Posts Tagged ‘IT’

Losing Weight, Developing an Information Governance Plan, and Other New Year’s Resolutions

Tuesday, January 17th, 2012

It’s already a few weeks into the new year and it’s easy to spot the big lines at the gym, folks working on fad diets and many swearing off any number of vices.  Sadly perhaps, most popular resolutions don’t even really change year after year.  In the corporate world, though, it’s not good enough to simply recycle resolutions every year since there’s a lot more at stake, often with employees’ bonuses and jobs hanging in the balance.

It’s not too late to make information governance part of the corporate 2012 resolution list.  The reason is pretty simple – most companies need to get out of the reactive firefighting of eDiscovery given the risks of sloppy work, inadvertent productions and looming sanctions.  Yet, so many are caught up in the fog of eDiscovery war that they’ve failed to see the nexus between the upstream, proactive good data management hygiene and the downstream eDiscovery chaos.

In many cases the root cause is the disconnect between differing functional groups (Legal, IT, Information Security, Records Management, etc.).  This is where the emerging umbrella concept of Information Governance comes into play, serving as a way to tackle these information risks along a unified front. Gartner defines information governance as the:

“specification of decision rights, and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information, … [including] the processes, roles, standards, and metrics that ensure the effective and efficient use of information to enable an organization to achieve its goals.”

Perhaps more simply put, what were once a number of distinct disciplines—records management, data privacy, information security and eDiscovery—are rapidly coming together in ways that are important to those concerned with mitigating and managing information risk. This new information governance landscape is comprised of a number of formerly discrete categories:

  • Regulatory Risks – Whether an organization is in a heavily regulated vertical or not, there are a host of regulations that an organization must navigate to successfully stay in compliance.  In the United States these include a range of disparate regimes, including the Sarbanes-Oxley Act, HIPAA, the Securities and Exchange Act, the Foreign Corrupt Practices Act (FCPA) and other specialized regulations – any number of which require information to be kept in a prescribed fashion, for specified periods of time.  Failure to turn over information when requested by regulators can have dramatic financial consequences, as well as negative impacts to an organization’s reputation.
  • Discovery Risks – Under the discovery realm there are any number of potential risks as a company moves along the EDRM spectrum (i.e., Identification, Preservation, Collection, Processing, Analysis, Review and Production), but the most lethal risk is typically associated with spoliation sanctions that arise from the failure to adequately preserve electronically stored information (ESI).  There have been literally hundreds of cases where both plaintiffs and defendants have been caught in the judicial crosshairs, resulting in penalties ranging from outright case dismissal to monetary sanctions in the millions of dollars, simply for failing to preserve data properly.  It is in this discovery arena that the failure to dispose of corporate information, where possible, rears its ugly head since the eDiscovery burden is commensurate with the amount of data that needs to be preserved, processed and reviewed.  Some statistics show that it can cost as much as $5 per document just to have an attorney privilege review performed.  And, with every gigabyte containing upwards of 75,000 pages, it is easy to see massive discovery liability when an organization has terabytes and even petabytes of extraneous data lying around.
  • Privacy Risks – Even though the US has a relatively lax information privacy climate there are any number of laws that require companies to notify customers if their personally identifiable information (PII) such as credit card, social security, or credit numbers have been compromised.  For example, California’s data breach notification law (SB1386) mandates that all subject companies must provide notification if there is a security breach to the electronic database containing PII of any California resident.  It is easy to see how unmanaged PII can increase corporate risk, especially as data moves beyond US borders to the international stage where privacy regimes are much more staunch.
  • Information Security Risks – Data breaches have become so commonplace that the loss/theft of intellectual property has become an issue for every company, small and large, both domestically and internationally.  The cost to businesses of unintentionally exposing corporate information climbed 7 percent last year to over $7 million per incident.  Recently senators asked the SEC to “issue guidance regarding disclosure of information security risk, including material network breaches” since “securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share.”  The senators cited a 2009 survey that concluded that 38% of Fortune 500 companies made a “significant oversight” by not mentioning data security exposures in their public filings.

Information governance as an umbrella concept helps organizations to create better alignment between functional groups as they attempt to solve these complex and interrelated data risk challenges.  This coordination is even more critical given the way that corporate data is proliferating and migrating beyond the firewall.  With even more data located in the cloud and on mobile devices a key mandate is managing data in all types of form factors. A great first step is to determine ownership of a consolidated information governance approach where the owner can:

  • Get C-Level buy-in
  • Have the organizational savvy to obtain budget
  • Be able to define “reasonable” information governance efforts, which requires both legal and IT input
  • Have strong leadership and consensus building skills, because all stakeholders need to be on the same page
  • Understand the nuances of their business, since an overly rigid process will cause employees to work around the policies and procedures

Next, tap into and then leverage IT or information security budgets for archiving, compliance and storage.  In most progressive organizations there are likely ongoing projects that can be successfully massaged into a larger information governance play.  A great place to focus on initially is information archiving, since this is one of the simplest steps an organization can take to improve its information governance hygiene.  With an archive, organizations can systematically index, classify and retain information and thus establish a proactive approach to data management.  It’s this ability to apply retention and (most importantly) expiration policies that allows organizations to start reducing the upstream data deluge that will inevitably impact downstream eDiscovery processes.

Once an archive is in place, the next logical step is to couple a scalable, reactive eDiscovery process with the upstream data sources, which will axiomatically include email, but increasingly should encompass cloud content, social media, unstructured data, etc.  It is important to make sure that a given archive has been tested to ensure compatibility with the chosen eDiscovery application to guarantee that it can collect content at scale in the same manner used to collect from other data sources.  Overlaying both of these foundational pieces should be the ability to place content on legal hold, whether that content exists in the archive or not.

As we enter 2012, there is no doubt that information governance should be an element in building an enterprise’s information architecture.  And, different from fleeting weight loss resolutions, savvy organizations should vow to get ahead of the burgeoning categories of information risk by fully embracing their commitment to integrated information governance.  And yet, this resolution doesn’t need to encompass every possible element of information governance.  Instead, it’s best to put foundational pieces into place and then build the rest of the infrastructure in methodical and modular fashion.

Email Isn’t eDiscovery Top Dog Any Longer, Recent Survey Finds

Sunday, September 18th, 2011

Symantec today issued the findings of its second annual Information Retention and eDiscovery Survey, which examined how enterprises are coping with the tsunami of electronically stored information (ESI) that we see expanding by the minute.  Perhaps counterintuitively, the survey of legal and IT personnel at 2,000 enterprises found that email is no longer the primary source of ESI companies produced in response to eDiscovery requests.  In fact, email came in third place (58%) to files/documents (67%) and database/application data (61%).  Marking a departure from the landscape as recently as a few years ago, the survey reveals that email does not axiomatically equal eDiscovery any longer.

Some may react incredulously to these results. For instance, noted eDiscovery expert Ralph Losey continues to stress the paramount importance of email: “In the world of employment litigation it is all about email and attachments and other informal communications. That is not to say databases aren’t also sometimes important. They can be, especially in class actions. But, the focus of eDiscovery remains squarely on email.”   While it’s hard to argue with Ralph, the real takeaway should be less about the relative descent of email’s importance, and more about the ascendency of other data types (including social media), which now have an unquestioned seat at the table.

The primary ramification is that organizations need to prepare for eDiscovery and governmental inquiries by casting a wider ESI net, including social media, cloud data, instant messaging and structured data systems.  Forward-thinking companies should map out where all ESI resides company-wide so that these important sources do not go unrecognized.  Once these sources of potentially responsive ESI are accounted for, the right eDiscovery tools need to be deployed so that these disparate types of ESI can be defensibly collected and processed for review in a singular, efficient and auditable environment.

The survey also found that companies which employ best practices such as implementing information retention plans, automating the enforcement of legal holds and leveraging archiving tools instead of relying on backups, fare dramatically better when it comes to responding to eDiscovery requests. Companies in the survey with good information governance hygiene were:

  • 81% more likely to have a formal retention plan in place
  • 63% more likely to automate legal holds
  • 50% more likely to use a formal archiving tool

These top-tier companies in the survey were able to respond much faster and more successfully to an eDiscovery request, often suffering fewer negative consequences:

  • 78% less likely to be sanctioned
  • 47% less likely to lead to a compromised legal position
  • 45% less likely to disclose too much information

This last bullet (disclosing too much information) has a number of negative ramifications beyond just giving the opposition more ammo than is strictly necessary.  Since much of the eDiscovery process is volume-based, particularly the eyes-on review component, every extra gigabyte of produced information costs the organization in both seen and unseen ways.  Some have estimated that it costs between $3-5 a document for manual attorney review – and at 50,000 pages to a gigabyte, these data-related expenses can really add up quickly.

On the other side of the coin, there were those companies with bad information governance hygiene.  While this isn’t terribly surprising, it is shocking to see how many entities fail to connect the dots between information governance and risk reduction.  Despite the numerous risks, the survey found nearly half of the respondents did not have an information retention plan in place, and of this group, only 30% were discussing how to do so.  Most shockingly, 14% appear to be ostriches with their heads in the sand and have no plans to implement any retention plan whatsoever.  When asked why folks weren’t taking action, respondents indicated lack of need (41%), too costly (38%), nobody has been chartered with that responsibility (27%), don’t have time (26%) and lack of expertise (21%) as top reasons.  While I get the cost issue, particularly in these tough economic times, it’s bewildering to think that so many companies feel immune from the requirements of having even a basic retention plan.

As the saying goes, “You don’t need to be a weatherman to tell which way the wind blows.”  And, the winds of change are upon us.  Treating eDiscovery as a repeatable business process isn’t a Herculean task, but it is one that cannot be accomplished without good information governance hygiene and the profound recognition that email isn’t the only game in town.

For more information regarding good records management hygiene, check out this informative video blog and Contoural article.

E-Discovery MythBusters: Debunking Common Myths About ECA

Tuesday, August 25th, 2009

We’ve devoted a number of posts to the topic of ECA, ranging from a quest to define the acronym, all the way to the cost savings benefits of the ECA approach.  And, while there seems to be relative unanimity around the beneficial aspects of ECA, there still seem to be a number of myths and misconceptions.  So, à la the Mythbusters, we’ll run these myths through the gauntlet to see which survive scrutiny.

Myth #1: ECA Is Only Valuable if Performed “Early”

Certainly, ECA is best leveraged and will be most valuable when performed at the outset of litigation.  As has been stated before, it has value on two primary fronts, the first being the ability to scope electronic discovery (both in terms of cost and timelines).  The next is the more traditional value proposition where ECA is used to get an understanding of the case facts to enable the strategic decision making process.

As such, there are scenarios where an ECA methodology would still generate value even if performed “later” in the matter.  For instance, with bifurcated, class action litigation, initial discovery about the class may occur months before discovery on the merits.  In this instance using a later ECA approach would still make sense since discovery about the case facts may not have been possible earlier on.  Similarly, “late” ECA may still hold value when new parties or claims are added to an existing lawsuit, or when there’s a substantial change in case direction, data, or custodians.

Myth #2: ECA Is Only Performed With Technology

Sure, enterprise grade ECA products are an important part of the mix, but the products won’t perform an ECA by themselves.  There’s just too much subjective decision making involved in the assessment process.  Therefore, the right people are critically important — not only in terms of experience performing this analytical work, but also in their ability to capably testify about the underlying decision making process.  It’s also important to be able to follow a repeatable and defensible process to show that the “recipe” used was aligned with industry best practices and wasn’t ginned up for a particular engagement.

Myth #3: ECA Only Works With Large ESI Volumes

Yes, ECA methodologies make a lot of sense for large, bet-the-company matters because even modest savings when processing, analyzing and reviewing terabytes will easily approach six to seven figures.  However, smaller matters will still benefit from better budgetary insights that facilitate informed matter management.  And, in a way there’s almost more benefit from being able to quickly evaluate (fight/settle) smaller suits since the transactional costs are so high relative to the amount in controversy.  In both scenarios it’s important to view objective case data to prepare for meet & confer conferences.

Myth #4: Clients Don’t Want To Pay for ECAs

Many end clients (corporate counsel typically) have a similar litigation mindset:  i.e., the desire to avoid costs for as long as possible.  While avoiding early costs makes some sense on its face, the fact is that spending a small amount of money early on (for budgetary and case assessment purposes) will in most instances reduce the overall litigation budget.  It’s the classic, “you can pay me now, or pay me later” situation.

Counsel must understand that while some costs are incurred early in the process the benefits are crystal clear: i.e., determining customized case strategies early in the matter to decide whether to fight or settle.  Similarly, corporate clients must recognize that the benefits outweigh the costs and require their litigation counsel to include this process in every significant matter.

This illustration highlights how an initial ECA investment actually pays for itself over the life of the litigation.


Myth #5: ECAs Begin when the Complaint is Filed

Many newbie ECA practitioners may think that the timing for an ECA approach would start when the complaint is filed.  And, while this isn’t patently ridiculous, I think the better approach is to begin the clock at the time litigation becomes “reasonably likely” — versus later dates such as when the complaint is filed or when discovery is propounded.  This is also the same trigger that applies to preservation obligations and a host of interrelated activities such as ESI “identification,” which makes the matter kick-off more synchronized.

For more information about ECA, watch a recording of our recent webinar — E-Discovery MythBusters: Debunking Common Myths About Early Case Assessment.

FCPA in the News: Corruption At Home and Abroad

Friday, July 31st, 2009

It’s not just in New Jersey that corruption is in the news. It feels like everywhere you go, the authorities are investigating white collar crime and thus have an increasing need for electronic discovery technology.

Earlier this month, as those of you who follow my Twitter feed will know, I was visiting customers and partners in Germany. In virtually every meeting, data privacy and corruption investigations were top of mind, and with good reason. Following the Siemens case last year, German investigators have become much more active and it was easy for my hosts to list example after example of recent cases. There was the Deutsche Bahn case of management spying on its own employees, in violation of German privacy laws; the Deutsche Bank case of management spying on its own board; and, the Deutsche Telekom case of management phone tapping employees to find leaks. There were stories of price collusion among cable car companies in the Alps, and corruption investigations into the activities of German companies in Eastern Europe.

A similar focus on anti-corruption exists closer to home. I have written before about the increase in FCPA investigations and that’s been reflected in recent headlines. As the Wall Street Journal reports, Sun and Shell have recently come under the microscope, according to their public filings. And Frederic Bourke, a founder of the accessories firm Dooney & Bourke, was recently found guilty of conspiracy to violate the Foreign Corrupt Practices Act, which may result in jail time.

All indications are that the U.S. Department of Justice and its counterparts overseas are just warming up. It’s not a good time for white collar crime, wherever you are in the world.

Time to Work Together on Electronic Discovery

Friday, February 27th, 2009

Cheesy Successories posters aside (for an alternative take, go here), the need to work together is much more than just a cliché in today’s environment.

In its recent brief on the five major trends that will shape business technology in 2009, leading management consultancy McKinsey and Company noted one trend in particular which highlights the urgent need for an organization’s IT and legal groups to forge better, faster, and more efficient ways of collaborating on electronic discovery issues:

Regulators demand more from IT

Government scrutiny of business will intensify in many developed countries. Already, in the United States, the Office of the Comptroller of the Currency weighs in on the resiliency of banking systems, the Food and Drug Administration (FDA) requires that many pharmaceutical systems be “validated,” and Sarbanes-Oxley drives decisions about accounting systems in every industry. In the future, policy makers and regulators will probably demand that IT systems capture more and better data in order to gain greater insight into and control over how banks manage risk, pharma companies manage drugs, and industrial companies affect the environment. Government officials also will monitor many legal and business rules more closely to ensure compliance with mandates. Successful CIOs should enhance their relationships with internal legal and corporate-affairs teams and be prepared to engage productively with regulators. They will need to seek solutions that meet government mandates at manageable cost and with minimal disruption.

- McKinsey Quarterly, February 2009

The current economic environment is creating a “Double Whammy” within almost every enterprise that has ongoing or pending electronic discovery issues (and are there many organizations left out there that don’t?):

  • As the McKinsey article notes, regulators will increasingly be demanding more from IT as government scrutiny of business intensifies. Just look at the just-launched recovery.gov site to see the level of transparency and accountability that the government is aiming for with regard to the stimulus package. The bailout will not directly affect every business, but there is a new sheriff in town who will likely set the tone across the entire business landscape.
  • At the same time, there is relentless pressure on controlling costs. When times are tough, dollars that can be saved on the expense side are much more valuable than top-line revenue, since 100% of every dollar of cost savings goes directly to the bottom line.

The net-net: Enterprises will be forced to do more, with less.

How? With regard to electronic discovery, there is a lot of low-hanging fruit to be picked in the area of IT and legal cooperation:

  • In-house legal teams should meet with IT (if they aren’t already) to help them better understand the nature of electronic discovery, particularly as it applies to the more “upstream” parts of the process (specifically, identification, preservation, and collection) which IT tends to be more responsible for. Through a better understanding of the nature of electronic discovery, IT can improve its ability to find the right documents, avoiding over-collection and reducing downstream processing costs. In addition, new electronic discovery technologies are making it increasingly easy for legal to own more of the process, reducing the electronic discovery burden on IT.
  • Conversely, IT should coordinate with in-house legal teams to provide advice and mentoring as legal seeks to bring e-discovery platforms in-house to assist with early case assessment, search, culling, and analysis. To many legal teams, bringing e-discovery in-house may seem like a daunting proposition, but enterprise software has been around for a long time, and learning from IT’s experiences can make the process far less intimidating.

Yes, regulators are going to be far more demanding in the future than they have been in the past. But some simple collaboration and coordination between IT and legal will go a long way toward lightening the regulatory burden, especially as it pertains to electronic discovery.

E-Discovery 911: Reducing Enterprise Electronic Discovery Costs in a Recession

Friday, February 20th, 2009

In today’s economy, controlling electronic discovery costs has taken on a new urgency.  Because the financials of many companies have deteriorated so quickly, there is great interest in finding methods to reduce any costs in the short-term.  As a result, anyone in a company’s IT or legal department that comes up with a plan to substantially reduce their company’s electronic discovery costs in the short-term is likely to become a hero in their company.  So, what’s the best way to reduce electronic discovery costs quickly?

A natural first step is to decide where to focus.  Which electronic discovery activities are the most costly today?  Which have the greatest room for cost reductions?  The EDRM model serves as a good guide for answering such questions by breaking electronic discovery activities into Information Management, Identification, Collection, Preservation, Processing, Analysis, Review, Production and Presentation.  One thing I have noticed when interacting with enterprises is that the IT and legal departments tend to focus on different stages within electronic discovery based on their perspective.  IT managers naturally concentrate on the information management, identification, collection and preservation activities because these are the activities in which they are most involved.  Similarly, legal managers naturally look to preservation, processing, production and review.

Given these different perspectives, it’s important to take an objective approach to calculating electronic discovery costs.  Doing so is not that easy.  Costs can vary significantly depending on each company, the nature of the case, the nature of the data, which vendors/technologies are used and a variety of other factors.  Costs also come in many different forms: direct hard dollar costs, such as spending on legal discovery and electronic discovery fees delivered by third parties; indirect hard dollar costs, such as time spent by company employees; and soft dollar costs, such as increased risk that could lead to adverse judgments and sanctions.  Finally, electronic discovery costs are often buried across both legal operating budgets and IT budgets, making it hard to separate these costs from the costs of other activities.

Undertaking an internal analysis to understand your company’s electronic discovery costs is a valuable activity if you want to better control these costs.  However, while costs do vary between companies, most companies will find that the same activities contribute the most direct hard dollar costs and that these are the costs that are easiest to control in the short-term.  To demonstrate this, let’s walk through a generic cost analysis of a typical case.  Fortunately, we don’t have to start from scratch in doing this.  Leonard Deutchman, an author of several excellent electronic discovery articles, has already done most of the work in a May 2007 article, “Get Ready for the Rules Changes, Part VIII”.  In this article, Mr. Deutchman walks the reader through a hypothetical litigation between an Investor and a Venture Capital firm.  He describes the typical electronic discovery activities and calculates the direct hard dollar costs for these activities including:

  • Collection: Mr. Deutchman calculates that it costs $10k to collect 400GB from 8 hard drives and the data of 8 custodians on file and email servers using an outside vendor (doing it in-house can be less expensive).  Note that this excludes any collection from back-up tapes, which can be more costly.
  • Culling & Processing: it costs $4k to reduce the 400GB to 90GB by removing non-relevant file types prior to processing.  Processing 90GB costs $90k at $1000/GB.  De-duplication and the application of search terms reduce the data to 25GB.
  • Production: it costs $4k to produce the 4GB of data that is deemed responsive and not privileged to produce to the other side.

Mr. Deutchman doesn’t identify direct hard dollar costs for Information Management, Identification or Preservation.  These activities are typically not associated with direct hard dollar costs on a per matter basis.  Rather, they involve indirect hard dollar costs such as employee time and software licenses.  Mr. Deutchman also does not provide an estimate for the costs of review.  However, since review does contribute significant direct hard dollar costs for every matter, this gap needs to be filled in order to get a complete sense of the direct hard dollar costs.  The two big buckets of cost in review are: attorney review costs and review software costs.  In Mr. Deutchman’s hypothetical litigation one might imagine the following scenario for these costs:

  • 25GB translates into 195,000 documents using the low end of the documents-per-GB figures for email (9,000/GB) and files (7,000/GB), taken from industry survey data that is available from EDRM.  This example assumes that 40% of the 25GB is email.
  • The attorneys reviewing the data charge $75/hour and make 100 document decisions per hour.  This translates to approximately $146,000.
  • The hosted review service costs $50/GB/month and, in this case, let’s assume we host it for 6 paid months.  This costs $7,500.

If we tabulate these costs and calculate the direct hard dollar cost shares for each stage, the clear take-away is that Processing and Review costs comprise the vast majority of direct hard dollar costs.  Collection and Production direct hard dollar costs are significantly smaller in comparison.

EDRM Stage                       Hard Dollar Costs ($k)    Share
Collection                       10                        4%
Processing                       94                        36%
Review                           153                       58%
Production                       4                         2%
Total                            261                       100%
Total for Processing & Review    247                       94%

Now, it’s possible to come up with many arguments for why Mr. Deutchman’s or my estimates could be high, including different assumptions for attorney hourly review costs, higher document decision rates, cheaper vendor pricing, etc.  Similarly, it’s possible to come up with many arguments for why the estimates could be low, including the need to perform multiple review passes, slower document decision rates, more expensive vendor charges, etc.  In addition, each company will have its own unique circumstances that will change this picture.  However, this generic analysis strongly suggests that more customized analyses would come to the same conclusion: if you want to reduce electronic discovery costs quickly, then you need to focus on processing and review costs.  One can also imagine that even if you were to use some form of activity-based costing to allocate indirect hard dollar costs on a per matter basis, it would likely not change the importance of Processing and Review costs.

What does this mean for IT and legal managers in corporations?  These kinds of analyses make it pretty clear that, even though they are more involved in the Information Management, Identification, and Collection phases of electronic discovery, IT managers need to focus more on helping the legal team optimize Processing and Review activities.  You are not going to get the biggest bang for your buck in the short-term by trying to reduce costs in Information Management, Identification, Preservation, and Collection.  Similarly, legal managers need to work more closely with IT in order to focus on how to reduce processing and review costs.

So, the obvious question coming out of such an analysis is what’s the best way to reduce Processing and Review costs?  We’ll discuss this issue in a future post.

In the meantime, tell me what you think by participating in our first e-discovery 2.0 poll.  See the sidebar here: Which Phase of Electronic Discovery Do You Think is the Most Costly?

Data Retention Policies For E-Discovery: More Of A “Red Herring” Than A “Hot Potato”

Tuesday, September 11th, 2007

For those in regulated industries like financial services, where data retention policies are mandated, every keystroke is tracked and every phone call recorded, the question of how long you should keep data is moot: you keep it for as long as regulations demand.

But for the rest of us in manufacturing, media, technology, government, and elsewhere, it remains an open question. The answer to “what should our email and document retention policy be?” is often a political hot potato, pitting legal and IT’s goal of lower costs against the broader population’s desire to hang on to all their email, just in case they need it later. In fact, the only thing harder than agreeing a retention policy is enforcing it afterwards, as corporate users habitually keep more data than allowed, unless physically prevented from doing so.

The reason this matters is that many people believe creating a data retention policy is a key part of implementing an e-discovery solution. I too used to think this way, viewing retention-policy-creation as a necessary rite of passage for legal, IT, and information security people who want to lower e-discovery costs. After all, if the #1 cause of higher e-discovery costs is too much data, then a policy reducing the amount of data looks like a low cost, no-brainer solution.

But life just does not work that way. Outside of the command-and-control environment of regulated industries, retention policies simply do not work. You cannot fight human nature and force people to delete information they want to keep – especially when Gmail, Yahoo Mail, Hotmail and others are training them to do precisely the opposite (i.e., never delete, keep everything) in their personal email accounts.

So, I have changed my mind: to anyone engaged in implementing an e-discovery solution in a non-regulated industry, I say: forget data retention policies, it is a red herring. Too much data is a fact of life that will only get worse. You can no more get people to delete email and documents than you can stop someone writing them in the first place. Instead, focus on the battle you can win by putting in an e-discovery solution that enables you to do two things:

1. Collect data efficiently, so that you have a reliable (defensible) way of getting the data you need. Implementing an email archive from HP, Symantec or others is a great way of approaching this, as is leveraging forensics tools from Guidance or Access Data.

2. Analyze the data up front, so that you can cull it down to only those documents relevant to the case before a human being has to review them. Clearwell’s e-discovery solution is one approach which has worked for a large number of enterprises.

If your experiences, or conclusions, differ from mine, then feel free to post a comment. I am particularly interested to hear about successful examples of data retention policies at non-regulated companies, since I have yet to see one.