Records Retention: Practice What You Preach

If your organization is going to claim in court that records aren't available because they've been destroyed, be prepared to back up that assertion with a retention and disposition policy--in writing. You also should have records that demonstrate how the policy is implemented and how employees are trained in retention and disposition. When creating the policy, IT, legal, and compliance officers need to be involved, as do line-of-business managers. But don't forget the people who actually create the content.

"Users are in favor [of disposition] unless it's their data," says Mike Brooks, CIO and senior VP of CVR Energy. A disposition policy has to be cognizant of users' desire to have some information that lives forever. Overly strict policies will prompt users to find ways to thwart the rules--and that could have harmful compliance or legal repercussions.

You also need to have an audit trail, such as electronic log files, to show that disposition is applied regularly and uniformly in accordance with the written policy. Be sure the process includes legal-hold capabilities, and expect to have an IT or storage director be deposed, or even appear in court, to explain the policy and how it's implemented.

Whatever you do, don't write a policy and then fail to follow it. "That's arguably worse than not having a policy at all," says Michael Sands, partner at law firm Fenwick & West. Many in-house lawyers see retention and disposition as a checklist item, he says. They get a sample policy, slap the company logo on it, put it in a drawer, and forget about it. That's dangerous.

"When a company has a 'policy' that they aren't following, they have defined their own standard of care that they have then failed to meet," Sands says, adding that if your opponent can show that you say one thing but do another, you've already lost.

Note also that there are different levels of "deleted." The most common method is to overwrite data with other information. However, data erased by a simple overwrite often can be recovered using forensic software. Other methods, such as overwriting multiple times with ones and zeroes, encrypting without preserving the decryption key, using a strong magnetic field to wipe a disk, or physically destroying storage media, are used for high-security deletion to defeat forensic data recovery. When it comes to data disposition and federal civil court cases, a simple overwrite is sufficient. Courts are less interested in the method used to delete data than in a litigant's ability to demonstrate a comprehensive and repeatable disposition system.

"If you say, 'We don't have e-mail from the following people prior to March 2006,' courts are generally going to accept that as long as it's supported by a declaration from someone in IT explaining retention and disposition policies and practices," Sands says. "A court isn't going to make you prove a negative."

However, it's useful to maintain clear disposition records, such as audit trails. Many archiving products, such as Hewlett-Packard's Integrated Archive and Autonomy's Idol software platform, create date and time stamps for each object, such as an e-mail or document, stored in the archive. Tracking the archive date is crucial for time-based disposition policies.

Photo illustration by Sek Leung

Return to the story:
Comply Or Die: Data Disposition Must Be A Priority