With changes now enforced by the GDPR, many firms are evaluating the processes to defensibly dispose of data for which there may no longer be a business or legal basis for retention. A legal hold is a process initiated when a legal department believes there is a requirement to preserve data, usually due to a pending litigation, audit or regulatory matter. The data types preserved by a legal hold vary and are dependent upon the nature of the issue addressed. Legal holds overrule standard retention policies or impact the retention (or disposal) of data relating to regulations such as the GDPR. At the point a hold is lifted, the data reverts to the retention period defined by the firm’s record taxonomy. Preservation is one step in the eDiscovery Reference Model (eDRM), commonly used by legal departments to define the end-to-end process of managing data and evidence.
In this interview, Citihub Consulting Partner, Matt Gall, discusses the increasing focus around effectuation of legal holds, the desire for defensible disposal and their relevance in a GDPR world.
Stay current on your favourite topics
What is a legal hold?
To understand legal hold, we should learn a little about how legal departments operate. Many new requests or work packages are initiated by a “legal matter”. This can be a new request initiated outside of the legal department, such as an HR case or a whistleblowing report, or directly from the legal department, for example by litigation. A subset of legal matters requires firms to preserve data. Legal hold is the term given to the need to preserve data for a potential future legal need, for example, keeping data for a potential court case. This might include any type of data, from emails, to trading instructions, to good old-fashioned hard copy. Legal hold is therefore concerned with the preservation of data, ensuring that data is not disposed of and is tamper proof.
What kind of data is preserved and for how long?
The starting point of a legal hold preservation process is to define the scope of the preservation requirement. Often, preservation requirements are segregated into two categories:
- Relating to a custodian or individual.
- Relating to a client.
In each category, there could be multiple types of data to be preserved. If the legal hold relates to a custodian (individual) then the preservation will likely require the preservation of email and chat records (for example). If the preservation relates to a client, then it might require keeping all transactions between the firm’s legal entities and the client during a set period. Custodian data is often defined as unstructured – email, chat, voice and shared drive contents are good examples of this. Client data is typically more structured – trade histories and archives – which usually reside on databases or other structured systems.
Once the legal matter is resolved, firms can lift the legal hold and subsequently the preservation notices on any data associated with the case, which can then be released to its underlying retention cycle. This means that the data can be deleted, if there is no legal basis to retain it.
One of the key challenges with achieving defensible disposal is that a custodian’s data may be subject to more than one legal hold. A firm can only dispose of that data once the last applicable legal hold has been lifted. Since individuals and legal holds have a many-to-many relationship, one legal hold can apply to multiple custodians and any given custodian can be subject to multiple legal holds. Firms must track the legal holds relevant to each custodian. Once the number of legal holds related to a certain custodian or data object is zero, then a firm can return the held data to its normal retention period. All this must overlay record management policies, since outside of legal holds, data is subject to business as usual retention policies in order to comply with privacy regulations, such as the GDPR. The path to an effective defensible disposal solution is complex to define and difficult to automate.
Why are legal holds and defensible disposal so important?
A number of high profile court cases have resulted in significant fines, e.g. Zubulake vs. UBS Warburg (2003-2005).
Once a firm has been publicly identified for failing to keep data, it is tempting to take a very conservative view around data disposal, in the most extreme cases leading to a complete reluctance to delete any data, ever. Legally, this is termed “preservation through suspension of disposal”, but in practice this means data stewards suspend the deletion of data, even data which in theory should be subject to the firm’s disposal policies. A 10-year retention period is not uncommon in financial services, but over the years, the cost of storage required to retain this data has become impossible to ignore. Combined with the GDPR, there is a compelling reason to drive towards defensible disposal, since the GDPR requires the disposal of data for which there is no legal basis for retention. The potential effects of enforcement action, along with mounting storage costs, is tipping the scales and forcing firms to reconsider retention policy and processes.
Historically, firms have developed extensive data retention policies. Data disposal policies may also have existed, but Citihub Consulting’s experience within financial services suggests that many firms fail to define or implement data disposal procedures. The GDPR defines a framework for the legal basis for retention, but it also means firms must dispose of data and will have to do so. In addition, firms must action requests to amend (or remove) data where there it is inaccurate or there is no legal basis for retention.
What are the storage challenges teams are dealing with?
There are three discrete challenges. Firstly, the use of immutable storage has been driven by a desire to minimise the risk of data loss. Some regulations (e.g. MiFID II) are specific about requirements for the reconstitution of order records but not the technical means. Others (e.g. SEC 17a-4) are prescriptive about the requirements for immutable electronic storage. On the whole, the industry has favoured immutable storage to prevent accidental deletion or tampering and this represents a significant challenge within the context of the GDPR or where other legal requirements for deletion exist.
Secondly, most financial services firms have built tape libraries of a size that could not have been imagined even ten years ago. These libraries have been assembled as an insurance in a rapidly evolving and increasingly onerous regulatory and legal environment– if in doubt, archive it. In some cases, firms have tens of millions of tapes and many of these in formats that would be difficult to read, index or restore in full. The conflict here is that (a) just because tapes can’t easily be restored, it does not mean that the data is not needed; (b) wholesale disposal of tapes might result in the destruction of data that is required in future; (c) the process of reconstituting so much data to a new archive and then performing partial deletions would be almost impossible for large firms.
Thirdly, many firms have an identical challenge with paper records, with some firms having millions of cartons of paper records in secure storage.
Aside from the exponential costs associated with these ever-expanding repositories, there is tension between the desire to retain records to ensure against future legal or regulator actions and the enforcement of privacy regulations.
Surely a legal hold is just notifying employees not to delete data needed for a court case? Where is the complexity?
Most financial services firms have thousands of IT systems. Each one will need to be assessed and, potentially, adapted to preserve and delete personally identifying information to comply with the GDPR. This is a significant task. Fundamentally, the financial services industry has forgotten how to dispose of data.
The two most common preservation approaches are
- preserve in place
- collect to preserve
When data is preserved in place, notifications must be sent to system owners not to dispose of data required for legal hold purposes. These systems should set flags to preserve data and acknowledge that it is done. When the legal holds relevant to that data are released, the system hold flag is reset. In order to ensure chain of custody for a legal case, and to avoid spoliation (alteration or destruction), data will typically need to be preserved on an immutable store (i.e. unable to be changed in the normal course of processing) for the duration of the hold. Without the guarantee of immutability, it is insufficient to assume that there can be no change or deletion of the data – accidentally, or otherwise.
Collect-to-preserve requires data to be copied from a source data system to a dedicated archive, usually for the purpose of meeting the requirements above. Most systems in use do not have true “preserve in place” capability, hence the need to copy any data required for legal hold purposes to a separate store for the duration of the hold. This allows the underlying source system to continue with a BAU disposal process, while the data under legal hold is retained on an immutable store until all relevant legal holds are released (at which point the data can be deleted from the legal hold archive).
Stay current on your favourite topics
When a legal hold notice is issued, part of the process is to provide notifications to prevent data deletion. Typically, this is performed by email and should be one of the first steps of the legal hold retention process. As part of the data record assessment of the underlying preservation request, firms must consider data stores as either authoritative (single golden source) or duplicative (multiple stores none of which are considered trustworthy from a legal hold perspective). Records for legal hold purposes should be residing on authoritative systems or data sources. Once this is achieved, firms should be able to delete data from duplicative stores with impunity. Ideally, firms should be aggressively deleting duplicative data secure in the knowledge that data for legal hold is already on authoritative stores.
The difficulty arises when users prefer using duplicative data stores from operational systems because these have the tools to make data mining accessible. For example, to find historic trades in many front office trade booking systems, users do not typically go to archive stores. This is because archive stores do not make trade data available in a native format to end users and may not provide them with appropriate data access tools. Lawyers and eDiscovery teams often prefer to use operational systems than archives because they lack query and search tools. However, these operational systems may not have the data required for legal hold purposes, or that data may be altered, breaking the chain of custody. The tension between authoritative and duplicative stores should force authoritative systems to make data accessible for everyday operations. The message to users should be that duplicative sources are not trustworthy.
Complexity for most financial firms lies in the sheer volume of systems, underpinned by hundreds of unique operating processes. IT systems often have different support teams in different locations, often with different rules about how data must be stored or accessed. The ability to go to thousands of systems to preserve data in a single design pattern for a legal hold requirement is much harder to execute than a single approach for each application. For structured applications, each of which will have their own APIs and data access methods, the challenge is even harder.
Sounds like a mounting problem. What should I be doing?
Addressing the challenges of defensible disposal is a multi-year, cross-department programme best achieved through the implementation of an organisational-wide data architecture. However, there are a number of activities which can be initiated in the short and medium terms to help address the most pressing priorities:
- If not already available, create a list of all active legal holds that have been initiated by legal departments. This allows the firm to recognise which matters are currently within the scope of a legal hold.
- Build a custodian list, using the list of active legal holds. It’s possible to determine the list of custodians currently in scope of at least one legal hold using the active holds list generated above. Since many data systems (including email) can be tracked at a custodian level, this gives teams a great place to start in ensuring they can preserve records relating to legal holds.
- Further scope the preservation requirements across all data types. This can be at a custodian level or across non-custodial data sources and provides a complete view of preservation scope.
Whilst the scope of legal holds and preservations is being captured, records managers and data stewards can also be aligning the organisation to accommodate these changes:
- Review existing roles and responsibilities relating to preservation and disposal of data. It’s almost certain that the increased focus brought about by the GDPR and the other challenges described above will require some level of change to the governance and behaviour of requisite functions within the firm.
- Ensure all systems in the company have validated the requirement and current approach to archiving of records. For those who currently don’t archive, but need to, establish a remediation programme.
- Define authoritative and duplicative data sources for all record types in the company. Recognise the current reliance on duplicative data sources will lead to risk of over- (or under-) preservation.
- Identify a strategy for records archiving. This may require a consolidation of existing platforms alongside the potential search for a new strategic archiving platform.
- Decide which systems can truly offer “Preserve in Place” capabilities, and which will require a more conservative, “Collect to Preserve” approach.
Combining the legal and records management activities provides any organisation with a strong foundation on which to build a strategic defensible disposal platform. Longer term workstream required to achieve maturity in this space include:
- Define a data architecture and mapping that allows legal teams to speak the same language as records managers and data stewards.
- Migrate from existing archives and operational systems into the target platform or interim staging posts.
- Implement automated preservation tooling in support of the “Preserve in Place” and “Collect to Preserve” preservation effectuation models.
In summary, the resolution of the challenges surrounding defensible disposal is a team effort. Records management, legal and compliance teams (and their technology counterparts) need to coordinate efforts utilising a standard and consistent data architecture. The programme of work required to achieve this can be broken down into a series of discrete projects, each with its own deliverables, which when combined can meet these challenges. Firms should plan for a multi-year investment in reaching the goals of defensible disposal.