Saturday, August 16, 2025

How Much Data Do We Need to Keep?


Enterprises are swimming in data — but few are willing to jettison data that they know is probably obsolete because they fear they might need it for legal actions and e-discovery. Are there limits that can be placed on how much and what kinds of data must be retained? 

The answer is yes, there are limits. But depending upon the state or country you’re operating in, the industry you’re in, and the regulatory compliance standards that your company is subject to, these data retention limits aren’t set in stone. This is what makes data retention for e-discovery so challenging for IT and legal departments.

Data accessibility, safekeeping, and compliance requirements can vary, depending on whether your company operates wholly in the US, where data retention guidelines are likely to be stated in the Federal Rules of Civil Procedure (FRCP), or in Europe, where the GDPR (General Data Protection Regulation) governs. If your company operates in both geographies, it’s likely to have a dual set of e-discovery data retention requirements to meet.

The plot thickens further in highly regulated industries like finance and healthcare.

Let’s take healthcare as an example: 

HIPAA (Health Insurance Portability and Accountability Act) requires that healthcare general records data be retained for six years from date of creation or date of effect (whichever date is later), but it has no stipulation for the retention of patient medical records. Instead, it is the state that a medical entity is operating in that specifies the length of time that patient medical record data must be retained, and this varies state by state. So, for instance, a hospital operating in Arkansas might be required to retain patient medical records for a period of 10 years, but only for a period of seven years if it is operating in Florida. Consequently, a hospital system that runs facilities in both Arkansas and Florida must adhere to two different medical record data retention requirements. 


Getting a Grip on E-Discovery Data Retention 

It’s small wonder that companies struggle with data retention for e-discovery, given the variations in regulations. Nevertheless, there are certain guidelines and practices that seem to ease the pain. Here are five of them: 

1. Define a storage strategy for emails, documents, and other types of electronic information 

Data multiplies exponentially for organizations, so there must be a strategy for storing it. Recently acquired or acted-upon data is stored in active data repositories, while data that hasn’t been used for long periods of time is removed from production systems and archived. It’s up to regulators, auditors, IT and the business to determine the rules for maintaining and archiving data. Once these policies are decided, storage must be effectively architected to house the data, whether it is solid state storage for up-to-the-minute data, standard disk storage for active production data, or slower, cold storage disk that archives older data in the data center or in the cloud. Data storage services and media should also be regularly checked and maintained to avoid media corruption or device failure that can lead to data loss.


2. Don’t overlook non-electronic data 

Law offices, healthcare clinics, manufacturers, and others still use paper documents and artifacts. These items must also be preserved for e-discovery and hopefully targeted for future digitalization so the paper copies can be eliminated.  

3. Dedupe your data and make it relevant 

There are emails between doctors and patients that are highly relevant, and emails that hospital employees send out for the annual holiday party. Then, there are duplicate emails, documents and records in the system that can be cleaned up (deduped) and removed from storage altogether, so storage costs can be reduced. E-discovery is easier to do when the data it works with is clean.


4. Keep up with regulations 

Different countries and states vary in the e-discovery record keeping requirements that they have, and statutes of limitation for legal actions and admissible evidence can also vary by state or by country. It’s important to retain legal counsel or use the company’s internal legal department for assistance in keeping up with the latest data safekeeping requirements for e-discovery that pertain to all of the jurisdictions that your company operates in. Outside auditors can also assist with guidance on e-discovery regulations. One rule of thumb that works pretty well, and that can simplify e-discovery data safekeeping for companies operating in multiple jurisdictions, is to take the most stringent data safekeeping requirement for e-discovery data (e.g., a jurisdiction that requires 10 years for maintaining medical records) and simply apply it across the board for all data, even if you have jurisdictions that require fewer years to maintain the data.

5. Consider using e-discovery vendors 

There are e-discovery data search and store sites in the cloud that are staffed by legal and IT experts. These vendors can both store your e-discovery data and develop the most effective search engines into the data for purposes of e-discovery. There are also commercial tools available for e-discovery that can automate the classifications and search indices for data, based upon the key data entities and topics that lawyers are likely to need. It’s a great move to take advantage of these services, because you don’t want to have to do the job from scratch.


