IT management has become so complex that it’s no longer just an IT issue. From general information security practices to compliance mandates and e-discovery requirements, I don’t envy anyone responsible for managing the numerous complexities.
Based on what I see when performing security assessments, litigation support and expert witness work, there’s hardly anything posing as much of a threat to businesses today as the mismanagement of data retention. Simply put, a data retention strategy is often handled as any other function of IT -- but it just doesn’t work that way.
As with most things that affect the bottom line -- supply chain management, finance, sales, etc. -- there has to be some level of accountability through checks and balances across the board. In areas such as those just mentioned, that’s usually the case. However, there’s often little to no oversight when it comes to data retention requirements. This goes for corporations, nonprofits and government agencies of all sizes.
In certain cases where a data retention program does exist, it’s often in the form of a data retention policy that’s been haphazardly thrown together. Data retention strategies such as these don’t implement what’s needed or, worse, are downloaded off the Internet without any real tweaking based on the business’s data retention requirements and specific circumstances.
Case law has shown us that data retention requirements involve so much more than traditional IT oversight. At a minimum, a thorough data retention strategy needs to involve the legal department, internal audits, human resources and executive management. It’s also important to know that a data retention strategy is more than just holding backup tapes for a certain time period. Instead, it’s a formal structure and set of processes for maintaining electronic data across the enterprise on servers, SAN/NAS systems, tapes, workstations, mobile devices -- anything capable of storing electronic data.
Whether it’s to satisfy an internal policy, business partner requirement, external audit or legal hold for e-discovery, data retention strategy is a serious business issue that deserves serious attention from the proper stakeholders. It's important to step back and re-evaluate:
- What data is being held.
- Where that data is being held.
- How long the data is being held.
- How the data is handled when a legal hold is received and maintained during an investigation or lawsuit.
By not addressing these issues now -- before you need to -- you risk unnecessary liabilities by having too much data lying around, as well as spoliation or other mishandling that can really get your business in hot water.
Unless you have people outside IT helping to call the shots on data retention requirements, it's a huge risk right under your nose -- and one the IT department will never be able to handle independently.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog