There is a famous quote from the Greek philosopher Socrates, “Knowing is not the same as doing.” We all know that to feel better physically and mentally, we should exercise and eat right. Many times, however, we skip the workout and can’t resist pizza or chocolate cake, even though we know a salad would be more nutritious.
Even in the business world, Socrates’ age-old adage applies. We don’t always do what we know we should do, especially when it comes to the data our business uses. A recent study by Veritas found that as much as 85% of data in organizations is either Redundant, Obsolete, or Trivial (ROT). Keeping ROT data in check requires organizations to exercise defensible deletion best practices to remove data once it has been determined to have no value for the organization.
Even organizations that have a defensible deletion program in place must be vigilant in applying it. Those of us old enough to remember the Arthur Andersen debacle in 2002 know that the only thing worse than having no policy in place is having a policy and not following it. Andersen’s belated shredding and digital deletion of Enron-related documents – purportedly in compliance with the accounting firm’s records retention policy – resulted in an obstruction of justice conviction. The firm was eventually exonerated by the Supreme Court in 2005 – a Pyrrhic victory, since the $9 billion firm collapsed after the initial conviction.[1]
Another common occurrence of “knowing is not the same as doing” is failing to release litigation holds on nonrelevant or obsolete data associated with a matter in a timely and proper manner. Organizations recognize the importance of promptly returning data to retention and deletion schedules, but often fail to do it, ultimately derailing a defensible deletion program and increasing ROT data. The matter may be over, but the unneeded data remains in limbo – costing organizations billions of dollars a year and increasing cyber and data privacy compliance risks. If there are any doubts about this very real danger, take a look at last month’s spate of law firm data breach announcements[2] or this year’s docket of cyber class action suits against law firms.[3]
This article discusses how to avoid the high cost of inadequate processes for the defensible deletion of data and what you should consider when determining whether and how to delete data that was subject to a legal hold – both knowing and doing.
Defensible disposition is the deletion of data in a legally defensible manner if there is no regulatory or legal reason to keep it. It involves documenting the policy, process, and actions associated with the disposition of data. Here are some best practices for defensibly deleting data within your organization.
Understand Legal Obligations and Retention Policies. To avoid legal complications, it’s important to understand and adhere to the specific regulations governing data retention, as different jurisdictions and industries have different rules for how long certain types of data must be kept. Organizations must establish clear, compatible retention policies that define how long each type of data should be stored.
Develop and Maintain a Sensible Data Map. You can’t delete ROT data unless you know where it is (or that it even exists). This seems obvious, but the devil is in the details. Organizational systems and IT infrastructure change so frequently and at so many levels that encountering a CIO who can answer the question, “What data does your company maintain?,” is the exception rather than the norm. A sensibly scoped and regularly maintained data map gives both Legal and IT the ability to effectively identify data for legal hold purposes and leverage technology advancements, including index-in-place solutions, to differentiate important and sensitive data from ROT data that can be deleted.
Work with Appropriate Stakeholder Groups. Defensibly deleting Electronically Stored Information (ESI) is a cross-departmental task that involves multiple stakeholder groups. Key groups often include: 1) the legal team that determines whether information may be released from legal hold; 2) the records information management (“RIM”) team that maintains the organization’s RIM policies and will confirm whether information must be preserved for compliance beyond the needs of a specific legal matter; and 3) the IT team that performs or oversees the technical aspects of the deletion.
Document and Communicate. Organizational best practices for defensible deletion should be documented and communicated to appropriate stakeholder groups, with training to ensure adherence to company policies. This documentation should include what data was deleted, why it was deleted, who authorized the deletion, and when the deletion occurred.
Perform Periodic Reviews and Audits. It’s important to conduct periodic reviews and audits of data deletion practices to not only make sure they remain compliant with evolving laws and best practices, but also to help ensure that these practices are consistently followed across the organization.
Provide a Certification of Destruction. Once data is deleted, it’s important to validate the deletion with a certification of destruction to ensure that it has been entirely removed and cannot be recovered.
Litigation Holds and Their Impact on Defensible Deletion
Once there is a reasonable anticipation of litigation, organizations have a duty to preserve relevant evidence and issue a legal hold.[4] The issuance of a litigation hold suspends defensible deletion programs for any data placed on hold until it is released.
Many organizations think that all data associated with a matter should remain subject to legal hold until the litigation ends (or longer), but realigning holds throughout the case – which can be accomplished during early scoping and as the case progresses and claims narrow – provides continuing opportunities to release data from hold. The process for releasing holds should be clearly documented and communicated to all relevant parties; and certainly, data cannot be deleted until it is no longer subject to any litigation hold. Therefore, it’s important to track all the holds placed on data sources to ensure any data subject to a hold remains preserved.
For more information on how to navigate legal holds effectively, see the blog post, “Litigation Holds Causing Corporate Heartburn? Ease the Pain with this eDiscovery Antacid.”
Where Many Organizations “Drop the Ball”
Regardless of when the litigation hold is released, many organizations fail to do the one thing that they know they should do — return the released data to defensible deletion programs. This practice runs the risk of driving up data costs and unnecessarily leaving the organization open to the perils of over-preservation, as described earlier. There are several reasons organizations keep data after the litigation hold is released.
Reasonable Anticipation of Litigation Isn’t Clear Cut. Reasonable anticipation of litigation can be open to interpretation, which causes many organizations to keep data after a matter concludes. Additionally, some counsel take the position that data under hold could still be relevant and helpful to future litigation, so they opt for caution in keeping data that should be deleted.
Communication and training within the organization are vital to enable everyone to understand the risks associated with failing to delete any data that can be defensibly deleted and to ensure that best practices are employed when doing so.
Multiple Copies of the Data Exist. During litigation, multiple copies of the data are often created. Copies of data are typically created during collection, processing, ingestion into an eDiscovery platform, and production. It’s easy to miss at least one of those copies when proceeding to delete that data, which makes deletion efforts ineffective. Deletion of production data should always be conducted as part of a comprehensive end-of-matter process, both internally and with other parties.
Lack of Understanding Where the Data is Located. Custodians often misunderstand what data is subject to hold and simply stop deleting data altogether. It is often easier to hold everything rather than take the time to locate the actual responsive materials.
Applying best practices to track the location of data within the organization is imperative to the ability to locate responsive data, then execute defensible deletion programs. Because of the difficulty of doing so manually (even with best practices), the ability to track data location within an organization is a prime opportunity for automation.
Managing Third Parties. One of the most frequently overlooked parts of data disposition is ensuring that third parties, including law firms, dispose of the data in their possession. To address this problem, there should be, at the least: 1) appropriate terms and conditions in retention letters, cloud and vendor contracts, etc., that clarify data ownership and retention/disposition responsibilities of the parties; 2) a tickler system to make sure there is follow up and closure with the third parties holding data at the close of the matter; and 3) terms that require that third parties document their compliance.
A Proactive Strategy Can Save Millions
A defensible deletion program doesn’t start after a matter is over; it starts at the very beginning. Applying the “knowing and doing” philosophy is imperative to a successful, cost-saving, and defensive data strategy. Utilizing technology, such as Evidence Optix®, legal hold applications, and index-in-place solutions, to more accurately analyze and target what data really needs to be collected, processed, and kept for litigation is a critical step toward avoiding the wild, wild west of data.
Legal teams that take a holistic approach to data management – one that includes information governance, data mapping, data remediation, legal hold reconciliations, and defensible disposition plans – realize greater efficiencies and a dramatic reduction in spend and risk. Prism Litigation Technology leverages extensive expertise in these areas to help clients get their house in order and position themselves to achieve best case scenarios and avoid costly mistakes.
Yogi Berra’s famous line of “it’s never over ‘til it’s over” applies perfectly to defensible deletion at the end of a case – the matter isn’t completely over until you have defensibly deleted data no longer subject to a litigation hold.
Applying best practices for defensibly deleting data includes doing so for data that has been released from litigation hold. Failing to do so defeats the purpose of a defensible deletion program in the first place, which is to minimize the costs and risks associated with ROT data. As is the case with exercising and eating right, defensibly deleting data released from litigation hold is something you know you should be doing. Do it and feel better about your organization’s data health!
[1] Arthur Andersen LLP v. United States, 544 US 696 (2005). See also M. Maurer, Arthur Andersen’s Legacy, 20 Years After Its Demise, Is Complicated, WALL ST. J.: CFO JOURNAL (August 31, 2022 5:30 AM), https://www.wsj.com/articles/arthur-andersens-legacy-20-years-after-its-demise-is-complicated-11661938200.
[2] See S. Skolnick, S. Whitely & O. Cohen, Law Firm Cyberattacks Grow, Putting Operations in Legal Peril, BLOOMBERG LAW (July 7, 2023 4:30 AM), https://news.bloomberglaw.com/business-and-practice/law-firm-cyberattacks-grow-putting-operations-in-legal-peril.
[3] See S.D. Nelson, J. W. Simek & M. C. Maschke, Law Firm Data Breaches Surge In 2023: Cybercriminals appear to be successfully hitting small and large firms alike, ABOVE THE LAW (August 1, 2023 11:42 AM), https://abovethelaw.com/2023/08/law-firm-data-breaches-surge-in-2023/.
[4] See, e.g., Peter Kiewit Sons’, Inc. v. Wall St. Equity Group, Inc., 8:10CV365, 2012 WL 1852048, at 12-13 (D. Neb. May 18, 2012).