On several occasions over the past few weeks I found myself asking, “why do they still have that data?” and there was never a good answer to my query. In one case, the data being sought was over 10 years old, on a server from an old network, sitting under some dusty boxes in an abandoned storeroom…but it was there. In another case, the data was in a bunch of boxes in the attic of a rental unit and was, apparently, accessible to several different groups of renters and a multitude of handymen responsible for maintenance on the property. The former data collection referred to an investigation of a remote former employee that could open the employer up to legal action, and the latter was a collection of medical records from hundreds of patients treated from the late ’90s to 2013, which appears to be a fairly substantial HIPAA violation.
Keeping data forever may not be in your best interest, and there are sound legal reasons for purging it as soon as legally possible, not to mention the General Data Protection Regulation (GDPR), which went into effect in the EU on May 25, 2018 and mandates destruction in certain instances. It is perplexing that many attorneys and business professionals do not comprehend that considering when to get rid of data is almost as important as securing the data currently in use in the system. Knowing when to purge data can be beneficial in many scenarios. If a business is sued and has data going back 20 years, that data may be discoverable by the opposing attorney. There are arguments regarding relevancy and the cost to produce, but not having to make the argument is a much easier way to win it.
For a lawyer, knowing when to get rid of data should be part of your analysis. Thereafter, knowing how to actually dispose of it is another issue altogether. As many people are no doubt aware, deleting something does not remove it from existence. In fact, deleting it usually means it just moved to a different area of the drive. Eventually, it might be written over, but storage capacities of computers are increasing exponentially and it is unlikely the “deleted” data is being overwritten thoroughly and regularly enough to render it no longer recoverable and/or readable. Remember the server wipe? It takes a specialized program to write over data so successfully that it cannot be mined for information. The National Institute of Standards and Technology (NIST) recommends some of the following methods to ensure different types of data are actually permanently inaccessible: cross-cut shredding; disintegration; pulverization; and incineration. Yes, NIST recommends cross-shredding it, dissolving it, smashing it to pieces and/or burning it, so that should get your attention.
To be sure, if data is to be purged, it should be purged completely. That means a change in the server or computer network or system being utilized by any business should be evaluated and a timetable should be set for a suitable purge date. In some instances, there may be a requirement to maintain records for a certain number of years and, beyond that, there may be additional requirements for perpetual storage depending on the data and the enterprise that collected it. As counsel or a business owner, you should make a reasonable inquiry into the length of time data is required to be maintained and put policies and procedures in place that require the absolute, total destruction of that data at the appropriate time.
As a general rule of thumb, documentation supporting individual tax returns is required to be retained for three (3) years from the date of the filing of the return, but most people retain IRS records for seven (7) years to support deductions and losses. For businesses, many portions of the employment records can be deleted after three (3) years, but there may be overlap with other types of records contained within those files. Employment tax records should be retained for at least four (4) years and records related to depreciated assets should be kept for seven (7) or more years depending upon the life of the asset in question. Additionally, activities such as fraud, concealment or contractual obligations can extend the time necessary for retention, and state laws may vary. In many instances, the volume of the records retained can be reduced dramatically, saving administrative costs and storage fees.
Here are five things to consider for purging data:
1. Statutes of Limitations for retention.
2. When was the last time you used it?
3. Analyze who may want it and why.
4. Estimate the potential costs of keeping it.
5. Think about how it should be destroyed.
So take the time to get rid of the data you or your clients are no longer using and, once gone, make sure it cannot come back to bite you or them.
Julie-Karel (JK) Elkin focuses on IT and Health Data, Litigation (Business and Commercial, Insurance Coverage and Bad Faith) and Products Liability law in the Nashville office.