DATA: To Have and Not To Hold


Can secure communication tools and a renewed focus on information governance systems help legal professionals and IT departments combat an increasingly pervasive threat vector?

lawyers blog image

Jennifer DeTrani, Wickr General Counsel
August 27, 2018

How do legal professionals view end-to-end encrypted and ephemeral collaboration platforms?

My team at Wickr works with colleagues including in-house lawyers and outside law firms on defining best practices for adopting stronger data security using our best-in-class technology. In the past year or so, the conversation has largely centered around the risk-benefit assessment of using end-to-end encrypted and ephemeral communication tools. But more often than not, particularly in light of the intensifying threat environment that lawyers operate in, the consensus has been: only keep what you need. In other words, in the absence of legal or regulatory requirement to store data, don’t keep data that serves no purpose.

This data minimization trend is not new. For years, legal experts have relied on and advocated for the so-called defensible data disposition approach, wherein legal and IT teams proscribe proactive information governance and records management protocols to ensure that appropriately designated data exits stage left. Now, with legal regimes like GDPR and the California Consumer Privacy Act coming into play that prioritize data minimization, it is increasingly important to be aware of the data organizations generate and how it is retained or discarded.

Policy-based data deletion is becoming table stakes in the digital age where companies are more likely than not to be the targets of hackers prepared to launch increasingly sophisticated attacks against organizations and their stakeholders.

Legal think tank The Sedona Conference [1] recently published its Principles and Commentary on Defensible Disposition, a deep-dive into the topic of data retention/disposal to provide guidance on how companies should be thinking about retaining data. In essence, The Sedona Conference recommends expiring and discarding data when it has passed its useful life:

“[i]t is a sound strategic objective of a corporate organization to dispose of information no longer required for compliance, legal hold purposes, or in the ordinary course of business. If there is no legal retention obligation, information should be disposed as soon as the cost and risk of retaining the information is outweighed by the likely business value of retaining the information…Typically, the business value decreases and the cost and risk increase as information ages.” [2]

This undertaking was two years in the making, arising from the desire to provide specific guidance around Principle 6 of The Sedona Conference’s Commentary on Information Governance which supports reasoned data disposal as a “sound strategic objective” on the basis that “the effective, timely and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any Information Governance program.” [3]

The courts have similarly recognized that outside of statutory or regulatory mandates and (reasonably anticipated) litigation, “effective, timely and consistent disposal of electronic information that no longer needs to be retained” may be expired or retired as part its information governance program. [4]

The reality is that many organizations struggle with the decision of how to treat their data and communications. Often, uncertainty around decision-making on whether such disposal is warranted comes down to the ability to clearly articulate the policy around the use of any new technology including encryption and sanctioned data deletion.

The teams that approach the adoption of ephemerality as a means to enforcing data security start with building the rules and protocols into their corporate information governance policy. This thoughtful and proactive approach enables both lawyers and IT professionals to rely on a well-reasoned and documented rulebook moving forward.

The landscape of information governance can pose challenges for any organization, large or small, but secure communications technologies like Wickr are built in response to a very real data security threat facing many law forms and in-house legal teams looking to address over-retention of information. Increased confidentiality, stronger information security, lower e-discovery and data storage costs are all side-effects of a strong information governance program that encompasses defensible disposition of unneeded material.

***

[1] About The Sedona Conference: https://thesedonaconference.org/aboutus

The Sedona Conference (TSC) is a nonprofit, 501(c)(3) research and educational institute dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation, and intellectual property rights. The mission of TSC is to drive the reasoned and just advancement of law and policy by stimulating ongoing dialogue amongst leaders of the bench and bar to achieve consensus on critical issues. TSC brings together the brightest minds in a dialogue-based, think-tank setting with the goal of creating practical solutions and recommendations of immediate benefit to the bench and bar.

[2] The Sedona Conference Commentary on Information Governance, Principle 6.

[3] Principle 6 of The Sedona Conference Commentary on Information Governance.

[4] See, e.g.Barnett v. Deere & Co., No. 2:15-CV-2-KS-MTP, 2016 WL 4544052 (S.D. Miss. Aug. 31, 2016) (declining to impose sanctions for the destruction of relevant documents pursuant to Defendant’s document retention policy at a time when there was no duty to preserve and, in its discussion of bad faith, noted that the court “does ‘not draw an inference of bad faith when documents are destroyed under a routine policy’”); Zubulake v. UBS Warburg LLC, 2003 U.S. Dist. LEXIS 18771, at *8 (S.D.N.Y. Oct. 22, 2003) (“It goes without saying that a party can only be sanctioned for destroying evidence if it had a duty to preserve it.”)