The Seven Deadly Sins of Records Retention

Records retention periods are increasingly governed by regulations. Here are worst (and best) practices for securing data and documents.

Sure, you're thinking, records retention can be deadly. Deadly dull. "I don't want to own that," TriWest Healthcare CSO John Pontrelli said to himself when people came poking around about it—this after the U.S. Department of Defense, TriWest's only customer, announced it was going to audit the company's document retention practices.

"It's just one of those thankless kinds of jobs," Pontrelli continues, noting that he'd rather keep his security staff focused on its core business. "I can't become the retention police."

Records retention has always been about as sexy as Birkenstocks with socks. Even the nomenclature, retention, has an unsavory connotation, something better left to the clinically uptight. But recent legal actions have made document retention programs not just boring but risky. One wrong step can cost a company. Just ask the latest poster child, Morgan Stanley, which in May said it would pay a record $15 million to the Securities and Exchange Commission for failing to properly retain or produce e-mails related to several investigations. And the regulatory environment is unlikely to soften anytime soon, with Internet service providers now under particular scrutiny, as the government seeks access to customer information for child pornography cases.

To avoid having anyone hit a $15 million delete key, some companies have concluded that they should archive, forever, anything and everything—boring and unboring, sexy and unsexy, damning and defensible—just to err on the safe side. But that's not quite right either.

In records-retention land, there is no "safe side." Keeping too much information is a risk too. "If you retain [a record] for too long, it's very expensive, you expose yourself to litigation risks, and you might be violating privacy rights," says Edward R. McNicholas, a Washington, D.C.-based partner at the law firm Sidley Austin.

Sound like you're damned if you do, damned if you don't? We're here to help you avoid either extreme, by offering seven common mistakes—dare we call them deadly sins?—and strategies to avoid them.

1. Not keeping your records straight from your backup.

First, the basics. The first step to a good records management program is simply identifying what a record is. Sure, the e-mail servers and network drives get backed up at the end of the day or week. You need those backups to keep the business running. But a record, technically, is something that you need to keep around for a set period of time, either for regulatory, legal or business reasons. Records encompass both structured information, like financial transactions stored in the company's enterprise resource planning system, and unstructured information, like financial spreadsheets exchanged by e-mail that might eventually feed into the ERP system (or just sit on someone's desktop computer indefinitely). Records probably don't encompass e-mails exchanged by two accountants about whether to lunch on Thai food or Mexican.

"You have to boil it down to, what are your storage requirements versus your legal requirements to retain business documentation?" says John Petruzzi, director of enterprise security for Constellation Energy, a $17 billion company based in Baltimore. The two things can be very different. For instance, while backup media may be in a continual state of being written and overwritten, records that must legally be retained (more on that in a minute) often need to be stored on immutable, nonrewritable storage, and should be either very well-organized, very easily searched, or both.

2. Expecting the legal department to produce a rule of thumb for how long to store records.

About those legal requirements: If you're waiting for an easy answer, keep breathing.

Take Constellation, for instance. As an energy company with trading operations—and one that's currently in the midst of an acquisition by the rival FPL Group—Constellation has pretty extreme retention requirements. "You're under a microscope with everything that's said," says Petruzzi, who can talk only generically about records retention because of the merger.

As a publicly held company, for instance, Constellation has to answer to the SEC, which under various regulations, including the Sarbanes-Oxley Act, enforces retention periods of two, three, four or seven years, depending on the company and type of record. Then there's the Federal Energy Regulatory Commission, which has its own set of requirements, including one that changed in May, extending from three years to five years the time companies need to keep certain types of pricing information. The U.S. Department of Labor's Occupational Safety & Health Administration requires that some health-related records be kept for either 30 years or the duration of a person's employment plus 30 years. Employment law enforced by the U.S. Equal Employment Opportunity Commission stipulates that documents about job applicants and personnel records be kept from one to three years. For companies in the health-care industry, things get even trickier. Under the Health Insurance Portability and Accountability Act's Privacy Rule, for instance, the Department of Health and Human Services requires that certain records be held for six years.

You get the drift. And that's not addressing various state and local regulations.

"For a Fortune 50 company with 20 lines of business, you may have 50 or 60 different laws that apply to document retention," says the attorney McNicholas, who specializes in information law. He refused to even hazard a guess about how long most business records need to be kept on hand. "You have to start with an accurate survey of the information that's in the organization," McNicholas says—what he calls a data map.

At TriWest, Pontrelli ended up with a 243-line spreadsheet put together by the team in charge of TriWest's contract with the Defense Department. It held retention requirements for everything from accident reports to years of service, with time periods ranging from one year to indefinitely. The spreadsheet laid out where the information was stored, on what medium and—much to his relief—the department responsible for keeping it and eventually destroying it.

3. Assuming that document retention is someone else's job.

The former CSO of the SEC can't help but think of records retention as a hot-potato issue. "Everyone gets thrown the hot potato, and everyone wants to throw it back because they don't understand it," says Chrisan Herrod, now a consultant with Scalable Software, which sells regulatory compliance and asset management products. "It's a really difficult information management problem that is not clearly owned by anyone in an organization."

Hammering out the specifics of retention requirements may be a job for the attorneys, and implementing those policies may best be left to individual business units. But it's in the CSO's best interest to be involved with the whole process for two reasons.

One is that the CSO is the organization's information protector. The regulatory environment for document retention is prompting more IT departments to move to integrated content management solutions—the (still mostly fictional) end game being one where e-mails, instant messages, spreadsheets, word-processing documents and anything else that contains certain keywords or meets certain criteria is stored in one repository, with an underlying software that applies retention policies. Sound scary? A bit.

While that repository may contain a treasure chest of information assets, the fact that it exists in one place makes it a security concern, says Brian Babineau, an analyst at Enterprise Strategy Group. "I may have to access this to provide information to attorneys, but I also need to make sure that access is denied to any unauthorized user." This is either a problem or an opportunity, depending on how you look at it.

"Can you manage one big target better than you can manage several small ones?" Babineau asks. "It might be easier to manage them together." That way, you'd have a good idea of where to encrypt data at rest.

The second reason that CSOs should care is that when the companies get served with a subpoena or notified of an inquiry by regulators, it's the CSO's door that'll be knocked on. "You can tell [the chief legal officer], 'It's not my game; I don't play in this area,'" says Timothy Gladura, former CSO of Cardinal Health, the drug and medical supply company. But if you want to extend your influence, you're better off being able to help with the investigation. Warns Gladura, who's now a divisional president at the Carco Group, which does investigative and security consulting: "If you say you're going to play, when the call comes in you'd better be able to deliver."

4. Not being able to respond quickly to a request.

One of the most potentially expensive parts of records retention is that stomach-punch moment of being served with a subpoena or notice of a regulatory audit. Having to sort individually through backup files can cost millions of dollars. Worse, not being able to access the right files can anger the judge. McNicholas, who worked for the Clinton administration, remembers this as one of the less salacious footnotes of the independent counsel's investigations into Whitewater and Monica Lewinsky.

"The Clinton White House spent more than $10 million to pull records off of backup tapes and look at them again in light of subpoenas," McNicholas says. Ultimately, the White House was investigated for failing to search certain e-mail systems and backup tapes during specific time frames, due to technical problems. (The independent counsel, Robert W. Ray, did not press charges because there was "no substantial evidence that electronic records had been intentionally withheld.")

At least during a legal discovery process, organizations have weeks, not hours, to present evidence. The SEC wants information much faster. That's why once a year, CISO Matthew Todd of Financial Engines takes part in a test of whether every single e-mail, instant message, customer record or data model that the company used to offer financial advice in the past seven years can be accessed at a moment's notice. The compliance group, pretending to be the SEC, asks Todd to pull a specific set of records about certain individuals during a set time frame.

It's a "fire drill," says Todd, who is also the VP of risk and technical operations for the $34 million company, which offers individuals advice about retirement planning, usually as part of an employee benefit program. "We have to be able to produce this stuff within 24 hours." Todd says that over time, not only have the drills helped the company be confident that it's complying with federal regulations but the process has also improved the speed and quality of information that customer service reps can access about an individual's interaction with the company. "There was never a time when the data wasn't available to us," he says, "but it used to be much more onerous to be able to interpret it quickly."

5. Having a policy you can't follow.

Whether your company decides to archive all e-mail and IM from the past five years automatically, or just rely on users to save certain documents, another key point to document retention is setting a policy that can be reasonably followed. Says McNicholas, the attorney: "A good policy does not need to retain all possible information and documents, but it has to be customized to the particular companies, to their culture and their organization and their regulatory environment."

Gladura, echoing that statement, posits that a company could dictate that every e-mail be deleted after seven days. "But if you do that, you'll be deleting information that people may need, and they'll find workarounds," he says. "They'll drag it onto their hard drive or a thumb drive, and then you really won't be able to control what happens to it. It's better to have a loose policy that you can follow than a strict one you couldn't." For instance, it would be better to have a three- to six-month retention policy with an automatic clean-up function for e-mails not subject to retention requirements.

6. Failing to offer guidance on how to destroy old records.

Once the retention period ends, the CSO's real work begins. Business units will need guidance on how to get rid of information. This is where classification schemes are useful. At energy giant Chevron, for instance, Global Information Protection Architect Jay White is establishing an information classification system and setting up destruction standards based on information type.

When what's considered "public information" outlives its usefulness, users or administrators can just delete it, White says. For business information, users or system administrators can again hit the delete key, but when the drive is retired, it needs to be degaussed—a process of demagnetizing so that information is destroyed. If the information is deemed classified or confidential, it must immediately be shredded, burned, degaussed or overwritten to a Department of Defense-level standard.

These standards, though, are more about protecting the information, period, than destroying the record. Experts we spoke with did not know of any instances where prosecutors used forensics tools to try to recover records that were deleted as a normal course of business. Of course, a judge who is frustrated with your company's inability to produce records could issue a subpoena for them.
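The data map of sin 2, the automatic clean-up of sin 5 and the classification-based destruction standards of sin 6 fit together as one retention evaluator. The following is an added example, not code from the article or from any company it mentions; the record types, retention periods and classifications in DATA_MAP are constructed for illustration only, and the legal_hold flag is an assumed field modelling a subpoena or audit notice that suspends disposal.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed data map, modelled on the spreadsheet described in sin 2:
# record type -> (retention period in days, classification).
# Periods are illustrative, not a statement of any regulation.
DATA_MAP = {
    "hipaa_privacy_record": (6 * 365, "confidential"),
    "osha_exposure_record": (30 * 365, "confidential"),
    "eeoc_applicant_file": (1 * 365, "business"),
    "routine_email": (180, "public"),  # 6-month clean-up window (sin 5)
}

# Destruction method by classification, after the scheme in sin 6.
DISPOSITION = {
    "public": "delete",
    "business": "delete; degauss drive at retirement",
    "confidential": "shred/burn/degauss/overwrite to DoD-level standard",
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    legal_hold: bool = False  # assumed flag: subpoena or audit notice received


def evaluate(record: Record, today: date) -> tuple[str, str]:
    """Return (action, detail) where action is 'retain', 'hold' or 'destroy'."""
    if record.record_type not in DATA_MAP:
        # Unmapped records have no known retention period: never auto-delete.
        return ("retain", "not on data map; route to records owner")
    days, classification = DATA_MAP[record.record_type]
    expiry = record.created + timedelta(days=days)
    if record.legal_hold:
        # A hold stops the clock even if the retention period has lapsed.
        return ("hold", "retention suspended pending legal release")
    if today < expiry:
        return ("retain", f"until {expiry.isoformat()}")
    return ("destroy", DISPOSITION[classification])


def disposition_report(records: list[Record], today: date) -> dict[str, tuple[str, str]]:
    """Batch form of evaluate(), keyed by record id, for a scheduled clean-up run."""
    return {r.record_id: evaluate(r, today) for r in records}
```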
