The Legal Data Intelligence Approach to Sound & Defensible Data Disposition

In 2024, a software company was served with an enforcement action by the Federal Trade Commission (FTC) after a data breach incident at the company. In its complaint, the FTC stated that the company had retained information relating to its customers “for years longer than was necessary.” In essence, the company should have securely disposed of this data long before the security incident took place. In a settlement with the regulatory agency, the company agreed to implement a data retention schedule and delete data that was no longer needed to provide its products and services.

The cautionary tales are numerous: a major telecom company had to cough up $13 million in fines after one of its vendors failed to dispose of customer data that was no longer needed.

In the past, data disposition measures were met with resistance on account of the inherent tension between data’s potential business value and the risk of retaining it. But with the emergence of electronic data and the concomitant rise of ediscovery, legal professionals were saddled with the unnecessary task of reviewing and producing data that had outlived its retention schedule—data that could have, instead, been deleted much earlier.

Further, at a time when data volumes are ballooning, threat actors are taking advantage of data’s expanding surface, and data privacy regulations are becoming more burdensome, the importance of sound disposition practices is becoming increasingly evident.

To support legal professionals in managing this complex, data-dense challenge, we introduced a new use case into the Legal Data Intelligence model: Data Disposition. The new use case, which sits under the Data Protection Compliance category, lays out a step-by-step workflow for the deletion or destruction of personal or confidential data as required by law, regulation, or agreement.

LDI practitioners can now access and download the Data Disposition use case on our website. The workflow was jointly created by founding members Briordy Meyers (Privacy Director, Capital One), Sarah Bennington (Senior Legal Counsel, Qualcomm), along with LDI Architects Joe Bartolo, Ryan Costello, Chris Haley, Michael C. Kearney, Rachel McAdams, George Phillips, Lisa Ripley, Rob Robinson, and Michael Sarlo.

Use Case In Practice: Taking the LDI Approach to Data Disposition

Here are two examples that illustrate when LDI’s Data Disposition workflow can be helpful:

Protective Order and Regulatory Compliance

During litigation, a global technology company headquartered in the Netherlands advocates for a Protective Order provision recognizing the applicability of the GDPR to custodial and non-custodial data collected, processed, and produced as relevant to U.S. discovery requests. The provision is included in a Protective Order entered by the court. Upon case closure, both parties must certify deletion and destruction of opposing party data to comply with the Protective Order. The technology company must also ensure deletion of the personal data it produced to comply with the GDPR.

Fulfillment of Contractual Agreements

A U.S.-based pharmaceutical company enters into an agreement with a U.S.-based legal technology company to provide document review technology and service support for U.S. discovery workflows. A provision in the contract requires both companies to destroy each other's confidential information within 30 days of contract termination. The contract terminated 10 days ago.

Q&A: What Makes LDI’s Approach to Data Disposition Stand Out?

We asked Briordy Meyers—one of the co-leads of the Data Protection Compliance category—to learn more about the new workflow.