Co-authored by Diana Fasching, Kevin Brady, and Adam Nodzenski

In the wake of restructuring, there is data debris.  As the company is moving forward financially, do not forget that there can be trailing risk created by excess data.  Excess data is expensive, and it creates both substantive risks (content) and security risks (data breach).  Restructuring often exposes caches of data, so while they are fresh in everyone’s mind, now is the time to plan for defensible disposition.

Look for opportunities in the following areas:

1. Data belonging to legal hold custodians.  One of the simplest steps a company can take is releasing legal holds as litigation concludes.  Proactively identify and act on releasing legal holds, including notifying legal hold custodians.  Just as importantly, resume your company’s standard retention and deletion practices for custodians’ data.  Of course, those standard practices should ensure that the custodian is not on legal hold for any other matters before deleting their data.
2. Data associated with enterprise and business-unit applications.  Do not forget also to identify and notify technical and business application owners about released legal holds.  Resume your company’s standard lifecycle management of data associated with enterprise and business-unit applications as soon as practical following the conclusion of restructuring activities and associated litigation.  If your company held off on decommissioning applications that reached the end of their useful life because of its focus on restructuring, take time now to retire these applications.  Before doing so, be certain to assess whether your restructured company needs to preserve any of the data for regulatory or legal hold purposes.  If so, take steps to preserve and ensure the retrievability and usability of that data before dismantling the application’s hardware and software infrastructure.
3. Data living with third parties.  Board materials, deal documents, and financial documents are routinely requested, collected, reviewed, and produced in restructuring-related litigation.  As matters conclude, take steps to ensure appropriate disposition of all copies of documents held by other parties so your company can return to normal as quickly as possible and stop paying unnecessary litigation and data-hosting costs.  Your company’s data may live with law firms, eDiscovery vendors, court reporters, trial/demonstrative vendors, courts, experts, or other third-party service providers.  Copies of your company’s data may live on Secure File Transfer Protocol (SFTP) sites created for the restructuring and related litigation, original media used to transfer collected documents, and third-party storage and review systems and backups of same.  Instruct these third parties to destroy their copies of your company’s data and confirm compliance by sending Certificate(s) of Compliance or Destruction.  Taking steps to remediate these copies of your company’s data (a) reduces the large volume of data “out there” that is vulnerable to data-breach risks; and (b) often results in significant cost savings.
4. Data associated with divested business units.  If your company divested part of its business during restructuring, your restructured company likely has data it does not need and should not keep.  It is a given that the buyer asks for and obtains data necessary for its acquired business operations.  Often the buyer and seller forget or do not have time to deal with historical data associated with the divested business.  Your restructured company may no longer carry the record retention and legal hold obligations for this historical data.  But your restructured company faces risk by keeping but not transferring this historical data, or inadvertently deleting this historical data without notice to the buyer.
5. Data that restructuring renders legacy or orphaned.  With restructuring comes reorganization.  Take measures to assess and defensibly delete or destroy legacy and orphan data (including backups!) that your restructured company no longer needs for its “new normal” business operations and no longer requires for retained record retention and legal hold obligations.  Assign ownership for the remaining data so that your restructured company does not carry the risks associated with data that no one is governing and managing.  Update your company’s application inventories and/or data maps to accurately reflect what no longer exists, as well as what remains and where it is located.  Dealing with legacy and orphaned data is an already challenging and daunting task that only becomes harder to tackle the longer your company defers remediating this data debris.  What your company knows about this data now is the most it is ever going to know.  Knowledge will continue to dissipate with every passing day, but the cost and risk of keeping data debris will only escalate.

As you begin to take stock of your company’s data debris, it may feel overwhelming.  Doing nothing, however, is worse than doing a little something.  Start by inventorying and prioritizing your data debris by risk, by cost, by ease of disposal, or by whatever criteria makes the most sense for your restructured company.  Look for lower-hanging fruit or big wins.  If your company has been stockpiling data of legal hold custodians and is in a post-restructuring position to release legal holds, do it.  Also take action to delete their data, provided it is no longer needed for business, records retention, or other legal hold obligations.  If your company will save $300K annually in hardware and software licensing costs by remediating one legacy enterprise application, focus your attention there first.

Once spurred to action, it is important not to act indiscriminately.  Make sure your company is following a standard and documented protocol for remediating data and applications.  If your company does not have a requisite protocol, then pause and create one first.  Such a protocol should include, for example, minimum documentation requirements, assessing the company’s ongoing records retention and legal hold obligations, and approval workflow.  You put your restructured company at greater risk if you do not take care in determining and documenting why the company no longer needs data and applications. 

The bottom line is to think, plan, and act strategically to gradually decrease the risks that your restructured company is carrying.  For more information, or for help in the inventory, prioritization, and defensible disposition process, we invite you to contact Diana Fasching, Managing Director, at dfasching@redgravellp.com, or your regular Redgrave LLP contact.

Download Article PDF