Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityPrivacyTechnology Media and Telecom

Synchronizing Legal Hold Requirements With Consumer Requests for Data Deletion

By Mike Hamilton
July 01, 2020

The biggest challenge with any legal hold process is ensuring that potentially relevant data is actually preserved. There are myriad routes you can take to ensure defensible preservation of data, starting with the following three options:

  1. Preservation by Legal Hold
  2. Preservation by In-Place Preservation (aka, locking down data in place)
  3. Preservation by Collection

But with evolving requirements for how data is managed by new data privacy laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), it's become harder to secure data by simply sending a legal hold and assuming the custodian will do their duty to preserve it.

Data Privacy Laws Pose New Risks to Defensible Preservation Practices

Key features of the CCPA and GDPR grant consumers and employees unprecedented rights — including the right to request to know what data a business holds on them and ask that it be deleted. But what if that data requested under these regulations is already required to be saved under a legal hold?

Obviously, deleting data that is this potentially relevant to anticipated or pending litigation (civil or criminal) can have devastating consequences. Therefore, it's imperative that e-discovery professionals collaborate with their privacy colleagues on processes for harmonizing their organizational legal hold obligations with these conflicting data privacy regulations.

The question becomes, "how do you go about squaring a customer exercising their right to have data deleted with the litigation requirements that that same information be saved?"

How to Harmonize Legal Holds with Data Privacy Requirements

Considering the speed at which many privacy professionals are trying to, in many cases, delete data (45 days, as required by the CCPA, or 30 days, as required by the GDPR), it's not hard to see how mistakes can happen if processes aren't connected and people aren't communicating across the legal department.

Because many legal departments may still be siloed in their processes across sections (privacy, litigation, business, etc.), the following four steps can help e-discovery/litigation professionals ensure processes around preserving data are defensible.

  1. Step #1: Automate legal hold notifications. Automated systems track who has acknowledged the hold and escalates the notice to a non-compliant custodian's manager without intervention from the hold administrator. That system also tracks which custodians have been interviewed and has an interactive method for asking interview questions so administrators can identify both other candidate custodians and the location of corresponding responsive ESI. With this automation, streamlined actions can be taken to ensure the defensible preservation of custodian data via data collection.
  2. Step #2: Maintain an up-to-date Data Map/Inventory. It's more important than ever that Legal has a universal source to evaluate data retention policies, legal hold obligations and data privacy requirements all in one place. Data maps can not only help find requested data quickly but can also offer up a comprehensive overview of any retention obligations (data privacy, data retention, litigation) specific data may have on it, therefore preventing inadvertent deletion or preservation of data.
  3. Step #3: Minimize irrelevant ESI. After it's been verified that the data is no longer under a legal hold and doesn't serve a relevant business purpose, it's time to delete it. If there's a serious concern that the data might be relevant later, either don't delete it or review the data that is "quarantined" prior to full deletion. This step is important since the data that may have been requested to be deleted based on a consumer request must now be subsequently deleted after the matter is closed.
  4. Step #4: Document the process. Documentation is arguably the most important part of the process because if there's no proof of the process, it's nearly impossible to prove why an individual did or did not do something. Courts look for a reasonable process, rather than a perfect one, and documentation goes a long way to demonstrating reasonableness when complying with these numerous obligations certain data may be under.

Unfortunately, defensibly managing data in accordance with all these legal requirements is only going to get more complex. Numerous states are crafting their own data privacy legislation — many with the same consumer rights features as the CCPA or GDPR. It's imperative that e-discovery/litigation professionals have a plan in place to ensure that data on legal hold is not inadvertently deleted because of other data privacy regulation obligations.

*****

Mike Hamilton is the Director of Marketing at Exterro. With a legal and business background, Mike is experienced and passionate about creating thoughtful, out-of-the-box educational resources that help keep legal teams interested and on top of emerging need to know e-discovery issues.

 

 

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Overview of Regulatory Guidance Governing the Use of AI Systems In the Workplace Image

Businesses have long embraced the use of computer technology in the workplace as a means of improving efficiency and productivity of their operations. In recent years, businesses have incorporated artificial intelligence and other automated and algorithmic technologies into their computer systems. This article provides an overview of the federal regulatory guidance and the state and local rules in place so far and suggests ways in which employers may wish to address these developments with policies and practices to reduce legal risk.

Is Google Search Dead? How AI Is Reshaping Search and SEO Image

This two-part article dives into the massive shifts AI is bringing to Google Search and SEO and why traditional searches are no longer part of the solution for marketers. It’s not theoretical, it’s happening, and firms that adapt will come out ahead.

While Federal Legislation Flounders, State Privacy Laws for Children and Teens Gain Momentum Image

For decades, the Children’s Online Privacy Protection Act has been the only law to expressly address privacy for minors’ information other than student data. In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children.

Revolutionizing Workplace Design: A Perspective from Gray Reed Image

In an era where the workplace is constantly evolving, law firms face unique challenges and opportunities in facilities management, real estate, and design. Across the industry, firms are reevaluating their office spaces to adapt to hybrid work models, prioritize collaboration, and enhance employee experience. Trends such as flexible seating, technology-driven planning, and the creation of multifunctional spaces are shaping the future of law firm offices.

From DeepSeek to Distillation: Protecting IP In An AI World Image

Protection against unauthorized model distillation is an emerging issue within the longstanding theme of safeguarding intellectual property. This article examines the legal protections available under the current legal framework and explore why patents may serve as a crucial safeguard against unauthorized distillation.