Developing Defensible Deletion Strategies
Reggie Pool, JD, CIPT/CIPM, Senior Director, HBR Consulting
May 15, 2019
© 2019 HBR Consulting LLC. All rights reserved.

Transcript of Developing Defensible Deletion Strategies

Page 1: Developing Defensible Deletion Strategies (title slide)
Reggie Pool, JD, CIPT/CIPM
Senior Director, HBR Consulting
May 15, 2019

Page 2: Session Topics

• Defining defensible deletion – what is it and why do we need it?
• Setting the foundation – establishing retention policies and schedules, managing legal holds
• Classifying content – understanding content, data analytics / artificial intelligence
• Identifying technology solutions – inside-out: leveraging what you have
• Developing the roadmap – prioritized strategies and implementation plan
• Measuring success – KPIs, evergreen processes, audit and monitoring

Page 3: Defining Defensible Deletion – what is it and why do we need it?

Page 4: What is defensible data deletion?

• Keeping records/data needed for business, legal and regulatory compliance and legal holds
• Systematically and defensibly eliminating records and data that are no longer needed for any of those purposes
• A matter of semantics
  - Deletion vs. Retention/Remediation vs. Information Governance
  - Cleaning out the ROT (Redundant, Obsolete and Trivial records / data)

Page 5: Today’s Problems / Risks

• Relentless growth of data
  - Soaring costs of storage and IT resources
  - Unnecessary e-discovery costs
• Over-collection and production
  - Greater likelihood of sensitive data breach
  - Inability to find and retrieve needed information
• Fines, sanctions, penalties
• Lost business opportunities
• Inefficiencies and frustration
  - Data duplication and redundancy
• No “single source of the truth”

Page 6: Who Cares?

Diagram of stakeholder groups and their concerns:

• RIM – Record Retention Schedules & Policies; Content Mgmt; Information Lifecycle Mgmt
• Legal – Legal Holds; Discovery Response; Identification, Collection & Preservation; Regulatory Requests
• Privacy – Privacy Policies; Risk Impact Assessment; Mgmt of Sensitive Data; Data Maps; Breach Response
• Compliance – Regulatory and Industry Specific (SOX, FCPA, etc.); Enterprise Risk Mgmt; Audits and Controls
• IT – Enterprise / Cyber Security; Data Classification; Access Controls; Breach Detection

Page 7: Disposition is a normal part of the information lifecycle

Lifecycle diagram: Create / Receive → Organize & Manage → Use & Share → Store & Protect → Dispose

Page 8: Why you need a defensible deletion process

Litigation Liability – Seemingly innocent comments, jokes, or candid opinions expressed by non-legal personnel can be taken out of context or look unlawful in hindsight, with significant consequences in later litigation.

E-Discovery Costs – When accounting for e-discovery costs across all legal matters, the cost exposure for over-retention of email can exceed tens of millions of dollars.

Data Breach – Over-retention increases the potential harm of unauthorized access or disclosure (i.e., the more you have, the more they can get).

Government Audit and Enforcement – FINRA and the SEC imposed fines for failure to effectively manage customer personal information as part of a larger investigation.

AND…?

Page 9: Change in deletion risk: Amended FRCP

• The new FRCP amendments protect against inadvertent deletion of legal hold electronic data and deletion of electronic data as part of an overall deletion program (Fed. R. Civ. P. 26(b)(1), 37(e))
• The new FRCP support proportionality in preservation (Fed. R. Civ. P. 37(e) Advisory Committee Notes)
• The new FRCP amendments do not protect against the failure to identify and produce responsive data
  - Many cases where severe sanctions were imposed by the court, such as Qualcomm, involved the failure to identify and produce data, not the failure to preserve data
• There is more risk in not being able to locate responsive data than in deleting data as part of a program

Page 10: End the culture of keep: Project vs. Process

Defensible Deletion Project
• One-off data sources
• Individual, isolated inquiries
• Short-term gain / short-term investment
• Band-aid approach
• Facilitates the status quo

Defensible Deletion Process
• System/company-wide
• Systematic, repeatable process
• Long-term gain / long-term investment
• Organizational health
• Requires cultural change

Page 11: Setting the Foundation – establishing retention policies and schedules, managing legal holds

Page 12: Retention policies and procedures

• Goals
  - Business needs
  - Legal/regulatory/tax compliance
  - Litigation defense
  - DATA PRIVACY
• Practicalities
  - Employees largely ignore record retention policies
  - Compliance with record retention policies has historically been very weak
• Who actually uses record retention policies?

Communication from the top – senior management must send the message that this is important.

Page 13: Employee communication and training

• Train employees on records management
  - Records Management
    • What is a record?
    • Where should specific records be stored (data placement strategies)?
  - Information Security and Classification
  - Legal holds

Can you reasonably rely on employee compliance for data deletion decisions?

Page 14: Foundation of data deletion: Defensible Processes

• Managing the risk associated with data, including records, should reflect the risk-based decisions of the enterprise
• Key to a Defensible Process is documenting the decisions made, and the steps taken, to manage the critical risk
• A Defensible Process is an important safeguard against inquiries from regulators or adverse parties (litigants, buyers, etc.)
  - A Defensible Process is easier to defend and explain than the actual results
  - Even with a strong process, errors can and will be made in implementation
  - The goal is not perfect outcomes (all records retained with no over- or under-retention) but the following of a reasonable and defensible process
• Comprehensive and accurate foundational components of the program create an environment for operationalizing the Defensible Process (not ad hoc decision making)

Page 15: Classifying Content – understanding content, file analytics / artificial intelligence

Page 16: What is File Analysis?

• Two primary levels of analysis
  - File System Metadata
    • Includes information about individual files
    • Examples include contextual metadata about associated servers, volumes, shares, folders, and identity-related information such as company / department / group / user permissions and ownership, as well as file-specific metadata such as file owner, last author, author, file extension / item type, and create, last modified, and last accessed dates
  - File Content
    • Includes information within individual files
    • Represents a much more granular level of detail, and consequently a larger data footprint and supporting set of infrastructure requirements

Page 17: What is File Analysis?

• FA has evolved from a more distinct set of tools allowing for basic scanning, data collection, and analysis into more robust technology and platform offerings
• Actionable intelligence gleaned from detailed metadata and contextual analysis allows users to better manage and govern unstructured repositories, including:
  - Email
  - File Shares
  - ERM / EDM / ECM Systems
  - SharePoint
  - File sync and share sites such as Box.net or Dropbox
  - Data Archives
  - Business Intelligence (BI) / Data Warehouse Environments

Page 18: The File Analysis Marketplace

• The FA marketplace is still emerging and evolving, including more specialized niche-oriented vendors, as well as established vendors offering a variety of technologies from areas such as:
  - eDiscovery
  - Information Security / Privacy / Data Loss Prevention (DLP)
  - RIM / IG / EDM / ECM
  - Data Archiving / Storage / Disaster Recovery (DR)
  - Identity and Access Management (IAM)
  - Business Intelligence (BI) / Decision Analysis
  - Big Data Analytics
• Key source: Gartner’s Market Guide for File Analysis
  - First published in September 2014
  - Latest (201) version: https://www.gartner.com/doc/3446718/market-guide-file-analysis-software

Page 19: Representative Vendors

Diagram: Primary Use Cases Supported by 2018 List Vendors

Source: Gartner: Market Guide for File Analysis Software (2018)

Gartner’s note: Though most vendors support some elements of each use case, vendors are listed in the above diagram according to the major use case supported and what customers acquire the solution for.

Page 20: Developing the roadmap – prioritized strategies and implementation plan

Page 21: Roadmap

Roadmap diagram: Identify Data Sources → Apply Retention Schedule → Develop Clear Guidelines and Standards → Document the Decision Making Process

Page 22: 1. Identify and prioritize eligible data sources

• Identify data sources eligible for the deletion process
• Prioritize data sources (low v. medium v. high hanging fruit)
  - Consider level of business line/function
  - Consider starting with records prior to a certain cut-off date (e.g. more than 10 years old)
  - Identify higher risk (archival, environmental, real estate, legal, pension) v. lower risk (sales, routine operations) records
  - Identify highest value/risk litigation holds
  - Identify records with more detailed/reliable indexes and word-searchable v. those that are poorly indexed/not searchable
• Off-site hard copy boxes
• Backups/disaster recovery
• Legacy systems
• Orphan data
• Email archives / PSTs
• Applications/systems
• Old litigation collections
• File servers
• Other?

Page 23: 2. Apply the retention schedule

• How should you apply record types? Can you rely on employees or should you look at technology?
• How do you define retention periods?
  - Business use
  - Legal/regulatory requirements
  - Statute of limitations
  - Legal/regulatory need to delete (no longer than…?)
• How do you apply retention triggers (date based vs. event based)?
  - Account closure, transaction, create date, termination?
  - Maintaining integrity of records?
  - Can the application effectively apply retention periods?
  - Can employees effectively apply retention periods?
  - Do third parties have rules in place to apply retention to your content?

Page 24: 3. Develop Clear Guidelines / Standards

• Based on the data sources eligible for the deletion process, evaluate risks and determine the standards to be met for reliance on indexes, automated searching, review sampling and statistical analysis (if any)
• Not the same risk/process for every data source
  - Depending on the business line, certain data sources may be lower risk than others
  - Boxes may have indices that can be leveraged; file servers may have folder structures that may be leveraged
  - Data purging in boxes is unlikely to be necessary/feasible; data purging from systems or file servers may be necessary
  - Legacy systems may not be accessible for data analysis/review
• Evaluate when/where sampling may be appropriate and consider whether to retain a statistician to assist with the analysis
• Document the procedures/assumptions for each data source/type to enable consistent, repeatable application

Page 25: 4. Document the decision-making process

• Defensible Deletion includes being able to trace the data back through your process from the end state, i.e., where is the data today and how did the data end up in its final resting place
• Keep written records to support the identification and disposal process
• Document approvals from RIM, Legal, IT or other key stakeholders – everyone has skin in the game
• Document disposal – proof that data no longer exists

An audit trail for disposal decisions is proof of following the organization’s policy/procedure and of reasoned decision making.
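The date-based vs. event-based retention triggers of step 2 and the legal-hold check, stakeholder approvals and proof-of-disposal audit trail of step 4, worked as an added Python example (not HBR Consulting's code). The schedule categories, hold ids, approver roles and records are constructed for illustration.

```python
"""Retention-trigger evaluation plus an audit-trail entry for each disposal decision.
Added example; schedule, hold ids and approver roles are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed retention schedule: category -> (trigger kind, retention years).
# "event" triggers count from an event such as account closure or termination;
# "date" triggers count from the record's create date.
SCHEDULE = {
    "customer-account": ("event", 7),
    "routine-correspondence": ("date", 3),
}
REQUIRED_APPROVERS = {"RIM", "Legal", "IT"}   # everyone has skin in the game


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    content: bytes
    trigger_event: Optional[date] = None   # closure/termination date, if it happened
    legal_holds: tuple = ()                # hold ids currently attached


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(rec: Record, today: date) -> dict:
    """Decide retain/dispose from holds and the schedule, without touching the data."""
    kind, years = SCHEDULE[rec.category]
    if rec.legal_holds:                       # a hold always overrides the schedule
        return {"decision": "retain", "reason": f"legal hold {sorted(rec.legal_holds)}"}
    start = rec.trigger_event if kind == "event" else rec.created
    if start is None:                         # event-based clock has not started
        return {"decision": "retain", "reason": "retention trigger has not occurred"}
    expiry = add_years(start, years)
    if today < expiry:
        return {"decision": "retain", "reason": f"retention runs until {expiry}"}
    return {"decision": "dispose", "reason": f"expired {expiry}", "expiry": str(expiry)}


def dispose(rec: Record, today: date, approvals: set) -> dict:
    """Write one audit-trail entry; data is destroyed only when the schedule
    says so AND every required stakeholder has signed off."""
    entry = {"record_id": rec.record_id, "category": rec.category,
             "evaluated_on": str(today), **evaluate(rec, today)}
    if entry["decision"] == "dispose":
        missing = REQUIRED_APPROVERS - approvals
        if missing:
            entry["decision"] = "pending"
            entry["reason"] = f"awaiting approval from {sorted(missing)}"
        else:
            # Proof of what was destroyed: a digest of the content, never the content.
            entry["content_sha256"] = hashlib.sha256(rec.content).hexdigest()
            entry["approvals"] = sorted(approvals)
            rec.content = b""                 # the actual destruction step
            entry["disposed"] = True
    return entry
```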

Page 26: Measuring success – KPIs, evergreen processes, audit and monitoring

Page 27: Develop key metrics

• Start by conducting measurements
  - Where are records stored (data mapping)?
  - What manual or technology solutions are in place to manage them?
  - How many records have been identified as ROT that can be removed (what is the percentage against the whole)?
  - What percentage of records are actually retained for their mandated retention period?
  - How many records are searchable and accessible?
  - What percentage of records have been classified?
  - What percentage of records contain sensitive/personal information?
  - What percentage of records are being deleted after expiration?

Page 28: Invest the time and effort to track progress

• Measure total data volumes across all media types
  - Total number of repositories
  - Total quantity of data
  - What percentage is indexed
  - What percentage has been classified
• Create deletion objectives and measurements across all types of media, including email, files, backup tapes, physical records, etc.
  - Data points and metrics
    • Yearly cost to maintain business records
    • % of physical record boxes with complete metadata
    • % of known electronic content crawled by indexing tool
  - Results and goals (KPIs)
    • % of departments where DD is completed per annum
    • % reduction in electronic content / physical record boxes
    • % reduction in duplicates

Page 29: IG Metrics – ARMA SF

http://armagg.org/images/downloads/2017_Presentations/kpmg_pge_sf_arma_presentation_on_ig_metrics___nov_15_2017_rajan_and_hert....pdf

Page 30: Continuous measurement

• As with all programs, continuous improvement should be the goal, so continuous measurement in terms of risk and cost reduction and capacity improvement is important.
• Once established, the Defensible Disposition program should be regularly audited to identify process failures and highlight areas for improvement.

Page 31: Summary

Page 32: Defensible data deletion process summary

1. Educate and execute on records and information procedures
2. Identify and prioritize locations/sources of records for potential disposal
3. Develop clear procedures/guidelines for disposal decision-making
4. Identify records in eligible locations/sources that must be kept for business/regulatory compliance and match retention requirements/categories
5. Identify data in those sources that must be kept for legal holds or other unique retention obligations (e.g. contracts, tax)
6. Safely dispose of obsolete documents/data/systems
7. Document the process, including decision-making/authorizations

Page 33: Foundational Elements

RIM FOUNDATION – Information, policies & procedures essential to operationalizing disposal and retention decisions (Baseline State):
• RIM Policies & Procedures
• Records Retention Schedule
• RIM Inventories
• Legal Holds
• Other Retention Considerations
• Employee Training

DISPOSITION PROCESSES – Documented process, approvals, and decisions for retaining or disposing of data (Who/What/Where/How):
• Employee Data
• Structured Data
• Unstructured Data
• Physical Records

END STATE – Documentation to explain record retention/disposal as needed, and locate and retrieve records upon request (Future State):
• Disposed Documents/Data
• Legal Hold
• Hard Copies – Offsite/Onsite Storage
• Active Structured Databases
• Active Unstructured Data Repositories

Page 34: Discussion
