Tory Skyers’ post about dedupe and the law jogged my memory about recent conversations I’ve had with users about data compliance and archiving. It’s become a big topic for this industry, and as stewards of data, storage managers are part of the legal e-Discovery process.
But some storage managers are beginning to draw a line when it comes to the extent of their role in that process. A discussion about compliance only goes so far these days before frustration starts to show. Someone from a municipal government shop I met at Symantec Vision last week extolled the virtues of Symantec’s Enterprise Vault for data retention and said his organization has policies for dealing with litigation. But he was clear that his role in the process involves managing bits on disk, period. “I don’t delete anything without the department that owns it giving me explicit instructions,” he said. “It’s not up to me to decide to delete data–it’s up to me to keep the storage and backups running on whatever data departments want to keep.”
This week I spoke to a storage guy from a hospital about email management and archiving, and he told me his shop deletes all email after 60 days. “We wrote policies that say we don’t keep email very long because of the storage cost,” he said, and then added that he’d been told by some vendors pushing archiving that a short enough retention period could “make him look guilty.”
“I’m not guilty of anything,” retorted the user. “I’m an IT guy trying to keep email running.”
And he’s right. As long as a company’s retention policy is clearly defined and followed scrupulously, it can be just about any length of time.
As everybody and their uncle tries to get in on selling e-Discovery products and services, new players emerge and the competition gets fiercer. It sounds to me like this is leading some vendors to use scare tactics to push sales by exaggerating how much liability the storage people have when it comes to data compliance and retention. Analysts increasingly agree that organizations of sufficient size should dedicate a liaison between IT and corporate governance to oversee policy instead of tossing legal liability onto the shoulders of IT.
The problem is, IT people remain responsible for understanding and following policies. They also may be called upon to testify as to what those policies are. While I don’t think users should have to take on the legal burden alone, I hope they’re not being pushed too far in the opposite direction, so caught up in shrugging off false expectations that they aren’t mindful of the real ones.