Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityPrivacyTechnology Media and Telecom

Synchronizing Legal Hold Requirements With Consumer Requests for Data Deletion

By Mike Hamilton
July 01, 2020

The biggest challenge with any legal hold process is ensuring that potentially relevant data is actually preserved. There are myriad routes you can take to ensure defensible preservation of data, starting with the following three options:

  1. Preservation by Legal Hold
  2. Preservation by In-Place Preservation (aka, locking down data in place)
  3. Preservation by Collection

But with evolving requirements for how data is managed by new data privacy laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), it's become harder to secure data by simply sending a legal hold and assuming the custodian will do their duty to preserve it.

|

Data Privacy Laws Pose New Risks to Defensible Preservation Practices

Key features of the CCPA and GDPR grant consumers and employees unprecedented rights — including the right to request to know what data a business holds on them and ask that it be deleted. But what if that data requested under these regulations is already required to be saved under a legal hold?

Obviously, deleting data that is this potentially relevant to anticipated or pending litigation (civil or criminal) can have devastating consequences. Therefore, it's imperative that e-discovery professionals collaborate with their privacy colleagues on processes for harmonizing their organizational legal hold obligations with these conflicting data privacy regulations.

The question becomes, "how do you go about squaring a customer exercising their right to have data deleted with the litigation requirements that that same information be saved?"

|

How to Harmonize Legal Holds with Data Privacy Requirements

Considering the speed at which many privacy professionals are trying to, in many cases, delete data (45 days, as required by the CCPA, or 30 days, as required by the GDPR), it's not hard to see how mistakes can happen if processes aren't connected and people aren't communicating across the legal department.

Because many legal departments may still be siloed in their processes across sections (privacy, litigation, business, etc.), the following four steps can help e-discovery/litigation professionals ensure processes around preserving data are defensible.

  1. Step #1: Automate legal hold notifications. Automated systems track who has acknowledged the hold and escalates the notice to a non-compliant custodian's manager without intervention from the hold administrator. That system also tracks which custodians have been interviewed and has an interactive method for asking interview questions so administrators can identify both other candidate custodians and the location of corresponding responsive ESI. With this automation, streamlined actions can be taken to ensure the defensible preservation of custodian data via data collection.
  2. Step #2: Maintain an up-to-date Data Map/Inventory. It's more important than ever that Legal has a universal source to evaluate data retention policies, legal hold obligations and data privacy requirements all in one place. Data maps can not only help find requested data quickly but can also offer up a comprehensive overview of any retention obligations (data privacy, data retention, litigation) specific data may have on it, therefore preventing inadvertent deletion or preservation of data.
  3. Step #3: Minimize irrelevant ESI. After it's been verified that the data is no longer under a legal hold and doesn't serve a relevant business purpose, it's time to delete it. If there's a serious concern that the data might be relevant later, either don't delete it or review the data that is "quarantined" prior to full deletion. This step is important since the data that may have been requested to be deleted based on a consumer request must now be subsequently deleted after the matter is closed.
  4. Step #4: Document the process. Documentation is arguably the most important part of the process because if there's no proof of the process, it's nearly impossible to prove why an individual did or did not do something. Courts look for a reasonable process, rather than a perfect one, and documentation goes a long way to demonstrating reasonableness when complying with these numerous obligations certain data may be under.

Unfortunately, defensibly managing data in accordance with all these legal requirements is only going to get more complex. Numerous states are crafting their own data privacy legislation — many with the same consumer rights features as the CCPA or GDPR. It's imperative that e-discovery/litigation professionals have a plan in place to ensure that data on legal hold is not inadvertently deleted because of other data privacy regulation obligations.

*****

Mike Hamilton is the Director of Marketing at Exterro. With a legal and business background, Mike is experienced and passionate about creating thoughtful, out-of-the-box educational resources that help keep legal teams interested and on top of emerging need to know e-discovery issues.

 

|

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.