DEFENSIBLY DOWNSIZING YOUR DATA:
WHERE TO START WITH RECORDS
RETENTION AND DEFENSIBLE DELETION
August 12 & 13, 2015
Robert Fowler
Jordan Lawrence
CIPP/US
Director of Professional Services
Sean Rahilly
Chief Compliance Officer
Senior Legal Counsel
Enova International
8-12-15
Therese King Nohos
DeVry Education Group
8-13-15
Partner, Chair eDiscovery, Data & Document Management Practice Group
Ann Grayson
Barnes & Thornburg LLP
CONFIDENTIAL © 2015 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is confidential, proprietary and the property of Barnes & Thornburg LLP, which may not be disseminated or disclosed to any person or
entity other than the intended recipient(s), and may not be reproduced, in any form, without the express written consent of the author or presenter. The information on this page is intended for informational purposes only and shall not be
construed as legal advice or a legal opinion of Barnes & Thornburg LLP.
BIGGEST ISSUES FACING IN-HOUSE COUNSEL
WHY IS INFORMATION GOVERNANCE IMPORTANT?
• Data Breach
• Costs
– Litigation Costs
– Data Volume
• Technology
• Officer/Director Exposure
• Business Performance Improvements
• Compliance with State and Federal Regulations
• Risk Mitigation
– Preservation – In re Actos; In re Pradaxa; In re Ethicon
– Litigation/Investigation
Sony Hack Exposed Personal Data of Hollywood Stars
Breach Includes Social Security Numbers for 47,000 Employees and Actors, Including Sylvester Stallone, Judd Apatow and Rebel Wilson
The hack at Sony Pictures Entertainment revealed far more personal information than previously believed, including the Social Security numbers of more than 47,000 current and former employees along with Hollywood celebrities like Sylvester Stallone.
An analysis of 33,000 Sony documents by data-security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.
LITIGATION COSTS
UNCONTROLLED DATA GROWTH
• Data doubles every 18-24 months
• Proliferation of text and IM use
• Record duplication within organization
• Storage Costs
• Discovery costs repeated with each new case/investigation
TECHNOLOGY
REAL WORLD EXAMPLES
HOW TO ADDRESS THESE CONCERNS?
ENTER INFORMATION GOVERNANCE!
• Information governance (IG) is “an organization’s coordinated inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.”1
1 See THE SEDONA CONFERENCE, THE SEDONA CONFERENCE COMMENTARY ON INFORMATION GOVERNANCE 5 (Conor R. Crowley ed., 2013).
INFORMAL IG DEFINITION
• Policies and Protocols that help you get and keep your company’s house in order
– May Include:
• Data Map
• Document Retention/Legal Hold/Defensible Destruction
• Mobile Device Policy
• Social Media/Acceptable Use
• Data Security/Data Privacy
• Policy Enforcement
• Regular Check-Ups
DEFENSIBLE DOWNSIZING
• It’s a key part of an overall Information Governance Program
• Why should it be on your radar?
Where Do We Start?
ABC Company’s Retention Schedule
THE CORNERSTONE
Records Inventory: PROCESSES, WHAT, WHERE, RETENTION, SENSITIVITY
WHAT DO YOU HAVE?
• Accident/Incident Records
• Advertising Records
• Benefit Records
• Budget Records
• Contracts & Agreements
• Coupon Records
• Credit Approvals
• Customer Information
• Customer Orders
• Employee Medical Files
• Gift Card Functions
• Payment Records
• Sales Receipts
WHERE IS IT?
WHAT ARE THE REQUIREMENTS?
BUSINESS NEEDS
REQUIREMENTS
• DOL
• FSMA
• GLB
• HIPAA
• OSHA
• PCI
• SEC
• State Privacy Laws
SENSITIVITY
• Corporate Sensitive
• PII
• Customer Data
• Intellectual Property
• Bio Metric
• Patient Health Info.
• Personal Financial
• Sensitive EU
ACTIONABLE RETENTION SCHEDULE
DISABILITY RECORDS | 6 YEARS
DELETION STRATEGY FOR EMAIL
INBOX = 180 DAYS
SENT ITEMS = 180 DAYS
DELETED ITEMS = 2 DAYS
NON-ESSENTIAL COMMUNICATION
18 MONTH RETENTION (ALL DEPARTMENTS)
BUSINESS NEED COMMUNICATIONS
DEPARTMENTAL EXCEPTIONS
6 YEAR RETENTION | HR
7 YEAR RETENTION | LEGAL
7 YEAR RETENTION | TAX
What Makes Deletion Defensible?
Show Your Work
Records Retention Policy
Require regular policy attestation
BUILD YOUR AUDIT TRAIL
Legal Holds
WHEN IS PRESERVATION REQUIRED?
• Whenever litigation is reasonably anticipated, threatened or pending against an organization, that organization has a duty to undertake reasonable and good faith actions to preserve relevant and discoverable information. This duty arises at the point in time when litigation is reasonably anticipated. - See Fujitsu Ltd. v. Federal Express Corp., 247 F.3d 423, 436 (2d Cir. 2001).
TRIGGER EXAMPLES
• Settlement demand enclosing proposed complaint - Salvatore v. Pingel, 2009 U.S. Dist. LEXIS 37905 (D.Col. 2009)
• Pre-filing communications between litigants - Goodman v. Praxair Servs., 632 F.Supp. 494 (D.Md. 2009)
• Demand Letter - Id.
• Series of cases in the industry - Adams & Assocs. v. Dell, Inc., et al., 621 F.Supp.2d 1173 (N.D. UT 2009)
WHAT MUST BE PRESERVED?
• Reasonably Accessible Electronically Stored Information - Email; Departmental Shared Drives; SharePoints; etc.
• Not Reasonably Accessible Electronically Stored Information - Committee Note: “Identification of electronically stored information as not reasonably accessible does not relieve the party of its duties to preserve … which depends on the circumstances of each case.”
• Bottom Line: Act reasonably and in good faith
HOW TO PRESERVE? THE HOLD NOTICE
To be effective, a hold must:
- Be in writing with clear instructions
- Encompass all company personnel who may possess potentially relevant information (including key IT personnel)
- Include “active” collection from “key players”
- Encompass all possible sources of potentially relevant information (may include archives, back up tapes, former employee data)
HOW TO PRESERVE? THE HOLD NOTICE
To be effective, a hold must:
- Require affirmative responses from all relevant personnel
- Be monitored
- Include procedures for periodic reissuance
- Be followed
- Be released
Zubulake IV, 220 F.R.D. 212 (S.D.N.Y. 2003).
CONCLUSION
Robert Fowler
Jordan Lawrence
636-821-2281
CIPP/US
Director of Professional Services
Sean Rahilly
Chief Compliance Officer
Senior Legal Counsel
Enova International
Therese King Nohos
DeVry Education Group
Partner, Chair eDiscovery, Data & Document Management Practice Group
Ann Grayson
Barnes & Thornburg LLP
317-231-7202