The Seven Deadly Sins of Records Retention

Records retention periods are increasingly governed by regulations. Here are worst (and best) practices for securing data and documents.


Carco's Gladura likens the situation to the paper world and says it would depend on how a subpoena was written, and also whether a company was compliant with its own policies. "You don't have to get out the shredder bag and piece things together in a normal situation," he says, "but you may have to if you're under investigation. For a document retention policy, it's typically enough just to delete. It's not reasonable for me to go back and recover things that were deleted as part of a retention policy."

7. Telling people to delete information at the wrong time.

Finally, it's not enough to do all this if you tell people to delete things out of turn. Just ask anyone who used to work for Arthur Andersen. Or ask Frank Quattrone, the former Credit Suisse First Boston banker who spent three years fighting obstruction-of-justice charges after he forwarded the document retention policy to other employees and instructed them to "catch up on file cleaning", this at a time when the company was going to be under investigation. (Charges were dropped last month.)

Once a company learns that it is under discovery or being audited, or learns that it's about to be audited or served with a subpoena, destroying anything could make it look like it's hiding something.

A policy can help you keep records in order so that, if needed, you'll only have to trawl through a reasonable amount of information. At American Savings Bank, where Kenneth Newman reluctantly accepted responsibility for records management, the security group sends out quarterly e-mail reminders about certain records that need to be destroyed. "We issue a reminder that if you have these types of documents in any format"—paper or electronic—"the time has come to arrange for their destruction," says Newman, VP of security for the $371 million Honolulu-based bank.

For instance, if a certain loan file has a seven-year retention requirement, his group would send a notice in the first quarter of 2006 that "any of these loan documents that are older than Q1 1999 can be deleted." He follows up as best he can. For papers stored with an offsite provider, it's easier to track. For electronic records, however, he depends on business units to follow through.

The system can be complicated or simple, automated or centered around users. The important part is establishing a system that you can describe, follow and stand behind. It can make your head hurt, says Herrod, the former SEC CSO. "You want to give up. But at the end of the day, you have to have some sort of written policy around it."

Copyright © 2006 IDG Communications, Inc.
