Unless you live under a rock, you likely know that the European Union ruled in May that people in its jurisdiction have the right -- under certain conditions -- to ask search engine operators to remove links to information.
Data that is "irrelevant" or "outdated" may be a candidate for removal, said the EU's highest court. Known as the right to be forgotten, the decision has sparked a global debate about how to balance free speech and personal privacy -- and, by extension, when it's OK to erase your business data.
The persistence of (computer) memory
The first thing to remember is that there's no such thing as "erased" in the digital world. Clicking Delete on your laptop simply removes a pointer to the file you want to erase, and leaves intact the bits and bytes that represent the file in question. Your hard disk can be wiped clean to prevent the file's recovery, but what about the copies of that file that exist on backup tapes and in the inboxes of anyone to whom you emailed it? You've got a lot less control -- if any -- over them, and no place to hide should their existence become problematic.
The same, of course, is true of social media posts and other online content, which may be taken down from their original sites but can't be "unseen" by anyone who's viewed them. And in the context of the EU's ruling, removing a link from a search engine's results page doesn't cause the content to which it links to disappear from the original host -- it just makes it harder to find.
Visibility + accountability = content and records management
These waters become murkier as they flow into the twin corporate realms of visibility and accountability, which ultimately spill into content and records management. When you get right down to it, these disciplines were created in large part to ensure organizational information can be readily found and will not be disposed of according to the whims of whoever is in charge at the moment. So, properly approached, the issue of deletion or erasure within organizations is never addressed according to some arbitrary policy or timeline.
The deletion or erasure issue, of course, falls under the heading of either compliance or governance -- or both -- and whether it is mandated by the federal, state or local government, industry practices, or internal mandate, the idea is to adhere to specific retention and disposal procedures in order to satisfy regulatory requirements, minimize potential legal exposure, safeguard customer privacy and/or reduce information "clutter."
Erase at your own risk
Thanks in no small part to the recent spate of high-profile data breaches, it is now widely known that getting caught for being noncompliant comes at a cost.
For instance, in December 2013, write Peter J. Isajiw and John C. Vázquez of Cadwalader, Wickersham & Taft on mondaq.com, "the Financial Industry Regulatory Authority (FINRA) fined one member bank $3.75 million for failing to maintain emails, instant messages and other electronic documents in a format that would prevent their deletion or alteration." Similarly, in a decision rendered in August 2013 and commented upon by Michael Hoenig of Herzfeld & Rubin, PC, a judge penalized a plaintiff for the wrongful deletion of emails.
With these examples in mind, let's now imagine the not-so-distant day when your employees begin using apps and applications -- some of which you may even have given them -- that automatically destroy information after a set period of time. Wittingly or not, these users can land you in compliance jeopardy by causing records-worthy information to disappear. And for the evildoers out there -- well, just think of the impunity with which they'll believe they can ship sensitive information to their homes or to your competitors. After all, these apps are designed to help cover their tracks!
These self-destructing utilities are especially problematic for organizations in regulated industries like financial services and healthcare, where failing to achieve visibility and accountability can be quite expensive. And if the whole scenario sounds far-fetched, realize that consumer apps already exist to provide this functionality, and in an era of the consumerization of IT, it can be a small step from the living room to the boardroom.
Will the right to be forgotten lead to disaster?
Could the right to be forgotten come to the U.S.?