by John Burchfield
If you don’t have any information management policies in place, you may be wondering where to start. We encourage clients and friends to ask questions about their corporate data and how to best manage it. The question we get asked the most is this: where is my greatest vulnerability?
The answer is two-fold because vulnerability comes from two main areas: cost and risk. Let’s look at risk first.
When it comes to risk, BYOD policies (or the lack thereof) are the biggest culprit. The personal mobile devices that are used to access data within your corporation, how those devices are storing information, and who has access to what bring a lot of unknowns to your data environment.
From a cost perspective, the lack of a retention policy could be your greatest vulnerability. Though we focus on eDiscovery, many times we end up helping our clients develop policies about what data can and should be kept, as well as what should be deleted and when. When we collect data and move it through the eDiscovery process, we often find that clients have terabytes of data, which can lead to unnecessarily huge expenses in eDiscovery and attorney review costs. This kind of data overload can drive projects up to hundreds of thousands or even millions of dollars.
To combat this cost inflation, it’s critical to understand where your data is and to make sure you don’t keep data longer than you need to, while still maintaining regulatory compliance and addressing business intelligence needs. Just like with BYOD policies, if too much data is available or if you have data you didn’t know you had, you run the risk that a plaintiff will find something you were not expecting, or something you didn’t even know existed. This is why you need a retention policy.
If electronically stored information that is not subject to regulation or legal hold (including preservation associated with the anticipation of litigation) is deleted in the normal course of business as part of a fair, accurate and consistent retention policy, there is no penalty from the courts. If you don’t have the information requested, you simply don’t have the information… and you do not have an obligation to keep it. That said, if your retention policy isn’t being followed completely, it might look like you’re purposely deleting the information.
The key point with having and enforcing BYOD and retention policies is to know what data exists and where it is located. This is the first step to being prepared for any issues that come up in the future.