Last week, Index Engines provided its take on how best to prepare and manage corporate data. The discussion didn’t end there, however. Today, Symantec released its 2011 Information Retention and e-Discovery Survey, which examined the retention policies of the enterprise. The survey reveals that email is no longer the most commonly requested type of record companies must produce, which further complicates how information, and which kinds of information, are managed.
We thought this was the perfect opportunity to have Symantec weigh in. We asked Greg Muscarella, senior director of product management for Symantec’s Information Management Group, the same three questions about how to effectively manage your corporate data.
CMSWire: What are three things every company should know about managing corporate data?
Greg Muscarella: First, don’t suffer from paralysis of analysis. Create and implement a records and information management (RIM) program. Get started with a formal plan as soon as possible, and then refine it accordingly to address specific laws and regulations governing the retention and availability of information. Without a formal plan it is difficult to know when — and what — to delete, which drives over-retention and creates additional risk.
Second, don’t hold onto everything forever. Periodically delete electronically stored information (ESI) according to your RIM program. Symantec’s 2011 Information Retention and e-Discovery survey found that most organizations (79%) believe that a proper information retention plan should allow them to delete information. Yet, 20% of organizations still retain archived data forever. This means that a large percentage of organizations are not correctly deploying the archive to minimize data through expiry and by implementing document retention policies. Delete according to your information retention plan to reduce storage, litigation exposure and e-Discovery costs.
Third, use backup for recovery, archiving for discovery. Keeping data on backup tapes indefinitely and using those backup tapes for the legal hold process creates significant risk of not being able to meet an e-Discovery request. Instead, the organization is exposed to the costly and dangerous proposition of restoration in the event of litigation. Backup is intended for recovery purposes, and 30 to 60 days is the longest data should be backed up. Files should then be archived or deleted. Using backup only for disaster recovery enables an organization to delete older backup sets within months instead of years.
CMSWire: Why do so many companies fail to manage their corporate data effectively? Are they undereducated? Do they honestly think they're not at risk?
Muscarella: We examined that question in our 2011 Information Retention and e-Discovery survey, and found the reasons vary. We spoke to 2,000 enterprises from 28 countries. The organizations, which included a large range of industries, were enterprises with 1,000 employees or more. Respondents consisted of both a representative from IT management and a representative from Legal.
Despite the risks, the survey found nearly half of respondents do not have an information retention plan in place. 30% are only discussing how to do so, and 14% have no plan to do so.
When asked why, respondents indicated lack of need (41%), too costly (38%), nobody has been chartered with that responsibility (27%), don’t have time (26%) and lack of expertise (21%) as top reasons.
CMSWire: Is it enough to simply manage data? How can companies stay up-to-date on trends and risks affecting their industry?
Muscarella: One key for organizations to stay up-to-date on trends and risks is to understand exactly what industry standards governing the security and availability of information they must comply with, such as HIPAA or PCI. Companies are also increasingly being asked to produce social media records, including posts and interactions on Facebook, Twitter, LinkedIn and blogs as part of an e-Discovery request. It’s now so important for an enterprise’s legal and IT departments to work together on developing and implementing an effective information retention policy.