Published: 11 Aug 2008
When it comes to record retention and deletion, IT pros are expected to figure it out on their own. Some sweeping legislation (Sarbanes-Oxley, for example) simply isn't helpful when it comes to providing rules for record keeping; for example, it requires you to set and follow a policy so you don't delete things willy-nilly after an ediscovery request, but it doesn't tell you how to set that policy. And SEC, IRS, FRCP, HIPAA, SAS 70 and OSHA regulations, as well as state legislation, can all impact the same data.
The confusion can sometimes lead to extreme measures, says Bob Barrett, CIO at Babcock Power Inc., a Worcester, MA-based utility company. "I had a CTO a few years back who had an interesting approach, but I'm not sure I have the guts to pull it off," says Barrett. "He had a filter that deleted every email he sent every two weeks." Of course, a company-wide policy on deletion is tough to enforce and something you have to get your in-house legal team to approve. Currently, Barrett is looking into EMC's Email-Xtender and IBM's CommonStore as possible options for archiving and searching emails.
"The whole thing is kind of fluky to say the least," says Barry Brunetto, VP of IS at Blount International Inc., an industrial and power equipment company in Portland, OR. "We have certain financial data that's required by IRS regulations," he says. "We have other data that's retained for so many years for the SEC. Now, we don't want a blanket retention policy on all that data because we don't want to store and manage all that. And with ediscovery laws and requests, we want to be specific. You don't want to give people stuff they didn't even ask for."
Brunetto's company does have a policy of deleting emails after two weeks. But that doesn't mean they're gone forever. "Email is backed up with tape and that tape lasts two weeks," says Brunetto. "But if you archive an email, don't delete it or send it to 10 people who don't delete it, it's going to exist in the system. We don't go and delete emails. We aren't destroying. We're saying our policy is that we aren't keeping the backup tapes for email forever." Barrett and Brunetto agree that the burden is on IT to seek out legal counsel and in-house auditors to help establish record-retention policies.
Brian Babineau, senior analyst at Enterprise Strategy Group, Milford, MA, says many firms are overwhelmed by varying retention requirements, and they should probably go shopping soon for archiving software. "If organizations are meeting record-retention requests by printing things out or using tape, then managing multiple retention policies is going to be a nightmare," he notes.
There's a family of firms that provide document policy compliance and classification capabilities--FileTek, MessageGate, NextPage and Orchestria, among them--that compete in the same sphere to meet the needs of companies with complex retention policies. An ediscovery request can spiral out of control if too much data has been stored, says Babineau. One large firm recently spent $12 million sorting through records--57% of them kept past their retention period--during a request, he says.
"There's no reason why people should keep everything, and no reason why they should keep it past the requirements," says Babineau.
Tory Skyers, principal at New Jersey-based consultancy Sashacompany, says he fields a lot of questions from IT shops at small- and medium-sized businesses that are struggling with retention policies. "People are confused as to which way they should go," says Skyers. "I feel like people are running very, very hard in both directions at the same time. They're deleting things right away they probably shouldn't or saving everything.
"Saving everything is the biggest pitfall," says Skyers. "It costs money and you have to manage it. And just because you have everything, doesn't mean you can find it."