I believe new law and legal findings make IT responsible. The eDiscovery
legislation of, I believe, 2008 actually makes it the responsibility of
the CIO to establish a policy for the retention of eMail and what to do
if a legal hold is decreed. IT needs to consult with legal when
establishing the policy, of course.
The law recognizes that IT doesn't have the legal knowledge to do
everything and thereby recognizes a "best effort" as adequate in terms
of sanctions against IT staff. Yet, the company is going to rely
mightily on the opinions and actions of the CIO and sanctions against
the company as a result of an inadequate "best effort" are going to
reflect on the competency of the IT staff.
The eDiscovery statutes, in my opinion, recognize that IT is the de
facto custodian of company records particularly with regard to eMail. I
think we'll find over years that this custodianship will be extended by
the courts to all records of the company.
IT needs to take charge and manage the retention policies as well as the
retention of company records.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 10:58 AM
To: Midrange Systems Technical Discussion
Subject: Re: Data Retention Policy
I don't think we're really in disagreement. IT manages the records, yes.
That's the implementation of the policy that I mentioned. In, as you
noted, compliance with regs and the company's needs (as defined by the
policy that was created by the company with guidance from Legal).
Maybe I should have added that IT can and should act as a trusted
adviser to the business, but IT really cannot be expected to know
the legal and corporate value of the data it manages. Advice should be
to the extent of how the data management can be technologically achieved
in a manner that suits the company's needs and budget limits.
As with all other employees, IT staff needs to use due care when
managing data, and certainly if anything blatantly illegal is asked of
an employee then the employee has a responsibility to notify the
appropriate people - internal or otherwise. To that end the employee
should be provided with a reasonable understanding of the nature of the
data they are managing; i.e. data classification is needed before you
can determine retention.
On Tue, Jul 20, 2010 at 10:05 AM, Dan Kimmel
<dkimmel@xxxxxxxxxxxxxxx>wrote:
I disagree with your assessment that records retention policy is not
the responsibility of IT. More and more it is the CIO's job to manage
company records in compliance with government regulations and company
legal and audit needs. Check this article from Forbes:
http://www.forbes.com/2010/07/17/security-documents-symantec-technology-cio-network-legal.html?boxes=Homepagechannels
Other departments may be responsible for defining the retention policy
but it is the IT office's job to "get'er done". I think IT should
participate in the definition of the retention policy.
Gross negligence or disregard of retention requirements is likely to
land the CIO in jail if records, particularly eDiscovery documents,
can't be produced. Failure to comply with the spirit of a legal hold
order will result in expensive sanctions against the company that will
reflect on the CIO's performance.
Look for retention policy information at www.aiim.org. AIIM has done
lots of work in accumulating information. Most of the information is
available without creating an account. If you choose to create an
account, AIIM is very respectful of your eMail volume.
Dan Kimmel
--
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 7:41 AM
To: Midrange Systems Technical Discussion; RMunday@xxxxxxxxxxxxx
Subject: Re: Data Retention Policy
(Replying to you & the list)
I can't stress enough that it is not IT's job to determine data
classification & retention. IT is the custodian of business data, not
the owner. These are matters for Legal and the business leaders to
determine.
IT's job is merely to implement. If you think the company's guidance
is inadequate, respond once in writing/retained electronic
communication to air your opinion. If you're shot down, you've at
least established that you opposed the decision should the retention
be an issue in the future.
Data retention is only part of the story. The other part is data
ownership & classification. Classify the data and the owner can
determine the appropriate retention.
Corporate financial data, for instance, probably does need to be 7
years for tax & maybe SEC purposes. However, that doesn't mean all
backups; probably just the year-end would suffice. Your CFO or their
delegate should determine the retention (with input from Legal).
HR-type data may have a different retention.
Legal contract data may have something else, like contract length + x
years.
Email & other electronic communications (don't forget to keep
corporate IM conversations) may have an entirely different requirement.
Where the company resides may impact things as well as some states
will mandate longer retentions than other states. This will most
likely apply to HR-type data.
PCI, HIPAA, FDA, and other private/governmental contracts/legislation
may have applicable guidelines. You may have clients that
contractually require you to retain data for x years. I doubt Stein
Mart does but my employer deals with client financial data so we do.
Don't forget that "financial data" may include not only database files
but QHST and other log files from the system hosting the database. In
general you get a buy on log files - 90 days to 6 months is adequate -
but some businesses may want more. Legal should provide guidance as
log files would only be needed for forensic/dispute resolution
purposes.
There's some good info out there, like this from SANS:
http://www.sans.org/reading_room/whitepapers/backup/electronic-data-retention-policy_514 (PDF)
It's the top hit when Googling for "data retention policies".
If you have access to the company CISO/CSO, you might consult with
them. They'd be in a better position to provide related guidance.
BTW, since this is under review now, it wouldn't hurt to ask how
backups should be stored. Is encryption required? What requirements
must the off-site facility meet? And so on.
Best of luck,
On Tue, Jul 20, 2010 at 6:55 AM, Robert Munday
<rwmunday@xxxxxxxxxxxxx>wrote:
Greetings from sunny Florida.
I am charged with codifying our company's data retention policy. The
official company policy document lists most of our data media as having a
seven year retention. This also mirrors what the IRS requires from what I
have been able to research. Upper management does not agree with seven
years and thinks it's a lower figure.
What is your company's data retention policy? Other than IRS.gov, where
can I find a definitive answer to the time interval required?
Please reply to my work address at RMunday@xxxxxxxxxxxxx as I do not
have access to my online e-mail at work.
Thanks,
Robert Munday
Munday Software Consultants
Montgomery, AL
on assignment in Jacksonville, FL
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
JJ
4 Out of 3 people have trouble with fractions.
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
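The thread's recurring points (classification has to come before retention, the data owner sets the period per class, log files such as QHST get a shorter window, and a legal hold overrides any scheduled disposal) can be turned into a mechanical check that IT runs before anything is purged. The code below is an added example written for this page; it is not code from the thread or from any of its posters. The retention schedule, the record and hold types, and all sample records are constructed assumptions: the 7-year financial and 180-day log figures echo numbers mentioned in the discussion, the HR and contract periods are placeholders that Legal and the owners would actually set.

```python
"""Retention disposition check: classification drives the retention
period, a legal hold blocks disposal regardless of expiry, and records
nobody has classified are never purged automatically.

Added example for this page. The schedule below is a constructed
assumption, not the thread's policy or legal guidance."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: Optional[str]            # None = owner has not classified it yet
    created: date
    contract_end: Optional[date] = None  # only meaningful for "contract"


@dataclass(frozen=True)
class LegalHold:
    """A hold on one class of records created within a date range."""
    data_class: str
    start: date
    end: date

    def covers(self, rec: Record) -> bool:
        return rec.data_class == self.data_class and self.start <= rec.created <= self.end


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb landing on a non-leap year
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record) -> Optional[date]:
    """Date after which the record may be disposed of, or None if it
    cannot be determined (unclassified, or missing inputs)."""
    if rec.data_class == "financial":
        return add_years(rec.created, 7)            # figure cited in the thread
    if rec.data_class == "hr":
        return add_years(rec.created, 3)            # assumed placeholder
    if rec.data_class == "contract":
        if rec.contract_end is None:
            return None                             # "contract length + x" needs the end date
        return add_years(rec.contract_end, 6)       # assumed x = 6
    if rec.data_class == "system_log":              # e.g. QHST, job logs
        return rec.created + timedelta(days=180)    # upper end of the 90 day - 6 month range
    return None


def decide(rec: Record, holds: Iterable[LegalHold], today: date) -> str:
    """Returns one of: hold, needs_classification, retain, dispose."""
    if any(h.covers(rec) for h in holds):
        return "hold"                               # hold wins even if the period has expired
    end = retention_end(rec)
    if end is None:
        return "needs_classification"               # never purge what nobody has classified
    return "dispose" if today > end else "retain"


def disposition_report(records: List[Record], holds: List[LegalHold], today: date) -> Dict[str, str]:
    return {r.record_id: decide(r, holds, today) for r in records}


# Constructed sample data (not real records).
SAMPLE_RECORDS = [
    Record("gl-2002", "financial", date(2002, 12, 31)),
    Record("gl-2003", "financial", date(2003, 6, 30)),
    Record("gl-2004", "financial", date(2004, 12, 31)),
    Record("qhst-2010-01", "system_log", date(2010, 1, 1)),
    Record("qhst-2010-04", "system_log", date(2010, 4, 1)),
    Record("contract-17", "contract", date(1998, 1, 15), contract_end=date(2003, 12, 31)),
    Record("share-misc-01", None, date(2001, 3, 3)),
]
SAMPLE_HOLDS = [LegalHold("financial", date(2003, 1, 1), date(2003, 12, 31))]

if __name__ == "__main__":
    for rid, decision in disposition_report(SAMPLE_RECORDS, SAMPLE_HOLDS, date(2010, 7, 20)).items():
        print(f"{rid:15} {decision}")
```

The order of the checks is the point: a hold is evaluated before expiry, so a record whose period ran out last month is still kept while the hold is open, and an unclassified record falls through to `needs_classification` rather than being treated as disposable by default.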