May 07, 2014
We’ve been working with a growing number of organizations that have finally (finally!) arrived at the decision that keeping everything forever is no longer a sustainable business strategy. Yes, they recognize that information growth continues unabated and, yes, more of this information is appearing in unmanaged locations such as social media. But, arriving at a shared perspective on how long information has value, what process could be utilized to rid oneself of junk, how to account for the information needs of users, and how one can gauge the incremental eDiscovery risks associated with preservation and disposition can often appear to be insurmountable obstacles.
Motivated by the search for a simple answer to the complex infogov question of “what information should I keep, and for how long”, these discussions have inspired me to advance a new approach to proactive information governance that is probably best described as Semper Gumby.
As you probably know, Semper Gumby is an unofficial motto of the United States Marine Corps, adopted to convey the imperative to be “Always Flexible”. The importance and direct relevance to retention management is clear, where policies need to be sensitive to:
1) Ongoing operational needs, where setting policy reflects the fluid need to deliver consistent access to business-critical information to end users, balanced against the IT need to cost-effectively manage data storage cost and hassle
2) Increasingly complex regulatory requirements that have now established themselves as the top litigation concern for many corporations
3) Litigation patterns and trends, along with deep-seated notions of how information management impacts preservation risk
4) Internal communication patterns, and the increased traffic that is occurring outside of sanctioned communication channels
Suffice it to say, these variables will continue to evolve and intermingle to ultimately produce a set of policies that map to each organization's unique situation. But, as Semper Gumby would dictate, a premium is placed on flexibility. Conditions, including use of specific communication channels, storage cost, and regulatory drivers, will inevitably evolve. Policies must be flexible to evolve with these conditions.
This fact can be highlighted via a survey that we recently conducted, looking at the existing retention policies of information archiving customers (horizontal axis representing retention policy length in years, vertical axis counting the number of companies with that policy).
Some of the findings from the survey include the following:
- 65% of the companies sampled had more than 1 active retention policy, averaging 3 policies overall
- The default retention period for all companies surveyed averaged slightly more than 4 years
- As expected, policies varied widely by industry. Health care, for example, had default policies that ranged from 1 to 8 years
- Most common reasons for multiple policies were geographic drivers, policies driven by existing records class definition, and policies reflecting legal discovery definition
- Policies are trending toward longer retention periods, most likely due to storage becoming less of a driver in setting policy given falling storage costs
As demonstrated by the survey, there is no one policy size that fits all (except those things driven by industry mandate). But it is also true that answering the question of “what information should I keep, and for how long” does not need to stop with “it depends”. Effective policies are not static and require granularity to reflect the unique needs of users, as well as legal and compliance stakeholders.
Equally important, effective policy management needs to address not just the challenges faced today by many companies in defining retention policies, but also the need to ensure that policies can be enforced. Policy enforcement that relies solely on actions of end users is rarely effective. Therefore, end users should be engaged as stakeholders based upon their knowledge and business expertise – not as records managers. The topic of policy enforcement will be covered in a post to follow.
For more information on how Proofpoint Enterprise Archive follows the Semper Gumby mantra in enabling robust – yet flexible – retention policy management, please visit http://www.proofpoint.com/products/archive-governance/by-role/compliance-officer.php#main. And, if you are planning to attend the MER conference in Chicago, would love to meet with you then. Please schedule a session at: http://www.merconference.com/mymer/.
Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley-based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.