When a law requires data to be retained for X time, risk-averse companies interpret this as an instruction to immediately delete said data as soon as time X passes, and use automated tools to this end. Sadly, these tools tend to be ad-hoc software written and maintained by internal teams, and thus about as buggy as you'd expect.
I've worked in such places, and - in addition to all the other issues - the continuous collective loss of corporate knowledge makes life pretty miserable.
Additionally, it looks like they farmed out the project to a third party that was working with FINRA to ensure compliance; apparently that consulting agency failed at their task miserably.
Big companies like JPM just don’t have the secret networks of bad actors at an administrative level to carry out nefarious activities like this without someone blowing the whistle.
We're in the early days of building this over at phaselab.co. We've been taking more of a data privacy angle, but the product helps folks operationalize all of their data lifecycle / governance tasks. There are some existing players who work with email/comms, but for internal technical systems & user data most orgs are rolling their own deletion pipelines.