Data retention policies are definitely a topic of discussion among IT departments, but they should also be top of mind for legal departments as well.
In fact, legal teams and IT should be communicating regularly about how data retention policies affect legal hold processes–so they can better balance required preservation of evidential ESI, while still supporting ongoing information governance programs.
What Are Data Retention Policies?
Put simply, data retention policies are the ongoing data deletion protocols organizations run as part of their information governance program to keep data stores manageable and reduce risk. Data retention policies can vary across organizations and even between departments or teams within an organization, which is why it’s important all stakeholders involved in the eDiscovery process stay aware of how data retention policies affect legal holds and data preservation.
In the 2021 Case Law Recap I recently wrote for IPRO, four cases stood out where retention policies played a part in different ways, highlighting these challenges.
The Classic Blunder
This case is an example of the classic data retention policy blunder (which this month’s eDiscovery Blues comic highlights with fiery humor): the defendant placed a legal hold on data as requested but failed to suspend data retention policies, so the ESI thought to be preserved was instead deleted on schedule. And while the spoliation wasn’t carried out in bad faith or with intent to obscure evidence, partial sanctions and attorney’s fees were ordered, because reasonable efforts weren’t made to ensure the preservation of data.
Best Practice 1: Communication is key here. Legal and IT need to continuously stay up to date on current legal holds, preservation efforts, and how retention schedules affect them. All stakeholders must be aware of what the others’ needs are and how they can align their efforts to make sure nothing falls through the cracks.
A Variation on the Classic
In a variation on the first theme, this case also has spoliated data as a result of automatic retention policies. However, the defendant at first didn’t realize these policies were affecting the discovery request, but once they did, rectified the automatic deletion protocols and saved the remaining data. On top of that, they found other sources for the data which had been deleted. Because of these good faith efforts, no sanctions were ordered.
Best Practice 2: This example shows how the changing landscape of a litigation can be affected by retention policies which didn’t seem to be a problem at the outset. Fortunately for the defendant, communication and a quick response, as well as efforts to solve the problem, avoided sanctions.
Someone Else’s Retention Policies
Here, the retention policies aren’t those of the plaintiff or the defendant, but of a third party (in this case Facebook) who hosts the data in question. In this instance, the plaintiff’s social media data was requested, but the plaintiff deleted (not deactivated) his Facebook account after discovery had begun, against the advice of his attorney. Even with this bad faith action, the plaintiff may have avoided an adverse inference if the data could have been retrieved from the source. However, Facebook has a 30-day data retention policy for deleted accounts, so the requested ESI couldn’t be retrieved. Needless to say, all of this led to harsh sanctions from the court.
Best Practice 3: Legal and IT should be aware not only of their own retention policies, but those of potential sources of ESI hosted outside the organization. This is especially true with the rise of the remote workplace where cloud-based communications apps (Teams, Slack, Zoom, M365, G-Suite, etc.) are vital for conducting business. Understanding the retention policies of each, as well as how those retention policies may change with automatic updates or new versions, is imperative.
Retention Policies After Custodians Have Left the Building
This is the ongoing antitrust case involving Martin Shkreli, AKA The Pharma Bro. There are so many lessons in “what not to do” with this one, it’s definitely worth looking into. For this article, it raises the issue of how retention policies affect data held for litigation after the custodian has left the organization. In this case, data was requested from a business phone belonging to Shkreli even though he was no longer employed with the organization which issued the phone (he was in fact currently incarcerated).
Best Practice 4: Civil litigation can go on for years, and a lot can change in that time. A common situation is that data custodians may change positions within the company or leave to work somewhere else, retire, or in Martin Shkreli’s case, go to jail. Which means, even if their data was preserved via a legal hold, the organization’s automatic retention policies will most likely go into effect after the custodian has left the company. So, while the legal hold may still be in place, that person’s company-issued hardware, as well as log in credentials and data, will be wiped 90 days after their exit, unless those retention policies are superseded. Again, communication between legal and IT is essential.
To learn more about how Information Governance and Legal Hold Processes and Technology Can Work Together.