Data Retention Gets a Second Look

How much data is too much? New e-discovery rules burden IT with searching archived information.

Trouble Ticket

  • Issue: New e-discovery rules have implications for data retention.
  • Action plan: Consider doing a lot less, or come up with a plan for searching through it all.

I was called to our general counsels office to discuss electronic-discovery laws that went into effect last year. I was glad, since addressing this topic is long overdue for us.

Top executives often come to recognize important issues in ways that are less than ideal. In this case, our attorney had attended a dinner conference sponsored by a vendor that suggested to its guests that its product was the answer to their e-discovery worries. The attorney described it as an elegant dinner you would expect fine wine, but he apparently had drunk the Kool-Aid.

We are not required by any current industry certification, attestation or regulation to retain data, other than our financials, which is a Sarbanes-Oxley Act and IRS requirement. But we nonetheless retain a lot of data, and e-discovery regulations are a good reason to re-evaluate our retention policies.

Im not a lawyer, but heres what I understand about the e-discovery amendment to the Federal Rules of Civil Procedure. Say, for example, that an employee accuses a supervisor of harassment. The human resources and legal departments could then anticipate that there might be some sort of legal action. Under the new rules, the IT department would have to begin collecting all digital communications that the parties involved had sent or received. We would take similar action if the company was subpoenaed and ordered to collect relevant communications.

There are many more instances that could trigger the e-discovery provisions, but the key thing is that retention is not required before some triggering event occurs. But if you have retained data, that is also subject to e-discovery.

So, if we didnt have a retention policy, we wouldnt have any archived data to search and provide to the authorities. We wouldnt have to expend resources to search through archived data. And were talking about a lot of resources, both in time and money, with the money going to pay for a product like the one our general counsel had heard about at the dinner. Thats why we need to decide whether to adjust our data retention policy.

Retention Issues

As I said, we retain a lot without being required to do so. And our company is hardly unique. We back up certain data repositories source code, design documents, service manuals and device configurations to handle various disaster recovery and business continuity issues.

Of course, we also provide our employees with e-mail and a home directory: a dedicated drive share on a Windows file server for storing business- related data. Those 8,000 home directories and email accounts get backed up every night. But while e-mail is stored on a server, mail relays also contain information related to the receipt of e-mail. We use IP telephony, and voice-mail messages are stored as .wav files on a server, but they can also be sent to an employees e-mail.

Any or all of that data could become subject to e-discovery. And we need to fully understand where all of our discoverable digital data resides so that we could act accordingly if and when we were presented with an e-discovery request. Searching through it all would be a great burden on IT. Within the coming weeks, I will be talking with our IT, HR and legal departments. We will discuss how much data we will retain. If we decide to continue retaining data in volume, we will need to draw up a plan for sifting through it when the need arises.

Of course, we could solve a lot of problems by turning back the technological clock. The courts distinguish between information on paper and digital records. For paper information, its simple: Point the lawyers to the file cabinets and tell them to have a good time.

This weeks journal is written by a real security manager, Mathias Thurman, whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@ yahoo.com.

Join In

To join the discussions about security, go to computerworld.com/blogs/security.

Related:

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon