Cos Struggling To Implement Information Retention Plans

Symantec Corp. has announced the findings of its 2012 Information Retention and eDiscovery Survey which examined how enterprises manage their ever-growing volumes of electronically stored information (ESI) and prepare for the eventuality of an eDiscovery request. The study found the percentage of organisations without a formal information retention plan dropped by half from the 2011 survey. However, even with this improvement, organisations struggle with implementing their information retention plans as only a third of organisations report their plan is fully operational.

Non-implemented plans risky to organisations

Nearly two-thirds (60 percent) of organisations say they have a formal retention plan, yet only 34 percent report those plans are fully operational. The perceived cost of implementing their plans is reported to be the most common reason why organisations are lagging in plan implementation. The survey found that only 7 percent of organisations don’t have any plans in place, a 50 percent drop from 14 percent of organisations reported in the 2011 survey.

More from Biztech

Future Group - Reliance Retail Deal approved by CCI RBI ban on cryptocurrencies takes effect; prohibition could force investors to tap the black market

Even more concerning is that while they received on average 17 requests for electronically stored information, these requests failed 31 percent of the time. This is significantly higher than the 20 percent of failures reported in 2011. Each time a failure occurs, the organisation is at risk. Forty-three percent reported the inability to make decisions in a timely fashion as the biggest consequence of these failures. Other consequences reported include damage to reputation, compromised legal position, fines, raised profile as a litigation target and court sanctions.

“The survey highlights that, although there is a reduction in the number of organisations without an information retention plan, organisations haven’t fully funded and implemented their plans,” said Trevor Daughney, Director, Information Intelligence Group, Symantec. “With the number of ESI requests and failures to obtain requested information increasing, organisations face risks that are much more costly in the long run than implementing their plans.”

No improvement in gap between retention beliefs and practices

There is still a substantial gap between beliefs and practices in retention policies, which has not significantly changed year over year. Eighty-one percent of respondents believe that a proper information retention plan allows organisations to delete information on an ongoing basis. However, 42 percent of backups are indefinitely retained by organisations. This is virtually unchanged from the 2011 results. And, information that is deleted by organisations is often deleted without considering established retention policies.

The most reported negative consequences resulting from preserving more electronically stored information than necessary include: Increased costs associated with collection, analysis and review (54 percent); increased time spent to collect, analyse and review ESI (47 percent); increased risk that sensitive information may be disclosed (44 percent); compromised position in potential or actual litigation (27 percent); and information unintentionally made available for potential future litigation (28 percent).

The survey also reports that organisations are keeping information longer than is needed, and keeping the data within backups rather than archives for legal holds, which reduces efficiencies when performing an ESI request. The survey reveals that 38 percent of data that organisations back up is not needed or shouldn’t be kept in backup. In fact, respondents say that a third of backup data (34 percent) shouldn’t be kept and is unnecessary due to litigation risk.

More than half of organisations keep that data indefinitely: 56 percent of organisations reported that their backup storage is used for infinite retention that is dedicated to legal hold. This has grown from 43 percent in 2011 and continues to get worse. Further, 85 percent of organisations routinely perform legal holds in their backups, which are not designed to be accessed in the same way as an archive.

Majority of organisations impacted by data privacy laws and regulations

As expected, data privacy laws and regulations have significant impact on organisations with 53 percent reporting that laws and/or regulations impact archiving and eDiscovery initiatives. However, there are many reasons respondents report collecting electronically stored information including: Litigation (60 percent); internal investigations (59 percent); internal compliance initiatives (58 percent); compliance with international regulations and laws (57 percent); compliance with local regulations and laws (55 percent); governmental inquiries or investigations (52 percent); and public information requests (46 percent).

Recommendations

Following are recommendations that organisations can implement to help them more effectively implement their information retention plan:

Adopt a defensible deletion mindset: When organisations can adopt a defensible deletion mindset they can delete information with confidence according to their information retention policies.

Err on the side of fewer, rather than many, retention policies: This improves the odds of successful information governance. Start with deleting obvious unnecessary files, then set minimum retention periods for compliance. Additional policies can be added later, if necessary.

Automate privacy, retention and compliance policies to reduce risk: Allowing your policies to automatically work as they are designed not only reduces the risk of inconsistencies in policy implementation, but reduces the risk of unintentional access or distribution of information.

Implement a solution in which legal holds can override expiry policies: Consider a unified eDiscovery solution where legal holds can be easily implemented to override expiry policies to avoid spoliation and sanctions.

Don’t use backups for long term retention: Backups are for recovery, archiving is for discovery. Deploy an archiving solution to quickly and easily respond to search requests for electronically stored information.