The Lost Art of Data Destruction: An overlooked key to records management and e-discovery

Posted on October 3, 2011


Although storing 250GB of data can cost less than $250, hiring an external firm to process and review this data for e-discovery can cost up to $1 million. The impact of these costs is particularly noticeable to in-house legal teams and support staff who are often at the front lines of any e-discovery activities occurring within their organizations. Advanced information access technologies are available to help minimize these costs, but many legal professionals do not yet have these tools in place, and those who do are still confronted with the primary challenge to effectively managing e-discovery costs: the continued addiction throughout organizations to keeping and storing too much electronic data.

To put this problem in perspective, think about how much data your organization currently stores. Then, project that amount through the revised definition of Moore’s Law, which predicts that computing and storage capacity will continue to double every 18 months – probably for the next two decades. Storage costs themselves are so low that constantly bumping up capacity can seem like the obvious, no-brainer solution to “managing” data. However, if situations arise in which particular information must be found and retrieved within repositories, storage-first solutions compromise organizations’ ability to control processing costs, work efficiently and minimize legal risk.

To neutralize e-discovery cost and risk issues, organizations must classify documents with a proper filing plan and implement data retention and destruction policies. Regulatory authorities have established clear guidelines (i.e. Federal Rules of Civil Procedure) about what data must be kept and for how long. Only in rare cases do all e-mails, for example, have to be stored. Often, no practical or legal requirements exist for retaining large chunks of organizational data, especially when one considers that data is often duplicated throughout an organization.

Unfortunately, many people are pack rats at their jobs, collecting and storing every e-mail they send and receive as if the entire company would crumble without a solid foundation of ever-growing data repositories on which to rest. But data retention isn’t synonymous with knowledge management, and knowledge management is what is supposed to be the goal of any kind of implicit or explicit data retention activity. For “data” to become “knowledge”, data must be structured and organized, and an understanding must be in place about the impact of that data.

Understanding the need for destruction

In order to implement and execute a filing plan for your organization, you must classify every type of document you have, establish retention rules for each type, and enforce these rules. All of which seems logical and straightforward. However, although most organizations have some type of document retention policies in place for physical documents, almost 95% of organizations do not apply records management policies to electronically stored information (ESI). Hence, a real need exists to apply the “art” of destruction, as well as of structure and transfer, to all ESI throughout an organization.

This process is easier than it seems. Granted, a big challenge with ESI records management systems is that users often don’t like them and don’t use them. E-mail archiving, for example, is often postponed “until tomorrow”, which then becomes the first day of the end of the records management initiative. The only solution in these situations, then, is to make archiving e-mails as easy as possible, which only works if there’s a (semi)-automated system in the e-mail environment (such as in MS Outlook). However, the effectiveness of this plan is only as good as the filing plan that supports it.

Developing a filing plan

Effective records management must follow a logical sequential order. Many organizations that buy an electronic records management system have no idea what document collections exist in their organization, especially in terms of essential archives that may only reside on someone’s personal hard disk. To compound the issue, opinions often differ about what collections should even exist in their organizations. Therefore, the first step is to define a list of essential archives. Start by looking at your organization’s departments and their recognized information flows.

Departments and their relevant archives could include, for example, Sales (contracts, customer contact files, quotes), Management (board minutes and notes, legal agreements, quality control), Finance (accounts payable, accounting, correspondence files with various external contacts), and on down the departmental lists.

After mapping out the departments and relevant archives, define the documents that must be retained in each archive (paper, electronic and e-mail), as well as who has the appropriate access rights, the location of the archive (physical or network based), the responsible officer, and the retention and destruction rules. Responsible officers carry out and enforce the collection, structure, access and retention rules for the documents in their designated archive. The basic filing plan is in place.

Rolling out a records management system

Next, the filing plan needs to be put into action, which can be done manually. Fully automatic RMA systems aren’t necessary as long as data has been clearly separated into archives and locations that allow for individual retention actions. For example, if all outgoing quotes from one year are stored in one directory, they can be deleted in one batch when their designated destruction date comes up.

Training and Enforcing your RMA Solution

Users need to be trained on how to file relevant e-mails, paper documents, faxes and other electronic files when they become employees. HRM and the direct manager are responsible for conducting this training.

Although responsible officers can delegate enforcement of this policy, they always retain final responsibility. In addition, IT people must be trained on how to discover PSTs on the network and restrict the usage of memory sticks and CDs/DVDs. Any copies made must be registered.

Make sure that an authorized officer (ideally, a board member) annually checks the responsible officers for execution of these procedures. RMA is useless without the proper training and enforcement to support it.

To sum up, filing plans are the drivers of effective electronic records management, and one of their critical components is their ability to instigate controlled, yet thorough, document destruction. To enhance user acceptance, consider starting with a manual system and then gradually automating relevant parts.

After a plan is in place, more advanced automatic filing systems, such as those with text analytics technology, can be used to automatically classify records into the filing system.
