Document retention and management are among the last things many companies think about, particularly if it is not mandated by industry or regulation, as is the case with most small and medium-sized businesses. In many cases, particularly in smaller companies, everyone is trusted, drive shares are fully open, and people are allowed to save whatever they want for as long as they want. Many times, the reason for this is that no one either wants to or has the time to go back and check what is being kept. As time goes on, systems are upgraded or added to increase storage capacity. This is the most common way of addressing the “space issue”. In many instances, this is the quickest, simplest solution.
This process can go on, and has gone on, for years or decades. It does not just include electronic data (e-data), but also backups. There are companies that not only have no offsite storage of their backups, but do not even keep them in a fireproof safe. The unused tapes are just placed on top of the server, or on shelves above the server (great DR plan). Many times, they are not reused and just accumulate, or there could be boxes of them in a storeroom somewhere. Cloud backup solutions have eliminated some of this, but there are other issues mentioned later. Everyone is afraid of purging and deleting data, and the excuse is always “We/I may need it later!” This is a poor excuse that is almost never true. It has been estimated that in many cases, as much as 85-90% of data on company systems is not touched after 30-60 days.
When does all this really come to light? When the company is presented with a lawsuit and e-Discovery begins. When someone has to start digging into the data, the sheer amount is realized. The other problem with keeping everything is that discovery can go back as long as you have data. To add to this, if there is no set document retention policy, then there is nothing to back up any processes that users have followed. What most people do not realize is that there can be huge fines in the form of sanctions, issued by the court, for the improper management of documents. Sanctions cannot be appealed and therefore have to be paid. These types of things can bankrupt a company, putting it out of business. Several well-known cases that resulted in sanctions, judgments, and fines from improper management are:
• 2004 Zubulake vs Warburg Cost: $29.2 Million
• 2005 Coleman vs Morgan Stanley Cost: $1.4 Billion
• 2007 Qualcomm vs Broadcom Cost: $19.6 Million
There have also been cases where owners of small and mid-size companies have asked employees to delete data and shred documents. This resulted in jail time for these individuals. Huge costs may not just be associated with sanctions. Attorney fees can really add up in a hurry. The more data you have, the more data your attorney will need to go through, or pay a third party to process and review. These fees could be hundreds of dollars per hour. This is where a good document management policy that is followed by the employees can really help the company.
Document Retention Policy
First, there are several types of files whose retention is mandated by law regardless of industry. These are typically related to financial, human resources, email (in some cases), etc. Laws specify how long these files should be retained for any type of audit or investigation. Make sure you know what the laws are for your data.
Next, all other classes of documents have to be analyzed. This is easier if the company is large enough to have a variety of departments like quality control, marketing, and sales. Decisions about how long the files for these departments need to be retained can be made based on industry standards or other determined criteria.
Last, one area that is often not considered is backup retention. The shortest retention allowed by regulation or law is the best. If a company has backups going back for years, then they can be “discoverable”. Producing data from all of these backups can be costly and time consuming. Their retention should definitely be considered. Once all of the information is gathered and placed into a policy, an attorney or legal department should review it (or even be involved) to ensure that the policy is “legally defensible”. The policy must then be fully implemented. This will probably involve a lot of time spent going back through all of the old data and deleting anything that is beyond the retention period.
One of the easiest ways to implement and manage e-data is with an automated system. These usually have the data classified and time stamped. This way, when the retention period is up, the data is automatically deleted. However, these systems can be costly, ranging from tens of thousands to over $1 million. One of the easiest and least expensive solutions to implement is email archiving. Many times, these can be purchased as an appliance and can be up and running in less than an hour. There are a wide variety of vendors in this marketplace, and each company needs to choose a vendor that best suits them. This option should really be evaluated and considered by all companies.
The Cloud? Well, there is a lot of talk today about “moving to the cloud”. Companies are offering services from hosting all servers and applications, to providing backup solutions, even down to archiving and e-Discovery. Here is the biggest problem of all with this option. The Department of Justice (DOJ) can subpoena these hosting companies for your data and you may not even be aware of it. There are cases now where the DOJ is trying to obtain data and while being met with resistance, these companies may still have to turn over data in the end.
In the event Cloud services are considered, make sure the entire contract is reviewed by a legal professional. In many cases there is a lot of fine print about what happens if data disappears, responsibility, and other factors. At a recent conference, it was pointed out that the fine print of a well-known search engine’s hosting agreement basically said they really own the data. Not to mention the well-publicized cloud crash in 2011 that resulted in permanent data loss for some customers. These are just a few reasons why many companies are hesitant to move and are still sticking to a “no cloud” policy.
No matter what document management or archiving solution is selected for your organization, it is important to include this system in your disaster recovery plans. The fact that the company suffers a disaster may have no impact on what a court wants in discovery. There are various ways of doing this depending on the vendor of choice. For example, if the data is written to a WORM or CAS (Content Addressed Storage) device like the EMC Centera or HP Information Access Platform, then a separate “target” system needs to be included at the disaster site for replication. Any vendor that is evaluated should be able to provide a disaster plan for their system. If they have no option in this type of scenario, they should not be considered.
In conclusion, with the rate at which lawsuits are filed in the United States, many for little or no reason, companies really need to look at protecting themselves. The best way is to evaluate and implement a proper document and backup retention policy. Keeping less data is in the best interest of the company. The “I may need it later” mentality can actually harm the company in the future. The less data you have, the less you can produce and the less attorneys have to review, all of which reduces your liability footprint. Just make certain your legal department or attorney is fully involved with any decisions.
Remember, in the end, if you have it, then it is discoverable!