Defensible Disposition Jennifer Crawford, CRM Director, Product Management


Iron Mountain

What We Will Cover

What is Defensible Disposition?
Defensible Disposition: Disposal (deletion/destruction) of content in good-faith compliance with legal, regulatory, privacy, and security requirements.

Managing Records Does NOT Require Perfection
FRCP 37 recognizes that reasonable steps to preserve suffice; it does not call for perfection.
Reasonable steps: routine, good-faith operation of an electronic information system is a factor to consider.

Bare Minimum Path to Defensible Disposition

Tell Me About Yourselves
Which of the following are true?
Where is your RIM function? Compliance, Finance, Legal, Operations/Corporate Services, Risk, Sourcing/Vendor Mgt, Technology, Elsewhere?
  We always consistently dispose in accordance with our retention schedule and preservations because we are perfect.
  We have a retention schedule and preservation policy, but we struggle to convince legal or other stakeholders to get comfortable with destruction.
  We have a retention schedule and preservation policy, but we struggle to enforce individual employee adoption and/or technology implementation across the company.
  We need improvements to our policy/retention schedule before we can even begin to think about defensible disposition.
  We just do what Legal tells us to do.

Why Should I Care? The Value of Defensible Disposition

Exponential Growth in Electronic Data Results in Crippling Costs
90% of all information was created in the last 2 years.

44x more information will exist in 2020 than today.
650% volume increase between 2005-2015.
Requires 50% more staff to manage.

Most Organizations Over-Retain Information
According to a 2012 Compliance, Governance and Oversight Counsel (CGOC) survey, at any given time: 1% of corporate information is on litigation hold; 5% is in a records category; and 25% has current business value. This means that as much as 69 percent of all the data stored in an organization could be defensibly eliminated, that is, disposed of without increasing the risk to the company of undercutting business initiatives or risking legal or regulatory penalties.

Save on Costs and Drama
69% of information within a company is needlessly retained far beyond retention requirements. Over-retained information is a liability and racks up costs.
They can't hack what you don't have. Get rid of what you legally can to protect yourself from data breaches.
Every company, regardless of size or industry, should have a current retention schedule in place.

Managing Costs and Risks
While the basic cost to manage a terabyte of information may be about $5,000, if that terabyte is retained unnecessarily and becomes the subject of discovery (and collection, processing, analysis, and review), that unneeded data may cost the organization an extra $15,000; i.e. $20,000 per TB.
Jake Frazier & Anthony Diana, 'Hoarders': The Corporate Data Edition, LAW TECH. NEWS (Dec. 19, 2012).

Data Breach Costs
Data breach laws in the US and Europe are increasing fines and liability for failure to protect private information maintained on individuals, increasing the risks of maintaining information that has outlived its usefulness. For example, EU fines can be as much as 4% of global sales or 20 million euros.

BENCHMARK REPORT: Demographics
1000 respondents from around the world in 12 industries and federal and local government
70% ARMA Members
85% North America

15% Europe, Asia, Africa, Latin America, Mid East

BENCHMARK REPORT FINDINGS: Transforming Info Management
KEY THEMES
1. Organizations recognize IG as a business priority yet still struggle to overcome institutional and cultural barriers.
2. Automation of critical lifecycle and governance activities is elusive.
3. Lack of training and compliance monitoring continue to inhibit RIM and IG program maturity.

BENCHMARK REPORT FINDINGS (2013 | 2014 vs 2016 | 2017)
WHAT THIS MEANS: No forward progress in RIM and IG program maturity

How Do I Get There? Implementing a Defensible Disposition Program
Remember this slide?

Bare Minimum Path to Defensible Disposition

INSIGHTS: Records Retention Schedules
Respondents continue to seek improvements. Opportunity to Improve (chart comparing 2013 | 2014 with 2016 | 2017): Fewer categories; Fewer event-based periods; Uniformity across business; More up-to-date; Global standard; Not reacting quickly enough to changes in laws and regs; Employee misapplication of rules to records; Inaction based on not knowing when a trigger occurs. Chart values in slide order: 63%, 59%, 67%, 65%, 69%, 71%, 55%, 60%, 44%, 32%. 20% of respondents say they need no improvement, while in 2013 | 2014 that number was 41%.
SIDE EFFECTS MAY INCLUDE: Inconsistent retention rules for like records; Difficult to apply to electronic records.

Prescription For Change
Take a closer look at how you can collapse classes into larger buckets for ease of use by employees and technology.
35% STILL FIND IT HARD TO MAP RECORDS TO SCHEDULE (Same as in 2013 | 2014)
Use automated tools to classify records on creation or through a workflow.
CHECK OUT EVENT-BASED RETENTION GUIDE: Practical advice for reducing amount, capturing triggers and more.
IRON MOUNTAIN'S POLICY CENTER: Notification of changes to the Schedule as rules and regs change; Global research; Cloud-based for easy access across the enterprise.

Path to Defensible Disposition
Update/refresh retention schedule every 12-18 months
Be aware of and enforce privacy obligations

Make sure everyone is working from the same version of the truth
Train all employees at least annually on retention/privacy obligations
Enforce record code application through process and system controls, such as:
  Require that all electronic systems include ILM capabilities, including record code classification (automate disposal)
  Require authorized record code application when creating orders to send boxes to storage (NO commingling!)
  Require standardization of onsite storage procedures, to include indexing and lifecycle management
  Update business processes to include record code classification and other lifecycle-related metadata, such as: Record Code; Retention Start Date (Event Date, Create Date, Receipt Date, etc.)/Destruction Eligibility Date; Unique Identifier, Departmental Identifier, System Identifier, etc.
Other best practices?

Path to Defensible Disposition
Central tracking/maintenance mechanism for preservation management
Ensure that preservation data is current and trustworthy, with unique hold codes and specific, actionable, metadata-level parameters (custodian, record class, application/system level, etc.)
Train all employees at least annually on preservation obligations
Enforce preservation/hold code application through process and system controls, such as:
  Require that all electronic systems have unique identifiers/content descriptions so that holds can be placed at system level, and implement controls to prohibit destruction eligibility when under preservation
  Apply hold codes to boxes in offsite storage, with rules that boxes with hold codes are not destruction eligible
  Update business processes/systems to contemplate preservation requirements and implement controls to prohibit destruction eligibility when under preservation
  Get rid of copies/duplicative information where the Rule of Best Evidence does not apply
Other best practices?

Path to Defensible Disposition
Are you confident that retention has been satisfied and no preservations apply? If yes, then:
Electronic Deletion: Full deletion of all content + upstream/downstream data without possibility of reconstitution. Disposition Summary vs keeping a full metadata log of what was destroyed.
Offsite Storage Destruction (for all media): Review Destruction Eligibility Reports produced by the vendor; No destruction without authorization from the customer's central point of contact; Vendor destruction chain of custody/destruction practice confidence; Certificates of Destruction.
Onsite Physical Records Destruction: Secured containers for disposal, emptied securely and routinely. Who has the key? Clean Desk Policy.
Other best practices?

Path to Defensible Disposition
How current is your retention schedule? When was it last updated? What changed and when?
What is on hold? When was the hold established? Who established it? What are the parameters?
What was on hold? When was the hold released? Who released it? What were the parameters?
What was destroyed? (Summary/batch info may be sufficient) When was it destroyed? Who authorized destruction?
When were your employees trained on retention policy? Who completed the training?
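An added example, not code from the presentation or from Iron Mountain's products, of the two controls the slides call for: a destruction-eligibility check that derives the eligibility date from the record code and retention start date, refuses destruction while any hold code covering the record class is active, and writes every decision to a log that answers the audit questions above (what was destroyed, when, who authorized it, which hold applied). The record codes, retention periods, hold codes, identifiers and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample schedule: record code -> retention days after the retention start date.
RETENTION_SCHEDULE = {
    "FIN-AP": 7 * 365,  # accounts payable, 7 years
    "HR-REC": 3 * 365,  # recruiting files, 3 years
}
@dataclass
class Hold:
    """Preservation hold: unique hold code plus the record classes it covers."""
    hold_code: str
    record_codes: frozenset
    established: date
    established_by: str
    released: Optional[date] = None  # None while the hold is still in force

    def active_on(self, day: date) -> bool:
        return self.established <= day and (self.released is None or day < self.released)

@dataclass
class Record:
    record_id: str         # unique identifier
    record_code: str       # retention schedule class
    retention_start: date  # event, create or receipt date that starts the clock

def destruction_eligibility_date(rec: Record) -> Optional[date]:
    """Retention start plus the scheduled period; None if the code is not on the schedule."""
    days = RETENTION_SCHEDULE.get(rec.record_code)
    return None if days is None else rec.retention_start + timedelta(days=days)

def evaluate(rec: Record, holds: list, today: date) -> dict:
    """Decide eligibility: an active hold always blocks, then the retention clock applies."""
    eligible_on = destruction_eligibility_date(rec)
    blocking = sorted(h.hold_code for h in holds
                      if rec.record_code in h.record_codes and h.active_on(today))
    if blocking:
        reason = "hold"
    elif eligible_on is None:
        reason = "unclassified"  # no record code on the schedule: never eligible
    elif today < eligible_on:
        reason = "retention"
    else:
        reason = "eligible"
    return {"record_id": rec.record_id, "eligible": reason == "eligible",
            "reason": reason, "holds": blocking, "eligible_on": eligible_on}

def dispose(rec: Record, holds: list, today: date, authorised_by: str, log: list) -> bool:
    """Destroy only when eligible; log every decision (what, when, who, why, which holds)."""
    decision = evaluate(rec, holds, today)
    log.append({"record_id": rec.record_id, "record_code": rec.record_code,
                "date": today.isoformat(), "authorised_by": authorised_by,
                "action": "destroyed" if decision["eligible"] else "retained",
                "reason": decision["reason"], "holds": decision["holds"]})
    return decision["eligible"]

def run_demo() -> list:
    """Constructed scenario: a 2017 invoice under a legal hold that is later released."""
    today = date(2024, 6, 1)
    hold = Hold("LH-2023-01", frozenset({"FIN-AP"}), date(2023, 3, 1), "Legal")
    invoice = Record("AP-000123", "FIN-AP", date(2017, 1, 15))
    log = []
    dispose(invoice, [hold], today, "records.manager", log)  # retained: hold active
    hold.released = date(2024, 5, 1)
    dispose(invoice, [hold], today, "records.manager", log)  # destroyed: clock met, hold released
    return log
if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```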

Can you demonstrate conformance to Right to Erasure data handling (and other GDPR/Privacy requirements) at the individual level?

Let's talk about Privacy and the GDPR

GDPR Applicability: General Data Protection Regulation
Does my company offer goods or services to Individuals?
Does my company monitor the behavior of Individuals?
Does my company have employees in the EU?
Answering these three questions can help determine whether your company is impacted by the GDPR. If the answer is yes to any of these questions, the GDPR may apply to your company.
Source: Essential Guide to the GDPR, TRUSTe

Major Provisions of the EU General Data Protection Regulation
Scope: EU law would apply to EU citizens' personal data, even if the data is collected, stored, processed, etc. outside of the EU.
Definitions and conditions to consent: Data subjects would have to give explicit, fully informed consent to anyone processing personal data.
Profiling: Restrictions on profiling would mandate a highly visible right to object.
Right to compensation: EU citizens would have the right to seek compensation for monetary and nonmonetary damages from any data processing considered unlawful by the EU.
Sanctions: Fines for noncompliance could reach 20 million euros or 4% of total worldwide annual turnover of the preceding year (whichever is higher).
Schoch, Teresa Pritchard. EU Privacy Regulations Impact on Information Governance. Information Management, January/February 2016.

Major Provisions of the EU General Data Protection Regulation, cont'd.
Permission: An organization must obtain permission from an EU DPA and inform the affected person before complying with a non-EU country government's request to disclose personal data processed.
Breach notification: The notice of breach requirement is set at within 24 hours of breach.
PII definition: Personally identifiable information (PII) includes personal information as any information that, if combined with another available piece of information, would allow the identification of an individual. Information does not need to be assimilated to be considered PII.
Sensitive data definition: The EU definition of sensitive data relating to background such as religion, national origin, medical history, sexual orientation, etc. is more specific than before. Holding this type of information will require more stringent security, since the impact of dissemination is considered more egregious.
Schoch, Teresa Pritchard. EU Privacy Regulations Impact on Information Governance. Information Management, January/February 2016.

Impacts of Data Breaches
Nonexistent Information Cannot Be Breached
Lawsuits; Negative publicity; Fines and penalties; Damage to brand equity; Loss of customer loyalty; Damage to company reputation; Loss of revenue; Increased operations costs; Erosion of share price; Loss of intellectual property
They can't hack what you don't have. Get rid of what you legally can to protect yourself from data breaches.
Schoch, Teresa Pritchard. EU Privacy Regulations Impact on Information Governance. Information Management, January/February 2016.

GDPR High Risk Data
Remember also that it is not enough to conform to data handling requirements under the GDPR; your company also must be able to demonstrate that it conforms.
Source: Essential Guide to the GDPR, TRUSTe

GDPR Obligations
Maintain the data subject's consent for collection and use
Protect the data from unauthorized access
Retain the data for the appropriate length of time and dispose of it subject to the EU's limitations on the length of time it can be kept
House it in a manner that would allow immediate access to it and action to meet the EU's quick data breach notification requirements
Schoch, Teresa Pritchard. EU Privacy Regulations Impact on Information Governance. Information Management, January/February 2016.

INSIGHTS: Barriers to Disposition
"Keep everything" culture is an impediment to efficient RIM/IG
Can't let go of information, even if eligible
Cannot obtain approvals for destruction
Ineffective data analytics
Chart values (2013 | 2014 vs 2016 | 2017) in slide order: 78%, 81%; 64%, 64%; 37%, 40%.
SIDE EFFECTS MAY INCLUDE: Unnecessary exposure to breaches; Increasing storage costs; Over-production for litigation; Time consuming searches.

INSIGHTS: Automation Deficit to Assist with Disposition
2013 | 2014: 75%; 2016 | 2017: 78%
Lack of automation processes remains the greatest barrier to timely and consistent disposition for paper and electronic records.

Scoring Your Disposition Program
CONTROL: Secure Destruction of Eligible Records
DESCRIPTION: Records eligible for destruction are securely disposed of in accordance with RIM Policy and Information Security protocols.
SUPPORTING INFO: Roles and responsibilities of the secure disposition process are clearly defined and communicated in policy and procedure. Electronic data or physical record secure destruction standards are upheld consistently and audited.
RATING:
1. All eligible records are disposed of routinely and securely. The process is documented and regularly audited.
2. Eligible records are disposed of securely, but the process is not audited or discrepancies have been found in the process.
3. Some, but not all, eligible records are securely destroyed or there is no confirmation in writing of the secure destruction.
4. Records are not disposed of in a secure manner.
Establish a consistent rating scale (LOW to HIGH) for all controls.

Prescription For Change
INSTITUTE A DEFENSIBLE DISPOSITION FRAMEWORK
Institutionalize a consistent protocol for all to use
Govern the program through ongoing monitoring and testing
Identify and address weaknesses in RIM/IG processes
Provide evidence of compliance to authorities

Creating Retention Schedules
Records Schedules are Complex
The amount of time an electronic record should be maintained by an organization depends on many factors:
The record classification,
The record content (e.g., does it contain private information),

Business needs,
Legal holds (is the information related to subject matter relevant to an identified litigation matter?),
Legal requirements imposed by local, state, federal, or global law and regulations.

Developing a Retention Policy
Records retention policies are, in part, subjective and are filtered through legal risk appetite, factoring in: Costs of over/under retention; Risks of over/under retention; Potential conflicts among legal obligations to purge/retain; and the impact of statutes of limitation, which may extend beyond retention periods.

Analyzing Conflicting Obligations in the Application of Schedules
Conflicts often arise when operations span different jurisdictions. When resolving conflicts, the key objective should be good-faith compliance with all laws and obligations. When this is not possible, the organization should thoroughly document its efforts to reconcile the conflict and its resulting decision-making process. When applying retention schedules, privacy, data protection, security, records and information management, risk management, and sound business practices should all be considered.
The Sedona Conference Commentary on Information Governance, Sedona Conference Journal, 15 Sedona Conf. J. 125, Fall 2014

Creating Legal Records Schedules: Costly Endeavour
Determining the retention schedule for a given organization through traditional methods of legal research is a labor-intensive and expensive effort. In the case of a global enterprise doing business in 130 countries, it could easily exceed one million dollars.
Dagan, Charles R., It's a Duty and It's Smart Business, 19 Rich. J.L. and Tech. 12 (2013), at 14.

Costly Schedule Creation
(An organization) could easily spend $10,000 per state jurisdiction. Best practice requires that schedules be updated annually or every eighteen months.
Dagan, Charles R., It's a Duty and It's Smart Business, 19 Rich. J.L. and Tech. 12 (2013), at 14, fn. 44.

Affordable Retention Policy from the Most Trusted Name in Records Management
COMMON BUSINESS CHALLENGES
Keeping records longer than required for legal, regulatory, or business reasons
Limited resources to build, curate, and update a legally defensible, global retention schedule
Inconsistent regulatory citation and change tracking that impacts legal defensibility
Manual placement of the rules and regulations across your content infrastructure
A retention schedule dictates how long records must be retained before they may be deleted or destroyed.

POLICY CENTER STANDARD EDITION
A prebuilt, legally defensible retention schedule management platform, backed by the same high quality legal research used by the world's largest companies.
Why does a prebuilt retention schedule matter to you?
Annual updates provided by Iron Mountain
A simple browser-based editor
Faster implementation of policy
Lower start-up cost
Easy way to share your policy within your organization
Maintaining a retention schedule through traditional methods of legal research is a labor-intensive and expensive effort. With Policy Center Standard Edition you can now:
Grow beyond manual, time-intensive processes to research, update, and communicate changes to retention policies
Keep your retention guidelines current and compliant for all types of information
Personalize your records classes and modify your retention rules
Subscribe to this prebuilt retention schedule without a large, upfront fee

Policy Center Solution Suite (editions: ESSENTIAL, STANDARD, PROFESSIONAL, ENTERPRISE)
Feature comparison, values in slide order:
Pre-Built Retention Schedule: Read Only; Partially Editable; Customizable; Customizable
General Business Functions Retention Schedule: Singular; Multiple; Multiple
Industry Specific Retention Schedule: Up to 5; Unlimited
Custom Views: 1; Up to 10
Country Coverage: US or Canada; US, Canada, or UK; Global
Retention Schedule/Rule Updates: Annual; Annual; Ongoing; Ongoing

Q&A

2017 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks and registered trademarks are the property of their respective owners.
