Google Plus’ shutdown brings up ethical, legal questions about companies’ data retention obligations
Illustration by Sara Wadford
Like Friendster, Windows Live Spaces and Pownce before it, Google Plus is about to go extinct.
In April, Google’s consumer-facing social network will shut down because of lackluster user numbers and numerous security breaches. While there will be plenty of time for the tech giant to conduct a post-mortem into what went wrong, the more pressing issue will be what to do with all the data stored in Google’s failed social network.
Keep it too long, and it takes up space or becomes a target for hackers. Delete it too soon, and it could run afoul of discovery rules requiring data to be retained for a certain amount of time.
As technology comes and goes, there is a question of whether an app will stay around or whether it will retain your data into perpetuity, creating a need for data retention systems. Not only is this important for litigation purposes, but also business continuity. Since most data and software do not disappear overnight, technologists and attorneys recommend data archival and contractual strategies to avoid losing important data.
Take the case of the Browns. When Robert and Christine Brown sued their ex-employer for age discrimination, they didn’t realize their case would revolve around data storage. But that’s exactly what happened.
According to a 2011 filing in the U.S. District Court for the Southern District of Ohio, Robert, then 54, and Christine, then 51, were making tens of millions of dollars in sales for cash-management company Tellermate before they were fired.
Discrimination, they argued, was the only possible reason for their dismissal.
In response, Tellermate said the firing was business-related and denied the sales claims made by the Browns.
However, during a yearslong discovery period, the company was unable to produce the historic sales data from the Salesforce.com database the company relied on to track such information. At one point, Tellermate told the plaintiffs to ask Salesforce for the data instead.
To Tellermate’s surprise, the software company did not retain customer data longer than six months. While there was a litany of discovery abuses in the case, U.S. Magistrate Judge Terence P. Kemp wrote that the failure to preserve this data was the most serious.
“Significant problems arose in this case for one overriding reason: counsel fell far short of their obligation to examine critically the information which Tellermate gave them about the existence and availability of documents requested by the Browns,” Kemp wrote in a 2014 opinion.
Ultimately, Kemp found Tellermate in violation of federal discovery rules, sanctioned the defendants and counsel for negligence and bad faith, awarded attorney fees to the plaintiffs for discovery-related costs and precluded Tellermate from using evidence to make its strongest defense during trial: that the Browns were let go for poor sales. After four years, the suit was settled out of court.
Into THE CLOUD
The lost data to Tellermate is “not a whole lot different” from a sunsetting application that contains electronically stored information, according to Barry Schwartz, senior vice president at BIA, an e-discovery service provider. The lesson from the case is that “if you are using a data resource that you aren’t going to be using any longer, you have an obligation to think about what the implications are.”
When the data is the user’s obligation, “you have to back it up,” he says.
Companies and firms should approach sunsetting software and data retention methodically. For example, archiving can store specific data in a secure environment.
Gary Patterson, senior director of product management at Informatica, a software development company in Redwood City, California, says that a data archive can be secure, protect sensitive information, create flags for data related to legal proceedings and allow for auditing—all while taking up less space due to its compressed format.
With the proliferation of cloud-based storage services, this solution is less expensive and onerous than purchasing physical servers, a benefit particularly felt by smaller firms, Patterson says. Even so, he notes that it’s still important to research the security of off-premises cloud storage. (Read more: “Cloudy Ethics,” April 2018, page 30.)
Beyond where a data archive is stored, there are considerations of what to store, Patterson says.
For example, those in the health care and finance industries have federal- and state-level obligations regarding data retention. Regardless of industry, preserving data for litigation purposes is also an obligation. However, a company would only be expected to store data if litigation was ongoing or reasonably foreseeable, Schwartz says.
George Florentine at Flatirons Digital Innovations in Boulder, Colorado, says the legal and financial impact of archiving data is “huge.”
In one example, he worked with a health care provider that had 18,000 data servers. Without a system, the company did not know what was stored where. This left the company unable to fulfill a routine Medicare audit, which led to a six-figure fine.
“Scale and complexity equal risk” when it comes to security, he says.
In another instance, a client was paying $2.5 million a year for a human resources platform it wasn’t using. Sunsetting the platform and storing the data cost an initial $600,000 and had an annual upkeep of $40,000—a significant savings.
TRANSITION TO NEW VENDOR
Beyond technology, Jen Salyers, a partner at Context Law in Minneapolis, says to think about sunsetting when contracting with a new software vendor.
Because software vendor contracts don’t provide perpetual support, she recommends adding contractual terms that require the vendor to provide support services for a term of years. She adds that appropriate refund language can open the door for future damages if the vendor stops providing that contracted support.
Not all companies will be able to do this, however. Salyers often negotiates these contracts for large businesses that have leverage. For others, she recommends that organizations build a contingency plan in case the software or service sunsets. This should include knowing whether data can be exported in a neutral format, making it easier to use the same data on a different platform.
While the right approach will be based on an organization’s need, firms won’t know which is best for them until they start to investigate their data situation.
“It’s kind of an esoteric topic,” Schwartz says, “because you don’t know what you don’t know until you ask.”
This article was published in the April 2019 ABA Journal magazine with the title "Off Into the Sunset."
