In Depth

The Seven Deadly Sins of Records Retention

Records retention periods are increasingly governed by regulations. Here are worst (and best) practices for securing data and documents.

By Sarah D. Scalet

Page 2

"You have to boil it down to, what are your storage requirements versus your legal requirements to retain business documentation?" says John Petruzzi, director of enterprise security for Constellation Energy, a $17 billion company based in Baltimore. The two things can be very different. For instance, while backup media may be in a continual state of being written and overwritten, records that must legally be retained (more on that in a minute) often need to be stored on immutable, nonrewritable storage, and should be either very well-organized, very easily searched, or both.

2. Expecting the legal department to produce a rule of thumb for how long to store records.

About those legal requirements: If you're waiting for an easy answer, keep breathing.

Take Constellation, for instance. As an energy company with trading operations—and one that's currently in the midst of an acquisition by the rival FPL Group—Constellation has pretty extreme retention requirements. "You're under a microscope with everything that's said," says Petruzzi, who can talk only generically about records retention because of the merger.

As a publicly held company, for instance, Constellation has to answer to the SEC, which under various regulations, including the Sarbanes-Oxley Act, enforces retention periods of two, three, four or seven years, depending on the company and type of record. Then there's the Federal Energy Regulatory Commission, which has its own set of requirements, including one that changed in May, extending from three years to five years the time companies need to keep certain types of pricing information. The U.S. Department of Labor's Occupational Safety & Health Administration requires that some health-related records be kept for either 30 years or the duration of a person's employment plus 30 years. Employment law enforced by the U.S. Equal Employment Opportunity Commission stipulates that documents about job applicants and personnel records be kept from one to three years. For companies in the health-care industry, things get even trickier. Under the Health Insurance Portability and Accountability Act's Privacy Rule, for instance, the Department of Health and Human Services requires that certain records be held for six years.

You get the drift. And that's not addressing various state and local regulations.

"For a Fortune 50 company with 20 lines of business, you may have 50 or 60 different laws that apply to document retention," says the attorney McNicholas, who specializes in information law. He refused to even hazard a guess about how long most business records need to be kept on hand. "You have to start with an accurate survey of the information that's in the organization," McNicholas says—what he calls a data map.
