IT and records managers should team up on data retention policies

"We need those e-mails for court by next week! How could we lose those backup tapes?"

"What do you mean the engineering workstation files were deleted when the employee left? Those were the only records of the project!"
"The auditors are coming on Monday. Why do we still not know which electronic records they want us to retain and provide?"


These kinds of anxiety-inducing statements are becoming common in corporate boardrooms across the nation. Unless someone plans ahead to prevent these credibility catastrophes, negative media attention and falling investor confidence will eventually become some CEO's nightmare.

All organizations today have dangerously growing volumes of desktop computer files, shared directories, application data and aging Web content that must be appropriately managed over time. A complex question for both IT staff and corporate records managers is, "How long do we retain business information, in what data format and within which electronic repositories?"

The IT staff is charged with planning and managing data systems and networks that support corporate applications. They must be able to assure digital information is available and protected from loss, compromise or corruption. Corporate records managers are responsible for assuring electronic business records are properly retained to be available for audits, litigation or compliance investigations, as well as meet any IRS, Sarbanes-Oxley or HIPPA records retention mandates. They must continually create new strategies to prevent electronic records management preservation calamities. It is becoming increasingly clear to both IT and records managers that sharing information systems planning and technology management strategies is required if their organizations are to survive.

Favorite target: E-mail
The realities of aggressive lawsuits, potential regulatory compliance failures and the loss of documented intellectual capital drive many corporate records managers when they try to chart a clear information retention strategy for corporate environments. In an increasingly paperless business world, it's become vital to properly protect and retain electronic information in digital format. For example, electronic mail has become a favorite target during the discovery phase of litigation, and it must be produced just like any other document in digital or paper format — if not, courts may levy million-dollar fines.
Records managers have traditionally worked with legal counsel to produce documents during litigation. However, when it comes to coordinating the production of electronic records such as e-mail, they also need to work in conjunction with IT, which is in charge of the backup tapes that may contain incriminating e-mails, as well as the servers on which many active e-mails reside.

In the recent case of Morgan Stanley, failure to address this problem resulted in a cumulative fine of $1.4 billion. IT staff is rarely skilled or knowledgeable about information retention requirements and the consequences of compliance failures. Records managers often have difficulty pinpointing the exact location of electronic records in technology applications. For this reason, IT and records managers must reach out to each other to discuss data retention issues in order to avert corporate information compliance disasters.

This is particularly true when SANs are used to migrate aging data to lower cost media or if e-mail archiving software is used to offload e-mail from servers for performance reasons. It's also true when content management software provides a long-term electronic document repository operating without formally developed retention policy and procedures.

In each of these cases, the legally researched records compliance directives manifested in the organization's records retention schedule may be violated by ongoing record-keeping practices initiated by IT or by users. It is very common for IT to archive growing volumes of data without significant classification or assignment of metadata that would otherwise enhance information retrieval. They also may not build in the functional ability to query systems and produce specific records mandated for retention.

10-17-05_diagram1.gif



It is also common for PC users to attempt to evade e-mail policy guidelines by saving vast quantities of messages in Outlook.pst files or in personally created Microsoft Exchange directories.

Which data, which media?
Records managers today must continually appraise enterprisewide record-keeping policies and procedure that influence technology-based systems. Although inactive data can technically be moved from PCs, applications, databases, e-mail servers and Web sites to more efficient storage repositories, there is an increasing internal competition for IT funds and resources to implement data backup solutions, SANs, e-mail archiving systems and electronic content management repositories.

As an example, when a corporate information retention policy directs that "correspondence" be retained for three years, it raises the question of whether this includes e-mail, instant messages, word processing documents or even database-generated forms. In fact, all these formats may be considered correspondence based on legal, auditing or regulatory interpretation.

Thus, it becomes critical for IT and records managers to collaborate on creating storage solutions that resolve the dilemma of identifying data required for retention. In more traditional content management repositories, such as those offered by EMC/Documentum, IBM, Hummingbird, Open Text, FileNet, Stellant and others, electronic documents have typically been "indexed" with metadata, and formal retention rules have been applied. Software may conform to electronic record-keeping standards such as those offered by the U.S. Department of Defense's 5015.2 STD.

In these environments, it's very feasible to create an electronic document retrieval system based on a formal retention policy. With e-mail archiving software such as KVS, Legato or Zantaz, a basic set of business rules can implement rudimentary records retention policy for a limited scope of e-mail data types.

The special case of SANs
Centrally coordinating data retention according to well-designed policies offers much hope in those environments. However, it is far more challenging to identify data required for retention in database-driven applications, which is the usual province of SAN systems planning. Data identification, classification and the linking of content to corporate retention policy is critical to information lifecycle management. The records management records retention policy and ILM retention policy must be synchronized with respect to retention time frames and records identification. Teams of coordinated records management and IT systems personnel should decide on retention durations, systems locations and which media to use for information preservation.

As aging data in relational databases, undifferentiated file shares and compiled data warehouses is moved to increasingly less available SAN media, it's possible for information to be erased in advance of required retention timeframes, simply due to the inactivity of the data. This potential violation of corporate records retention policy may result in regulatory non-compliance or even spoliation of evidence. As with the case of Arthur Andersen, even the appearance of improper destruction of records can create a total loss of public and customer confidence in the management of an organization.

Thinking long term
No organization wants to make an IT data capacity strategy decision that saves a few hundred thousand dollars, only to be accused later of data destruction and fined $10 million. This can be avoided if IT and records managers work together to develop system backup policies, data life-cycle management procedures and media selection decisions that will assure long term electronic records preservation.

Engineering drawings, word processing documents, Web pages, electronic mail and data in databases are often backed up to off-line tapes, migrated across SANs or otherwise left in digital format with no paper counterpart created or stored. The goal of corporate records managers today is to assure data is retained according to prescribed policy and preserved on readily accessible media and technology platforms.

Most importantly, records managers want to be able to assist their organizations' legal counsel and IT personnel in responding quickly, efficiently and effectively to requests such as, "We would like to review all the information, data and business records related to the individual named in the legal proceedings by Monday morning!"

John Phillips is an independent electronic records management consultant at Information Technology Decisions and a member of the board of ARMA International.

Related:

Copyright © 2005 IDG Communications, Inc.

  
Shop Tech Products at Amazon