To Keep or Not to Keep? The Age-Old Question of Information Retention

- Trevor Daughney, director information intelligence group at Symantec Corp., says:

As organizations are constantly trying to steer clear of litigation, their fears of not having the right information saved when a lawsuit arises have lead them to keep more information than is necessary. In fact, while most organizations think they are saving themselves time and money by keeping everything, negative consequences can result from preserving more electronically stored information (ESI) than necessary. According to Symantec’s recent Information Retention and eDiscovery Survey, 54 percent of respondents noted that when they preserved too much ESI, it increased their costs associated with collection, analysis and review in times of litigation. In addition, they experienced a 47 percent increase in time spent to collect, analyze and review ESI.

In the same Symantec survey in 2011, organizations believed that while some data should be deleted, it is often kept indefinitely. In a year, there hasn’t been much of a change – in 2012, 81 percent of survey respondents believe that a proper information retention plan allows organizations to delete information on an ongoing basis. Even though this is the belief, 42 percent of respondents noted that their backups are indefinitely retained by their organization. This is not only going against their information retention beliefs, but it is also creating a vast sprawl of information that will have to be sifted through in times of litigation. This stat didn’t change much from the 2011 survey where 79 percent believed that organizations should delete information regularly, and 40 percent of backups were retained indefinitely by organizations.

Keeping backups indefinitely can also lead to inefficient backups. This year’s survey has shown us that not only are organizations keeping information longer than is needed, they are keeping the data within backups rather than in archives for legal holds, which can lead to costly and time-consuming discovery. Symantec has found that this method continues – 85 percent of organizations routinely perform legal holds in their backups, which are not designed to be accessed in the same way as an archive. Thirty-eight percent of data that organizations back up is not needed or shouldn’t be kept in backup. In fact, respondents say that a third of backup data (34 percent) shouldn’t be kept and is unnecessary due to litigation risk.

Based on the 2012 results, Symantec has found that there has been no improvement in the gap between retention beliefs and practices, resulting in ESI requests failing a third of the time. So what can organizations keep in mind when pulling together a retention policy and sticking to it? Here are some recommendations:

1. Adopt a defensible deletion mindset

2. Err on the side of fewer retention policies

3. Automate privacy, retention and compliance policies

4. Implement a solution that allows you to automatically override expiry policies with legal holds

5. Don’t use backups for long term retention