This article can also be found in the Premium Editorial Download "Storage magazine: Betting on an enterprise-level virtual tape library (VTL)."
Download it now to read this article plus other related content.
When it comes to record retention and deletion, IT pros are expected to figure it out on their own. Some sweeping legislation (Sarbanes-Oxley, for example) simply isn't helpful when it comes to providing rules for records keeping; for example, it requires you to set and follow a policy so you don't delete things willy-nilly after an ediscovery request, but it doesn't tell you how to set that policy. And SEC, IRS, FRCP, HIPAA, SAS 70 and OSHA regulations, as well as state legislation, can all impact the same data.
The confusion can sometimes lead to extreme measures, says Bob Barrett, CIO at Babcock Power Inc., a Worcester, MA-based utility company. "I had a CTO a few years back who had an interesting approach, but I'm not sure I have the guts to pull it off," says Barrett. "He had a filter that deleted every email he sent every two weeks." Of course, a company-wide policy on deletion is tough to enforce and something you have to get your in-house legal team to approve. Currently, Barrett is looking into EMC's Email-Xtender and IBM's CommonStore as possible options for archiving and searching emails.
"The whole thing is kind of fluky to say the least," says Barry Brunetto, VP of IS at Blount International Inc., an industrial and power equipment company in Portland, OR. "We have certain financial data that's required by IRS regulations," he says. "We have other data that's retained
| for so many years for the SEC. Now, we don't want a blanket retention policy on all that data because we don't want to store and manage all that. And with ediscovery laws and requests, we want to be specific. You don't want to give people stuff they didn't even ask for."
Brunetto's company does have a policy of deleting emails after two weeks. But that doesn't mean it's gone forever. "Email is backed up with tape and that tape lasts two weeks," says Brunetto. "But if you archive an email, don't delete it or send it to 10 people who don't delete it, it's going to exist in the system. We don't go and delete emails. We aren't destroying. We're saying our policy is that we aren't keeping the backup tapes for email forever." Barrett and Brunetto agree that the burden is on IT to seek out legal counsel and in-house auditors to help establish record-retention policies.
Brian Babineau, senior analyst at Enterprise Strategy Group, Milford, MA, says many firms are overwhelmed by varying retention requirements, and they should probably go shopping soon for archiving software. "If organizations are meeting record-retention requests by printing things out or using tape, then managing multiple retention policies is going to be a nightmare," he notes.
This was first published in August 2008