Do You Know Your Data Retention Requirements?

There have been several interesting news reports recently about data retention proposals, plans, practices and laws in the U.K.
Currently there are proposals to require emails to be retained for a full year, but critics contend that sloppy data retention practices will result in actual retention periods much longer, if the emails even ever get deleted.
This is an important point; when it comes to data retention, the requirements are rarely, if ever, followed by some organizations…

Do you know what all the data retention requirements are for your organization? Do you know if you are even in compliance with them?
There are a wide range of issues to consider when establishing your data retention program.
As food for thought, here are the first couple of sections from the second article, “Miscellaneous Data Retention Considerations,” in my August IT Compliance in Realtime Journal.

Over the years, I have found it quite interesting that in most large organizations, data and records retention issues are often managed and handled by a department in a completely different part of the enterprise from the information security department.
What is rather scary is that the records retention department often never communicates with the information security area to determine whether or not what they are doing supports, or is in compliance with, applicable information security and privacy policies, laws, regulations, and industry standards. What is also very scary is that these retention issues are typically not discussed with the entities and vendors to whom organizations outsource certain portions of their business processing and auditing.
Outsourcing Questions
When addressing regulatory requirements and emerging security threats, organizations must consider the policies and procedures necessary for proper retention of audit reports, papers, and logs. Outsourcing is now commonplace for most organizations; when you entrust business partners with your company’s information, you place all control of security measures completely into their hands. But when you do this, your organization is still ultimately responsible for that information, including data retention practices they are using:

  • Do you know what they are doing with the logs generated as a result of the activities you outsource to them?
  • Do you know what they are doing with the reports that relate to your business?
  • Do you know their records retention practices?
  • As an effect of many recent laws and regulations, it is also common to have third parties perform audits, risk assessments, or vulnerability assessments:
      ◦ What happens to these reports following the audit or assessment?
      ◦ How long is it reasonable for the third party to retain your report?
      ◦ What do regulations require with regard to retention?

What can complicate the answers to all these questions is digitization of paper documents. Consider the U.S. E-Government Act of 2002. Many documents remain digital throughout their entire life cycle, and paper documents are scanned and stored in digital form. Although digitization has generally made government processes more efficient, and has arguably saved a large amount of paper, the related records retention policies and practices have largely remained stuck in the pre-computer era and often address only hard copies of information.
Retention Responsibilities Go Beyond Your Company Perimeter
I have done well over 150 vendor security program reviews over the past few years, and I could probably count on my fingers the number of them that included within their contracts the vendor responsibilities for retention of the digital and paper documents, both for the duration of the contract and after the relationship with the vendor has been ended. Such is the case even though the electronic documents that the vendors handle on their behalf often include text documents, spreadsheets, and even instant messages, cell phone text messages, voicemail, data from portable devices such as Blackberries, podcasts, and information on social networking sites. All types of electronic data your outsourced vendor has in support of your contract could possibly be subpoenaed and required by a court. Generally, in the U.S. if your data is in your system, or within your outsourced vendors’ systems, it can be subpoenaed.
