Is your business thinking about retiring or updating its software or systems? Where are you in the planning process? Have you even thought about what will happen with your existing applications or systems? Many organizations retire or replace old or outdated applications or systems without enough planning about the information that does not get migrated to the new system. Employees will spend more time planning for implementation of the new system or software, particularly if it is one that supports the bottom line. However, there are real E-discovery and data privacy costs organizations can avoid by taking time to understand what will be moth-balled and whether and how it will be needed later.
Retired applications or computer systems often remain with the organization because of two primary concerns: one, you will need it later or two, you must retain, not destroy, something important to the business. Over time, fading memories and employee turnover will cause slowly diminishing institutional knowledge of the information within the legacy system and how to access it. Any usefulness of the old data can quickly become outweighed by the potential costs of having it linger around.
Dealing with legacy systems after litigation has arisen can create significant expense even when handled by experienced and effective counsel. To succeed with an objection that accessing and reviewing such information is not “proportional to the needs of the case”, counsel must spend valuable time and resources trying to understand the legacy system, its data, and how to access it to define the burden against the value of the data. Legacy systems and a lack of institutional knowledge about what exists within them can create unnecessary disputes, take away from the focus of resolving the issues, and distract the attorneys with highly technical issues that may require input from multiple individuals within the client organization.
Documenting and understanding legacy systems and their data during a transition to newer systems can bring value to the company. For example, it can assist with identifying what information can migrate to the new system to help ensure the organization does not lose track of the content and location of its data collections. It can also assist with deciding to permanently destroy unnecessary data that no longer serves a business purpose. If the data serves no material business purpose and is not subject to a litigation hold, why keep it? If the data could serve an important business purpose, documenting what is there and how to access it will help the business function and counsel to manage it in litigation.
If your organization retains legacy data for business or regulatory reasons, but will not need it on any regular basis, disconnecting the legacy system from your network may help reduce your data breach risks. If legacy data needs to remain connected to your active network, consider whether anonymizing the data is necessary and possible to minimize the impact of any potential hacking effort.
Here are a few suggestions which may help prevent unnecessary costs for legacy data:
- Officially incorporate involvement of your records manager whenever you retire or replace a computer system, database or application.
- Create a log recording the key information at the time of such retirements. For example, details on the nature of the data and to the extent it will migrate to any replacement system.
- When you retire or replace items, consult with legal counsel and business leaders to determine when you can or should destroy data, and make the decision a part of your records.