While everyone has heard of the Sarbanes-Oxley Act (SOX), and most people have heard of the Health Insurance Portability and Accountability Act (HIPAA), there are many other laws and regulations governing retention of electronic records that are less familiar, including the Gramm-Leach-Bliley Act and Security and Exchange Commission (SEC) Rule 17a-4.
Not all of these rules apply to all enterprises, nor to everyone within an enterprise, but they all have one thing in common: Not having the required documents when the lawyers or regulators come calling can be an expensive, embarrassing nightmare.
Don't assume backups can do the job
Traditionally, companies have relied on backups for record retention. But backups are for recovery from a crash or accidental deletion, not for records management. Sometimes your regular backups will be adequate for the additional job, but in a lot of cases they aren't.
Trying to recover certain records for legal or compliance purposes from conventional backups can be anything from time consuming to a nightmare. This is especially true if only a few records are needed out of thousands or tens of thousands already backed up. Emails are the classic example. The entire backup may have to be examined to produce relatively few documents. Since several years worth of records often have to be combed, this is a major task. According to the Securities Industry Association (SIA), one large broker estimated the cost of going through three years of email backups to produce specific messages for the SEC to be between $250,000 and $350,000.
Don't try to do it yourself
Deciding which records to keep is not an IT function. It's a legal, compliance and accounting function. That means that all the appropriate groups need to be involved in deciding which material to preserve and how to preserve it.
Ideally, top management should set up a committee representing all the involved departments to work out a corporate records retention policy. IT needs to be represented, but it probably shouldn't take the lead in formulating the policy.
Whether you have a formal committee or not, the first step is to get an inventory of which regulations apply to which departments in your company. From that domain, experts (lawyers, accountants, etc.) can develop lists of what kinds of records, such as emails, instant messages, etc., need to be preserved and for how long.
Keep in mind that from a legal standpoint, retaining too much, too long is almost as bad as not keeping enough. Your policy should specify appropriate "sunset" times for electronic records and the procedure for destroying them.
The policy should also consider critical issues, such as how quickly copies of the records will be produced and the resources required to implement the policy.
Consider how you'll get it back
When records are needed because of a legal or compliance issue, they are often needed quickly. The company may be under subpoena to produce them within a specified time, and legal and other departments will need time to review them.
You need a process that can recover the records cost effectively within the policy's time frame. This may involve additional software or even an entire parallel archiving system, depending on the volume and needs.
Pay close attention to email
From an IT standpoint, email is one of the thorniest problems in records retention. Laws, like SOX, require that specific kinds of emails from corporate officers and certain other employees be retained.
Email and instant messages are a problem because of the combination of volume and the inflexibility of backups. A number of companies, such as Sherpa Software (www.sherpasoftware.com) and Open Text (www.opentext.com), offer document management software that handles email.
Do you know…
About the author: Rick Cook has been writing about mass storage since the days when the term meant an 80 K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years, he has been a freelance writer specializing in storage and other computer issues.