Key Technologies and Services for Building a Defensible Data Destruction Plan for 2013

We all know that the volume of Electronically Stored Information (ESI) for most enterprises continues to grow with no end in sight. Obviously, ESI storage vendors would love to see enterprises worldwide keep all of their ESI. However, storing and managing all ESI is overwhelming from an operational standpoint, increases legal liability and is cost prohibitive. Therefore, the real question for the enterprise is what ESI should the enterprise keep and what ESI can it legally dispose of?

Historically known as ESI or data retention policy, the focus in 2012 and beyond is now on defensible data destruction. Enterprises are no longer legally able to just destroy whatever ESI they no longer want to keep. The National Archives and Records Administration (NARA) requires all U.S. federal agency electronic records, including e-mail messages, be destroyed in accordance with an approved records disposition schedule (2 CFR Part 2600, Subchapter B, Part 1234.34). Additionally, electronic records scheduled for destruction must be disposed of in a manner that ensures protection of any sensitive, proprietary, or national security information. NARA does not require certificates of destruction for federal agency electronic records.

For organizations in the private sector, destruction practices for protected information about an identifiable individual employee, customer, or supplier are regulated. Examples of protected information include Social Insurance/Security number; account number, credit, or debit card, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; driver’s license or state identification card number; consumer credit reports, and personal medical information. In the United States, federal legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair and Accurate Credit Transactions Act (FACTA) requires destruction or deletion of electronic files or media so the information cannot be read or reconstructed. Organizations must implement reasonable safeguards in connection with the disposal of protected information; however, neither HIPAA nor FACTA mandates specific disposal methods.

At the U.S. state level, more than 40 state governments have adopted privacy protection legislation that potentially impacts private sector organizations. Colorado, for example, has a law requiring the establishment of policies for safe destruction of documents containing Social Security numbers.

Rule 37 of the Federal Rules of Civil Procedure (FRCP) states that, “Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.” This safe harbor is a compelling reason for organizations to include a well-documented policy for electronic record destruction in their records and information management (RIM) programs.

International requirements such as Canada’s Federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the European Union (EU) Data Protection Directive 95/46 EC also address destruction of personal information. The EU directive, for example, requires personal information be rendered anonymous and retained in a form in which identification of the data subject is no longer possible when the data’s purpose has been served. For organizations that must comply with EU requirements and countries with similar privacy legislation, the indefinite retention of personal information is considered excessive in terms of data protection requirements.

Most enterprise Chief Information Officers (CIOs) and General Counsels (GCs) know intuitively that half or more of stored ESI doesn’t really have to be kept for any real legal, operational or business reasons. According to a July 17, 2012 article on Forbes.com by Deidre Paknad, founder of the Compliance, Governance and Oversight Council (CGOC) and Director of Information Lifecycle Governance Solutions at IBM, titled “Defensible Disposal: You Can’t Keep All Your Data Forever,” a survey taken at the 2012 Compliance, Governance and Oversight Council (CGOC) Summit validated these facts. The survey found that typically:

  • 1 percent of corporate ESI is on litigation hold
  • 5 percent of ESI is in a records category
  • 25 percent of ESI has current business value

This means that 69 percent of ESI in most companies has no business, legal or regulatory value, so the enterprise can dispose of this unused ESI to:

  • Return more profit to shareholders
  • Free up more of their IT budgets for strategic investments
  • Avoid excess expense in legal and regulatory response

To address the question and establish policies of what ESI to keep and what ESI to dispose of, the enterprise needs to bring together stakeholders and decision makers from legal, compliance, records, business and Information Technology (IT). The CGOC, organizations such as The Ritter Academy and other Information Governance (IG) consultancies can provide these enterprise committees with the guidance and assistance to develop these policies.

However, due to the volume of ESI, the enterprise must go beyond just developing and publishing policy. It must engage the support of technology to:

  • Enable the granular identification of ESI across the entire enterprise
  • Provide real-time analysis and reporting
  • Automate policy-based general ESI retention
  • Automate policy-based legal hold(s)
  • Automate policy-based de-duplication
  • Automate policy-based defensible ESI destruction

Numerous technology platforms, in various categories, are available to enable the enterprise to accomplish these tasks.

Storage Systems
Historically, storage systems provided enterprises with the hardware and associated software, such as automated backup, required to store ESI. However, over time, as enterprise requirements for the management of stored ESI became more sophisticated, storage system providers began to enhance their ESI management capabilities. Today, most storage systems include software to enable the enterprise to identify, analyze, preserve and collect ESI as may be required to support the defensible destruction of ESI and information management and eDiscovery requirements.

Storage systems are a technology option to support the defensible destruction of ESI for those enterprises that believe totally integrated storage and ESI management from the same vendor is an attractive option. Examples of storage systems that support the defensible destruction of ESI are as follows:

Iron Mountain: Iron Mountain Incorporated (NYSE: IRM) is a leading provider of information storage and management solutions. The company’s real estate network of 64 million square feet across nearly 1,000 facilities in 32 countries allows it to serve customers around the world with speed and accuracy. And its solutions for records management, data backup and recovery, document management, and secure shredding help organizations to lower storage costs, comply with regulations, recover from disaster, and better use their information for business advantage. Founded in 1951, Iron Mountain stores and protects billions of information assets, including business documents, backup tapes, electronic files and medical data. For more information about Iron Mountain, please visit: www.ironmountain.com.

HP: As the world’s largest technology company, HP (NYSE: HPQ) brings together a portfolio that spans printing, personal computing, software, services and IT infrastructure to solve customer problems. For more information about HP, please visit: www.hp.com.

IBM:  As one of the largest technology companies in the world, IBM (NYSE: IBM) provides a variety of hardware and software solutions to support the entire enterprise. For more information about IBM, please visit: www.ibm.com.

Dell: As one of the largest technology companies in the world, Dell (NASDAQ: DELL) provides a variety of hardware and software solutions to support the entire enterprise. For more information about Dell, please visit: www.dell.com.

Email Archiving Systems
Historically, email archiving systems enabled enterprises to store email outside of the email system of origin (e.g. Microsoft Outlook, Lotus Notes) and enabled knowledge workers to perform rudimentary searches to support legal, compliance and business requirements. However, email archiving system vendors have enhanced their platforms to include more sophisticated search and analysis technology and support for legal holds, eDiscovery requests and other information governance requirements, including the defensible destruction of email.

Email archiving systems are a technology option to support the defensible destruction of ESI for those enterprises where the majority of their ESI is email. Examples of email archiving systems that support the defensible destruction of ESI are as follows:

C2C Systems: C2C Systems has earned the trust of its four million software users since 1992 by consistently delivering high-value, dependable core messaging system enhancements. Microsoft® Exchange, SharePoint®, and Windows® File Server form the heart of C2C’s commercial and governmental customers’ businesses worldwide. C2C’s ArchiveOne® product family is the trusted choice for email and file archiving, eDiscovery, compliance management, legal forensics and storage management tools to enhance these platforms. For more information about C2C Systems, please visit: www.c2c.com.

Smarsh: Smarsh® provides hosted solutions for archiving electronic communications, including email archiving, instant message archiving and social media archiving for platforms such as Facebook, LinkedIn and Twitter. Founded in 2001, Smarsh helps organizations manage and enforce flexible, secure and cost-effective compliance and records retention strategies. For more information, please visit: www.smarch.com.

Barracuda Networks: Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, California. For more information, please visit www.barracudanetworks.com.

Symantec: Symantec protects the world’s information, and is a global leader in security, backup and availability solutions.  Its innovative products and services protect people and information in any environment – from the smallest mobile device, to the enterprise data center, to cloud-based systems. Its world-renowned expertise in protecting data, identities and interactions gives its customers confidence in a connected world. For more information about Symantec, please visit: www.symantec.com.

Standalone Information Management Systems
Standalone information management systems are independent of the storage of the ESI and enable the enterprise to scan stored ESI within its native storage technology and native file structure, identify specific ESI, analyze that ESI, preserve, hold, collect or destroy that ESI, and then provide support for sophisticated information management such as Early Case Assessment (ECA), First Pass Review (FPR) and normalization for production throughout the remainder of the ESI lifecycle.

Standalone information management systems are a technology option to support the defensible destruction of ESI for those enterprises that have a wide variety of different types of ESI residing in different storage systems with different file types and sophisticated and complex information governance and eDiscovery requirements that believe in best-in-class solutions.  Examples of standalone information management systems that support the defensible destruction of ESI are as follows:

Autonomy:  Autonomy, an HP Company, is a global leader in software that processes human information, or unstructured data, including social media, email, video, audio, text and web pages, etc. Autonomy’s powerful management and analytic tools for structured information together with its ability to extract meaning in real time from all forms of information, regardless of format, is a unique tool for companies seeking to get the most out of their data. Autonomy’s product portfolio helps power companies through enterprise search analytics, business process management and OEM operations. Autonomy also offers information governance solutions in areas such as eDiscovery, content management and compliance, as well as marketing solutions that help companies grow revenue, such as web content management, online marketing optimization and rich media management.  For more information about Autonomy, please visit: www.autonomy.com.

Symantec: Symantec protects the world’s information, and is a global leader in security, backup and availability solutions.  Its innovative products and services protect people and information in any environment – from the smallest mobile device, to the enterprise data center, to cloud-based systems. Its world-renowned expertise in protecting data, identities and interactions gives its customers confidence in a connected world. For more information about Symantec, please visit: www.symantec.com.

StoredIQ: StoredIQ, recently acquired by IBM, offers a range of active information management solutions utilizing the StoredIQ Platform to provide industry-leading data insight and control for Data Intelligence, eDiscovery, or Information Governance.  For more information on StoredIQ, please visit: www.storedIQ.com.

Rational Retention: Primarily supporting the eDiscovery market, Rational Retention provides its customers with a suite of software solutions which enables information governance and compliance by tracking user content on desktops and in file shares, email, and content management systems, resulting in fully visible and controllable documents. For more information on Rational Retention, please visit: www.rationalretention.com.

Exterro: Exterro, Inc. is the pioneer and leading provider of workflow-driven eDiscovery software for corporations and law firms. The proven Exterro Fusion® platform delivers a 360° view into the critical data and workflows required for defensibly and cost-effectively managing e-discovery across the EDRM spectrum. The innovative suite of e-discovery applications built on the Fusion platform unifies all phases of eDiscovery – from identification, legal hold and Early Case Assessment (ECA) to collection, processing, analysis, review and production. Fusion’s open architecture integrates seamlessly with existing business processes and enterprise infrastructures. For more information about Exterro and its products and services, please visit: www.eterro.com.

Conclusion
We all know that the volume of ESI for most enterprises continues to grow, overwhelming knowledge workers from an operational standpoint and increasing legal liability and costs. Historically known as data retention policy, most enterprises now realize that the priority in 2013 should be to actually develop and implement comprehensive and defensible ESI destruction. The technologies and services listed in this article will be a good place to start.

About Charles Skamser
Charles Skamser is an internationally recognized technology sales, marketing and product management leader with over 25 years of experience in Information Governance, eDiscovery, Machine Learning, Computer Assisted Analytics, Cloud Computing, Big Data Analytics, IT Automation and ITOA. Charles is the founder and Senior Analyst for eDiscovery Solutions Group, a global provider of information management consulting, market intelligence and advisory services specializing in information governance, eDiscovery, Big Data analytics and cloud computing solutions. Previously, Charles served in various executive roles with disruptive technology start ups and well known industry technology providers. Charles is a prolific author and a regular speaker on the technology that the Global 2000 require to manage the accelerating increase in Electronically Stored Information (ESI). Charles holds a BA in Political Science and Economics from Macalester College.