What you will learn from this tip: Information security expert Kevin Beaver outlines 13 retention mistakes storage...
administrators frequently make, and what you can do to avoid them.
There are endless regulatory requirements for information retention, and it seems like there are more unknowns in this aspect of storage than there are in the entire field of medicine. Based on what I'm hearing, this has confused, frustrated or otherwise caught many storage administrators off guard. There is so much ambiguity, people don't know where to start, what technologies to implement and whether they're even in compliance.
If you've fallen into this legal black hole, you're not alone. Even the lawyers and regulators who have written these "rules" acknowledge confusion associated with what electronic information to keep and what to destroy. There are so many variables involved and the rules are often open to interpretation. One thing is for sure though -- if you're creating or trying to manage an information retention strategy, there are some definite "gotchas" that you need to be aware of to keep yourself out of the boardroom hot seat and your managers out of the regulators' crosshairs. Keeping in mind that this isn't legal advice -- rather, real-world observations and experiences -- here are my unlucky 13:
- Don't forget that e-mail and instant messaging are business records -- a common oversight, especially in smaller organizations that still have to comply with the same regulations as the big dogs.
- Don't overlook other information that may be considered business records as well such as policies, procedures and audit reports.
- Don't believe the myth that you if you just destroy everything after it's no longer needed, you'll be fine. The organization may very well need it in order to defend itself in future audits and litigation.
- Don't assume that the retention requirement for all business-related information is the commonly-quoted "7 years." There are a lot of variables depending on the industry, type of organization and type of information. Based on my informal research, most lawyers that understand information retention agree that business records need to be kept indefinitely.
- Don't ever assume that you or the IT department has the capacity (manpower, knowledge, budget, etc.) to solely manage such a critical function. Information retention is a business issue and needs to be treated as such. That's why getting legal -- and ideally an overall IT governance committee -- involved is a must.
- Don't assume that limiting share space, size of user mailboxes, etc. will enforce retention or avoid any problems that may crop up related to it. Users will almost always adapt and find ways around your controls.
- Don't ever assume or expect that users can be trusted to do the right thing -- especially when it comes to complying with and helping enforce your organization's information retention policy.
- Don't make the mistake of leaving current retention procedures in place (such as suspending tape or disk backup rotations) in the event of a pending investigation, audit or other litigation. This can lead to unwanted charges of destruction of evidence.
- Don't assume that just because your retention policy says that everything is destroyed after a certain period of time that it actually is. Employees, auditors and others may have their own archives that can come back to help or haunt you in the future.
- Don't assume that just because you have access to archived information that'll you're going to be able to restore it within a reasonable amount of time. You need a solid set of procedures, so that you can meet legal demands as quickly and efficiently as possible while juggling all your other storage administration duties.
- Don't take a "delete everything" stance -- it's too risky and it's hard to prove you're not trying to cover something up. On the other hand, don't necessarily take a "save everything" stance. Not all information is equal. Saving everything can certainly help ensure that you've covered all your bases, but it can open up your organization to discovery risks, and perhaps worst of all, massive expenditures storing and administering everything long term. Find a middle ground when possible.
- Don't go to your lawyer, ask for a retention policy and accept that he or she will know what to draw up for you. I've seen way too many cases in which lawyers who are not IT and compliance-savvy use a generic template that has absolutely no bearing on what the organization actually needs. This stresses the need to find legal counsel who knows this part of the law for your specific industry and business type.
- And finally,
- Don't overlook the five tenets of information retention:
- It's not just laws and regulations you've got to worry about -- it's also dealing with lawsuits and discovery requests
- You really do need an information retention policy
- You need to create and be able to demonstrate that you've got secure storage environment for your electronic business assets
- Information needs to be searchable and retrievable in a timely manner
- Time equals money: discovery costs (especially those related to e-mail or other business assets archived on backup tapes) can be huge and information often takes a long time to retrieve and sort through. This is especially true if you don't have the proper retention and archiving tools in place.
The lawmakers may have had good intentions when developing information retention requirements, but I'm convinced they didn't think about the long-term complexities involved and costs associated with what it really takes to do this. The reality is that the laws and regulations are here and we've got to learn to manage them. If you keep in mind what I've outlined above, survey your organization's legal landscape to determine what's really required and team up with the right people to manage information retention, you can sleep at night knowing that you're at least going to save some skin off your back.
Do you know...
About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.