Column summary: This month's column by consultant Randy Kahn focuses on data management guidelines and records retention policies. While data retention is necessary for e-discovery and litigation purposes, it's important not to keep all data on file forever. Read about the four issues that pop up if you retain too much unnecessary data, and how to determine what data you should keep.
In my first column on implementing information governance in your data storage shop, I stated a truism you've likely heard before: "You can't keep everything forever." Allow me to clarify. You can . . . but you shouldn't. Even if that strategy didn't create a lot of data storage management trouble, it still wouldn't be a wise decision from a legal standpoint. Why is this so hard for data storage managers to comprehend?
Just about every large company has shared drives packed full of information, much of which hasn't been accessed since it was created. And this stockpile of documents, digital data and junk is sitting in sanctioned and unsanctioned spots.
The core belief driving responsible information management is that information will be properly managed, secured, classified and stored to augment retrieval when needed for business or legal purposes. At the heart of any records management program or policy we develop for our clients is a records retention schedule. This documents the legal requirements, legal considerations and business needs of various classes of information so it's kept the requisite period of time, after which it will go away in the "ordinary course of business" (that's a lawyer's term for getting rid of the stuff according to policy). By following the approved data management guidelines, an IT executive or data storage manager can "clean house" and not worry about being hauled off to jail for destroying evidence.
Disaster recovery (DR) backup is an essential, albeit very different, activity. First, it's called "backup," so it's presumed that another copy of the record exists in another location in the enterprise for record-keeping purposes. Second, there's generally no legal requirement to "retain" backup (unless you're part of certain regulated worlds like the brokerage community) for a specified period of time. However if you're using backup media for records retention purposes or have to do discovery for a lawsuit on backup media that still exists, that changes the analysis.
Four records retention issues to address
When tackling data retention, you need to address four related records retention issues: access, cost, risks and productivity. If you take a methodical look at each of these issues, you'll soon realize why keeping everything forever isn't a smart business decision.
Access. According to IDC, we will create 1,800 new exabytes of data this year. (Note: One exabyte is roughly the data equivalent of 50,000 years of continuous movies.) Last year, users created approximately 50% of that amount of new data. But having readily available access to old information is already a challenge, even with today's more robust search tools. Rapidly growing volumes of data will make finding an essential business record an even harder task. If business success in an information economy is based on information access, your old school thinking is hamstringing your organization. Fight the urge and be proactive.
Cost. Data storage costs may be going down, but that's only one of the factors in an overall cost analysis. If the average worker spends nearly a month every year looking for needed business records, that's one-twelfth of all salaries wasted on data searches. From new boxes to data migration, hiring technical experts, and paying for software licenses and electricity, the hard and soft costs of keeping all your data needs to be calculated. So just because the unit cost of storage is getting cheaper, doesn't mean your organization is spending less and keeping more.
Risks. Keeping everything forever means that when you need to find certain business information to satisfy a customer inquiry or a regulator's request, there's a greater likelihood you won't be able to find it in a timely fashion or get your hands on all the associated material. In a litigation context, keeping everything means e-discovery will be more expensive and riskier. For example, say there's an on-going product liability lawsuit in which a draft document from years earlier is the key evidence in the case. If the records retention policy was done right and followed, the draft document would be long gone. Now the old pre-empted document that a drafter has testified was not their final thinking on the topic is playing center stage in a drama that need not exist.
There are lawyers that will advise you to keep all data for a lawsuit. But unless a court or regulator mandates such action, keeping everything until the end of a lawsuit puts the organization in a situation that risks it being forever pre-empted from cleaning house. For example, a few years ago there was a company that was punished for destruction of evidence from such a situation. In lawsuit A the firm decided to freeze the recycling of outdated backup tapes. Then lawsuit B was filed before lawsuit A was over. Instead of looking to see if any information preserved for lawsuit A was relevant to lawsuit B, the company disposed of the information. Because they didn't look to see if anything was relevant, the court held them responsible for destruction of evidence. Once you start the "preserve everything" mode, it's hard to unwind.
Productivity. Wasted time babysitting old unnecessary data, whether by an IT professional or any employee, takes time away from core business activities. Making your business as efficient and streamlined as possible means you have the information you need and get rid of the rest.
But making no decision about what information needs to exist and for how long can translate into major costs and risks you may not think about, which certainly won't be in the best interests of your organization.
I heard from some of you regarding my last column. Thanks for that. If you have comments or questions, please don't hesitate to email me at firstname.lastname@example.org.
About this author: Randy Kahn is the founder of Kahn Consulting Inc., and author of the Information Nation blog. He's the leader of a team of information management, regulatory compliance and technology professionals who serve as consultants and advisors to major institutions around the world. He speaks several times a year to corporate and government institutions about legal, compliance and policy issues regarding information technology. Randy Kahn can be reached at email@example.com.
This was first published in March 2011