The Seven Deadly Sins of Records Retention
Records retention periods are increasingly governed by regulations. Here are worst (and best) practices for securing data and documents.
By Sarah D. Scalet
4. Not being able to respond quickly to a request.
One of the most potentially expensive parts of records retention is that stomach-punch moment of being served with a subpoena or notice of a regulatory audit. Having to sort individually through backup files can cost millions of dollars. Worse, not being able to access the right files can anger the judge. McNicholas, who worked for the Clinton administration, remembers this as one of the less salacious footnotes of the independent counsel's investigations into Whitewater and Monica Lewinsky.
"The Clinton White House spent more than $10 million to pull records off of backup tapes and look at them again in light of subpoenas," McNicholas says. Ultimately, the White House was investigated for failing to search certain e-mail systems and backup tapes during specific time frames, due to technical problems. (The independent counsel, Robert W. Ray, did not press charges because there was "no substantial evidence that electronic records had been intentionally withheld.")
At least during a legal discovery process, organizations have weeks, not hours, to present evidence. The SEC wants information much faster. That's why once a year, CISO Matthew Todd of Financial Engines takes part in a test of whether every single e-mail, instant message, customer record or data model that the company used to offer financial advice in the past seven years can be accessed at a moment's notice. The compliance group, pretending to be the SEC, asks Todd to pull a specific set of records about certain individuals during a set time frame.
It's a "fire drill," says Todd, who is also the VP of risk and technical operations for the $34 million company, which offers individuals advice about retirement planning, usually as part of an employee benefit program. "We have to be able to produce this stuff within 24 hours." Todd says that over time, not only have the drills helped the company be confident that it's complying with federal regulations but the process has also improved the speed and quality of information that customer service reps can access about an individual's interaction with the company. "There was never a time when the data wasn't available to us," he says, "but it used to be much more onerous to be able to interpret it quickly."
5. Having a policy you can't follow.
Whether your company decides to archive all e-mail and IM from the past five years automatically, or simply relies on users to save certain documents, another key to document retention is setting a policy that can reasonably be followed. Says McNicholas, the attorney: "A good policy does not need to retain all possible information and documents, but it has to be customized to the particular companies, to their culture and their organization and their regulatory environment."