By Rian Kennedy.
If you haven’t been living under a rock for the last few years, you’ve noticed that how companies store and dispose of their data has come under increased scrutiny by regulators and opposing counsel. Further complicating the requirements are data sovereignty laws, privacy acts, and legal hold compliance. These elements combine to demonstrate the need for programs in place to defensibly dispose of data to avoid fines and sanctions.
In the legal world, when there’s pending litigation or expectation of litigation, the duty to preserve related data becomes necessary regardless of a company’s normal retention schedule. There are two parts to compliance:
1) notification to custodians; and 2) preservation of relevant data until the matter is resolved. If not met, risk of spoliation and sanctions from courts loom large. Often corporations do not have a formal or automated process to link both legal hold and regulatory retention, resulting in monetary and legal sanctions.
Legal Hold Compliance
Technology is finally here to help inter-departmental communication and collaboration by centralizing controls. Legal departments can now take advantage of legal hold platforms, like Hold360, to automate and centralize legal hold compliance: from sending preservation letters to preserving potentially responsive Electronically Stored Information (ESI). API integrations between your legal hold platform and source data repositories like Google Workspace, Office365, Slack, and more, enable corporate legal departments to automate preservation of data related to active custodians.
Another area of note is the ability to create workflows for holds on employee assets (company-issued laptops, phones, etc.) for current as well as terminated employees who may still be subject to a legal hold. Technology is now available to solve for this problem as well by having Human Resource Information Systems (HRIS – like Workday or SAP SuccessFactors) communicate with the legal hold platform to inform IT of active legal holds for exiting employees in order to mitigate the risk of spoliation.
Data Classification - Retention & Disposition
By integrating your legal hold platform with your company’s data classification platform, once custodians are released from a legal hold their data can automatically rejoin the general population of data subject to your company’s retention schedule. Given the scale of enterprise data volumes, more and more companies utilize data classification tools (like Classify360), document management systems (DMS) and other data governance tools to help manage retention and defensible disposition in a programmatic and auditable manner. It is vital that both legal hold software and data classification software communicate.
The old strategies of “keep everything just in case” and “just make a copy of it” are becoming increasingly unsustainable given the costs to procure and maintain hardware and software to store data. Data volumes necessarily trigger significant costs as it relates to litigation and eDiscovery (including collection, review and export), and risk profiles increase as data footprints expand in light of evolving privacy and data sovereignty regulations. Where possible, managing data in place is a much more viable option. Many matters do not move forward to discovery and never have a need to collect and review all the data identified within a legal hold. To be able to identify data as “On Hold” in your source data and/or DMS ensures compliance while limiting spend and risk.
Inter-departmental Coordination
The most well-crafted retention policies may sometimes overlook inter-departmental alignment with stakeholders across the enterprise, which can compromise the enforcement of preservation compliance and defensible disposition. Available technology can enable greater alignment and coordination between departments. Centralizing and coordinating how data decisions are made in a single platform can be a reality for companies.
Coordination is a key issue and is often difficult as each department is focused on their own goals, many of which do not necessarily overlap or may even be at odds with the goals of other departments:
Information Technology is interested in ensuring that their systems run well and that they regulate proper access and maintain the integrity of data, but not necessarily make decisions on the value of the content of data. If an exited employee’s laptop is made available, they want to wipe it and reassign it to a new employee. Unfortunately, IT may not always be aware that data on the laptop is on legal hold—risking spoliation of that data. From IT’s perspective, it is merely an efficient, cost-effective use of assets.
Information Security is interested in identifying sensitive or risk content (PII, PCI, PHI, etc.) and ensuring it is properly secured or deleted. They, again, may not realize regulatory retention requirements or legal hold compliance constraints resulting in mishandling of data and potential sanctions without a coordinated effort with other departments.
Legal departments are aware of legal requirements and want to mitigate risk. They don’t necessarily hold the keys for the systems of where potential evidence resides. Without a legal hold platform that performs in-place preservation, like Hold360 and others, they may not be able to control the deletion of relevant data. Unless Legal is at the table for data classification, they may not realize policies are in play that undermine regulatory and legal retention.
Information Governance Automation
There is an absolute necessity to have legal counsel and consultants assist with retention schedules. Once those schedules are in place, the next step is translating them into policies that technology can execute. A consultant should have the ability to alleviate department stakeholders’ concerns by automating policies and ensuring workflows address each issue—solving for the department’s goals while addressing any potential complications. This holistic approach is often not achieved without true collaboration and stakeholder involvement from all company sectors.
Artificial Intelligence, or machine learning, is a large component of effective retention technology. Both unsupervised machine learning (classification of data without initial user input) and supervised machine learning (user-fed seed documents/searching) are effective ways to enforce the policies created. Layering regular expression searching (keywords, specific formats, etc.) with Boolean logic (proximity searches, connectors, etc.) further powers more accurate recall rates. Again, rely on consultants who have experience with these methods and a team behind them with significant data science background.
Even with the best technology to identify data, many disposition initiatives get stuck because the technologies previously available often did not have a mechanism to ensure data owners can make final decisions for deletion and execute the required disposition. We have seen this single factor determine selection of new InfoGov technology as IT professionals have tried other solutions that can only get them to identify data to dispose, but lack a decision step. To solve for this problem, data owners must be part of the final decisions for disposition. Having a user interface for them to access data out of retention empowers them to defensibly dispose of data with a full audit trail.
Tying back to legal hold preservation, identifying data to dispose must have a filter to ensure legal hold compliance. An InfoGov tool that does not have a way to tag or label data for legal hold is lacking. There has to be a comprehensive, collaborative playbook to handle all aspects of retention.
Conclusion
There are a number of factors to consider in managing legal hold within a larger context of data retention and disposition. In the diagram below, we outline how a legal team must have more control and visibility throughout the lifecycle of their enterprise data and necessitates more collaboration with other departments:
Defensible disposition is a highly complex undertaking, involving stakeholders from across an organization and scrutinized by both regulatory and legal requirements. Siloed approaches will no longer be an option. Holistic solutions that centralize controls, integrate with enterprise systems, communicate across departments and automate compliance are necessary. Legal hold and regulatory compliance can then be ensured even through the process of defensible data disposition.
About the Author Rian Kennedy is a legal technology expert with experience in all stages of the eDiscovery and Information Governance lifecycle and works as Senior Consultant, Legal Products at Congruity360. Since 2005, he has lived the many changes in regulation, technology and society that have driven innovation within Legal and Information Governance technology. His expertise has helped his clients bridge the gap between Legal and other departments (HR, IT, RIM, etc.), while solving real needs through automation and workflow.
At home, Rian is family first, living in Southern California with his wife, three kids, dog, cats, chickens, hamster and fish. He’s an avid basketball and baseball fan, but he dreams of one day being a farm to table chef on a self-sufficient homestead he runs.