The Seven Deadly Sins of Records Retention
Records retention periods are increasingly governed by regulations. Here are worst (and best) practices for securing data and documents.
By Sarah D. Scalet
At TriWest, Pontrelli ended up with a 243-line spreadsheet put together by the team in charge of TriWest's contract with the Defense Department. It held retention requirements for everything from accident reports to years of service, with time periods ranging from one year to indefinitely. The spreadsheet laid out where the information was stored, on what medium and, much to his relief, the department responsible for keeping it and eventually destroying it.
3. Assuming that document retention is someone else's job.
The former CSO of the SEC can't help but think of records retention as a hot-potato issue. "Everyone gets thrown the hot potato, and everyone wants to throw it back because they don't understand it," says Chrisan Herrod, now a consultant with Scalable Software, which sells regulatory compliance and asset management products. "It's a really difficult information management problem that is not clearly owned by anyone in an organization."
Hammering out the specifics of retention requirements may be a job for the attorneys, and implementing those policies may best be left to individual business units. But it's in the CSO's best interest to be involved with the whole process for two reasons.
One is that the CSO is the organization's information protector. The regulatory environment for document retention is prompting more IT departments to move to integrated content management solutions—the (still mostly fictional) end game being one where e-mails, instant messages, spreadsheets, word-processing documents and anything else that contains certain keywords or meets certain criteria is stored in one repository, with underlying software that applies retention policies. (See "Achieving Automated Records Management.") Sound scary? A bit.
While that repository may contain a treasure chest of information assets, the fact that it exists in one place makes it a security concern, says Brian Babineau, an analyst at Enterprise Strategy Group. "I may have to access this to provide information to attorneys, but I also need to make sure that access is denied to any unauthorized user." This is either a problem or an opportunity, depending on how you look at it.
"Can you manage one big target better than you can manage several small ones?" Babineau asks. "It might be easier to manage them together." That way, you'd have a good idea of where to encrypt data at rest.
The second reason that CSOs should care is that when a company gets served with a subpoena or notified of an inquiry by regulators, it's the CSO's door that'll be knocked on. "You can tell [the chief legal officer], 'It's not my game; I don't play in this area,'" says Timothy Gladura, former CSO of Cardinal Health, the drug and medical supply company. But if you want to extend your influence, you're better off being able to help with the investigation. Warns Gladura, who's now a divisional president at the Carco Group, which does investigative and security consulting: "If you say you're going to play, when the call comes in you'd better be able to deliver."