
Protect Yourself Through Remediation – ROT Can Lead to Legal and Regulatory Violations  

When it comes to enterprise data, the sheer volumes that are collected and stored are staggering. Not all data is valuable, though, and ROT (Redundant, Obsolete, and Trivial information) builds up even when we are diligent. ROT drains storage capacity and makes search and retrieval harder, but the problems can be much more serious: retaining ROT is risky and can expose the business to regulatory and legal violations.

How do you mitigate this risk? The fix is to develop a remediation strategy that allows you to identify, manage and eliminate ROT quickly, efficiently, and safely to prevent these violations.  

Get to Know the Risks 

ROT is data that is no longer useful but continues to occupy valuable storage space, while causing inefficiencies in management, usage, search and retrieval, reporting, and productions. Most organizations’ data storage comprises 40-50% ROT, which can mean millions of dollars of excess storage expense. Beyond the hard costs of storing ROT, retaining it directly exposes the organization to compliance, regulatory, and attack risks.

Data Privacy 

Most large organizations are subject to numerous data privacy laws, including GDPR, HIPAA, and CCPA, for starters. Excess ROT puts organizations at risk of noncompliance, because it means they have failed to reduce instances of personal data to only what must be retained to conduct normal business operations (a concept often called “Data Minimization”). Exceeding the minimum-use mandates can expose them to penalties and fines. The risk is compounded when the over-retention of ROT directly violates the company’s own records retention schedules, indicating not just sloppy data management but willful negligence. Most courts and regulating agencies look down on practices that knowingly violate an organization’s published data management policies and controls, and if the violations are serious enough, they can result in substantial penalties, not to mention exceedingly poor press and reputation damage. See this stunning example in which Morgan Stanley was fined $35M for failing to properly delete customer data in accordance with its own records destruction policies.

Security 

ROT increases an organization’s exposure to security incidents and data breaches. Put simply, the more data you hold, the larger the attack surface! Given that most organizations are storing 2-3x excess ROT data, that’s almost twice as much “attackable” data as there should be! Cybercriminals often use ROT as an opportunity to enter a larger system, in part because they know insiders are not typically focusing on it. Furthermore, cybersecurity reports often cite that the likelihood of a breach increases with the volume of data stored. IBM’s Cost of a Data Breach Report (2024) reported that companies with poor data management practices saw breach costs 20% higher than those with good data governance. Even more disturbing, organizations with excess data often face longer detection and response times because the systems they must monitor are more complex. The same report found that breaches took 277 days on average to identify and contain in companies with ineffective data management. The good news is that organizations that reduce ROT data through effective data management can typically reduce their breach likelihood by 30-40% and cut compliance and legal costs substantially.

Litigation 

Organizations are required to produce certain records during litigation or investigatory proceedings, and ROT can make this overly difficult. Typically, the obligation is to produce information that is responsive to the request and not privileged in nature. Determining the produce/not-produce status of enterprise data requires a lengthy and expensive document review process, which excess ROT compounds and exacerbates. To be complete and accurate in their eDiscovery productions, attorneys will want to “turn over every stone,” and the more ROT there is, the more stones they will need to turn over to satisfy their obligations. Simply removing identical duplicates in a timely manner can significantly lower eDiscovery review costs, often by 50% or more!

That said, it is also critically important not to delete any data that is currently (or reasonably anticipated to be) under legal hold, even if it is past its retention date and/or trivial in nature.  Thus, ROT remediation efforts have to be aware of and responsive to changing legal hold requirements over time.  ROT removal cannot happen in a vacuum. The goal is to create a remediation strategy that eliminates ROT without destroying crucial data. 

Contractual 

ROT mismanagement can cause organizations to become noncompliant with their own internal data retention and destruction policies, as well as with contractually agreed-upon data handling requirements with suppliers, customers and patients. Data mismanagement can create serious contractual compliance issues. For example, many contracts and service agreements call for businesses to manage data according to government, industry and organizational best practices, many of which are published by organizations such as NIST, ISO, FDA and SEC. Maintaining excess ROT data can inadvertently trigger contractual nonconformance or set the stage for termination-for-cause clauses.

Intellectual Property  

Sometimes there is a sense that if data is ROT in nature, it is, by definition, of low value. That is not always true. It may be of high value but simply duplicative in nature. ROT can leave the organization vulnerable to information leaks, because some of this data may still contain sensitive information that, if leaked, can have serious implications for the business. These include accidental exposure of sensitive emails, confidential documents, and even trade secrets. Such leaks can have serious legal consequences.

Similar to information leaks or breaches, organizations need to consider which internal (or external) systems have access to enterprise data, ROT or otherwise.  For example, are there enterprise search engines or data loss prevention tools that are routinely scanning through the data?  What about AI Large Language Model (LLM) training algorithms?  What is the impact, efficacy and performance of these systems if they are training on ROT data, rather than high-value, best-option data?  Keeping excess ROT data degrades the value of these tools, reducing their ROI, efficacy, and ultimately their value to the company.  Remediating ROT enhances their value, and ultimately boosts both productivity and ROI. 

ROT Remediation Best Practices 

Should you identify that your organization has an issue with ROT, you’ll need to develop a remediation strategy that mitigates these risks. A good strategy is multifaceted and includes the following best practices:  

  • Files & Content. You’ll need to consider file types and content types, and not just look for dupes, dates, et cetera. You should examine the nature and purpose of each file’s content and discover why the content was duplicated and by whom. You’ll also want to understand where your past-retention data is and what authorizations you’ll need to remediate it. 
  • Involvement. You’ll need to involve different departments in your organization in the ROT discussion such as business units, legal teams, compliance, and IT, to make sure everyone is on board.  
  • Benchmark Processes. How long does it take you to fulfill a DSAR request or litigation cull? It’s helpful to audit these processes as they currently stand so that you can articulate how they’ll need to be fixed. Auditing also gives you a clear comparison benchmark to document the ROI of your ROT remediation efforts after they are implemented. 
  • Respect Requirements. You’ll naturally need to respect legal requirements, such as legal holds and permanent records designations. Note that you can’t remove ROT associated with these tags, even if it is past retention, which makes the proper handling of ROT trickier than it may first appear.
  • Tombstone. You’ll want to make it easy for your colleagues to adapt to remediated data stores.  One such technique is to “tombstone” deleted data with a pointer to the new location or remediated status of a file.  Although ROT remediation can cause internal frustration, providing clear instructions on how to find deleted/migrated files will make things easier. 
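As an added illustration of the practices above, and of the duplicate removal mentioned under Litigation, the following Python script plans a file-share cleanup rather than performing one (it is not code from the original post or from the webinar's authors): it finds identical duplicates by content hash, flags files past their retention date, refuses to touch anything tagged with a legal hold or permanent-record designation, and writes a tombstone file pointing at the surviving copy. The metadata dictionary, the tag names and the tombstone format are assumptions standing in for whatever a records-management system would supply; the actual deletion step is deliberately left to a separate, reviewed process.

```python
import hashlib
import json
from datetime import date
from pathlib import Path
# Tags that block removal even when a file is duplicated or past its retention date
# (assumed names; a real records system would supply its own designations).
PROTECTED_TAGS = {"legal_hold", "permanent_record"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_held(meta: dict) -> bool:
    return bool(PROTECTED_TAGS & set(meta.get("tags", [])))

def is_expired(meta: dict, today: date) -> bool:
    end = meta.get("retention_end")
    return end is not None and date.fromisoformat(end) < today

def write_tombstone(root: Path, rel: str, reason: str, pointer) -> None:
    # Small JSON marker left beside a removed file: why it went and where the keeper lives.
    (root / f"{rel}.tombstone.json").write_text(
        json.dumps({"removed": rel, "reason": reason, "see": pointer}))

def plan_remediation(root: Path, metadata: dict, today: date) -> dict:
    """Return {relative_path: 'keep' | 'hold' | 'delete'}. metadata maps relative path
    -> {"tags": [...], "retention_end": "YYYY-MM-DD"} (constructed stand-in for a records system)."""
    by_hash = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.name.endswith(".tombstone.json"):
            by_hash.setdefault(sha256_of(p), []).append(p.relative_to(root).as_posix())
    plan = {}
    for paths in by_hash.values():
        held = [r for r in paths if is_held(metadata.get(r, {}))]
        keeper = held[0] if held else paths[0]  # prefer a held copy as the survivor
        for rel in paths:
            meta = metadata.get(rel, {})
            if is_held(meta):
                plan[rel] = "hold"      # never removed, whatever its age
            elif rel != keeper:
                plan[rel] = "delete"    # identical duplicate of keeper
                write_tombstone(root, rel, "duplicate", keeper)
            elif is_expired(meta, today):
                plan[rel] = "delete"    # past retention and not under hold
                write_tombstone(root, rel, "past retention", None)
            else:
                plan[rel] = "keep"
    return plan
```

Files absent from the metadata are treated as neither held nor expired, so they are only removed when they are byte-identical duplicates of a kept copy.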

Managing ROT can be difficult, but it is worth doing right. Excess ROT can cause severe legal, compliance, and security issues. For more information on ROT remediation, you may want to watch this webinar: https://valoratech.com/webinars/rot-remediation-fileshare-cleanup/