Symantec’s 2011 Information Retention and eDiscovery Survey found that nearly half of respondents did not have an information retention plan in place. Thirty percent were only in the process of discussing one, and 14% had no plan. A year later, according to the 2012 Information Retention and eDiscovery Survey, the percentage of organizations without a formal information retention plan had dropped by half.
What a Difference a Year Makes
While nearly two-thirds (60%) of organizations say they have a formal retention plan, only 34% report those plans are fully operational.
However, the survey found that only 7% of organizations have no plan in place, with perceived cost cited as the main reason.
Though such improvement makes for a great headline, there is still some cause for concern. Organizations indicated that they received on average 17 requests for electronically stored information (ESI), and that these requests failed 31% of the time, a higher rate than reported in 2011. It goes without saying that each time a failure occurs, the organization is put at risk.
What seems to be causing the failures? It’s not terribly surprising that an inability to make decisions in a timely fashion was the biggest consequence, while other consequences reported included damage to reputation, compromised legal position, fines, raised profile as a litigation target and court sanctions.
Gaps Between Retention Beliefs and Practices
There is still a substantial gap between beliefs and practices in retention policies, which has not significantly changed year over year.
What companies think happens:
- Eighty-one percent of respondents believe that a proper information retention plan allows organizations to delete information on an ongoing basis.
What really happens:
- However, organizations retain 42% of backups indefinitely, and information that is deleted is often deleted without regard to established retention policies.
The survey also reports that organizations are keeping information longer than needed, and are keeping data for legal holds in backups rather than in archives, which reduces efficiency when responding to an ESI request.
What companies say:
- A third of backup data (34%) is unnecessary and shouldn't be kept due to litigation risk.
What companies do:
- Fifty-six percent of organizations reported that their backup storage is used for infinite retention and dedicated to legal hold. Furthermore, 85% of organizations routinely perform legal holds in their backups, which are not designed to be accessed in the same way as an archive.
It’s a New Year!
How can organizations ensure that they continue to improve in 2013? The following recommendations were offered by Symantec for effectively implementing an information retention plan:
- Adopt a defensible deletion mindset so you can delete information with confidence according to your information retention policies.
- Aim for fewer, rather than many, retention policies. This improves the odds of successful information governance. Start with deleting obvious unnecessary files, then set minimum retention periods for compliance. Additional policies can be added later, if necessary.
- Automate privacy, retention and compliance policies to reduce risk. Allowing your policies to work automatically as designed not only reduces the risk of inconsistencies in policy implementation, but also reduces the risk of unintentional access or distribution of information.
- Implement a solution in which legal holds can override expiry policies.
- Don't use backups for long-term retention. Backups are for recovery; archiving is for discovery. Deploy an archiving solution to quickly and easily respond to search requests for electronically stored information.
There seems to be a big difference between what organizations said and what they actually did. Just because more organizations indicated that they had a retention plan doesn't mean that the plan is necessarily helping them alleviate risk.