Storage and the law

Information Age: What is currently dominating legal thinking on the storage, management and accessibility of corporate data?

Jeff Rodwell: The biggest driver in the UK has, perversely, been the US’s Sarbanes-Oxley Act, because that imposes very strict rules on the storage of data, its destruction and so on. That has created a huge interest in the document retention policies that are necessary for the proper preservation of records – and the need to make them accessible.

In the US, one of the big drivers is the desire not to retain old data that you don’t need because of the related litigation risk. Overall, that data may or may not be adverse to you but in the nature of things, there is sure to be some adverse material in there.

Jeff Rodwell, Reed Smith

Document retention is all about keeping the information you need to keep and destroying what you don’t need to keep. That has been driven worldwide by the dominance of American multinationals and also through the development of best practice models by organisations such as The Sedona Conference.

The other legislative driver in the private sector has been data privacy regulation. That, of course, says that you must destroy personal data once it is no longer required. More than just for the avoidance of litigation, it is a mandatory obligation to destroy such data once it is no longer needed.

IA: How sophisticated are organisations’ retention policies today?

JR: By far the most common policy is ‘keep everything’. The reason organisations are doing so is that it is dirt cheap to store material. But with that lack of sophistication comes the danger that you are keeping material that is adverse [to your interests].

What organisations are not realising is that it is very expensive to access. It is not satisfactory to look at the mere storage [system] costs. Storage by itself does not do anything; you are storing data for the purpose of possibly accessing it in the future. And even one access request can become very expensive.

Bear in mind that under the Data Privacy Act you have an obligation on the request of the data subject and their payment of the princely sum of £10 to produce all information related to that person that is reasonably accessible. What is ‘reasonably accessible’ is going to vary court by court, but there is a good argument that if you are storing it electronically it is reasonably accessible because it is searchable.

But still, getting a whole load of material from your archive tapes, running it through a search tool and finding all the occurrences of the [requesting individual] is not going to be a trivial exercise.

IA: To what extent have those levels of accessibility been used by lawyers looking for a ‘smoking gun’?

JR: We rub hands with glee. There may well be material in the defendant’s files that is favourable to him, but his obligation is to turn over all the material. Despite sophisticated tools, it is still a huge amount of work to go through archives of email, for example. But, particularly in the US, it can have an enormous impact: one email can turn the case.

If a lawyer doesn’t take advantage of all those avenues, they are running a serious risk of being negligent. There is a lot of material to be found in stored data and, particularly, in emails, especially as people are a little bit more relaxed about what they write in emails. They truly write some terrible things, and even if they think they have deleted them all, the material can still be obtained from the server.

So it is really dangerous for an organisation not to proactively and aggressively deal with its data storage policies.

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...