close up of a foosball table

Forget About Being Right, Focus on Being Defensible

6 minute read
Joe Shepley avatar
Shouldn't the defensibility of a process for managing information require designing the process with info mgmt best practices in mind? Short answer: nope.

I recently took part in a working session with the legal team from a Fortune 100 firm and their outside counsel to finalize a process for deleting content that belonged to employees who had left the company. As you might expect, a major part of the session was concerned with whether the process would be defensible, i.e., whether it would survive scrutiny in a court of law. But what you might not expect was we spent exactly zero time discussing whether the process was “right,” i.e., whether it represented a best practices (or even good practices) approach to information management.

To those of you involved in information management, this may seem strange. After all, wouldn’t the defensibility of a process for managing information require a company to design that process with information management best (or good) practices in mind?

The short answer is nope.

Try Your Best

The somewhat longer answer is that legal defensibility fundamentally requires four things, none of which have very much to do with being right — at least not in the way that most normal people (i.e., non-lawyers) mean it:

  • Good faith effort that guides your decisions about what you’ll do.
  • Policies that define what you’ll do based on your good faith effort.
  • Procedures and processes that define how you’ll do what your policies said you’ll do.
  • Audits that demonstrate that you did what you said you’d do, in the way you said you’d do it.

All four of these elements could very well be in service of information management practices that are less than optimal according to ARMA, AIIM and others. Let’s consider an example.

Related Article: A 4-Step Methodology for Defensible Disposition

A Mountain of Tapes Is No Solution for Information Management

Imagine your organization made the unfortunate decision 15 years ago to conflate backup for disaster recovery and business continuity and archiving for records retention. Every week, IT backed up the shared drive environment to tapes and put those tapes on a shelf. The next week, they popped in new tapes and did the same thing — week after week, month after month, year after year. Which means you now have 15 years worth of tapes that are not only potentially discoverable, but most likely difficult (if not impossible for the older ones) to restore and read.

Understandably, you want to get rid of as many of these as you can (and change your IT process so backups only go back a short amount of time — like a week — and then are overwritten, while a separate process handles long-term archiving for records retention).

If you followed information management best practices, you’d want to figure out what’s on each of these tapes, evaluate whether it’s on legal hold, a record, needed by the business, ROT, etc., and dispose of it based on that analysis … and you’d die trying, either because of how long it would take to do or because management would have your head for how much it would cost to complete.

If you wanted to tackle tape clean up from a defensibility perspective, however, the task is much simpler. First, create a policy that says that backups are for the purpose of business continuity and disaster recovery only and will be maintained with one week’s worth of data. Further, the policy should state that any tapes created and stored previous to the publication of this policy that are out of compliance with the policy (e.g., because they contain data that are older than one week) will be destroyed (unless they are specifically on legal hold). Second, define a process for evaluating the age of data on tapes and for destroying tapes that are out of compliance with the policy. Third, follow the process. Finally, audit the process to document that it was followed.

Learning Opportunities

Related Article: What You Need to Know About Microsoft Retention and Security Labels

Forgiveness, not Permission

What if a court doesn’t agree with the approach to information management that drives your policies, procedures and auditing? This will be different case to case and judge to judge, but, if recent cases are any indication, the fact that your organization took a deliberate, policy-driven, repeatable and auditable approach will likely be more important than if the judge would have done it exactly as you did. They may very well give you guidance on changes to your policy and process if they vehemently disagree, and you will thank them for the feedback and make the changes.

But, in the example of the tapes, what won’t happen is having to perform discovery on hundreds (or thousands) or tapes, because you’ve disposed of them — defensibly, i.e., in accordance with policies and procedures, rather than a capricious or arbitrary effort that could be construed as negligence or spoliation.

Related Article: Your Riskiest Data Is Often Hiding in Plain Sight

Defensibility Only Goes So Far

The principles of defensibility we’ve looked at here will only go so far. You couldn’t use them to “defensibly” do something obviously illegal: for example, just because you have a policy that says you will delete all emails related to litigation rather than hold them doesn’t make this approach defensible. In contrast, however, if you had a policy that allowed you to delete content that you couldn’t determine was on legal hold or not (after following a defined process a good faith effort), you absolutely could do so with the expectation that a court would consider it defensible.

Lawyer Up

A final caveat: there’s only so much you can learn from a blog post, so before you go rewiring your information management program to focus on defensibility, get legal involved. After all, they are the ones who ultimately will be on the hook for the defensibility of your information management practices. So they need to be on board and comfortable with what you do — and once they are, your focus on defensibility can make much more progress and add much more value than a focus on being right ever would.

About the author

Joe Shepley

Joe Shepley is a strategy consulting professional living and working in Chicago. In his current position as Managing Director at Ankura he focuses on helping organizations improve how they manage Privacy risk through improved processes and technology.