This possible "safe harbor", known as Rule 37 (f), is a double-edged sword for companies governed by these regulations. The best news is that theoretically, proper awareness and care in applying data retention and deletion policies could mean that "keep everything" policies -- and the attendant growth of storage systems -- become a thing of the past.
"We expect that organizations will build more efficient information retention policies that include disposition," said Brian Babineau, analyst with the Enterprise Strategy Group. "If these policies are consistently followed, then stating that the 'information has been deleted according to our policies' will be an adequate response."
Data deletion: Proceed with cautionThe most important thing IT managers can do to help their companies take advantage of the rule, according to Thomas Allman, one of the main authors behind the new rule and senior counsel for Chicago law firm Mayer, Brown, Rowe & Maw, is to maintain an awareness of their particular company's data retention policies and how they do their jobs could affect a future litigation process, a perspective echoed by users in the highly regulated and litigious financial and medical industries.
"What folks seem to fail to realize [is] that your policy itself is disclosable, and you still have to run a business," said a legal director for a US bank who asked not to be named. "In a 'delete-everything' world, your business users suffer and will probably turn to other methodologies to store, which will [also] be discoverable."
"I have one pharmaceutical client who said, 'we don't want to back up any emails past 30 days' while another stores every email -- inbound and outbound -- on a separate server," said Tom Dugan, director of technical services for Recovery Networks, a backup outsourcing firm. "Which one has a good policy? The answer depends on the problem they're faced with."
For the IT administrator, it's also necessary to acknowledge that they could be held accountable even for backup policies enforced from above, according to experts.
"IT people in companies that are frequently involved in lawsuits have to know all the sources of information they control, and the policies that surround them," Allman said. "They have to be able to pull it all together and, in many cases, show who accessed information and when."
It may even be incumbent upon an IT manager to explain in court where data is and why it has been deleted, or is not reasonably accessible, he added.
"I can foresee a 'battle of the experts,' " Allman said, "in which a storage manager has to explain exactly what the burden, in terms of time and cost, will be in order to discover certain data and spell out the reasons why it's in the place it is in the first place to the court."
IT administrators also need to not only be consistent about following deletion and retention policies but vigilant that data doesn't escape to other areas of the enterprise, Babineau said. "Very often, deletion events do not include other copies or derivatives of the data that reside on PCs, tapes, remote offices, Universal Serial Bus (USB) drives, etc.," he said. "So, in the case where a court or requestor says that 'a defendant's deletion policies are a direct result of not wanting to produce the information,' it would not be surprising for the court to allow for further discovery requests … and the cost associated with this further discovery being split between the requestor and the defendant."
A further disadvantage for tape?One of the lessons learned from previous cases in which a faulty discovery process led to punishing judgments, according to experts, is that tape grows riskier every year. Allman referred to a case against Morgan Stanley that was finally settled in February as a "depressing instance" in which data kept on legacy tapes played a key role in a judgment for the plaintiff.
"Also, with things like write once, read many (WORM), you will have to prove why you don't have the data," said Jeff Machols, systems integration manager, technology services, for CitiStreet. "That is getting harder to do."
In the beginning of rules being enforced, Allman said, courts will continue to recognize very old backup tapes, including those where encryption keys are lost or are only readable with software that has been discontinued, as inaccessible repositories of data. But as disk-based archives become more widely available, it won't last as an excuse.
"Technology is always changing, and it's increasingly difficult to prove that it's not reasonably accessible, or that the organization shouldn't have taken more steps to make it more accessible," Allman said.