MASTERING DATA RETENTION

Storing data and IT equipment can be a tricky thing to master. To start out with, you need to ensure that all unnecessary data is deleted so that you’re only storing the bare essentials. Once you’ve narrowed down the data that you’ll need to save, you need to determine which devices you’ll be retaining as well as a secure location to keep them. If this all sounds like a massive headache, don’t worry. You’re not alone.

According to NAID-Europe, plenty of business owners aren’t quite sure how to go about storing their data and equipment. Here are some fast facts that should show you how normal it is to struggle with data retention:

• Deleting isn’t the same as erasing. Many European governments showed ignorance about the differences between destroying data and moving it to the Recycle Bin. These included governmental agencies in Spain and the Netherlands.

• IT equipment needs to be secured. Of four European law firms studied, all four left their digital information in locations that were easily accessible by any member of the public willing to step into their offices.

• Planning is the key. Most of these governmental agencies not only had no data retention policy, but the vast majority (mistakenly) felt that they were at no increased security risk because of their lackluster data destruction practices.

These are just a few of the most common data retention pitfalls and, while frustrating to look at, each of them is entirely avoidable. Let’s look at why a data retention policy is crucial to the success of your organization and how you can create a plan that works for your situation.

Why Do You Need a Data Retention Plan?

According to the International Franchise Association (IFA), there are three main reasons why you’ll want to employ a data retention plan, and they can be summed up as follows:

• To keep important records and documents that may be needed in the future.

• Where people are fallible and prone to make mistakes, processes are reliable. Implementing a secure data retention plan can prevent essential information from slipping through the cracks.

• To organize any documents so that individual records can easily be found when they are needed.

If this seems like a simple enough motivation, that’s because it is. You want to clear away any unwanted records because it will make it easier to find the records that you need. Of course, there are some more specialized appeals to data retention plans, such as:

• Saving money by cutting back on the amount of data storage space your organization requires.

• Complying with regulatory standards e.g. protection of privacy, legal discoveries, etc. The IFA’s research found that holding onto information past its point of usefulness could, in many situations, be a liability for an organization during the discovery phase of a court case.

• Decommissioning old hardware with outdated records in order to resell it and invest in newer equipment.

As you can see, there are no shortages of reasons to create a data retention plan for your organization. Once you’ve decided that you’re ready to implement such a policy, then you should begin by deciding what data you’ll be retaining and what data needs to be destroyed.

Selecting Data for Destruction

When selecting what data to erase, your first priority should be maintaining regulatory compliance for your industry–in short, keeping whatever the law requires you to keep. To that end, there are several categories that information can fall under, each with its own uses and lifespan.

• Temporary Records. This subsection includes things like logs, drafts, and work copies of other short-term records. As the title suggests, you typically won’t need to worry about keeping these files around in the long-term.

• Intellectual Property. It’s easy to let intellectual property stick around past its usefulness, but don’t fall into that trap. This data is only useful until, like all great ideas, it becomes outdated.

• Permanent Records. Binding contracts, tax records, patents, etc., all of these fall under the category of permanent records and should be retained for a number of years, if not indefinitely.

These are broad categorizations, but they should give you an idea for how you’ll be breaking up your data to determine what stays and what goes. While it’s easy to accidentally delete an important file, it’s just as likely that you’ll turn into a data hoarder. To avoid both of these common pitfalls, ask yourself a series of questions when deciding what data to keep: Will I need this record in five years? Do I have a legal reason to retain this information? In what scenarios would this information be useful to me down the line? Examine the regulatory standards of your industry and see what data retention practices will be expected of your organization. By analyzing your motivations for keeping or deleting data, it should quickly become apparent which course of action you should take.

The key in this phase is to ensure that you have adequate cause to delete and store your data, because failure to correctly categorize your files can result in devastating legal ramifications. In the landmark case United States v. Andersen, Arthur Andersen LLP was found guilty of having “corruptly persuaded” its employees to delete important files, all because they were following a flawed data retention policy. This is not an issue which exists solely in abstract hypotheticals–you’ll find a reliable data retention plan to be vital to the reputation and success of your organization.

Now that you understand the severity of the situation and have decided how to allocate your data, it’s time to move on to the next step. Let’s discuss how you can effectively manage your data retention policy in a way that works for your business without draining too many of your resources.

Managing Your Data Retention Policy

Just because you know why you need a data retention plan doesn’t make it clear how it should be run, and some of the most common questions are: Who is responsible for developing the policy? Who enforces it? How can I develop a plan that’s effective without being overly complicated?

It’s always best to start at the beginning, so let’s discuss who will be creating your data retention plan. Once upon a time, when paper documents were the standard, this would be assigned to a records manager. In more modern times, however, drafting this policy falls into the jurisdiction of both IT professionals and business executives, both of whom have a vested interest in how the data retention policy is crafted.

The good news is that a data retention plan doesn’t need to be a complex and technical document, but can be broken down into a simple statement explaining which categories of data are subject to termination after select periods of time. The key, of course, is that this policy is something that your organization can feasibly enforce. For this reason, it’s best to keep the document straightforward when dictating what information must be deleted and at what times. When in doubt of how to craft the policy, let IT take the lead. As the resident technology experts, they should have a better understanding of how long data should be stored and the best processes of data destruction.

The union between IT and executives comes in when the policy is being enforced. A simple IT best practices document won’t receive anywhere near the same amount of respect as a statement of company policy, which is why it’s imperative that the document be put forward by executives after being reviewed by the organization’s legal counsel. While these simple steps will provide you with an effective data retention policy, don’t assume that data retention is a simple walk in the park. It’s a serious process that can impact an organization’s industry and legal standing and, when not taken seriously, can have serious repercussions.

Common Data Retention Pitfalls

Data Wipes

Forming a data retention policy may not be overly complicated, but that doesn’t mean that implementing this plan comes without risk. The security of a data retention plan hinges on one crucial software: a reliable data wipe. If the data wipe were to fail, then sensitive information (e.g. old tax information, business plans, etc.) that was to be deleted would suddenly be available to whoever happened upon your organization’s decommissioned hardware.

When selecting your data wipe, you’ll want to choose something that meets or exceeds your industry’s data security standards; these are typically put forward by groups like the NIST and laws like HIPAA. Do not slouch on the research you put into your data wipe–you’ll be entrusting your organization’s security to it, after all.

When considering your options for reputable data wipes, look at Clarabyte’s wipe. Not only does it exceed over a dozen national and international data destruction standards, but the software is remarkably user-friendly and fully automated to maximize the efficiency of your data retention protocol. If you’d like to see more about what Clarabyte’s data wipe has to offer, then schedule a demo and experience this cutting-edge solution for yourself.

Regardless of what data destruction tools you implement, however, it’s imperative that you select a data wipe that you trust. Without completely deleting your digital records, there’s no guarantee that your information can effectively be secured. Security does not stop here, however, and you should consider how you will be storing your equipment that is to hold your digital records and files.

Storing Hardware

Presumably, you won’t want your everyday PC to be bogged down with countless files about your organization’s taxes and legal records, and that data has to go somewhere. Most organizations choose to store this information on select hardware like HDDs and SSDs, but the storage of this equipment is often, and regrettably, overlooked.

Inherent security weaknesses lie in mismanaging the hardware that holds your private records. If you simply place these hard drives in an unlocked closet, for example, what’s to stop a thief from simply walking in and taking the information that they want?

For this reason, it’s essential that your hardware be stored in a secure location that only a select few will have access to. This ensures the safety of your hardware from physical theft and, if you’ve followed the other data security steps, should close off the final remaining attack vector upon your data security.

Final Thoughts

Data retention is all about balance–balancing overly complex planning with not having a plan at all, balancing the storage of important information with hoarding unnecessary data and balancing ease of access with data security concerns. By following the tips and tricks in this article, though, your organization can find the balance and greatly benefit from a reliable and well-executed data retention policy.

References

Corbin, Charles, Dan Martin, CFE, and Tamara Prince. “I Can’t Find The Signed Franchise Agreement!”: Creating and Implementing Record Retention and Management Policies that Work . International Franchise Association, 6 May 2014. Web.

Data Disposal Attitudes & Practices (2010-2011). Rep. NAID-Europe, Feb. 2012. Web.

Shaw, Thomas J., Esq. “A Publication of the E-Discovery and Digital Evidence Committee ABA Section of Science & Technology Law.” EDDE Journal 3.3 (2012). Web.

United States v. Andersen. Supreme Court. 2005. Case Briefs. Bloomberg Law, Web.