Developing Defensible Deletion Strategies...– what is it and why do we need it? • Setting the...
Transcript of Developing Defensible Deletion Strategies...– what is it and why do we need it? • Setting the...
© 2019 HBR Consulting LLC. All rights reserved.
Developing Defensible Deletion StrategiesReggie Pool, JDCIPT/CIPMSenior DirectorHBR ConsultingMay 15, 2019
| 2
Session Topics• Defining defensible deletion – what is it and why do we need it?• Setting the foundation- establishing retention policies and
schedules, managing legal holds• Classifying content - understanding content, data analytics /
artificial intelligence• Identifying technology solutions - inside-out: leveraging what you
have)• Developing the roadmap - prioritized strategies and implementation
plan• Measuring success - KPIs, evergreen processes, audit and
monitoring
Defining Defensible Deletionwhat is it and why do we need it?
| 4
What is defensible data deletion?• Keeping records/data needed for business, legal and regulatory
compliance and legal holds• Systematically and defensibly eliminating records and data that are
no longer needed for any of those purposes• A matter of semantics
- Deletion vs. Retention/Remediation vs. Information Governance- Cleaning out the ROT (Redundant, Obsolete and Trivial records / data)
| 5
Today’s Problems / Risks• Relentless Growth of Data
- Soaring costs of storage and IT resources- Unnecessary e-discovery costs
• Over-collection and production- Greater likelihood of sensitive data breach- Inability to find and retrieve needed information
• Fines, sanctions, penalties• Lost business opportunities• Inefficiencies and frustration
- Data duplication and redundancy• No “single source of the truth”
Who Cares?
Record Retention Schedules & PoliciesContent
MgmtInformationLifecycle
Mgmt
RIM
Legal Holds
Discovery ResponseIdentification Collection & PreservationRegulatory Requests
Legal
Privacy Policies
Risk Impact Assessment
Mgmt of Sensitive
DataData Maps
Breach Response
Privacy
Regulatory and
Industry Specific
(Sox, FCPA, etc.)
Enterprise Risk MgmtAudits and Controls
Compliance
Enterprise / Cyber
SecurityData
ClassificationAccess
ControlsBreach
Detection
IT
© 2017 HBR CONSULTING LLC. All rights reserved.
| 7
Disposition is a normal part of the information lifecycle
Create / Receive
Organize &
Manage
Use & Share
Store & Protect
Dispose
| 8
Why you need a defensible deletion processLitigation Liability – Seemingly innocent
comments, jokes, or candid opinions expressed by non-legal personnel can be taken out of context or look unlawful in hindsight, with significant consequences in later litigation
E-Discovery Costs – When accounting for e-discovery costs across all legal matters, the cost exposure for over-retention of email can exceed tens of millions of dollars
Data Breach – Over-retention increases potential harm of unauthorized access or disclosure (i.e., the more you have, the more they can get)
Government Audit and Enforcement – FINRA and SEC imposed fines for failure to effectively manage customer personal information as part of larger investigation
AND…?
| 9
Change in deletion risk: Amended FRCP• New FRCP Amendments protect against inadvertent deletion of legal
hold electronic data and deletion of electronic data as part of an overall deletion program (Fed. R. Civ. P. 26(b)1, 37(e)
• New FRCP support proportionality in preservation (Fed. R. Ci. P. 37€Advisory Committee Notes)
• New FRCP amendments do not protect against the failure to identify and produce responsive data
- Many cases where sever sanction cases were imposed by the court, such as Qualcomm, involved the failure to identify and produce data, not the failure to preserve data
• More risk in not being able to locate responsive data than in deleting data as part of a program
| 10
End the culture of keep: Project vs. Process
Defensible Deletion Project
• On-off Data Sources• Individual, isolated
inquiries• Short-term gain/short-
term investment• Band-aid approach• Facilitates the status
quo
Defensible Deletion Process
• System/Company-wide• Systematic, repeatable
process• Long-term gain/long-
term investment• Organizational health• Requires cultural
change
Setting the Foundationestablishing retention policies and schedules managing legal holds
| 12
Retention policies and procedures
• Goals- Business needs- Legal/regulatory/tax compliance- Litigation defense- DATA PRIVACY
• Practicalities- Employees largely ignore record retention policies- Compliance with record retention policies historically very week
• Who actually uses record retention policies?
Communication from the top - senior management must send messages that this is important
| 13
Employee communication and training• Train employees on records management
- Records Management• What is a record?• Where should specific records be stored (data placement strategies)?
- Information Security and Classification- Legal holds
Can you reasonably rely on employee compliances for data deletion decisions?
| 14
Foundation of data deletion: Defensible Processes• Managing risk associated with the data, including records, should
reflect the risk-based decision of the enterprise• Key to a Defensible Process is the creation of documentation of the
decisions made, and the steps taken, to manage the critical risk• A Defensible Process is an important safeguard against inquiries
from regulators or adverse parties (litigants, buyers, etc.)- A Defensible Process is easier to defend and explain than the actual results- Even with a strong process, errors can and will be made in implementation - The goal is not perfect outcomes (all records retained with no over- or under-
retention) but the following of a reasonable and defensible process
• Comprehensive and accurate foundational components of the program create an environment for the operationalization of the Defensible Process (not ad hoc decision making)
Classifying Content understanding content, file analytics / artificial intelligence
| 16
What is File Analysis?• Two Primary Levels of Analysis
- File System Metadata• Includes information about individual files• Examples include contextual metadata about associated servers, volumes,
shares, folders, and identity related information such as company / department / group / user permissions and ownership; as well as file specific metadata such as file owner, last author, author, file extension / item type, and create, last modified, and last accessed dates
- File Content• Includes information within individual files• Represents a much more granular level of detail, and subsequently a larger
data footprint and supporting set of infrastructure requirements
© 2017 HBR CONSULTING LLC. All rights reserved.
| 17
What is File Analysis?• FA has evolved from a more distinct set of tools allowing for basic
scanning, data collection, and analysis into more robust technology and platform offerings
• Actionable intelligence gleaned from detailed metadata and contextual analysis allow users to better manage and govern unstructured repositories, including:
- Email- File Shares- ERM / EDM / ECM Systems- SharePoint- File sync and share sites such as Box.net or Dropbox- Data Archives- Business Intelligence (BI) / Data Warehouse Environments
© 2017 HBR CONSULTING LLC. All rights reserved.
| 18
The File Analysis Marketplace• The FA Marketplace is still emerging and evolving, including more
specialized niche oriented vendors, as well as established vendors offering a variety of technologies from areas such as:
- eDiscovery- Information Security / Privacy / Data Loss Prevention (DLP)- RIM / IG / EDM / ECM- Data Archiving / Storage / Disaster Recovery (DR)- Identity and Access Management (IAM)- Business Intelligence (BI) / Decision Analysis- Big Data Analytics
• Key Source: Gartner’s Market Guide for File Analysis- First Published in September 2014- Latest (201) version: https://www.gartner.com/doc/3446718/market-guide-file-
analysis-software
| 19
Representative VendorsPrimary Use Cases Supported by 2018 List Vendors
Source: Gartner: Market Guide for File Analysis Software (2018)
Gartner’s Note: Though most vendors support some elements of each use case, vendors are listed in the above diagram according to the major use case supported and what customers acquire the solution for.
Developing the roadmapprioritized strategies and implementation plan
| 21
Roadmap
Identify Data
Sources
Apply Retention Schedule
Develop Clear
Guidelines and
Standards
Document the
Decision Making Process
| 22
1. Identify and prioritize eligible data sources• Identify data sources eligible for deletion process
• Prioritize data sources (low v. medium v. high hanging fruit)- Consider level of business line/function- Consider starting with records prior to a certain cut-off data (e.g. more than 10 years
old)- Identify higher risk (archival, environmental, real estate, legal, pension) v. lower risk
(sales, routine operations) records- Identify highest risk value/risk litigation holds- Identify records with more detailed/reliable indexes and word searchable v. those that
are poorly indexed/no searchable
• Off Site Hard Copy Boxes• Backups/Disaster Recovery• Legacy Systems• Orphan Data
• Email Archives / PSTs• Applications/Systems• Old Litigation Collections• File Servers• Other?
| 23
2. Apply the retention schedule• How should you apply record types? Can you rely on employees or
should you look at technology?• How do you define retention periods?
- Business use- Legal/regulatory requirements- Statue of limitations- Legal/regulatory need to delete (no longer than…?)
• How do you apply retention triggers (date based vs. event based)?- Account closure, transaction, create date, termination?- Maintaining integrity of records?- Can the application effectively apply retention periods?- Can employees effectively apply retention periods?- Do third-parties have rules in place to apply retention to your content?
| 24
3. Develop Clear Guidelines /Standards• Based on the data sources eligible for deletion process, evaluate risks
and determine standards to be met for reliance on indexes, automated searching, review sampling an statistical analysis (if any)
• Not the same risk/process for every data source- Depending on the business line, certain data sources may be lower risk than others- Boxes may have indices that can be leveraged; file servers may have folder structures
that may be leveraged- Data purging in boxes is unlikely to be necessary/feasible; data purging from systems
or file servers may be necessary- Legacy systems may not be accessible for data analysis/review
• Evaluate when/where sampling may be appropriate and consider whether to retain a statistician to assist with the analysis
• Document the procedures/assumptions for each data source/type to enable consistent, repeatable application
| 25
4. Document the decision-making process• Defensible Deletion includes being able to trace the data back
through your process from the end state, i.e., where is the data today and how did the data end up in its final resting place
• Keep written records to support the identification and disposal process
• Document approvals from RIM, Legal, IT or other key stakeholders –everyone has skin in the game
• Document disposal – proof that data no longer exists
An Audit Trail for disposal decisions is proof of following the organization policy/procedure and reasoned decision making.
Measuring successKPIs, evergreen processes, audit and monitoring
| 27
Develop key metrics• Start by conducting measurements
- Where are records stored (data mapping)?- What manual or technology solutions are in place to manage them?- How many records have been identified as ROT that can be removed (what is the
percentage against the whole)?- What percentage of records are actually retained for their mandated retention
period?- How many records are searchable and accessible?- What percentage of records have been classified?- What percentage or records contain sensitive/personal information?- What percentage of records are being deleted after expiration?
| 28
Invest the time and effort to track progress• Measure total data volumes across all media types
- Total number of repositories- Total quantity of data- What percentage is indexed- What percentage has been classified
• Create deletion objectives and measurements across all types of media, including email, files backup tapes, physical records, etc.
- Data Points and Metrics• Yearly cost to maintain business records• %age of physical record boxes with complete metadata• % of known electronic content crawled by indexing tool
- Results and Goals (KPIs)• % departments where DD is completed per annum• % reduction in electronic content / physical record boxes• % reduction in duplicates
| 29
IG Metrics – ARMA SF
http://armagg.org/images/downloads/2017_Presentations/kpmg_pge_sf_arma_presentation_on_ig_metrics___nov_15_2017_rajan_and_hert....pdf
| 30
Continuous measurement• As with all programs, continuous improvement should be the goal so
continuous measurement in terms of risk and cost reduction and capacity improvement is important.
• Once established the Defensible Disposition program should be regularly audited to identify process failures and highlight areas for improvement.
Summary
| 32
Defensible data deletion process summary1. Educate and execute on records and information procedures2. Identify and prioritize locations/sources of records for potential
disposal3. Develop clear procedures/guidelines for disposal decision-making4. Identify records in eligible locations/sources that must be kept for
business/regulatory compliance and match retention requirements/categories
5. Identify data in those sources that must be kept or legal holds or other unique retention obligations (e.g. contracts, tax)
6. Safely dispose of obsolete document/data/systems7. Document process, including decision-making/authorizations
| 33
Foundational ElementsRIM FOUNDATION
Information, policies & procedures essential to
operationalizing disposal and retention decisions (Baseline
State)
Rim Policies & Procedures
Records Retention Schedule
RIM Inventories
Legal Holds
Other Retention Considerations
Employee Training
DISPOSITON PROCESSES
Documented process, approvals, and decisions for retaining or disposing of data
(Who/What/Where/How)
Employee Data
Structured Data
Unstructured Data
Physical Records
END STATEDocumentation to explain
record retention/disposal as needed, and locate and retrieve records up on request (Future
State)
Disposed Documents/Data
Legal Hold
Hard CopiesOffsite/Onsite Storage
Active Structured Databases
Active Unstructured Data Repositories
| 34
Discussion