This doesn't mean a company can get rid of any electronic documents it fears might create a liability. But Murphy said federal Rules of Civil Procedure give companies a so-called "safe harbor" from liability for information deleted in accordance with standard operating procedures, "as long as a legal hold process is in place to stop deletion if information may be relevant to a litigation or regulatory matter."
Murphy said that in general, "any information assets that are duplicate or have no business value would fall into the pile of 'to be deleted.'" But he said too many organizations are not yet "mature" enough to put an accurate value on information. Instead, he said, they have "time-based retention policies."
"For example, many companies delete all email in an employee's inbox after 90 days. Any email the employee wants to keep longer need to be dragged to a central archive folder where the employee can access them beyond the 90-day period."
It is better, and much more defensible, he said, to have "legal hold management," which would be enough to convince a court that relevant ESI (electronically stored information) has been preserved. The standard is reasonable effort rather than perfection," he said.
Jim McGann said he recommends that companies start small. "[It] could be with purging ex-employee data, or determining what data has not been accessed in five years and could be migrated to less expensive storage such as the cloud, or can eventually be purged," he said.
But he said it still takes setting priorities. "The highest risk data environments are typically email servers and legacy backup tapes," he told Government Technology. "Email is the most common source of evidence produced for litigation and regulatory requests. Legacy backup tapes are a snapshot of everything, including email and files."
So, he recommends creating a data map that includes things like the age of the data, last accessed or modified date, owner, location, email sender/receiver and even sensitive keywords. "A data map will deliver the knowledge required to make 'keep or delete' decisions for files and email. An actionable data map can then help you execute on these decisions and defensibly delete what is no longer required, and archive what must be kept," he said.
Read more about data privacy in CSOonline's data Privacy section.