In Depth

The Seven Deadly Sins of Records Retention

Records retention periods are increasingly governed by regulations. Here are worst (and best) practices for securing data and documents.

By Sarah D. Scalet

July 01, 2006CSO

Sure, you're thinking, records retention can be deadly. Deadly dull. "I don't want to own that," TriWest Healthcare CSO John Pontrelli said to himself when people came poking around about it—this after the U.S. Department of Defense, TriWest's only customer, announced it was going to audit the company's document retention practices.

"It's just one of those thankless kinds of jobs," Pontrelli continues, noting that he'd rather keep his security staff focused on its core business. "I can't become the retention police."

Records retention has always been about as sexy as Birkenstocks with socks. Even the nomenclature, retention, has an unsavory connotation, something better left to the clinically uptight. But recent legal actions have made document retention programs not just boring but risky. One wrong step can cost a company. Just ask the latest poster child, Morgan Stanley, which in May said it would pay a record $15 million to the Securities and Exchange Commission for failing to properly retain or produce e-mails related to several investigations. And the regulatory environment is unlikely to soften anytime soon, with Internet service providers now under particular scrutiny, as the government seeks access to customer information for child pornography cases.

To avoid having anyone hit a $15 million delete key, some companies have concluded that they should archive, forever, anything and everything—boring and unboring, sexy and unsexy, damning and defensible—just to err on the safe side. But that's not quite right either.

In records-retention land, there is no "safe side." Keeping too much information is a risk too. "If you retain [a record] for too long, it's very expensive, you expose yourself to litigation risks, and you might be violating privacy rights," says Edward R. McNicholas, a Washington, D.C.-based partner at the law firm Sidley Austin.

Sound like you're damned if you do, damned if you don't? We're here to help you avoid either extreme, by offering seven common mistakes—dare we call them deadly sins?—and strategies to avoid them.

1. Not keeping your records straight from your backup.

First, the basics. The first step to a good records management program is simply identifying what a record is. Sure, the e-mail servers and network drives get backed up at the end of the day or week. You need those backups to keep the business running. But a record, technically, is something that you need to keep around for a set period of time, either for regulatory, legal or business reasons. Records encompass both structured information, like financial transactions stored in the company's enterprise resource planning system, and unstructured information, like financial spreadsheets exchanged by e-mail that might eventually feed into the ERP system (or just sit on someone's desktop computer indefinitely). Records probably don't encompass e-mails exchanged by two accountants about whether to lunch on Thai food or Mexican.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Efficient - Flexible - Compliant

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Solving Online Credit Fraud Using Device Reputation

Understanding Data Location is Imperative for Data Loss Prevention

Secure your virtual and physical environments with the same software

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

Simplify your data center with Juniper Networks. View the webcast

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Get in Compliance With Government Data Regulations

Taking the Botnet Threat Seriously

Any company can promise identity protection. Only Debix can prove it

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage

5 Steps to Secure Outsourced Application Development