More Data Retention Tips And Considerations

Here are some more data retention tips and considerations as a follow-up to my Tuesday blog post.

Here is the remainder of the second article, “Miscellaneous Data Retention Considerations,” from my August IT Compliance in Realtime Journal.
Download the Journal PDF to get a much nicer-looking version.

Often-Overlooked Retention Issues
When working with your records retention department and your vendors, make sure that you consider the following often-overlooked types of retention issues.

  • How does your organization store electronic messages? How do your vendors store the electronic messages they send and receive on your company’s behalf? E-discovery and litigation issues make storing electronic messages in their original form a critical consideration. Many organizations convert email messages and documents captured from a messaging server to SMTP and RTF documents; this eliminates metadata in a way that could significantly weaken the value of the records to your organization.
  • How long do your organization and your vendors store the electronic messages sent and received on your company’s behalf? There are many retention time requirements for different types of information. You need to be sure that your company and vendors are retaining your information and data, in all forms, according to your organization’s applicable legal and regulatory requirements.
  • On what type of media do your organization and your vendors store electronic records? Regulations such as U.S. SEC Rule 17a-4 require covered organizations to archive records on non-erasable, non-volatile storage. If this rule covers your organization, you must ensure that your organization, as well as your outsourced vendors, is in compliance for the data that you and your outsourced vendors process, store, or otherwise handle on your organization’s behalf.
  • See U.S. SEC Rule 17a-4, “Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules and the Securities Investor Protection Act of 1970 to Accounts Holding Security Futures Products” at
  • What happens to the electronic message headers as they are forwarded or sent outside the organization? Oftentimes, distribution lists are lost from electronic messages depending upon how they are forwarded or replied to. There may be legal obligations for your organization to accurately preserve a list of all individuals who send and receive messages. If messages are sent using distribution lists, they may not fulfill this type of legal obligation.
  • Does your organization have records retention policies and procedures that cover record retrieval and deletion? Do your outsourced vendors? Documented policies and procedures are a necessity to ensure consistent data retention actions throughout your entire enterprise and within your outsourced vendors. Supporting procedures should explain how to document all actions taken related to archival and deletion. These documented procedures, and resulting documentation from retention activities, will allow your organization to explain and validate record handling actions if an investigation takes place.
  • Do your policies and procedures cover internal enterprise communications, external enterprise communications, and records within applications such as electronic order entry records or purchase orders? Do your vendors’ policies and procedures cover these issues? Internal communication is basically any type of message (such as email and instant messages), as well as any other shared document (such as memos, reports, HTML forms, and so on), sent and exchanged within your organization, regardless of whether it covers business issues.
  • Does your organization, and do your vendors, record the version and release of the application that created or manipulated electronic communications? If you don’t, these communications could eventually become inaccessible.
  • Does your organization, or your vendors, have retention standards based upon job responsibilities and communications intent? Communications not related to business functions should be retained or deleted as determined by those responsible for establishing the retention requirements. For example, in a manufacturing company, the internal business electronic messages of an individual responsible for IT network planning may be determined to need deletion after 6 months. However, you might need to retain the electronic messages from a stockbroker or CFO within a financial services organization for 6 years. Whatever the retention needs, all your decisions need to be formally documented and consistently implemented and followed.
  • Are your organization’s and vendors’ electronic communications and documents retained in a way that is consistent with the retention practices for your paper documents and communications containing the same information? All communications should be retained using procedures that are consistent with paper documents containing the same types of information.
  • Has your organization, or your vendors, determined which versions of messages and communications need to be retained? Communications usually are forwarded multiple times across systems and to many different individuals. They often contain duplicate information, including attachments. Establish a policy and supporting procedures to cover the versions of communications that will be archived.
  • Has your organization, or your vendors, determined how communications that reside on many different types of individual systems will be collected and archived? Are you going to make each individual responsible for creating the archive, will you set up an automated archive system, or will you use some other type of procedure?
  • Have you included retention requirements in your information security policies and effectively communicated them to all your personnel? Have your vendors? Once you have created appropriate policies, it is important to understand that they will not be effective unless they are communicated and enforced. For example, if one of your workers is using your network (or your vendors’ networks) to download and distribute child pornography, not only is the system archiving huge amounts of this data, but your organization is also putting itself at risk of a potential lawsuit or even a felony charge. If your organization archived the pornography and then did nothing to enforce compliance or prevent the activity from continuing, it could not only damage your organization’s reputation but also have a significant impact on your organization’s business and financial position.
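Two of the points above (messages converted out of their original form lose metadata; distribution lists hide who actually received a message) are easy to see with a small archiving check. The script below is an added example written for this post, not code from the original article or from any product it mentions. The sample message, the list directory, and the “document export” that keeps only the headers a mail client would print are all constructed for illustration; the point is what a body-plus-display-headers export drops, and why the original bytes, a fingerprint, and the expanded recipient list belong in the archive record.

```python
import email
import hashlib
from email import policy

# Constructed sample message (not a real capture): the raw RFC 5322 bytes a
# messaging server would hand to an archive. The To: address is a distribution list.
RAW_MESSAGE = b"""Received: from mail.example.test ([192.0.2.10]) by mx.example.test; Tue, 5 Aug 2008 09:12:00 -0500
Message-ID: <20080805141200.abc123@mail.example.test>
Date: Tue, 05 Aug 2008 09:11:58 -0500
From: Planner <planner@example.test>
To: Network Team <network-team@example.test>
Cc: cfo@example.test
Subject: Q3 capacity plan
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Attached is the Q3 plan for review.
"""

# Constructed directory of list addresses -> members, as known at archive time.
LIST_DIRECTORY = {
    "network-team@example.test": ["alice@example.test", "bob@example.test"],
}

# Headers that matter for e-discovery (who, when, which message, what thread).
EVIDENTIARY_HEADERS = ("Message-ID", "Date", "Received", "From", "To",
                       "Cc", "Bcc", "In-Reply-To", "References")

# Headers a typical "save as document" conversion keeps at the top of the page.
DISPLAY_HEADERS = ("From", "To", "Subject", "Date")


def _parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def preserve_original(raw: bytes) -> dict:
    """Archive record: the untouched bytes plus a SHA-256 fingerprint so a later
    retrieval can show the record is exactly what was captured."""
    return {"raw": raw, "sha256": hashlib.sha256(raw).hexdigest()}


def verify_original(record: dict) -> bool:
    """Recompute the fingerprint; False means the stored bytes no longer match."""
    return hashlib.sha256(record["raw"]).hexdigest() == record["sha256"]


def extract_metadata(raw: bytes) -> dict:
    """Evidentiary headers present in the original, each as a list of values
    (Received can legitimately appear several times)."""
    msg = _parse(raw)
    meta = {}
    for name in EVIDENTIARY_HEADERS:
        values = msg.get_all(name)
        if values:
            meta[name] = [str(v) for v in values]
    return meta


def document_export(raw: bytes) -> str:
    """Simulates a lossy conversion to a document: display headers plus body.
    Transport (Received), identity (Message-ID), threading and Cc/Bcc are gone."""
    msg = _parse(raw)
    lines = [f"{h}: {msg[h]}" for h in DISPLAY_HEADERS if msg[h] is not None]
    lines.append("")
    lines.append(msg.get_body(preferencelist=("plain",)).get_content().strip())
    return "\n".join(lines)


def metadata_lost(raw: bytes) -> list:
    """Evidentiary headers in the original that the document export does not carry."""
    return sorted(h for h in extract_metadata(raw) if h not in DISPLAY_HEADERS)


def resolve_recipients(raw: bytes, list_directory: dict) -> list:
    """Expand list addresses into individual recipients at archive time; the
    headers alone never record who a distribution list delivered to."""
    msg = _parse(raw)
    recipients = set()
    for field in ("To", "Cc", "Bcc"):
        header = msg[field]
        if header is None:
            continue
        for addr in header.addresses:
            recipients.update(list_directory.get(addr.addr_spec, [addr.addr_spec]))
    return sorted(recipients)


if __name__ == "__main__":
    record = preserve_original(RAW_MESSAGE)
    record["metadata"] = extract_metadata(RAW_MESSAGE)
    record["recipients"] = resolve_recipients(RAW_MESSAGE, LIST_DIRECTORY)
    print("fingerprint:", record["sha256"])
    print("lost by document export:", metadata_lost(RAW_MESSAGE))
    print("actual recipients:", record["recipients"])
```

Run as-is, the export drops Cc, Message-ID and Received, and the expanded recipient list shows two list members the headers never name. In a real archive the list directory would be the messaging system’s membership at send time, and the fingerprint would be stored with the record so the retention procedure can document, as the post asks, that nothing was altered between capture and retrieval.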

The bottom line is that your organization’s records retention policy needs to be comprehensive, formally documented, well communicated, and cover issues such as outsourced arrangements and non-business system use.
