How far back does your email go? And how does this relate to data security? Bobby R. Williams, Jr., managing consultant with iDiscovery Solutions, returns with his Finely Tuned blog series to discuss this topic's significance.
How far back does your email go? I’m sure many of you started scrolling through your Outlook to answer that question. I would wager most users do not know the answer offhand. Hopefully, the answer is easily found within your data retention protocols.
The skilled and hard-working IT professionals within our organizations often emphasize security. Data retention is part of the security discussion, but it can become an afterthought as storage gets less expensive. Some say, “If space is cheap, just keep everything.” We frequently ask how far back the records within a system go. Often the answer is, “As long as the system has been in use.” Whether this is good or bad usually depends on circumstance. Either way, we recommend that it be determined by protocol and not left to chance.
Why is this significant?
When determining the scope of an investigation, key dates are often a huge factor. Many factors determine how long we hold onto data, such as data types, categories, and the laws that govern them. Knowing the rule(s) that govern your data and setting a protocol to match can help you quickly answer questions about what is available to collect. Investigations become more efficient when sources can be eliminated because of known retention guidelines. Not knowing the rules, or your own protocol and settings for compliance, creates more uncertainty.
Let’s say you need database records from 10 years prior, but the law dictates that records of that kind be maintained for 5 years. Your records were set to age out of that database after 5 years, and there was no trigger for a legal hold. An expert will still ask you questions about confirmation (“Can we verify?”), replication (“Does the same data exist somewhere else in another format?”) and backup (“Can the data be restored or recovered?”), but the database itself may be instantly out of scope.
Conversely, if you arbitrarily set records retention to 3 years but the law requires the records to be held for 10, an investigation can reveal major problems for the organization.
What’s the takeaway?
Understand your data types. Everything from email to finance and human resources records can span a wide range of file types. Understand the laws that dictate how long data should be held; the standards for PII (Personally Identifiable Information) and medical records will differ from those for other data types. Understand the systems you deploy so that you know their capacities and limitations for retention, and once you know them, apply those settings. Have the information documented and available. Consider bringing in an expert to help you execute all of this; many qualified consultants can help you manage Information Governance and Litigation Readiness. All of this helps an investigator leverage your existing work, with the potential to aid analysis and lower costs. It is another example of how paying attention can help you pay less money.
Published November 16, 2020.