Secure Destruction of Eligible Records

Defensible Disposition
Jennifer Crawford, CRM
Director, Product Management
Iron Mountain
What We Will Cover
What is Defensible Disposition?
Why should I care?
How do I get there?
What is Defensible Disposition?
Defensible Disposition:
Disposal (deletion/destruction) of content in good-faith
compliance with legal, regulatory, privacy, and security
requirements.
Managing Records Does NOT
Require Perfection
FRCP 37 “recognizes that ‘reasonable steps’ to
preserve suffice; it does not call for perfection.”
Reasonable steps - “routine, good-faith operation of an
electronic information system” is a factor to consider…
Bare Minimum Path to Defensible Disposition
• Current Retention Schedule
• Preservation Confidence
• Secure Destruction
• Reliable Reporting
Tell Me About Yourselves
Where is your RIM function?
• Compliance
• Finance
• Legal
• Operations/Corporate Services
• Risk
• Sourcing/Vendor Mgt
• Technology
• Elsewhere?
Which of the following are true?
• We always consistently dispose in accordance with our retention schedule and preservations because we are perfect.
• We have a retention schedule and preservation policy, but we struggle to convince legal or other stakeholders to get comfortable with destruction.
• We have a retention schedule and preservation policy, but we struggle to enforce individual employee adoption and/or technology implementation across the company.
• We need improvements to our policy/retention schedule before we can even begin to think about defensible disposition.
• We just do what Legal tells us to do.
Why Should I Care?
The Value of
Defensible Disposition
Exponential Growth in Electronic Data
Results in Crippling Costs
90% of all information was
created in the last 2 years.
44x more information will
exist in 2020 than today.
650% volume increase
between 2005-2015. Requires
50% more staff to manage.
Most Organizations
Over-Retain Information
According to a 2012 Compliance, Governance and Oversight Counsel (CGOC) survey,
at any given time:
1% of corporate information is on litigation hold;
5% is in a records category; and
25% has current business value.
This means that as much as 69 percent of all the data stored in an organization could
be defensibly eliminated, that is, disposed of without increasing the risk to the
company of undercutting business initiatives or risking legal or regulatory penalties.
Save on Costs and Drama
69% of information within a company is needlessly retained
far beyond retention requirements.
Over-retained information is a liability and racks up costs.
They can’t hack what you don’t have.
Get rid of what you legally can to protect yourself from data breaches.
Every company, regardless of size or industry,
should have a current retention schedule in place.
Managing Costs and Risks
While the basic cost to manage a terabyte of information
may be about $5,000, if that terabyte is retained
unnecessarily and becomes the subject of discovery
(and collection, processing, analysis, and review), that
unneeded data may cost the organization an extra
$15,000; i.e. $20,000 per TB.
Jake Frazier & Anthony Diana, 'Hoarders': The Corporate Data Edition, LAW TECH.NEWS (Dec.
19, 2012).
Data Breach Costs
Data breach laws in the US and Europe are increasing
fines and liability for failure to protect private
information maintained on individuals, which increases
the risk of maintaining information that has outlived its
usefulness.
For example, EU fines can be as much as 4% of global
sales or 20 million euros.
BENCHMARK REPORT: Demographics
1000 respondents from around the world in 12 industries and federal and local government
70% ARMA Members
85% North America
15% Europe, Asia, Africa, Latin America, Mid East
BENCHMARK REPORT FINDINGS:
Transforming Info Management
KEY THEMES
1. Organizations recognize IG as a business priority yet still struggle to overcome institutional and cultural barriers.
2. Automation of critical lifecycle and governance activities is elusive.
3. Lack of training and compliance monitoring continue to inhibit RIM and IG program maturity.
BENCHMARK REPORT FINDINGS
2013 | 2014
2016 | 2017
WHAT THIS MEANS
No forward progress in RIM and IG program maturity
How Do I Get There?
Implementing a Defensible Disposition Program
Remember this slide?
Bare Minimum Path to Defensible Disposition
• Current Retention Schedule
• Preservation Confidence
• Secure Destruction
• Reliable Reporting
INSIGHTS: Records Retention Schedules
Respondents continue to seek improvements:
Opportunity to Improve
• Fewer categories
• Fewer event-based periods
• Uniformity across business
• More up-to-date
• Global standard
[Chart: 2013 | 2014 vs. 2016 | 2017. Values as extracted: 63%, 59%; 67%, 65%; 69%, 71%; 55%, 60%; 44%, 32%]
20% of respondents say they need no improvement, while in 2013 | 2014 that number was 41%
SIDE EFFECTS MAY INCLUDE:
• Inconsistent retention rules for like records
• Difficult to apply to electronic records
• Not reacting quickly enough to changes in laws and regs
• Employee misapplication of rules to records
• Inaction based on not knowing when a trigger occurs
Prescription For Change
• Take a closer look at how you can collapse classes into larger buckets for ease of use by employees and technology
• Use automated tools to classify records on creation or through a workflow
35% STILL FIND IT HARD TO MAP RECORDS TO SCHEDULE (Same as in 2013|2014)
CHECK OUT EVENT-BASED RETENTION GUIDE
Practical advice for reducing amount, capturing triggers and more
IRON MOUNTAIN’S POLICY CENTER
• Notification of changes to the Schedule as rules and regs change
• Global research
• Cloud-based for easy access across the enterprise
Path to Defensible Disposition
Current Retention Schedule | Preservation Confidence | Secure Destruction | Reliable Reporting
• Update/refresh retention schedule every 12-18 months
• Be aware of and enforce privacy obligations
• Make sure everyone is working from the same version of the truth
• Train all employees at least annually on retention/privacy obligations
• Enforce record code application through process and system controls, such as:
  • Require that all electronic systems include ILM capabilities, including record code classification (automate disposal)
  • Require authorized record code application when creating orders to send boxes to storage (NO commingling!)
  • Require standardization of onsite storage procedures, to include indexing and lifecycle management
  • Update business processes to include record code classification and other lifecycle-related metadata, such as:
    • Record Code
    • Retention Start Date (Event Date, Create Date, Receipt Date, etc.)/Destruction Eligibility Date
    • Unique Identifier, Departmental Identifier, System Identifier, etc.
Other best practices?
Path to Defensible Disposition
Current Retention Schedule | Preservation Confidence | Secure Destruction | Reliable Reporting
• Central tracking/maintenance mechanism for preservation management
• Ensure that preservation data is current and trustworthy, with unique hold codes and specific, actionable, metadata-level parameters (custodian, record class, application/system level, etc.)
• Train all employees at least annually on preservation obligations
• Enforce preservation/hold code application through process and system controls, such as:
  • Require that all electronic systems have unique identifiers/content descriptions so that holds can be placed at system level and implement controls to prohibit destruction eligibility when under preservation
  • Apply hold codes to boxes in offsite storage, with rules that boxes with hold codes are not destruction eligible
  • Update business processes/systems to contemplate preservation requirements and implement controls to prohibit destruction eligibility when under preservation
• Get rid of copies/duplicative information where Rule of Best Evidence does not apply
Other best practices?
Path to Defensible Disposition
Current Retention Schedule | Preservation Confidence | Secure Destruction | Reliable Reporting
• Are you confident that retention has been satisfied and no preservations apply? If yes, then:
• Electronic Deletion:
  • Full deletion of all content + upstream/downstream data without possibility of reconstitution
  • Disposition Summary vs keeping full metadata log of what was destroyed
• Offsite Storage Destruction (for all media):
  • Review Destruction Eligibility Reports produced by vendor
  • No destruction without authorization from customer central point of contact
  • Vendor destruction chain of custody/destruction practice confidence
  • Certificates of Destruction
• Onsite Physical Records Destruction:
  • Secured containers for disposal, emptied securely and routinely. Who has the key?
  • Clean Desk Policy
Other best practices?
Path to Defensible Disposition
Current Retention Schedule | Preservation Confidence | Secure Destruction | Reliable Reporting
• How current is your retention schedule? When was it last updated? What changed and when?
• What is on hold? When was the hold established? Who established it? What are the parameters?
• What was on hold? When was the hold released? Who released it? What were the parameters?
• What was destroyed? (Summary/batch info may be sufficient)
• When was it destroyed?
• Who authorized destruction?
• When were your employees trained on retention policy? Who completed the training?
• Can you demonstrate conformance to Right to Erasure data handling (and other GDPR/Privacy requirements) at the individual level?
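The controls on the preceding slides (lifecycle metadata, holds that block destruction eligibility, authorized destruction, and a disposition summary for reporting) can be sketched as follows. This is an added example, not part of the original presentation; the record codes, retention periods, hold codes and function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed retention schedule: record code -> retention period in years.
RETENTION_YEARS = {"FIN-100": 7, "HR-200": 3}

@dataclass
class Record:
    unique_id: str
    record_code: str
    retention_start: date                 # event, create or receipt date
    hold_codes: set = field(default_factory=set)

def eligibility_date(rec):
    """Destruction eligibility date = retention start + scheduled period."""
    years = RETENTION_YEARS[rec.record_code]
    start = rec.retention_start
    try:
        return start.replace(year=start.year + years)
    except ValueError:                    # 29 Feb start, non-leap target year
        return start.replace(year=start.year + years, month=3, day=1)

def evaluate(rec, active_holds, today):
    """Return (eligible, reason). Any active hold blocks destruction."""
    if rec.record_code not in RETENTION_YEARS:
        return False, "no record code on schedule"
    blocking = rec.hold_codes & active_holds   # released holds no longer block
    if blocking:
        return False, "on hold: " + ",".join(sorted(blocking))
    due = eligibility_date(rec)
    if today < due:
        return False, f"retention runs until {due.isoformat()}"
    return True, "retention satisfied, no holds"

def dispose(records, active_holds, today, authorized_by, destroy):
    """Destroy eligible records only with a named authorizer; return a summary."""
    if not authorized_by:
        raise PermissionError("destruction requires authorization")
    summary = {"authorized_by": authorized_by, "run_date": today.isoformat(),
               "destroyed": [], "skipped": []}
    for rec in records:
        ok, reason = evaluate(rec, active_holds, today)
        if ok:
            destroy(rec)                  # caller-supplied deletion routine
            summary["destroyed"].append((rec.unique_id, rec.record_code))
        else:
            summary["skipped"].append((rec.unique_id, reason))
    return summary

def demo():
    """Run the check over four constructed records; HOLD-3 has been released."""
    records = [
        Record("BOX-001", "FIN-100", date(2010, 3, 31)),
        Record("BOX-002", "FIN-100", date(2010, 3, 31), {"HOLD-7"}),
        Record("BOX-003", "HR-200", date(2016, 2, 29)),
        Record("BOX-004", "HR-200", date(2012, 1, 15), {"HOLD-3"}),
    ]
    destroyed = []
    report = dispose(records, {"HOLD-7"}, date(2018, 6, 1),
                     "rim-central-contact", destroyed.append)
    return report, destroyed

if __name__ == "__main__":
    print(demo()[0])
```

The returned summary answers the reporting questions above at batch level: what was destroyed, when, who authorized it, and why each remaining record was skipped.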
Let’s talk about Privacy and the GDPR…
GDPR Applicability
General Data Protection Regulation
• Does my company offer goods or services to Individuals?
• Does my company monitor the behavior of Individuals?
• Does my company have employees in the EU?
Answering these three questions can help determine whether your
company is impacted by the GDPR.
If the answer is “yes” to any of these questions, the GDPR may apply to
your company.
Source: Essential Guide to the GDPR, TRUSTe
Major Provisions of the
EU General Data Protection Regulation
• Scope: EU law would apply to EU citizens’ personal data, even if the
data is collected, stored, processed, etc. outside of the EU.
• Definitions and conditions to consent: Data subjects would have to
give explicit, fully informed consent to anyone processing personal
data.
• Profiling: Restrictions on profiling would mandate a highly visible right
to object.
• Right to compensation: EU citizens would have the right to seek
compensation for monetary and nonmonetary damages from any data
processing considered unlawful by the EU.
• Sanctions: Fines for noncompliance could reach 20 million euros or
4% of total worldwide annual turnover of the preceding year (whichever
is higher).
Schoch, Teresa Pritchard. “EU Privacy Regulations’ Impact on Information Governance.” Information Management, January/February 2016.
Major Provisions of the
EU General Data Protection Regulation, cont’d.
• Permission: An organization must obtain permission from an EU DPA and
inform the affected person before complying with a non-EU country
government’s request to disclose personal data processed.
• Breach notification: The notice of breach requirement is set at within 24
hours of breach.
• PII definition: Personally identifiable information (PII) includes personal
information as any information that if combined with another available piece
of information would allow the identification of an individual. Information does
not need to be assimilated to be considered PII.
• “Sensitive data” definition: The EU definition of “sensitive data” relating to
background such as religion, national origin, medical history, sexual
orientation, etc. is more specific than before. Holding this type of information
will require more stringent security, since the impact of dissemination is
considered more egregious.
Schoch, Teresa Pritchard. “EU Privacy Regulations’ Impact on Information Governance.” Information Management, January/February 2016.
Impacts of Data Breaches
Nonexistent Information Cannot Be Breached
• Lawsuits
• Negative publicity
• Fines and penalties
• Damage to “brand equity”
• Loss of customer loyalty
• Damage to company reputation
• Loss of revenue
• Increased operations costs
• Erosion of share price
• Loss of intellectual property
They can’t hack what you don’t have.
Get rid of what you legally can to protect yourself from data breaches.
Schoch, Teresa Pritchard. “EU Privacy Regulations’ Impact on Information Governance.” Information Management, January/February 2016.
GDPR High Risk Data
Remember also that it is not enough to conform to data handling
requirements under the GDPR – your company also must be able to
demonstrate that it conforms.
Source: Essential Guide to the GDPR, TRUSTe
GDPR Obligations
• Maintain the data subject’s consent for collection and use
• Protect the data from unauthorized access
• Retain the data for the appropriate length of time and dispose of it subject to
the EU’s limitations on the length of time it can be kept
• House it in a manner that would allow immediate access to it and action to
meet the EU’s quick data breach notification requirements
Schoch, Teresa Pritchard. “EU Privacy Regulations’ Impact on Information Governance.” Information Management, January/February 2016.
INSIGHTS: Barriers to Disposition
Percent of respondents, 2013 | 2014 vs. 2016 | 2017:
• “Keep everything culture” is an impediment to efficient RIM/IG: 81% | 78%
• Can’t let go of information, even if eligible: 64% | 64%
• Cannot obtain approvals for destruction: 37% | 40%
SIDE EFFECTS MAY INCLUDE:
• Unnecessary exposure to breaches
• Increasing storage costs
• Ineffective data analytics
• Time consuming searches
• Over-production for litigation
INSIGHTS: Automation Deficit to Assist with Disposition
2013 | 2014: 75%
2016 | 2017: 78%
Lack of automation processes remains the greatest barrier to timely
and consistent disposition for paper and electronic records
Scoring Your Disposition Program
CONTROL: Secure Destruction of Eligible Records
DESCRIPTION: Records eligible for destruction are securely disposed of in accordance with RIM Policy and Information Security protocols.
SUPPORTING INFO:
• Roles and responsibilities of the secure disposition process are clearly defined and communicated in policy and procedure.
• Electronic data or physical record secure destruction standards are upheld consistently and audited.
RATING:
1. All eligible records are disposed of routinely and securely. The process is documented and regularly audited.
2. Eligible records are disposed of securely, but the process is not audited or discrepancies have been found in the process.
3. Some, but not all, eligible records are securely destroyed or there is no confirmation in writing of the secure destruction.
4. Records are not disposed of in a secure manner.
Establish a consistent rating scale for all controls
[Slide graphic: the Secure Destruction of Eligible Records control from the previous slide (control, description, supporting info and ratings 1 to 4), shown against a scale labelled HIGH and LOW.]
Prescription For Change
INSTITUTE A DEFENSIBLE DISPOSITION FRAMEWORK
• Institutionalize a consistent protocol for all to use
• Govern the program through ongoing monitoring and testing
• Identify and address weaknesses in RIM/IG processes
• Provide evidence of compliance to authorities
Creating Retention Schedules
Records Schedules are Complex
The amount of time an electronic record should be maintained by an
organization depends on many factors:
• The record classification,
• The record content (e.g., does it contain private information),
• Business needs,
• Legal holds (is the information related to subject matter relevant to an
identified litigation matter?),
• Legal requirements imposed by local, state, federal, or global law and
regulations.
Developing a Retention Policy
Records retention policies are, in part, subjective and are
filtered through legal risk appetite factoring in:
Costs of over/under retention;
Risks of over/under retention;
Potential conflicts among legal obligations to
purge/retain; and,
Impact of statutes of limitation which may extend
beyond retention periods.
Analyzing Conflicting Obligations in the
Application of Schedules
Conflicts often arise when operations span different jurisdictions.
• When resolving conflicts, the key objective should be good-faith
compliance with all laws and obligations.
• When this is not possible, the organization should thoroughly
document its efforts to reconcile the conflict and its resulting
decision-making process.
When applying retention schedules, privacy, data protection,
security, records and information management, risk management,
and sound business practices should all be considered.
The Sedona Conference Commentary on Information Governance, Sedona Conference Journal, 15 Sedona Conf. J. 125, Fall 2014
Creating Legal Records Schedules:
Costly Endeavour
“Determining the retention schedule for a given
organization through traditional methods of legal research is
a labor intensive and expensive effort. In the case of a
global enterprise…doing business in 130 countries could
easily exceed one million dollars.”
Dagan, Charles R., It’s a Duty and It’s Smart Business, 19 Rich.J.L. and Tech. 12 (2013), at 14.
Costly Schedule Creation
(An organization)…could easily spend $10,000 per state
jurisdiction.*
Best practice requires that schedules be updated annually
or every eighteen months.
Dagan, Charles R., It’s a Duty and It’s Smart Business, 19 Rich.J.L. and Tech. 12 (2013), at 14. fn44.
Affordable Retention Policy from the Most
Trusted Name in Records Management
COMMON BUSINESS CHALLENGES
• Keeping records longer than required for legal, regulatory, or business reasons
• Limited resources to build, curate, and update a legally defensible, global retention schedule
• Inconsistent regulatory citation and change tracking that impacts legal defensibility
• Manual placement of the rules and regulations across your content infrastructure
A retention schedule dictates how long records must be
retained before they may be deleted or destroyed.
POLICY CENTER STANDARD EDITION
A prebuilt legally defensible retention schedule management platform,
backed by the same high quality legal research used by the world’s largest
companies.
Why does a prebuilt retention schedule matter to you?
• Annual updates provided by Iron Mountain
• A simple browser-based editor
• Faster implementation of policy
• Lower start up cost
• Easy way to share your policy within your organization
Maintaining a retention schedule through traditional
methods of legal research is a labor-intensive and
expensive effort.
With Policy Center Standard Edition you can now…
• Grow beyond manual, time-intensive processes to research, update, and communicate changes to retention policies
• Keep your retention guidelines current and compliant for all types of information
• Personalize your records classes and modify your retention rules
• Subscribe to this prebuilt retention schedule without a large, upfront fee
Policy Center Solution Suite
Editions: ESSENTIAL EDITION | STANDARD EDITION | PROFESSIONAL EDITION | ENTERPRISE EDITION
Custom Views: 1 | 1 | Up to 5 | Unlimited
Country Coverage: US or Canada | US, Canada, or UK | Up to 10 | Global
Retention Schedule/Rule Updates: Annual | Annual | Ongoing | Ongoing
[Remaining comparison rows and cell values, in extracted order: Pre-Built Retention Schedule: ✓, ✓, Customizable, Customizable; General Business Functions Retention Schedule: ✓, ✓, ✓, ✓, Singular, Multiple, Multiple, Read Only, Partially Editable; Industry Specific Retention Schedule]
Q&A
©2017 Iron Mountain Incorporated. All rights reserved. Iron Mountain and
the design of the mountain are registered trademarks of Iron Mountain
Incorporated in the U.S. and other countries. All other trademarks and
registered trademarks are the property of their respective owners.