In Depth

The Seven Deadly Sins of Records Retention

Records retention periods are increasingly governed by regulations. Here are worst (and best) practices for securing data and documents.

By Sarah D. Scalet


Gladura, echoing that statement, posits that a company could dictate that every e-mail be deleted after seven days. "But if you do that, you'll be deleting information that people may need, and they'll find workarounds," he says. "They'll drag it onto their hard drive or a thumb drive, and then you really won't be able to control what happens to it. It's better to have a loose policy that you can follow than a strict one you couldn't." For instance, it would be better to have a three- to six-month retention policy with an automatic clean-up function for e-mails not subject to retention requirements.

6. Failing to offer guidance on how to destroy old records.

Once the retention period ends, the CSO's real work begins. Business units will need guidance on how to get rid of information. This is where classification schemes are useful. At energy giant Chevron, for instance, Global Information Protection Architect Jay White is establishing an information classification system and setting up destruction standards based on information type.

When what's considered "public information" outlives its usefulness, users or administrators can just delete it, White says. For business information, users or system administrators can again hit the delete key, but when the drive is retired, it needs to be degaussed—a process of demagnetizing so that information is destroyed. If the information is deemed classified or confidential, it must immediately be shredded, burned, degaussed or overwritten to a Department of Defense-level standard.

These standards, though, are more about protecting the information, period, than destroying the record. Experts we spoke with did not know of any instances where prosecutors used forensics tools to try to recover records that were deleted as a normal course of business. Of course, a judge who is frustrated with your company's inability to produce records could issue a subpoena for them.

Carco's Gladura likens the situation to the paper world and says it would depend on how a subpoena was written, and also whether a company was compliant with its own policies. "You don't have to get out the shredder bag and piece things together in a normal situation," he says, "but you may have to if you're under investigation. For a document retention policy, it's typically enough just to delete. It's not reasonable for me to go back and recover things that were deleted as part of a retention policy."

7. Telling people to delete information at the wrong time.

Finally, it's not enough to do all this if you tell people to delete things out of turn. Just ask anyone who used to work for Arthur Andersen. Or ask Frank Quattrone, the former Credit Suisse First Boston banker who spent three years fighting obstruction-of-justice charges after he forwarded the document retention policy to other employees and instructed them to "catch up on file cleaning," just as the company was about to come under investigation. (Charges were dropped last month.)
