Understanding Challenges and Risks with Legacy Data

Last Updated: July 22, 2025

By John Goff, FTI Technology

Organizations face mounting challenges in managing legacy data across siloed and outdated systems. In parallel, meeting evolving legal and compliance demands continues to be a moving target that becomes more difficult to hit the more an organization’s data stores go unchecked.

Maintaining these platforms — which can include backups, outdated archives, file shares, customer relationship management systems, productivity suites, email accounts no longer in use and more — typically requires between 60% and 80% of an organization’s IT budget. Meanwhile, up to 70% of the data stored within these platforms is left unused. Often, organizations aren’t aware of the scope and content of their legacy platforms and the redundant, outdated and trivial (ROT) data stored within them.

When organizations don’t take steps to defensibly dispose of legacy data and uphold rigorous deletion and retention practices across all information sources, an array of risks can quickly accumulate. These risks span legal, compliance, financial and operational issues, all of which make an organization more vulnerable to crisis incidents, IT failures, e-discovery exposures and other negative business outcomes.

The most common risks that result from unaddressed legacy data include:

  • Excess costs. IT budgets are often consumed by maintenance costs for legacy systems and steep storage rates for the unnecessary data they retain, cannibalizing funds that could otherwise be allocated to value-add and risk-mitigating initiatives and technology.
  • Legal hold and e-discovery issues. Large data volumes make legal hold and other e-discovery functions difficult. When legacy data and systems aren’t fully mapped or managed, defensibility of preservation is difficult to uphold and verify, which may lead to spoliation issues. E-discovery costs can increase exponentially if an organization doesn’t know what data it has, where it’s located or how to access it. Additionally, e-discovery costs rise significantly if information has been kept longer than required for legal, regulatory or business purposes. Keeping 10 or more years of data as opposed to following retention policies will inevitably result in significant costs for collection, processing and review of the data.
  • Compliance challenges. Highly regulated organizations, such as those in the financial services, life sciences and energy industries, are required to meet very specific retention guidelines for what data they may store, how they may store it and for how long. However, legacy data, whether known or hiding in the shadows, may be in violation of those requirements or otherwise undermining the organization’s compliance policies.
  • Creation of data silos. Unmapped, poorly managed and disparate data environments also face ownership ambiguity, with no group willing to take accountability for the associated risks or the work required to remediate. Silos also create barriers to effective retention enforcement.
  • Operational inefficiencies. Legacy systems are inherently at an increased risk of failures in their hardware or supporting software, especially if they are no longer supported by the technology vendor (i.e., the provider has sunset the product). They are also difficult or impossible to integrate with modern systems, which hampers access to data and efficiencies for incident response and other business needs. Moreover, teams may waste excess time trying to parse through ROT data to find the data and documents that they do need, creating additional pressures on time and resources.

Another downside is overly complex environments, which may contain multiple email systems, data archives, etc., making the process of maintaining and navigating required data for preservation and collection more risky and costly. Simplifying the environment and centralizing information into a single source of truth where possible will reduce risks and costs and increase efficiencies.

  • Innovation stagnation and impaired decision making. When excess data is spread across legacy environments and not centrally managed, it’s difficult to use it for insights and strategic business decisions. A company’s data can be a valuable asset, but only if it’s accessible, known and useable.
  • Increased vulnerability. Many legacy systems have weak security protections that do not stand up to modern data protection standards, exposing an organization to increased risk of a cybersecurity incident or data breach. They also make it more challenging for organizations to fulfill their data privacy obligations, especially regulations that require rigorous security measures and data handling processes.

Organizations must bridge the gap between legacy data and best practices, through the creation and enforcement of defensible deletion policies and processes. By transforming scattered legacy information into clean, structured and compliant data, organizations can reduce risk and lay a foundation for deriving value from their data.

The key is to be proactive in pursuing a defensible disposal initiative and an ongoing retention and defensible deletion program. Stakeholders from across an organization, including business units that work with various data systems in their day-to-day work, should partner to address legacy systems and data before an incident or legal issue occurs.

While each organization is unique in how it will need to tackle defensible disposal, common phases and steps for a successful outcome include:

  • Conduct a policy review and refresh to assess current retention policies, storage quotas, e-discovery response plans, security protocols, acceptable use, backup and other key policies. Working across stakeholders to refresh these policies so they are “future proof” and work in harmony is essential.
  • Data mapping, classification and categorization to develop a data map of information assets across business units, including cloud applications. Teams should also develop, implement and monitor an ongoing data classification and categorization strategy.
  • Data migration, collection and disposition to defensibly dispose of redundant or obsolete data and safely migrate only necessary data from a legacy application to a more modern platform. Establishing an enterprise repository capable of applying security and governance controls such as retention, preservation and disposal is also key.
  • Continuous application and improvement to implement systems and processes for applying policies on an ongoing basis, including flagging noncompliance and enabling teams to act as issues arise. This helps to ensure continuous improvement as laws and technology change.

Legal, IT, compliance and information governance stakeholders can collaborate with business users to understand data practices, needs and areas where processes and technology can be effectively streamlined. Breaking down organizational and data silos and holistically disposing of legacy data significantly reduces cost and risk for organizations and establishes a resilient foundation for defensible e-discovery and future data needs.
