By Andrew Spett, Esq., IGP, CIGO
“I hate retention policy! I know retention policies exist for a reason, but we should always look at deletion as the default and retention as the exception,” says Sentinel President Aaron Weller during the recent International Association of Privacy Professionals (IAPP) web conference “Measuring What Matters.”
As information governance professionals well know, the two key exceptions to deletion are 1) a business reason to retain or 2) a legal or regulatory reason to retain. Unfortunately, the vast preponderance of information retained by organizations (hardcopy and digital) does not meet these two criteria.
Without business value or legal relevance, what is left is risk. And all that data, as Weller puts it, “is just sitting out there waiting to be de-risked.”
A Risk Too Substantial to Ignore
The data just sitting out there is, of course, what we colloquially call “ROT”: redundant, obsolete, and trivial data. This is data that, by definition, does not meet these two key retention criteria, or any other compelling reason one might posit, particularly when weighed against the associated risks. “Keep it, you never know, we may need it later” – made easier by the declining cost of storage – is a poor calculus.
The accumulated risks of ROT can be substantial. They span every organizational domain: legal and regulatory; privacy; information security; and core business functions. ROT impacts internal processes and information flows and hampers customer-facing interactions from sales to contracting to service delivery. Not only does ROT create risks, but it also increases the costs of doing business.
Of course, some amount of ROT will always exist. No disposition schedule will want to cut that fine, nor is compliance with those schedules likely to be 100%. Some ROT is acceptable. But the estimated amounts of ROT held by organizations today are jaw-dropping and, in light of the liabilities they create, should be considered unacceptable:
- A 2012 survey compiled by the Compliance Governance and Oversight Council (CGOC) found that 69% of electronically stored information (ESI) has no legal, regulatory, or business value at all.
- It is estimated that two to five percent of files are lost or misfiled.
- Individual employees spend upwards of 20% of their time (400 hours per year) searching for documents.
- It costs, on average, $120.00 in labor to find a single missing document and $220.00 to reproduce a single lost document.
Worse still, data that no longer has value can surface in lawsuits and regulatory investigations. Attorneys then spend countless hours, at great cost, sifting through huge volumes of ROT to find the relevant and potentially responsive information. ROT can also be exposed in data breaches, making valueless data very costly. Outdated data used in contracts and other customer-facing interactions can be non-compliant with corporate or regulatory guidelines. All of these very real scenarios create tremendous business, legal, and regulatory liabilities.
An Insidious Challenge
Like its metaphorical namesake, ROT is unplanned and insidious. A by-product of the exponential growth in data, ROT exists in myriad systems, on premise and off. It will continue to grow exponentially absent targeted mitigation efforts.
Those mitigation efforts are, of course, the bailiwick of information governance. They will involve the development of retention and appropriate disposition schedules, definitions of roles and responsibilities, policies and procedures, and managing go-forward compliance with the established schedules.
But this is only one piece. While critical to preventing the growth of ROT, the existing ROT must also be dealt with.
Here, data mapping and file analysis tools and services, for example, can provide a roadmap to, and enable the processes for, ridding your organization of the existing ROT and with it, the cost, risk, and vulnerabilities that it represents. A file analysis program can also assist with go-forward strategy, providing the insight and method to maintain compliance and bring those information governance and document management policies to life.
Governing information with a focus on the value of information will serve to extract ever more value. The continued acceptance of ROT will serve only to extract ever-increasing cost and risk.
Andrew is a licensed attorney in the State of California, having previously practiced with the Insurance Defense and Construction Defect groups at a mid-sized law firm in San Francisco. Andrew has been employed in the Information Governance, Computer Forensic and eDiscovery field since 2006. He presently works as a Senior eDiscovery Consultant with Ricoh USA. With over 20 years total in the legal vertical, Andrew has been involved professionally with countless cross-border, multi-district, and complex litigation matters spanning multiple industries, and is versed in utilizing advanced search techniques and technologies. He is dedicated to the task of building consultative business relationships with his clients through education, analysis, collaboration, and execution.