DEFENSIBLY DOWNSIZING YOUR DATA: WHERE TO BEGIN WITH RECORDS RETENTION AND MAINTAINING COMPLIANCE. June 5, 2015

Size: px

Start display at page:

Download "DEFENSIBLY DOWNSIZING YOUR DATA: WHERE TO BEGIN WITH RECORDS RETENTION AND MAINTAINING COMPLIANCE. June 5, 2015"

Jasmin Tyler
8 years ago
Views:

1 DEFENSIBLY DOWNSIZING YOUR DATA: WHERE TO BEGIN WITH RECORDS RETENTION AND MAINTAINING COMPLIANCE June 5,

2 Joshua J. Death TD Bank Group John Beardwood Fasken Martineau LLP Robert Fowler Jordan Lawrence AVP Legal, Intellectual Property Partner Chair, FM National Technology Law Group CIPP/US Director of Professional Services 2

3 3

4 LITIGATION COSTS 4

5 UNCONTROLLED DATA GROWTH 5

IMPACT OF RETENTION ON EMAIL & UNSTRUCTURED DATA Total Cost of Storing and

6 IMPACT OF RETENTION ON & UNSTRUCTURED DATA Total Cost of Storing and Managing Unstructured Data & File Share Volumes & Growth $4 - $25 per GB 6

7 Document Review Volume IMPACT OF RETENTION ON E-DISCOVERY COLLECTION & REVIEW COSTS 200,000 $1,131, , ,000 $705, Employees with an Average of 1.54 GB Unstructured Data 125,000 Current Volume Volume After Applying Retention Rules 7

8 Boxes IMPACT OF RETENTION COMMERCIAL VENDOR STORAGE COSTS 8

9 HEEREEE S THE PLAINTIFFS 9

10 DECIDING TO TAKE ACTION 10

IT S THE LAW - (OR SOON WILL BE) Copyright

13 WHY RETAIN? 1. Business needs 2. Legal needs Limitation periods: Retain to have doc s to bring/defend action Statutory requirements: e.g. Tax; employment; environmental Corporate law requirements Privacy requirements retain PI used to make decision about individual long enough to allow individual access to PI postdecision Copyright Jordan Lawrence 2015 All Rights Reserved 13

14 WHY DELETE? 1. Legal needs E.g. retain PI only as continue to reasonably require to fulfil the purposes 2. Business needs Maintaining unnecessary PI increases the chances of a privacy breach Excessive retention costs Excessive discovery costs Copyright Jordan Lawrence 2015 All Rights Reserved 14

PROTECT REPUTATION Sony Hack Exposed Personal Data of Hollywood Stars Breach Includes Social Security Numbers for 47,000 Employees and Actors, Including Sylvester Stallone, Judd Apatow and Rebel

15 PROTECT REPUTATION Sony Hack Exposed Personal Data of Hollywood Stars Breach Includes Social Security Numbers for 47,000 Employees and Actors, Including Sylvester Stallone, Judd Apatow and Rebel Wilson The hack at Sony Pictures Entertainment revealed far more personal information than previously believed, including the Social Security numbers of more than 47,000 current and former employees along with Hollywood celebrities like Sylvester Stallone. An analysis of 33,000 Sony documents by data-security firm Identity Finder LLC found personal data, including salaries and home address, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in Copyright Jordan Lawrence 2015 All Rights Reserved 15

BUILDING YOUR TEAM EXECUTIVE LEADERSHIP LEGAL TEAM INFORMATION TECHNOLOGY BUSINESS PEOPLE

18 INVENTORY VS. GAP ANALYSIS A. Objectives Important to understand the difference 1. Inventory: Snapshot of current state of documents retained at an organization Rationale: organization has spent $/effort on understanding what documents it requires (legally, for business purposes, etc.) Based on premise that the existing records are what the business requires Focus: setting retention periods for those existing documents 18

19 INVENTORY VS. GAP ANALYSIS A. Objectives Important to understand the difference 2. Gap Analysis: Assess gap between what document retention is legally required, and what an organization in fact retains Rationale: organization over time may have developed gaps in meeting these requirements Based on premise that the existing records may not constitute completely what the business requires Focus: determining if any records are missing, and if so, the requirements for same 19

20 INVENTORY VS. GAP ANALYSIS B. Role of Advisors 1. Inventory: a. Jordan Lawrence: creating inventory of existing records b. Fasken: assessing legal requirements for Retention periods Location of documents (e.g. Head office? Each facility? Jurisdiction?) Media of retention (e.g. Hard copy? Electronic) 20

21 INVENTORY VS. GAP ANALYSIS B. Role of Advisors 2. Gap Analysis: a. Fasken: assessing legal requirements for Retaining records, for comparison to inventory: gaps? For those gap records, again: Location of documents Media of retention b. TD: managing scope 21

22 ISSUES IN GENERATING BOTH Issues include: 1. Highest standard nationally, or only in provinces currently located? 2. Contract complexities: a. E.g. X years after contract ends BUT: Post-termination obligations (e.g. earn-outs, indemnities, etc.) 3. Implementing retention schedules 1. Complexity of tagging 2. Importance of software 4. Environmental requirements: a. Current assessments vs. Future proofing 22

23 ISSUES IN GENERATING BOTH Issues include: 6. Versioning issues a. E.g. policies, plans, etc. 7. Reconciling document legal descriptions with document buckets in the inventory 8. Records vs. data entries a. E.g. How divisible are data entries for the time period past the retention period, from those within? E.g,. In the case of an annual log? 9. Addressing legacy document storage 10. Media requirements/choices 23

25 DETERMINING OBJECTIVES UPDATE OUR RETENTION SCHEDULE 25

26 DETERMINING OBJECTIVES 26

27 DETERMINING OBJECTIVES 27

28 DETERMINING OBJECTIVES 28

29 DETERMINING OBJECTIVES 29

30 DETERMINING OBJECTIVES LESS STUFF 30

31 ABC Company s Retention Schedule 31

32 THE CORNERSTONE WHERE PROCESSES RETENTION WHAT Records Inventory SENSITIVITY 32

33 WHAT DO YOU HAVE? Accident/Incident Records Advertising Records Benefit Records Budget Records Contracts & Agreements Coupon Records Credit Approvals Customer Information Customer Orders Employee Medical Files Gift Card Functions Payment Records Sales Receipts 33

34 WHERE IS IT?

35 WHAT ARE THE REQUIREMENTS? BUSINESS NEEDS E.G. INFO TYPES REQUIREMENTS Litigation-relevant Tax Patient Health Info. Personal Info Employment, WHSA Environmental Other Limitation Acts ITA PHIPA Privacy Laws Employment laws Enviro. Laws Other 35

36 36

37 37

38 38

39 39

40 40

41 ACTIONABLE RETENTION SCHEDULE 41

42 DELETION RULES FOR ALL INFORMATION Valid Business Records HAVE LEGITIMATE RETENTION NEEDS Operational Information RETENTION VALUE VARIES Most Information HAS LITTLE RETENTION VALUE Copyright Jordan Lawrence 2015 All Rights Reserved 42

DELETION STRATEGY FOR EMAIL (BUSINESS NEEDS) INBOX = 180 DAYS NON-ESSENTIAL COMMUNICATION SENT ITEMS = 180 DAYS DELETED ITEMS = 2 DAYS BUSINESS NEED

43 DELETION STRATEGY FOR (BUSINESS NEEDS) INBOX = 180 DAYS NON-ESSENTIAL COMMUNICATION SENT ITEMS = 180 DAYS DELETED ITEMS = 2 DAYS BUSINESS NEED COMMUNICATIONS 18 MONTH RETENTION (ALL DEPARTMENTS) DEPARTMENTAL EXCEPTIONS 6 YEAR RETENTION HR 7 YEAR RETENTION LEGAL 7 YEAR RETENTION TAX DISABILITY RECORDS 6 YEARS 43

44 LEVERAGE TECHNOLOGY RECORDS NON-RECORDS 6 Years 3 Years 18 Months 44

45 What Makes Deletion Defensible? 45

46 Show Your Work 46

47 BUILD YOUR AUDIT TRAIL Require regular policy attestation Records Retention Policy 47

48 POLICY NOTICE POLICY NOTICE When you receive a Policy Notice, it is important to read the entire document and review any attachments. The body of the and the attached documents will communicate specific instructions you are required to take

49 LEGAL HOLDS LEGAL HOLDS When you receive a hold notice, it is important to read the entire document and review any attachments. The body of the and the attached documents will communicate specific instructions or actions you are required to take. If you are not able to comply with the Hold Notice, click on the applicable link. You will be required to provide a reason why you are not in compliance. DO NOT: Forward to personal accounts Use instead of a conversation Use reply all unless absolutely necessary Attach documents when you can send a link confidential or private information Print unless it s part of a normal process Save business records in an Save in personal archives, flash drives, etc

50 ROUTINE DISPOSAL OF RECORDS ROUTINE DISPOSAL OF RECORDS When you receive a Disposal Notice it is important to read the entire document and review any attachments. THE NEW RULES WILL: The body of the and attached documents will communicate specific instructions you are required to take. If you are not able to comply with the Disposal Notice, click on the link. You will be required to provide a reason why you are not in compliance. Ensure records and information tied to a hold are protected from destruction

51 TRAINING ABC COMPANY S RECORDS MANAGEMENT TRAINING 51

52 Adverse Inference Penalties Fines Breach E-Discovery Costs Return on Investment Distracts IT from Primary Focus Reputational Harm 52

POTENTIAL SAVINGS Offsite Records Storage Apply Retention Rules Eliminate Over Five Years 60% Over Three Years Electronic & Email Initial Volume Correction Manage Growth by

53 POTENTIAL SAVINGS Offsite Records Storage Apply Retention Rules Eliminate Over Five Years 60% Over Three Years Electronic & Initial Volume Correction Manage Growth by Enforcing Policy 30% Over Three Years E-Discovery Reduce Volume of Redundant Discoverable Info 25% Per Event System Performance Less Data to Process Retire Legacy Systems Significant 53

54 Joshua J. Death TD Bank Group John Beardwood Fasken Martineau AVP Legal, Intellectual Property Partner Chair, FM National Technology Law Group Robert Fowler Jordan Lawrence CIPP/US Director of Professional Services 54

Information Governance Roadmap

Information Governance Roadmap Mitigating Privacy Risks, Reducing Costs And Meeting Obligations Speakers Heather Buchta Quarles & Brady Partner Rebecca Perry Jordan Lawrence CIPP/US/G Director of Professional