A variety of industry research analysts have indicated that 3 of the top 10 priorities for IT in 2013 will be initiatives focusing on BYOD, cloud computing and business analytics obtained via social media. While these initiatives provide clear business benefits, they will challenge data retention and records management policies for most organizations.
BYOD, cloud computing and social media have a common thread – they all create data repositories that have been geared towards the non-IT consumer, where governance, management and retention have taken a backseat to ease of use. With the introduction of these technologies into the enterprise, companies are obligated to develop backup, archiving, and classification strategies to ensure that relevant data is available in the event of litigation and a discovery request.
The Federal Rules of Civil Procedure state that the moment a company receives a legal hold request, they must not dispose of data without having a clearly defined and demonstrable retention and disposal policy. These policies cannot be developed and implemented in the midst of litigation, as an opposing litigant could claim that destruction of data was intentional, resulting in damages and penalties awarded to the opposition.
In the article "eDiscovery Rules Applied to Social Media: What This Means in Practical Terms for Businesses", statistics show that the FRCP rules are being enforced: sanctions were ordered in 50% of the cases where sanctions were sought, with a few resulting in large monetary penalties. Needless to say, companies are compelled to comply.
While many companies have chosen the pack-rat approach – save and archive all of the data they manage, including customer data, personal data, etc. – this approach is not practical due to ever-increasing volumes of data, especially when considering the information generated by mobile devices and social media.
In the event that a company does need to develop a defined retention policy that takes these initiatives into account, their requirements should be part of a larger blueprint for securing their data, linking their retention strategies with governance and accessibility. These 6 steps provide some basic guidelines:
- Determine the age at which each type of data that has not been accessed would be considered stale – 1 year? 2 years? 5 years?
- Implement a solution that can identify where stale data is located based on actual usage (not just file timestamps)
- Automate the classification of data based on content, activity, accessibility, data sensitivity and data owner involvement
- Automatically archive or delete data that meets your retention guidelines
- Automatically migrate data that is stale but contains sensitive information to a secure folder or archive with access limited to only those people who need to have access (e.g. the General Counsel)
- Make sure your solution can provide evidence (e.g. reports) of your defensible data retention and disposal policy