Most companies have struggled to dispose of unnecessary data accumulated over the last decade and find themselves retaining excess data, applications, servers and backup tapes that no longer have any utility and significantly add cost and risk to the company. Even though a company may have a long-standing records management program, these programs traditionally rely on a complex classification scheme and voluminous schedules, which can be very difficult for employees to interpret and apply. Such programs also typically fail to extend to electronically stored information, which may be governed by a separate set of policies and procedures. This disconnect results in considerable overgrowth in the volume of data being stored and managed, an elevation of overall IT costs, and a corollary increase in the costs and risks for information security and electronic discovery programs.
Much like IT costs, e-discovery costs are largely a function of data volume. As volume grows, it outpaces the IT and storage budget, overwhelms governance processes, and creates operational complexity that, in turn, increases compliance and financial risk. The more data that must be identified, collected, processed and reviewed, the greater the overall expense. Excess e-discovery costs can also lead to poor settlement dynamics by overshadowing the value of litigation, while lack of insight or visibility into true e-discovery costs can lead to late settlement decisions and excess run rate costs. Excess data also increases production timelines and the risks of inadvertently missing key evidence, both of which can result in sanctions. Historically, keeping more data was perceived as an effective risk mitigation strategy by counsel, but for most organizations, this is no longer true.
Similarly, unchecked data growth appreciably impacts information security programs. Much of the data stolen by hackers was orphaned, left sitting on file servers where nobody knew it was out there. These may include spreadsheets with payroll information or passwords saved by former employees, or copies of personal, health, financial, or proprietary information that has been derived from secure systems but is now unmanaged on an abandoned SharePoint site. The increased volumes also proportionally increase potential litigation damages, which are often calculated by record counts. Media headlines commonly use the same counts as a means of reporting magnitude. Retaining old, obsolete and redundant records within a company’s data systems increases both the potential legal and PR exposure should one of these systems be compromised.
Information management is no longer just an administrative service; it has become an organizational endeavor in asset management and compliance. Over the next several months, I hope to use this column to explore the impacts of unchecked data growth on corporate compliance and review the steps that can be taken to significantly reduce the compliance risk.
Published January 31, 2016.