, and Legal professionals who say their standard data retention/disposition instructions are still not to delete any data, ever.

In fact, the legal best practice is to delete records when expired and general data as soon as the data is no longer has value for the company.

The legal system does not mandate data retention policies

Unless your company has specific regulatory retention requirements or anticipates legal action, data retention is strictly up to the organization. There are no laws that instruct organizations to keep general (non-regulated) data for any period of time. In the past, I have seen some large organizations institute very compressed retention policies, including only two weeks on all email where the email is automatically deleted from the system unless the custodian or legal department has placed a legal hold on the email.

This very short retention policy is out of the ordinary and does contain some risk. A judge could interpret this policy as an attempt to remove smoking guns before they can be requested in eDiscovery. For example, in the Apple vs. Samsung patent infringement case, Samsung's lack of digital evidence preservation in part resulted in Apple being awarded over $1 billion because digital evidence that the judge considered material to Apple's case was automatically deleted.

No matter the industry or business your company is in, it's always a best practice, even though it's not a legal requirement, for your company to create a data retention/disposition schedule - and enforce it. Companies do this based on regulatory requirements, sound business practices, and legal risk mitigation reasons.

Without scheduled retention/disposition, data (and risk) piles up

In today's business environment, the amount of data being created/sent/received has accelerated (the velocity of data) to the point where employees can no longer keep up. Because of this, they fall back on the 5-second rule; if it takes more than 5 seconds to decide what to do with a piece of information/file/email, the employee will either delete it immediately or keep it forever – and in my experience, the vast majority choose to keep it forever.

This is one reason very large companies spend millions of dollars every year to employ consultants to cull through terabytes of data to delete files that are no longer required or are required by law to be removed. For example, the CCPA and GDPR privacy regulations require organizations to dispose of a data subject's personal information when requested (right to be forgotten), or if the organization no longer needs for the data, i.e., the original reason the data was collected has been fulfilled or no longer exists, or does not have regulatory or legal requirements (litigation/eDiscovery) to keep.

This process is known as defensible disposition – the deletion of data in a legally defensible manner if there is no regulatory or legal reason to keep it. This description refers to documenting the policy, process, and actions when a defensible disposition is being executed.

READ MORE:  Data Has Value, but also Risk – Get Rid of What You No Longer Need

When can/should data be deleted?

Organizational data typically have some amount of value to a company for a period of time. Some information value is very short-lived, while other data can retain its value to the company for much longer periods of time.

The secret sauce in information management is to know when data value becomes less than its potential risk to the organization. In fact, there is a direct connection between the age of data, the cost to keep it, and its risk to the organization (PII security, eDiscovery). In a great example of the cost of maintaining data too long, Dupont conducted a study back in the late 90s looking at nine key eDiscovery cases. They found that:

• The total number of pages reviewed were 75,450,000
• The total number of pages that were found responsive to be 11,040,000
• The total percentage of expired (beyond the retention period) pages to be 50%
• The total cost of unnecessary eDiscovery review processing was $11,961,000 (1998 costs).

(These findings did not take into consideration the non-litigation costs of data over-retention, including increased costs of data storage and management, backups, inclusion in other litigation, and privacy/security risks)

This study is still relevant today in that it highlights the cost of over-preserved data in the eDiscovery process. Additionally, expired but still preserved data can complicate eDiscovery due to the basic fact that if data exists, even expired data is still discoverable and must be collected and reviewed if potentially responsive to the given case.

READ MORE: Corporate Legal Budgets are getting Squeezed –
How to Reduce eDiscovery Costs (with Cloud Archiving)

Data deletion – "it's a good thing"

Creating and enforcing data retention/disposition schedules for non-regulated data is a great business practice in case a judge asks for the retention disposition policy when responding to opposing counsel's inquiries. The key here is disposing of valueless information regularly. This ensures aging data does not stick around and impact storage and data management costs and cause eDiscovery issues in the future.

Circling back to this blog's main topic, when is it legal to delete information? It is legal to delete data regularly if not under regulatory retention requirements or involved in current or anticipated future litigation. Data not meeting these two requirements should be defensibly disposed of when legally defensible.

Defensible Deletion/Disposal questions checklist

1. Is there a current business need to keep the data in question?
2. Does the data to be disposed of have any regulatory compliance retention requirements that require you to keep the data?
3. Is any data subject to an anticipated or current legal hold?
4. Has your Chief Regulatory Officer, Chief Records Officer, or General Counsel approved your defensible deletion plan?
5. Does your organization have a published data retention/disposition schedule that supports your defensible deletion activities?
6. Can your retention/disposition system produce an accurate report on the data deletion for future chain of custody and regulatory reporting?
7. Do you regularly audit the retention/disposition system?

However, you should always get a written opinion from your corporate or outside counsel.

Archive360 is the world's leader in intelligent information archiving and management. The Archive2Azure solution is a complete cloud-based information management and archiving solution for both structured and unstructured data, which is installed in your company's own Azure Cloud tenancy for increased security and functionality, ongoing customization, and complete control. Unlike SaaS archiving platforms where you are forced into a one-size-fits-all application and security configuration, the Archive2Azure PaaS solution is architected so that you store your company's data in your own Azure tenancy with complete control over the security, including the ability to encrypt data on-premises before movement to your Azure tenancy – while keeping your encryption keys locally.