Many storage managers see data retention as a "big company" problem, something that goes hand-in-hand with e-discovery and data compliance. The reality is that SMBs are affected and governed by data retention laws and regulations as much as larger enterprises. But the execution of data retention is often lacking in SMBs. Based on what I see in my work and what I hear storage managers saying, SMBs have about as much control over data retention as they do security and privacy compliance. Because of budget constraints or management oversight, data retention is the ideal situation that many organizations aspire to have in place, but often lack.
Part of the problem is that there's so much ambiguity in regards to data retention. It's one thing for large enterprises to have in-house legal counsel and dedicated compliance managers. However, most people don't have that luxury in the SMB environment. Storage managers don't know where to start, and their lawyers are often not very helpful because they're not aware of the latest data retention requirements. If you've fallen into this legal and regulatory black hole, you're not alone. To keep your business out of potential hot water and stay on the good side of your regulators and auditors, here are some key data retention principles you do not want to overlook:
- Know what data you have and where it's located on your network, standalone systems and storage devices. This is where most organizations fall short. Business managers and even storage administrators often have no clue to how much intellectual property and sensitive customer information they have stored in every nook and cranny of their networks. There are tools that can help with this from vendors such as Kazeon Systems Inc. and StoredIQ. However, if you don't need the all-out e-discovery benefits of those tools you can use data search tools. For finding personal data, use Identity Finder, and for finding intellectual property, use FileLocator Remote.
- Work with your lawyer to determine what's required for your type of business and for the type of data you store. It may be safe to assume that anything electronic, such as emails, instant messages, documents, spreadsheets, etc. is a business record. However, the variables depend on the industry, type of organization, type of data and any applicable regulations you're up against.
- Document your data retention policy and make sure everyone, from managers to janitors, knows about it. A good policy will outline exactly what's done and what's expected. Here's a proven security policy template you can use to get rolling.
- Be careful of what you delete and when you delete it. Also, be careful of what you save and how long you save it. Taking a "delete everything" stance can be risky and may make it difficult to prove you're not trying to cover something up if you get an electronic discovery request. On the other hand, a "save everything" stance may not be healthy either. Not all data is equal. Saving everything can certainly help ensure that you've covered all your bases, but it can open up your organization to discovery risks, and perhaps worst of all, massive expenditures storing and administering everything long term.
- Ensure that the business is not simply relying on its employees to enforce your data retention policy. Employees and network users are not reliable for ensuring that policies are enforced. Put the right processes and technical controls in place with your backup systems and storage management applications to make this as transparent as possible. This will vary based on your environment, but this is where you put your data retention policy into action. For example, you could set retention schedules for your tapes within your backup software, or even create a file purging script to dump emails, files, etc. after a certain time period. Even with the right awareness, processes and controls in place, certain data will get deleted prematurely or hang around too long. This is part of the retention nightmare for SMBs, and something that can be molded and fine-tuned over time. After six months or so, perform an audit to see how things are working, what's being overlooked, what's being left out, and continually revisit this on an annual basis.
Keep in mind, just because you retain business data doesn't mean it's going to be easily accessible or even accessible at all. You might have to meet the demands of a discovery request or a business partner's auditor pretty quickly. A solid set of procedures and technical controls, including testing the integrity of your backups, can help with those demands. Furthermore, if your live or retained data is encrypted, you will need to access to the passphrases and/or encryption keys so they can be considered as well. You could easily find yourself in a data breach situation that state laws cover. If you can't access the encrypted data or otherwise prove it was encrypted, your business could be in a world of hurt. When it comes to data retention, it's not just compliance that matters. Data retention also deals with other issues related to HR, business partners, lawsuits and so forth. This is a highly complex area -- even for SMBs. If there's ever been a situation where SMBs need to operate like large enterprises, it's with data retention. It will behoove you and your business to learn more about this subject and what is required of you. If your attorney doesn't know the ins and outs of data retention, find another one who does.
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.