Steps to Making the Defensible Destruction of ESI a Reality in 2013
The volume of Electronically Stored Information (ESI) for most enterprises continues to grow with no end in sight. Storing and managing all ESI is overwhelming from an operational standpoint, increases legal liability and is cost prohibitive. Therefore, the question for the enterprise is what ESI should the Enterprise keep and what ESI can it legally depose of?
Historically known as data retention policy, the focus in 2012 and beyond is on defensible data destruction. Enterprises are no longer legally able to just destroy whatever ESI they no longer want to keep.
The National Archives and Records Administration (NARA) requires all U.S. federal agency electronic records, including e-mail messages, be destroyed in accordance with an approved records disposition schedule (2 CFR Part 2600, Subchapter B, Part 1234.34). Additionally, electronic records scheduled for destruction must be disposed of in a manner that ensures protection of any sensitive, proprietary, or national security information.
For organizations in the private sector, destruction practices for protected information about an identifiable individual employee, customer, or supplier are regulated. Examples of protected information include Social Insurance/Security number; account number, credit, or debit card, in combination with any required security code, access code, or password that would permit access to an individual's financial account; driver's license or state identification card number; consumer credit reports, and personal medical information.
In the United States, federal legislation such as HIPAA and the Fair and Accurate Credit Transactions Act (FACTA) requires the destruction or deletion of electronic files or media so the information cannot be read or reconstructed. At the U.S. state level, more than 40 state governments have adopted privacy protection legislation that may impact private sector organizations. Colorado, for example, has a law requiring the establishment of policies for safe destruction of documents containing Social Security numbers.
Most enterprise Chief Information Officers (CIOs) and General Counsels (GCs) know intuitively that half or more of stored ESI doesn't really have to be kept for any real legal, operational or business reasons. A survey taken at the 2012 Compliance, Governance and Oversight Counsel (CGOC) Summit validated these facts. The survey found that typically:
- 1 percent of corporate ESI is on litigation hold
- 5 percent of ESI is in a records category
- 25 percent ESI has current business value
Therefore, 69 percent of ESI in most companies has no business, legal or regulatory value and may be confidently disposed. The trick then becomes disposing of this data quickly and confidently without deleting data the 31% of the data that your business does need.
Unfortunately, it is anything but easy or quick to implement this. Enterprises usually must bring together stakeholders and decisions makers from legal, compliance, records, business and Information Technology (IT) and create enterprise committees to assist and guide in the development of these policies.
Further, due to the volume of ESI, enterprises must go beyond just simply developing and publishing policies. They must bring in a technology solution to:
- Enable the granular identification of ESI across the entire enterprise
- Provide real-time analysis and reporting
- Automate policy-based general ESI retention
- Automate policy-based legal hold(s)
- Automate policy-based de-duplication
- Automate policy-based defensible ESI Destruction
Due to the number of technologies available that perform these tasks, the time it takes to evaluate them and make a recommendation further delays the decision making process. So in an attempt to short cut through this process, I recommend doing the following:
First, use a storage system to indentify, analyze, preserve and collect ESI. Storage systems are turnkey solutions and have matured tremendously in recent years in their ability to support the defensible destruction of ESI.
Second, implement an email archiving system. In recent years, email archiving system vendors have enhanced their platforms to include more sophisticated search and analysis technology and support for legal holds, eDiscovery requests and other information governance requirements to include the defensible destruction of email.
Finally look to standalone information management systems to complete the process. These are independent of the storage of ESI and enable the enterprises to scan stored ESI to perform tasks such as Early Case Assessment (ECA), First Pass Review (FPR) and normalization for production throughout the remainder of the ESI lifecycle.
The volume of ESI continues to grow overwhelming many enterprises from an operational standpoint even as it increases their legal liabilities and costs. However it is for these exact reasons that enterprises can no longer procrastinate on dealing with it as the costs and risks associated with doing so dictate they pay attention now. Using the steps outlined above, enterprises could do more than make dealing with their ESI a priority in 2013. They can actually develop, implement and execute on a comprehensive and defensible ESI destruction strategy.