On Thursday, August 30, 2018, the Jacksonville Chapter of ACEDS held a panel discussion on “Data Destruction Minefields and Defensibility” at GuideWell Source. The panel, moderated by ACEDS Jax Board Member, Serena Selzer, covered topics ranging from data destruction post-litigation, the risks of early destruction, and destruction protocols. Below are some of the questions and answers discussed by the panelists:
- Ana Johnson, Esq., CEDS, Of Counsel at Gunster Yoakley, ACEDS Jax Board Member
- Eric Sedwick, Records Management, Advocacy & Oversight, TIAA, Past-President ACEDS Jacksonville
- Michael Lombardi, VP of Sales and Operations at DataSavers
Post Litigation Destruction
When should a party to litigation begin thinking about document destruction, and what should they be thinking about?
Outside counsel perspective – Document destruction is part of every protective order I prepare. I like to address the subject early on and begin discussions with opposing counsel as to how materials (confidential and non-sensitive documents) will be handled at a matter’s conclusion. I agree to terms with opposing counsel up front, such as whether media will be returned, how it will be purged from their system or shredded, etc. Parties should also certify that they have complied.
In-house perspective – Also, bring in broader business considerations in addition to outside counsel’s perspective. Consider both the role of the corporation (client) before sending documents to outside counsel, and the corporation’s role in helping outside counsel with the management of their data. Utilize Master Service Agreements (MSAs) with outside counsel and any third party providers, that they must review, sign and follow regarding your company’s data.
What steps should you take after a matter concludes to make sure you comply with document destruction policies?
Outside counsel perspective – Prepare an internal protocol for the law firm. Work with IT to help with the destruction of documents on servers and backups. Work with the billing department to see which attorneys and paralegals worked on a matter. Require each attorney, paralegal or staff member to certify compliance. Also, take into account whether there is a request from opposing party to destroy their client’s records.
In-house perspective – Consider – do you want the data back, do you want it destroyed? What is the time frame?
What pitfalls have you encountered with a document destruction protocol?
Outside counsel perspective – One solution that I implement to counteract firm employees saving documents in decentralized places is the use of Naming Conventions. I have everyone create a folder on their desktop to drag and drop documents for destruction. I also have them copy a uniform folder name so IT can identify the proper folder. Another pitfall is that getting people to pay attention once a matter has concluded is difficult, but necessary.
What measures can you take to save your client money when dealing with document destruction?
Outside counsel perspective – Standardization of the process is the best approach – from the initial protective order to the document destruction protocol. Keeping it simple and straightforward saves time and resources.
Risks of early destruction vs. Risks of not destroying
Outside counsel perspective – Spoliation is a risk so you will need a robust litigation hold policy and data destruction policy. Send litigation hold letters with engagement letters to clients. Have ESI folks talking to IT people. Find out when e-mail roll off is. Find out if Data Destruction Schedules within Records Management Policies have been / are being followed and enforced.
In-house perspective – Cyber breach / Data Loss – You can’t lose what you don’t have. If you don’t need it anymore and you destroy it, then the risk of breach or loss goes down
Consider, after matter is technically ended, could data still be needed following the end of litigation? e.g. Could the lawsuit be appealed? Do you have a certain number of years a record must be kept after the conclusion of the legal matter? Do not give official copy of a record to outside counsel assuming that will cover the corporation’s requirements to maintain.
Destruction Protocols / Retention Policies
Outside counsel perspective – Issues that arise here are failure of companies to have Retention Policies in place and follow them. When a client’s records go back 30 years, that brings a lot of issues. Discuss and consider what you need to keep from a regulatory standpoint, and what you don’t need to keep. Also, failure to follow your own company protocol regarding destruction can lead to huge litigation cost
In-house perspective – Compliance with disposal component of retention schedule is based on minimums, but business can keep them longer, so they sometimes end up keeping them forever. This may lead to not being comfortable with complying with production requirements. You also need business management buy in that the corporation is going to dispose/destroy.
Use of Vendors
Vendor perspective – How do you choose an appropriate destruction vendor? Consider – What are drivers? Is a destruction vendor a commodity purchase? When and how do you consider cost? There are many things to consider in choosing a vendor and implementing actual document destruction. Is there a “Best practice” in shredding industry? What about particle size versus process control? What are Personnel security considerations involved in the destruction process? On-site versus off-site – advantages, disadvantages, risks associated with each? For example, SHRED-IT is the largest document shredding company in the U.S. and has abandoned mobile destruction (on-site). Is this a trend or fad? Can shredded documents actually be reconstructed? How? What can you to do to prevent this? Are your destruction practices in compliance with various regulations such as: FACTA, HIPAA, PCI compliance? Outsourcing vs in-house shredding. Why chose one over the other? Consider Chain of Custody and Span of Control during the destruction process such as handling, transporting, storing prior to destruction, destruction, disposal and recycling. What are risks at each touch point? What are the Social and environmental concerns when choosing a destruction provider and method of destruction? Should we be concerned about the following? Recycling, Incineration, Energy consumption, and Pollution?
And with this the ACEDS Jax Data Destruction panel presentation concluded, and the group retired to River and Post for a post-event Happy Hour sponsored by LogistiCare. All in attendance felt the value of being a part of the ACEDS community and the grass roots education and networking efforts of our local Jacksonville Chapter.