Language Requiring Deletion of Electronic Files

I received the following inquiry from Sarita Nair of the New Mexico law firm Sutin, Thayer & Browne:

I am struggling to find a concise way to limit an obligation to delete electronic records.

As you know, many contracts and letters of intent contain an obligation to destroy documents if a commercial relationship ends. In recent years, it has become common to add in a phrase like “and remove all computer files” or “destroy all electronic records” to this obligation.

As a practical matter, it is very difficult to delete an electronic record completely. Most people delete the readily accessible version, but back-up files, cached versions, and versions on backed-up versions of hard drives still exist. I am hoping not to have to spell all of that out in order to limit the “duty to delete.” Have you tackled this issue, or do you have ideas?

Here’s a random example, culled from EDGAR, of the kind of provision Sarita has in mind:

Aptus shall deliver all Personal Information to CBSI or its authorized designee promptly upon written request from CBSI, and shall, subject to final accounting and billing requirements, upon a written confirmation by CBSI, promptly and permanently delete the Personal Information from its own files at the expiration or earlier termination of the Agreement.

I haven’t had occasion to consider this recently. Anyone have any suggestions?

About the author

Ken Adams is the leading authority on how to say clearly whatever you want to say in a contract. He’s author of A Manual of Style for Contract Drafting, and he offers online and in-person training around the world. He’s also chief content officer of LegalSifter, Inc., a company that combines artificial intelligence and expertise to assist with review of contracts.

23 thoughts on “Language Requiring Deletion of Electronic Files”

  1. Here’s some language I’ve used for a long time: Confidential information contained in system-backup media, such as for example email backup tapes, need not be returned or destroyed so long as the backup media are maintained in confidence and are not readily accessible to users.

    This could be expanded to explicitly include caches, but I would think caches would already be encompassed by the term system-backup media.

    I’ve recently begun to think that in many cases, imposing an obligation to return or destroy confidential information isn’t worth the bother, as long as the confidentiality obligation continues in place.

    In fact, often it’s the receiving party, more so than the disclosing party, that has the greater interest in destroying confidential information — the receiving party may well not want the continuing ‘taint’ that goes along with having the disclosing party’s information in its files.

  2. I agree that the confidentiality obligations continue, regardless of the ability to destroy backed-up information. But for organizations that won’t let go of this bone so easily, I have used language such as “information contained in back-ups shall be overwritten as such backup media is reused on its normal cycle.”

  3. Jeff: Are system-backup media always overwritten? Would it make sense to impose an obligation to overwrite them?

    And I’d tweak your language, in that it’s in the passive voice and uses such as a pointing word (see MSCD 12.349). How about this: “Acme shall cause all Confidential Information contained in system-backup media to be overwritten in the ordinary course of reuse of those system-backup media.”

    Ken

  4. I won’t argue the passive voice change. You’re the master. I bow to your will.

    Most backup media is overwritten. Except for the military and certain TLA agencies, I’ve never heard of anyone keeping data forever. From a purely technical perspective, there are two types of backups: full (snapshot of everything you have at this moment in time) and incremental (the delta between what you had between your last backup and this one).

    Even the backup software vendors recommend a mix of the two, incremental on the short term (daily) basis, full on the long term (weekly/monthly). The tapes/drives are labeled and kept then for a certain amount of time and then recycled. So, for example, an organization will have 4+ sets of backup media – each set can handle a month’s worth of backups. So at any moment in time, you’ll have at least 4 months’ backup.

    [Thanks for giving me an idea for another blog post… one on knowing the basics of the technologies you encounter.]

  5. Unless I’m not thinking this through (very possible after 3 minutes of consideration), the only time this could be relevant is if there has been a breach, as Mr. Gordon notes. All one really cares about is the usage of the confidential information after the recipient no longer has the right to do so. If it sits on a tape backup, who cares if they don’t use it in violation of the agreement?

    Of course, there is the risk that it remains on a backup server (or tape media) and is ultimately discovered by a third party, so maybe an affirmative obligation to delete it from all backups makes sense (perhaps saying “in the ordinary course of business” would pick up the overwrite requirement described above).

    I’m going to think about this one…

    Steve

  6. One point, then some sample language.

    A lot of commercial contracts now have provisions that allow one party (usually the one with the money) to audit the other’s compliance with the agreement. Often, that provision survives termination. The companies that insist most strongly on including that kind of clause are the few that actually exercise it. In my (limited) experience, it is companies that are themselves audited by government agencies. So, breach of a clause about destruction of data can come to light outside of a pre-existing lawsuit.

    Now some language. Here is what I use in our form NDA for commercial relationships.

    Promptly upon Discloser’s written request, Recipient shall, to the maximum extent that any recording, document, software, object, or other material containing, representing, reflecting, embodying, or based upon Confidential Information (each being an “Embodiment”) is within its possession or control:
    (a) ensure (as by taking an inventory and issuing written instructions) that each electronic back-up copy of any Embodiment that it made in the ordinary course of business is irretrievably erased or destroyed within 4 months of the request in the ordinary course of erasing, destroying, or re-using back-up media;
    (b) irretrievably erase all other electronic Embodiments;
    (c) irretrievably destroy all other Embodiments (including printed copies of electronic Embodiments); and
    (d) certify in writing that it has complied with this Section 10.

    There are some rhetorical flourishes in there. The word “irretrievably” should be surplus, but it makes it easier for other people to accept. Likewise, I tried to eliminate the passive voice in it, but caved in to the objection that someone other than the Recipient will be erasing an Embodiment that is in the Recipient’s control, but not possession.

    A longer version of the same, which I created mainly as a thought experiment and which has many of the same flaws as the version above:

    Section X. Destruction of Embodiments. Promptly upon the Discloser’s written request, the Recipient shall, to the maximum extent that any document, recording, software, tangible object, or other material embodying, containing, representing, reflecting, or based upon Confidential Information (each being an “Embodiment”) is within its possession or control:
    a. promptly destroy all copies of Embodiments that Section Y does not permit it to retain;
    b. ensure (as by taking an inventory and issuing written instructions) that it destroys each copy of an Embodiment promptly after the retention period that Section Y permits;
    c. ensure that any retained copies of Embodiments are used and disclosed only as this agreement permits; and
    d. certify in writing its compliance with this Section X.

    Section Y. Retention of Embodiments. The Recipient may retain each copy of an Embodiment for the longest of the following periods of time that are applicable to the copy:
    a. for any copy of any Embodiment that law requires it to retain, for a period ending when the legal requirement expires;
    b. for any electronic back-up copy of any Embodiment that the Recipient made in the ordinary course of business, a period consistent with the Recipient’s ordinary course of erasing, destroying, or re-using back-up media, but not longer than four months;
    c. for copies of Embodiments that the Recipient’s written and generally applicable document retention policy requires the Recipient to retain, the period that policy requires, but no longer than (1) one year after the expiration of the longest period of retention that the law requires, (2) one year after the longest applicable statute of limitations (excluding statutes of repose), or (3) eight years; or
    d. for any copies of Embodiments that the Recipient’s written and generally applicable document retention policy requires the Recipient not to destroy because of a pending or threatened claim or investigation of wrongdoing, a period ending when either (1) the Recipient should have determined that the copies of the Embodiments are not material to the claim or investigation or (2) the end of all proceedings related to the claim or investigation.

    Chris Lemens

  7. Chris, I would be cautious about your first clause because I am not sure that it is (realistically) possible to comply with it. If you delete a file from your computer, it can be retrieved by those with the right equipment. Even if you reformat your hard drive, the data can be retrievable. The only way to be sure that you have made information that was once on a computer “irretrievable” is, basically, to incinerate the computer. This is probably excessive in most cases.

    This is of course a separate issue to the backups, cached files and emails that may be retained in many, many people’s filing systems. In large institutions, confidential information can be sent to distribution lists with over a hundred people on them. Not ideal, but changing that kind of system is not really within the powers of your average lawyer drafting a confidentiality clause, so the drafting has to just cater for it.

    One way that I have used when I used to do a lot of NDAs is to use “reasonable endeavours”, or similar, for electronic information. It is both concise and realistic, is often accepted (when the above problems are explained in long, tedious detail) and can be preferable to getting into technical details regarding IT systems that lawyers are unlikely to be familiar enough with to be sure that what they are drafting is appropriate. The obvious disadvantage is that it is not very specific, leaving both parties slightly unsure of what it will entail, so some sticklers don’t go for it.

    Anyway, I also agree that Eric is probably right. Hardly anyone actually does this.

  8. I agree with Eric’s and others’ point that this is almost always breached if read literally. But, I tend to put this in the same category that most corporate reps fall into – They’re means of assigning risks rather than actual promises that something will get done, and aren’t intended to be views of reality. In that way, they’re legal fictions used as a mechanism to assign risk.

    In a way, we don’t really care if the destruction gets done. Rather, we put the costs of failure on the party who was in temporary possession of the data. Presumably, among other things, that will motivate that party to do as much as possible to get it destroyed or keep it secret.

    Thus, I’d fight for the simple phrase (“Thou shalt destroy.”), even in the face of somebody who claims it can’t be done. (And, trust me, I know it can’t be done.) If I back away from the simple on some false premise that we can’t agree to things that are literally impossible, all I’ve done is given the other party an argument about why it is that the other party doesn’t bear responsibility for a data breach which occurred after it was all supposed to have been destroyed.

    So, Ken — Have you written on the concept of a rep that we all know can’t be complied with if read literally, but everybody knows that it’s merely a means of assigning risk as opposed to an attempt to describe reality?

  9. I think there can be a lot of sense in seeing clauses as risk allocators rather than literal obligations.

    In this case though, if information is not destroyed and then disclosed, the disclosing party will in any case have breached their non-disclosure obligations – the risk should be on them regardless of the destruction clause, assuming the contract is clear enough on that point. However, a lot of clients would have difficulties with the concept of a “risk allocation” breach, either because it is against some immutable internal compliance policy or because they may not want to accept the possibility of legal consequences in circumstances where all the information actually remains confidential.

  10. Michael Fleming writes that promises such as a return-or-destroy covenant are:

    … means of assigning risks rather than actual promises that something will get done, and aren’t intended to be views of reality. In that way, they’re legal fictions used as a mechanism to assign risk.

    In a way, we don’t really care if the destruction gets done.

    This risks giving opposing counsel a free throw-away line to use in front of the jury, even in a trial about a largely-unrelated issue. The line would be something like this: Ladies and gentlemen, these folks couldn’t be trusted to honor even that one simple commitment; why would we think they paid any more attention to their other commitments?

    Worse, the receiving party could be accused of fraud in the inducement, for having never intended to honor its destruction commitment in the first instance.

    These might not be fatal to the receiving party’s case. But who needs the aggravation?

  11. “Worse, the receiving party could be accused of fraud in the inducement, for having never intended to honor its destruction commitment in the first instance.”

    I don’t think a party could make that fraud claim with a straight face, since that would require the claimant to make a showing that it reasonably relied on the literal promise, and it would be quite difficult to show that (for the very reason that Sarita pointed out above — everybody knows it literally can’t be done, and it’s a well documented problem, so nobody could ever reasonably rely on that literal assertion).

    Would we be more comfortable if this was framed as a representation? (I’m not sure I understand any difference between making a positive assertion of destruction versus putting words like “We represent we’ll have destroyed…” in front of it. But, in defense of my original assertion, I will admit that most of those ‘legal fictions’ are usually framed as representations versus ‘shall’ clauses.)

    In any event, if I’m the one whose stuff should be protected, I’m not terribly interested in giving the party to whom I’m entrusting that information an easy defense as to why they lost my stuff. And to the degree that causes burdens on the receiving party, let it be known that this is precisely my aim! (It also suggests that prospective receiving parties might want to be more circumspect about what information they bring in, and how they store and distribute it within their organizations. Maybe if they thought about it ahead of time, and realized the difficulties they’d have in destroying it if they were called to do so if they’d taken no prior measures to limit the damage, they’d do things like keep the information in fenced networks versus the general corporate email, etc. The cost of going to that extent, and its inconvenience, might be less than the cost of getting sued for having lost it!)

  12. Michael Fleming writes:

    I don’t think a party could make that fraud claim with a straight face, since that would require the claimant to make a showing that it reasonably relied on the literal promise, and it would be quite difficult to show that (for the very reason that Sarita pointed out above — everybody knows it literally can’t be done, and it’s a well documented problem, so nobody could ever reasonably rely on that literal assertion).

    If I were trial counsel for a disclosing party, I would make just that argument, in a heartbeat. And good luck convincing a jury of lay people that “everybody knows it literally can’t be done”; my question to the jury (as trial counsel) would be, well if that’s the case, why did they agree to it in the first place?

  13. Michael, I am not sure that the disclosee has an “easy defence” following disclosure in these circumstances – they have breached their obligation not to disclose and so are liable. The fact that they have not also breached a destruction obligation, having used “best efforts” and destroyed almost all of the copies of the document, doesn’t change their liability unless the drafting is duff.

    I think destruction clauses are designed to be practical rather than to assign risk – it is far better to have the disclosee destroy the documents than receive compensation for a disclosure. I don’t imply that the obligations have to be easy to comply with – they may be a total pain – but they do need to reflect what will actually be done, as agreed by the parties. That is the problem with agreeing to make computer data “irretrievable” – you can’t unless you destroy the hardware afterwards, which is entirely disproportionate in almost every single case.

  14. D.C., I respectfully disagree — Fraud wouldn’t sound here since the disclosing party could NEVER show reasonable reliance on literal compliance with that clause. Claimed naivete of how computers work is no longer a valid excuse for anybody who has failed to protect their data. (Just try that one with Visa or MasterCard someday.) Besides, what’s the difference? If I’m suing for plain breach of contract (failure to fulfill the duty to destroy) aren’t I seeking the same damages as I might in a fraud case? I fail to see the need to raise fraud here.

    And, I still say that disclosers who feel better off for having described in excruciating detail all of the reasons that the receiving party is off the hook for having failed to destroy the data are in fact in much worse shape. Disclosers who allow receiving parties those excuses are probably also violating the disclosing party’s upward obligations to others who care about that same data (such as Visa or MasterCard), so again it makes no sense for the discloser to allow anything other than ‘destroy it all, period.’ If the receiver can’t do that, then the receiver holds the bag if it loses it, regardless of good intentions to try to actually destroy it.

    If I’m the discloser, I want something handy when the lawsuits start flying arising out of the receiving party’s undestroyed data that gives me an unequivocal right to assign the blame, the risks and the damages to the receiving party, no ifs ands or buts. If I have to go through a long analysis to see if receiving party’s duty wasn’t in fact breached because the stolen data was part of a backup tape that we all agreed might not be destroyed, I’ve potentially wiped out my ability to sue receiving party for the damages he caused.

    (In my mind, this is just as bad as accepting knowledge-clauses on IP warranties. I don’t care if you knew about it or not — What I care about is that I just got sued because of your bad stuff.)

    (And, of course, if I’m representing receiving parties, I’m just as motivated to cloud the duty to destroy as much as I possibly can, since that will give me an argument to make when disclosing party sues me someday. Nobody says that both sides in this adversarial relationship have the same motivations!)

  15. Michael Fleming writes: “Fraud wouldn’t sound here since the disclosing party could NEVER show reasonable reliance on literal compliance with that clause.”

    I guess we’ll have to agree to disagree on that. My computer expertise is limited, but so far as I know, it is indeed possible to destroy data. There’s software out there that purports to do just that, by repeatedly overwriting the storage location(s).

    In any case, I’d be extremely surprised if a receiving party could get summary judgment on that point — the disclosing party would almost surely be able to get to the jury, which means the receiving party would have to incur the expense and inconvenience of discovery, and would be rolling the dice on the outcome.

    ————–

    Michael writes: “Besides, what’s the difference? If I’m suing for plain breach of contract (failure to fulfill the duty to destroy) aren’t I seeking the same damages as I might in a fraud case? I fail to see the need to raise fraud here.”

    Several things:

    1. Fraud has such a nice ring to it; as a disclosing party’s trial counsel, I’m certainly going to try to plead it so I can throw the term around in front of the jury to try to prejudice the jurors against the receiving party. (How much I actually do use the term will depend on the circumstances, of course.)

    2. Fraud opens up the possibility of punitive damages, not just conventional contract damages.

    3. Fraud potentially expands the universe of discoverable evidence that the disclosing party’s counsel can demand to crawl through.

    ———————-

    Michael writes: “If I have to go through a long analysis to see if receiving party’s duty wasn’t in fact breached because the stolen data was part of a backup tape that we all agreed might not be destroyed, I’ve potentially wiped out my ability to sue receiving party for the damages he caused.”

    Now that is indeed a legitimate risk-allocation issue. It could be addressed by providing that, if a third party improperly gets ahold of the information from the receiving party, then the receiving party will indemnify the disclosing party against any resulting third-party claims.

  16. Recently came across these relevant clauses in the Confidentiality Agreement:

    1. The Recipient:
    1.1. shall be allowed to retain one copy of the Confidential Information to the extent required to comply with applicable law or regulation; and

    1.2. shall not be required to destroy copies of any computer records or files containing the Confidential Information which have been created pursuant to automatic archiving or back-up procedures on secured central storage servers and which cannot reasonably be deleted;

    2. In the event that any such Confidential Information is retained pursuant to Clauses 1.1 and 1.2, the terms and conditions of this Agreement shall remain in full force and effect with respect to such Confidential Information so retained for so long as such Confidential Information is retained.

  17. The HIPAA (Health Insurance Portability and Accountability Act) Security and Privacy regulations require that health plans have data destruction language in contracts. But they add language that might be helpful in this case:

    7.5 Disposition and/or Retention of Protected Information/Data upon Completion, Expiration, or Agreement Termination.
    Upon completion, expiration, or termination of this Agreement, CONTRACTOR will return or destroy all protected information received from STATE or created or received by CONTRACTOR for purposes associated with this Agreement. CONTRACTOR will retain no copies of such protected information, provided that if both parties agree that such return or destruction is not feasible, or if CONTRACTOR is required by the applicable regulation, rule or statutory retention schedule to retain beyond the life of this Agreement, CONTRACTOR will extend the protection of the Information Privacy and Security Clause of this Agreement to the protected information not returned or destroyed, and refrain from further use or disclosure of such information for as long as CONTRACTOR retains the protected information.

  18. Michael: By way of rounding out the discussion, I think I’m with Art on this one: The receiving party is under an obligation not to disclose, so an obligation to destroy confidential information would seem to be more a matter of reducing the likelihood of inadvertent disclosure rather than allocating risk. If that’s the case, it would make sense to have the obligation be one to use reasonable efforts. Ken
