Content Disposition: Do You Have to Be Right to be Defensible?

I recently took part in a working session with the legal team from a Fortune 100 firm and their outside counsel to finalize a process for deleting content that belonged to employees who had left the company. As you might expect, a major part of the session was concerned with whether the process would be defensible, meaning whether it would survive scrutiny in a court of law. But we actually spent zero time discussing whether the process represented a best practices (or even good practices) approach to information management. Our focus wasn’t on the process being “right.”

To those of you involved in information management, this may seem strange. After all, wouldn’t the defensibility of a process for managing information require a company to design that process with information management best practices in mind?

The short answer is nope.

Four Requirements of Legal Defensibility

The somewhat longer answer is that legal defensibility fundamentally requires four things, none of which have very much to do with being right — at least not in the way that the average person (non-lawyer) means it:

  1. Good faith effort that guides your decisions about what you’ll do
  2. Policies that define what you’ll do based on your good faith effort
  3. Procedures and processes that define how you’ll do what your policies said you’ll do
  4. Audits that demonstrate that you did what you said you’d do, in the way you said you’d do it

All four of these elements could very well be in service of information management practices that are less than optimal according to ARMA, AIIM and others.

Clean Up From a Defensibility Perspective

Imagine your organization made the unfortunate decision 15 years ago to conflate backup for disaster recovery and business continuity with archiving for records retention. Every week, IT backed up the shared drive environment to tapes and put those tapes on a shelf. The next week, they popped in new tapes and did the same thing — week after week, month after month, year after year. This means you now have 15 years’ worth of tapes that are not only potentially discoverable, but most likely difficult (if not impossible for the older ones) to restore and read.

Understandably, you want to get rid of as many of these as you can and change your IT process so backups only go back a short amount of time (like a week) and then are overwritten — while a separate process handles long-term archiving for records retention.

If you followed information management best practices, you’d want to figure out what’s on each of these tapes, evaluate whether it’s on legal hold, a record, needed by the business, ROT, etc., and dispose of it based on that analysis — and you’d die trying, either because of how long it would take to do, or because management would have your head for how much it would cost to complete.

If you wanted to tackle tape clean up from a defensibility perspective, however, the task is much simpler:

  1. Create a policy that says that backups are for the purpose of business continuity and disaster recovery only and will be maintained with one week’s worth of data. Further, the policy should state that any tapes created and stored prior to the publication of this policy that are out of compliance with the policy (e.g., because they contain data that are older than one week) will be destroyed (unless they are specifically on legal hold).
  2. Define a process for evaluating the age of data on tapes and for destroying tapes that are out of compliance with the policy.
  3. Follow the process.
  4. Audit the process to document that it was followed.

Taking an Auditable Approach

What if a court doesn’t agree with the approach to information management that drives your policies, procedures and auditing? This will differ from case to case and judge to judge, but — if recent cases are any indication — the fact that your organization took a deliberate, policy-driven, repeatable and auditable approach will likely be more important than whether the judge would have done it exactly as you did. They may very well give you guidance on changes to your policy and process if they vehemently disagree, and you will thank them for the feedback and make the changes.

In the example of the tapes, what won’t happen is having to perform discovery on hundreds (or thousands) of tapes, because you’ve disposed of them defensibly: in accordance with policies and procedures — rather than through a capricious or arbitrary effort that could be construed as negligence or spoliation.

The Limits of Defensibility

The principles of defensibility we’ve looked at here will only go so far. You couldn’t use them to “defensibly” do something obviously illegal. For example, just because you have a policy that says you will delete all emails related to litigation rather than hold them doesn’t make this approach defensible. However, if you had a policy that allowed you to delete content whose legal hold status you couldn’t determine (after following a defined process and good faith effort), you absolutely could do so with the expectation that a court would consider it defensible.

Partner with Your Legal Team

There’s only so much you can learn from a blog post, and certainly you should not consider this article to be legal guidance. Before you go rewiring your information management program to focus on defensibility, get your legal team involved. After all, they are the ones who ultimately will be on the hook for the defensibility of your information management practices. They need to be on board and comfortable with what you do — and once they are, your focus on defensibility can make much more progress and add much more value than a focus on being right ever would.

Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.