Organizations have been over-retaining electronic information for decades and then failing to dispose of it in a legally defensible manner, even when both the business and the law will allow them to.
And it is a problem—a monster problem. The best way to address this problem is to break it into more tractable sub-problems: day-forward information disposition and historical informational disposition. I won’t go into day-forward information disposition here, but suffice it to say that it’s a much easier problem to solve. Let’s therefore stipulate that it’s taken care of, and focus here on disposition of the pile of historical information.
- First, note that the problem is likely to be large. You may have hundreds of terabytes or even several petabytes (that’s 1,000 terabytes) lying around waiting to cause you problems. It may take you years to fully address that pile, but you should start soon and you should plan to take many smaller steps, rather than just a few big steps.
- Second, I’m going to focus here on just the methodology that’s specific to defensible disposition. I’m going to talk about four specific steps in the defensible disposition methodology, but these four steps should be embedded in a larger, ECM-type program and project methodology.
Here, then, is how to do defensible disposition. It primarily consists of developing and then executing four pieces:
- The Defensible Disposition Policy
- The Technology Plan
- The Assessment Plan
- The Disposition Plan
In this post, I’ll focus on the first two pieces: the Defensible Disposition Policy and the Technology Plan. Check back for the last two pieces in my next post. (Hey, this is a big nut to crack!)
- Develop Your Defensible Disposition Policy
The first step is to develop your defensible disposition policy. This is the design specification that states very clearly the objectives that your methodology will fulfill. You should be able to defend your actions by pointing at your policy for defensible disposition, which shows what you intend to do, and then showing that you are following it. Here’s how to develop the Policy: First, recognize that you must satisfy four demands, three of which concern retention:
- You have Regulatory retention requirements
- You have Hold retention requirements
- You have Business retention requirements
- And then you must address the negative or positive Cost impact of anything you do
Second, note that everything you do has an impact, whether you do nothing at all or take action aggressively. The impacts result from 1) what you do, and 2) the effects of what you do. In the defensible disposition scenario, there are two relevant types of activities. You can sort your files (or assess them; same thing). And you can dispose of your files. Disposition here means the two extremes, in the range from “purge immediately” to “keep forever”, with many points in between. You can now state your mission in two equivalent ways:
Records Management Version: Your mission is to assess and dispose of your organization’s information in order to satisfy your retention demands (numbers 1 through 3, above) while also minimizing bad cost impact (number 4).
IT Version: Your mission is to assess and dispose of your organization’s information in order to maximize good cost impact (number 4) while also satisfying your retention requirements (numbers 1 through 3).
The two mission statements mean the exact same thing, depending on how you specify what the terms mean, but lawyers and records managers like the Records Management Version more than the IT Version, because it focuses attention on satisfying retention demands. Conversely, IT folks like the IT Version more than the Records Management Version, because it focuses attention on reducing costs and increasing savings.
Note that your mission statement still needs to be a lot more specific. You need to determine the extent of your regulatory, hold, and business retention requirements. (To pick just one example: Is your company clear on what’s a record, versus a high-value non-record, versus a low-value non-record?) You also need to determine what “satisfy your retention demands” really means for your organization, considering things like your regulatory and litigation profiles. And you need to clarify what your organization means by bad or good cost impacts.
You don’t have to write down specific dollar amounts, but you do have to be pretty clear about, for instance, when the costs of storage or a deeper level of document classification are burdensome. The good news is that you don’t need to be perfect; you don’t have to perfectly satisfy your retention demands. You do need to use the Principle of Reasonableness and act In Good Faith.
As Jim McGann and Julie Colgan explain, Courts do not ask, expect, or necessarily reward organizations for perfection. Courts do expect, however, that whatever information management tactics an organization undertakes are appropriate to how that particular entity is situated (size, financial resources, regulatory and litigation profile, etc.). So clarify the vague parts of the mission statement and you have your defensible disposition policy.
To review, the policy is the design specification that lays out very clearly the objectives that your methodology will fulfill. The next four pieces of your methodology succeed or fail solely by how well they together fulfill the policy.
- Develop Your Technology Plan
Using technology for the heavy lifting in the file assessing and disposing processes is absolutely necessary. But there are two sources of complexity in finding and using the right tools that make it a challenge: First, the “analysis, classification, and disposition” market is young and a mess. The relevant vendors and products come from file analytics, content analytics, content classification, ECM, e-discovery, search, document capture (yes!), data loss prevention, and storage management. The delivery channels include products and modules you install at your site, hosted solutions, and service providers who may use a variety of products. The variety of vendors includes IBM, HP/Autonomy, EMC Kazeon, Kofax, Equivio, Rational Retention, StoredIQ, Recommind, Index Engines, and many others. Most of these vendors have a sweet spot (or spots) where they can succeed, but it’s not easy to locate that spot and successfully match it up with your needs. And that leads to the second complexity.
Second, you typically have to use a variety of different techniques and thus tools to efficiently assess a significant pile of files, since the tools have different sweet spots. There is no universal assessment technique and thus no universal assessment tool. This means that you need a Technology Plan that fits the right tools to your Assessment Plan and Disposition Plan, the last two pieces of this four-step approach, both of which I’ll discuss in my next blog post.
So stay tuned, boys and girls. Like I said, this is a big nut to crack.