Data Retention Is A Policy Challenge

Establishing a policy on how long data must be retained seems easy enough. It isn't. For starters, not all data is the same.

Trouble Ticket

At Issue: It's time for the company to set a new policy on data retention.

Action Plan: Normally, our manager would want to write it. But this time, it's better to let the lawyers take charge.

I got lunch in the company cafeteria last week, and we may end up saving over $40,000 a month as a result.

That's because I bumped into our head legal counsel while waiting in line. "When," I asked, "are we going to drop the requirement to retain all data?"

For several years, we have been forbidden to overwrite any data related to e-mail, home directories, financial systems and several other document repositories and systems. This ban arose from a stock-options grant investigation, now long concluded. Being barred from overwriting backup tapes comes at a cost; we're spending about $40,000 a month just for new tapes. More costs arise because we are prohibited from overwriting the hard drives of departed employees. At least that cost was alleviated recently with a new initiative to capture images of those hard drives before reassigning them to other employees.

Couldn't we relax the retention policy and get back to a normal state of affairs? I asked him. Yes, we could, he said, but not until we create a comprehensive data-retention policy. You could help, he said.

Data retention policies are fairly straightforward documents that establish how long information must be kept on hand, unaltered. Sounds simple, right? The problem is that different types of data must be retained for different lengths of time. Most data-retention policies open with a policy statement, followed by a retention schedule that lists every possible type of information that the company could have in its stores and the required retention period. There are also special instructions for archiving and for the ultimate destruction of the data, once the time limit has been exceeded. The policy is also likely to include procedures for retaining information when litigation is under way.

This week, I went to a meeting called by the head attorney. He started off by explaining that he had hired external legal counsel to help define the new policy. At first I felt somewhat offended, since I had expected to be responsible for developing the policy. By the end of the meeting, though, I felt more than happy to simply assist while leaving all the heavy lifting to the third party.

Data Everywhere

You see, a comprehensive data-retention schedule requires a considerable amount of data-gathering. For example, we need to know the general nature of all data held in servers, in storage, on backup tapes and on individual PCs. That includes both active data -- e-mail, chat logs, Unix system logs, and firewall and VPN logs, for example -- and inactive data such as documentation related to sales, service, legal and finance.

Another complication arises from being a global organization. That means taking Europe's stringent privacy laws into consideration. And, of course, other legal and regulatory requirements, business needs or personal considerations come into play. For example, current Securities and Exchange Commission regulations require certain financial documents to be retained for seven years. Sarbanes-Oxley mandates that certain access logs be retained for one year. Other regulations extend to e-mail messages containing price negotiations. And users might have their own ideas about how long to hold on to e-mail and other data. But we also need the policy to keep employees from deleting data that they think would hurt the company if discovered.

All in all, this will be a complex effort. Just identifying the various data custodians will be a challenge, especially since our recent layoffs have left many data repositories without owners. While I look forward to the day when we can stop wasting all that money on backup tapes, I'm glad that this is one policy that isn't primarily my responsibility.This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Join In

To join in the discussions about security, go to


Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon