Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
I recently met with a client that had a 45-day retention policy for ALL data. I've heard of this kind of policy for e-mail, but I don't recall ever hearing of it for all the data in the enterprise. Is this realistic and can you get away with that short of a data retention policy? Not really, and here's why.
May 21, 2008
5 Min Read
I recently met with a client that had a 45-day retention policy for ALL data. I've heard of this kind of policy for e-mail, but I don't recall ever hearing of it for all the data in the enterprise. Is this realistic and can you get away with that short of a data retention policy? Not really, and here's why.What the client really meant by this 45-day retention policy is that it only kept backup copies of data for 45 days. This client had been sued a few times in recent years and this policy was in response to requests for legal discovery information. The problem is, I'm not sure how this actually protects them from anything, and in fact may be more dangerous because it provides a false sense of security. It's not deleting all data (or any data, for that matter) after 45 days, just recycling backup data sets, essentially tapes. All the data, years worth, is still on its servers, desktops, and laptops. As part of a discovery request, you can ask for information off any of these. I've seen cases where laptops have even been confiscated. If you were a data recovery specialist, wouldn't you rather start with the file system data anyway? Isn't that easier to get to that data on tape? Certainly the customer wasn't going to crash a server and lose all the data on a server's hard drive in the event of a lawsuit. If I were asked to find data and all the company sent me were tapes, I would most likely be able to get to all the data. Why? The old data is on the file servers and isn't being deleted from the file servers every 30 days. As a result, this old data is backed up every weekend when full backups are done.
While the company may only keep the tape for 30 days, the fact is that the actual data being backed up each week is well over 30 days old. The only instance where it is protected is if a user deletes something, and then 31 days or more later after the deletion a legal request is made, then the data wouldn't be accessible. Reality is that the users will likely not delete that data as part of normal housekeeping. I know very few users that every 30 days clean up all their files in accordance with corporate guidelines. So, in reality, all the data needed is still on the backup tapes. To make matters worse at this organization, there was no formal policy in place to delete old projects, so the project data stays on the servers indefinitely. The only time project data would be deleted would be in the instance of a RAID failure on a server, but even then it would likely be recovered through the restoration process. There was no policy in place to not recover old data -- everything comes back on a server recovery.
To take this a step further, if a user or system administrator knowingly deletes data that may have bearing on a future legal action, that is obstruction of justice. Note the precedence has changed -- it is not only when you are currently under a legal action, but even if you think the data might be of value in a FUTURE legal action. This isn't a scare tactic on my part, it is legal precedence: "Silvestri v. General Motors Corp., (2001) "spoliation" is destruction or material alteration of evidence or failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation." The e-mail policy was similar; all e-mail was deleted from the primary mail server after 45 days. Ironically, though, users were encouraged to save any mail they wanted to keep beyond this 45-day window to PST files. Those PST files were stored on a specific file server on the network and were backed up as part of the normal backup rotation. The last time they were sued was over an inappropriate e-mail being sent from one employee to another (I'll let you fill in the blanks as to what the e-mail contained). This policy was to prevent that evidence from being available. The problem was that the offended employee sent it to their personal e-mail account and had it for the case. The company looked rather silly and a bit conspicuous by not being able to produce anything relevant to the case. As is typically the case, the retention and litigation focus of this organization was on the wrong end of the problem -- data being stored at rest, not active data. The policy was basically to try to get rid of potentially liable data after the offense.
What can be done? The best solution is training users to understand that someone may eventually see what they put in a document or e-mail that they did not intend to see it. I tell users to write everything (documents or e-mail) as if it was going to be e-mailed to everyone in the organization. Obviously, in the case of employee issues that involve Human Resources, this needs to be done more discretely. Training policies should focus on the active data, not the passive data. Software solutions should be used to log, search, and monitor active documents so that if a legal action occurs, that data can be found quickly and, once found, having an accurate log of who created, modified, and potentially deleted that data can be invaluable. At the end of the day, you have to keep data. We can debate about how long that might be; 3 years, 7 years, forever, but I can assure you it is significantly longer than 45 days or even one year. If you find a piece of data stored on a server that might cause damage to your organization, the last thing you should do is delete it. Someone else has probably seen it, or at least you should assume they have. The best thing you can do is isolate the document or e-mail and be prepared to address it, preferably prior to any legal action.
George Crump is founder of Storage Switzerland, an analyst firm focused on the virtualization and storage marketplaces. It provides strategic consulting and analysis to storage users, suppliers, and integrators. An industry veteran of more than 25 years, Crump has held engineering and sales positions at various IT industry manufacturers and integrators. Prior to Storage Switzerland, he was CTO at one of the nation's largest integrators.
About the Author(s)
President, Storage Switzerland
George Crump is president and founder of Storage Switzerland, an IT analyst firm focused on the storage and virtualization segments. With 25 years of experience designing storage solutions for datacenters across the US, he has seen the birth of such technologies as RAID, NAS, and SAN. Prior to founding Storage Switzerland, he was CTO at one the nation’s largest storage integrators, where he was in charge of technology testing, integration, and product selection. George is responsible for the storage blog on InformationWeek's website and is a regular contributor to publications such as Byte and Switch, SearchStorage, eWeek, SearchServerVirtualizaiton, and SearchDataBackup.
You May Also Like
A screen displaying many different types of charts and graphs to show what data is being analyzed.Cybersecurity Analytics
Use the 2023 MITRE ATT&CK Evaluation Results for Turla to Inform EDR Buying Decisions
Strengthen Microsoft Defender with MDR
Building Cyber Resiliency: Key Strategies for Proactive Security Operations
Buyer's Guide: Choosing a True DevSecOps Solution for Your Apps on AWS
Understanding AI Models to Future-Proof Your AppSec Program