Defensible Deletion: When Is It OK to Delete Data Under a Data Deletion Policy?

Twenty years ago, the average corporate General Counsel’s (GC) primary data strategy was to delete all data that was not absolutely necessary to meet regulatory compliance requirements or currently being used in litigation. Ten years ago, that data deletion strategy had completely reversed to where most GCs were hesitant to delete any data at all. I believe this 180-degree change was due to the 2006 amended Federal Rules of Civil Procedure (FRCP) publication. Specifically, Rule 37(e) of the 2005 FRCP stated:

If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to protect it, and it cannot be restored or replaced through additional discovery, the court has several remedies, including the issuance of an adverse inference instruction. The adverse inference instruction instructs the jury that they can presume that the evidence (data) is unfavorable to the party’s case. In many—though not all—lawsuits, an adverse inference instruction often results in a judgment favoring the opposing party.

In reality, the adverse inference instruction informs the jury that (usually) the defendant didn’t want you to see the evidence because it could be detrimental to their case, so they destroyed it.

What Changed in Data Deletion Policy in 2005?

Because of the 2005 version of 37(e), many GCs changed their minds. They became much more conservative on data deletion mainly because they didn’t want to take the chance of getting caught up in spoliation (destruction of evidence) allegations. There are numerous cases where companies did not anticipate future litigation correctly, and data was inadvertently destroyed, causing the issuance of fines and loss of the case.

When litigation hold responsibilities arise, certain preservation obligations may come into play. This can include suspending document retention schedules and retention policies. However, these obligations apply only to data that can reasonably be tied to the case.

In the famous Zubulake eDiscovery case, the court noted that to comply with legal hold obligations, a party is not required to preserve “every shred of paper, every email or electronic document, and every backup tape.”

More Amendment Changes in 2015

The FRCP was amended again in 2015, including Rule 37(e). The amended Rule 37(e) now includes a critical instruction that subtly changes the anticipation description to: only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation may the judge apply the most severe sanctions.

In practice, inadvertent deletion of potentially responsive information should not trigger harsher responses from a Judge (usually).

Even with this important FRCP update to Rule 37(e), many GCs have not changed their data deletion stance. I still run into corporate Compliance, Records, and Legal professionals who say their standard data retention/disposition instructions are still not to delete any data, ever.
In fact as part of a comprehensive data deletion policy, the legal best practice is to delete records when expired and general data as soon as the data no longer has value for the company.

The legal system and data deletion policies: what is required?

Unless your company has specific regulatory retention requirements or anticipates legal action, data retention is strictly up to the organization. There are no laws that instruct organizations to keep general (non-regulated) data for any period of time. In the past, I have seen some large organizations institute very compressed retention policies, including only two weeks on all email where the email is automatically deleted from the system unless the custodian or legal department has placed a legal hold on the email.

This very short retention policy is out of the ordinary and does contain some risk. A judge could interpret this policy as an attempt to remove smoking guns before they can be requested in eDiscovery.

For example, in the Apple vs. Samsung patent infringement case, Samsung’s lack of digital evidence preservation in part resulted in Apple being awarded over $1 billion because digital evidence that the judge considered material to Apple’s case was automatically deleted.
No matter the industry or business your company is in, it’s always a best practice, even though it’s not a legal requirement, for your company to create a data retention/disposition schedule,and enforce it.

Companies do this based on regulatory requirements, sound business practices, and legal risk mitigation reasons. In our ebook, learn how new data privacy and security rules are about much more than just privacy and security controls.

Without scheduled retention/disposition, data (and risk) piles up

The amount of data being created or sent or received has accelerated (the velocity of data) to the point where employees can no longer keep up. Because of this, they fall back on the 5-second rule; if it takes more than 5 seconds to decide what to do with a piece of information/file/email, the employee will either delete it immediately or keep it forever,and in my experience, the vast majority choose to keep it forever.

This is one reason very large companies spend millions of dollars every year to employ consultants to cull through terabytes of data to delete files that are no longer required or are required by law to be removed.

For example, the CCPA and GDPR privacy regulations require organizations to dispose of a data subject’s personal information when requested (right to be forgotten), or if the organization no longer needs for the data, i.e., the original reason the data was collected has been fulfilled or no longer exists, or does not have regulatory or legal requirements (litigation/eDiscovery) to keep.

This process is known as defensible disposition – the deletion of data in a legally defensible manner if there is no regulatory or legal reason to keep it. This description refers to documenting the policy, process, and actions when a defensible deletion is being executed. Data has value, but also risk. Read how to get rid of what you no longer need. 

When can you delete? Understanding data deletion policies

Organizational data typically have some amount of value to a company for a period of time. Some information value is very short-lived, while other data can retain its value to the company for much longer periods of time.

The secret sauce in information management is to know when data value becomes less than its potential risk to the organization. In fact, there is a direct connection between the age of data, the cost to keep it, and its risk to the organization (PII security, eDiscovery).

In a great example of the cost of maintaining data too long, Dupont conducted a study back in the late 90s looking at nine key eDiscovery cases. They found that:

• The total number of pages reviewed were 75,450,000
• The total number of pages that were found responsive to be 11,040,000
• The total percentage of expired (beyond the retention period) pages to be 50%
• The total cost of unnecessary eDiscovery review processing was $11,961,000 (1998 costs).

(These findings did not take into consideration the non-litigation costs of data over-retention, including increased costs of data storage and management, backups, inclusion in other litigation, and privacy/security risks)

This study is still relevant today in that it highlights the cost of over-preserved data in the eDiscovery process. Additionally, expired but still preserved data can complicate eDiscovery due to the basic fact that if data exists, even expired data is still discoverable and must be collected and reviewed if potentially responsive to the given case.

Why regular data deletion is a good thing (and legally defensible)

Creating and enforcing data retention/disposition schedules for non-regulated data is a great business practice in case a judge asks for the retention disposition policy when responding to opposing counsel’s inquiries. The key here is disposing of valueless information regularly. This ensures aging data does not stick around and impact storage and data management costs and cause eDiscovery issues in the future.

When is it legal to delete information? It is legal to delete data regularly if not under regulatory retention requirements or involved in current or anticipated future litigation. Data not meeting these two requirements should be defensibly disposed of when legally defensible.

Defensible deletion or disposal questions checklist

Before deleting any data, it’s essential to evaluate whether the action is legally and operationally sound. Use the questions below to assess if your data deletion or disposal plan meets defensibility standards and aligns with your organization’s compliance obligations.

1. Is there a current business need to keep the data in question?
2. Does the data to be disposed of have any regulatory compliance retention requirements that require you to keep the data?
3. Is any data subject to an anticipated or current legal hold?
4. Has your Chief Regulatory Officer, Chief Records Officer, or General Counsel approved your defensible deletion plan?
5. Does your organization have a published data retention/disposition schedule that supports your defensible deletion activities?
6. Can your retention/disposition system produce an accurate report on the data deletion for future chain of custody and regulatory reporting?
7. Do you regularly audit the retention/disposition system?

However, you should always get a written opinion from your corporate or outside counsel.

Take control with a defensible data deletion solution

The Archive360 Modern Archiving Platform removes the issues of vendor lock-in and migration throttling while providing state of the art information management and archiving by managing your data in your company’s data cloud subscription, which means you own the data as well as the cloud tenancy where it’s housed. With Archive360 you can store and manage your data in its native format, or in the PDF/A format meaning that if you want to move away from the  platform, you can, because the data is in your dedicated SaaS cloud tenancy in a format that you control.

For companies needing to archive disparate content for extended periods of time due to regulatory, legal, or business reasons, the combination of a standardized, industry file format and utilizing the Azure public cloud platform with Archive360 Platform as the information management application, will provide you the perfect long-term data storage solution. Contact us to learn more.