Data Retention: “Do I Really Need to Keep This?”

The posture of in-house counsel toward information governance and data retention is in the midst of a noticeable and rapid shift from “are we retaining the right information?” to “please, please tell me I can get rid of some of this stuff.”

Those urgent pleas are fed not by data storage costs, which continue to decline, but by savvy in-house lawyers anticipating a subpoena or lawsuit, confronting a decade’s worth of retained emails and calculating compliance costs.

How are in-house counsel expected to advise their business clients on data retention when, in the typical company, numerous legal holds have piled up over time, executives may be effectively exempt from whatever retention/destruction policy is in place and no audit process exists to ensure records are actually deleted in compliance with the policy? The right advice at the right time can save in-house counsel the stress of dealing with these tricky — and, let’s face it, not particularly glamorous — issues.

The ideal approach to information governance and data-retention policies involves a comprehensive review of where data is stored, what technologies or software are no longer used, what archives exist and what happens to data when employees leave. This review would also examine current policies and procedures for data retention and destruction.

But in-house counsel rarely operate under ideal circumstances, where time and resources are unlimited. Instead, legal and compliance departments are notoriously cost-constrained and often prefer a more surgical approach. A more limited review, when designed correctly, can be effective in spotting major issues and solving immediate problems. For example, if there is one particular data repository that has never been culled and the data is sensitive in nature (customers’ personally identifiable information, for example) and is of limited or no real use to the company from a business perspective, such data could be tackled in a more surgical way (i.e., deleted, potentially, as long as there is no other legal or business reason to retain it).

Similarly, there are easy and automated ways to adjust retention settings on most major email and messaging systems that companies can deploy immediately to reduce what is retained going forward. (Of course, these automated settings need to be overridden in the event that a legal hold is put in place.)

The best course is to draft policies and procedures that work in practice rather than just on paper — in other words, those drafted with input from the various business lines impacted by the policy and that actually make sense in light of the company’s retention obligations and business needs — and then to ensure those policies and procedures are implemented. Implementation is, of course, the trickiest part, but once a workable policy is in place, in-house counsel, working with IT, can methodically revisit each area of the company to ensure the correct records are being retained. This can be accomplished with a hands-on approach (e.g., conducting interviews, auditing company systems) or, if the concerns about compliance and retention are less serious, by simply asking individuals or groups of employees to self-certify that they’ve reviewed the policy and have conducted whatever audit is required. Of course, as with any self-certification plan, counsel and IT should follow up with random audits from time to time to verify and document compliance.

Creating workable information governance policies and procedures does not need to be a terribly taxing exercise, and it can result in very real cost savings to the company. Third-party validation of current policies can reduce the burden on in-house counsel and ensure that company policies meet best practices that are constantly evolving. And, when the next subpoena comes in the door, the CEO and CFO will hopefully remember to thank the legal department for going through the effort.