Interviews

Delete, delete, delete?

by Mark Rowe

Time for a digital detox, writes Tracey Stretton, pictured, Legal Consultant at Kroll Ontrack.

Given the deluge of data we produce daily via email and sharing on social channels, it is quite clear we are now polluting our “virtual environments”. In 2011, Atos, the IT company, with its 76,000 employees in 52 countries, embarked on an ambitious plan called Zero email (trademarked), which aimed to reduce internal emails between employees to zero by the end of 2013 by relying on other communication channels such as social media tools. Atos did not achieve zero internal email by the end of 2013 but did reduce internal email message traffic by an impressive 60 per cent, with an 80pc reduction targeted for mid-2014. During this time of email abstinence Atos’ CEO credited business success to the initiative. This was a bold and commendable move, and one that prompted Gartner to report that a cultural transformation of this kind and magnitude is very rare.
Trend spotters are also talking about the emergence of cyber-cleaning services which will help clean up our virtual environments. A key question, however, is whether anyone has the time to backtrack and purge or clean up data storage. It has become so cheap and easy to stash data and search across it, and so hard to decide what to keep and what to throw away. Unless there is a legal reason to delete, a risk in not doing so, or a clear business case for carrying out a digital detox, will it ever happen and how?

One approach reported on recently was to take drastic action. The CEO of a technology company not only deleted the entire contents of her inbox but also got rid of her email account altogether in order to focus on an important internal project. She called email a “time bandit” that sucks in important stuff alongside irrelevancies.
For companies, however, and especially those exposed to legal and regulatory action, retention and deletion raise some interesting legal and technical questions.

How do you decide what to keep and what to delete?

It’s all well and good to purge the data from your mailboxes and devices, but what if there is a law that impacts on your business or a litigation hold in place requiring you to keep certain data? You cannot simply delete with gay abandon and ignore legal requirements to retain certain records, company policy that instructs you to keep valuable intellectual property or document preservation obligations set out in the rules governing litigation. Blind deletion can have serious consequences, including court-imposed sanctions for destroying evidence when litigation is on the horizon.
The key principle of records management has always been and remains to retain records for as long as is legally necessary and until they have outlived their operational shelf life.
When it comes to what is legally necessary, there are many statutes that impact document retention requirements for UK companies including, to name but a few, the Companies Act, the Value Added Tax Act and the Finance Act. The introduction of new UK data retention laws in July this year and the recent debate about “the right to be forgotten” have thrown the spotlight once again on laws like these which regulate what data companies should keep and delete.

To have and to hold, or not?

The Data Retention and Investigatory Powers Act is an example of a new piece of legislation that imposes additional obligations on telecommunication and related companies to store data. It was introduced in the UK in July, completed its passage through the lower chamber in just one day and is currently facing a legal challenge by a civil liberties group. Under this Act “communications data” must be stored by public telecommunications operators if the secretary of state considers that this data retention is “necessary and proportionate” to help detect and prevent terrorism and other serious crimes. This affects data about telephone and internet communication (for example, the source, destination, date, time, duration and type of communication). The content of the communications itself is not affected and is protected by other laws. It is anticipated that under new rules telecom companies could be asked to comply with data retention orders and store data for up to a year whether they are based within or outside of the UK. Other companies that facilitate “the creation, management or storage of communications transmitted, or that may be transmitted” are also susceptible to the DRIP Act.

At the other end of the spectrum, Article 12 of the European Data Protection Directive 95/46/EC provides a legal foundation for the right to be forgotten. Individuals have this year claimed that certain data and links to it retained by Internet search engines should be deleted so that third parties can no longer trace it. The draft European Data Protection Regulation which will supersede the directive also includes specific protection in relation to the right to be forgotten. In May this year the European Court of Justice ruled against Google in Costeja, a case brought by a Spanish man, who requested the removal of a link to an article in La Vanguardia newspaper in 1998 about an auction for his foreclosed home, for a debt that he had subsequently paid. The court ruled that search engines are responsible for the content they point to and Google was ordered to comply with EU data privacy laws.
Whichever sector you are in, another legal reason to retain data that cuts across all businesses is the need to avoid sanctions or other court-imposed penalties for inadequate document disclosure in legal actions. The failure to retain documents may also negatively impact a party’s ability to bring legal claims within the stipulated statutory limitation periods. The task of crafting a compliant records management programme is consequently complex and requires specialised legal expertise.

How do you get to the data to delete it?

Technical expertise is also important when it comes to data cleansing. You may find it easy to delete posts on your company’s chatter tool or on Google Docs, but you can only really delete what you can see and that is just the tip of the iceberg. Data that you cannot see exists but is hard to get to and to delete. How do you persuade your IT department to deep cleanse their archives or sift through a mountain of backup tapes, delve into them and delete certain categories of data? In fact, computer forensic experts will tell you that you cannot selectively delete data from backup tapes. Situations do arise when companies literally have thousands and thousands of unlabelled tapes which their computer systems cannot read anymore. These are simply stored and a legal hold is put on them as a precaution because no-one is sure any more what is on them and no-one is prepared to take the decision to destroy them. There are ways of sampling the data on massive tape collections like this, allowing some reliable decisions to be made about the likelihood that they contain relevant data that must be preserved. Why would you do that? It is expensive for lawyers to trawl through the data on mounds of tapes just because you have them when a legal action arises, and of course when offices close or relocate the “tape mountain” needs to be moved or stored somewhere. For change to be effective, it also has to be dramatic!

Routine detox
Of course, the best way to avoid situations like this arising is to routinely delete data in accordance with a company’s retention and deletion policy. Many companies have policies but very few implement them. One way of raising awareness about this would be to hold a data detox day every six months so that deletion becomes a part of a company’s culture and its routine, good faith business procedures. If there is no reason to retain data, the message has to be delete, delete, delete.

Visit www.krollontrack.co.uk.
