There is little doubt about the value of information to businesses of all sizes. In fact, some of our recent research found that worldwide spending on business information is $1.1 Trillion – enough money to buy an iPad for every worker in the world. Information is the life blood of any organization, and often its biggest asset. While electronically stored information (ESI) is most often an asset, it can also be a liability depending on how much it costs to store, if it is retained indefinitely, and especially if information that is no longer needed is inadvertently distributed outside of the organization.
It is necessary for companies to have an information retention plan to manage this ever-growing volume of electronically stored information, and implementing that plan to reduce risk, save on resources and protect against compromised legal positions. The 2012 Information Retention and eDiscovery Survey found that despite realizing the importance of governing information, many companies fall short in creating, implementing and following information retention plans.
Number of companies with no retention policy cut in half
The survey found that the percentage of organizations that don’t have a formal information retention plan in 2012 improved by 50 percent from 2011. Fourteen percent reported they didn’t have an information retention plan in 2011 – this was dropped by half to 7 percent in 2012.
In addition to that year over year improvement, the survey highlights that nearly two-thirds (60 percent) of organizations say they have a formal retention plan and only one-third (34 percent) of organizations report their plan is fully operational. And, 35 percent of organizations who don’t have a plan in place report that they don’t see a need for having a plan.
Having a process and plan in place to manage information properly is fundamentally important to keeping costs and resources in check and protecting against risk.
A lack of a plan often leads to failure.
ESI requests fail a third of the time
The study also demonstrated that organizations are largely unprepared to deal with requests for electronically stored information for legal, compliance or regulatory reasons. Organizations report that requests to produce electronically stored information required failed 31 percent of the time. Each time a failure occurs, the organization is at risk. Respondents said that the inability to make decisions in a timely fashion, damage to reputation, compromised legal position, fines, court sanctions and raised profile as a litigation target are some of the consequences of these failures.
Failures have consequences.
A gap exists between retention beliefs and practices
Although organizations believe some data should be deleted, it is often kept indefinitely. Eighty-one percent said that a proper information retention plan allows organizations to delete information on an ongoing basis. However, 42 percent of backups are indefinitely retained by organizations.
When data is kept indefinitely, it not only adds to storage costs, but causes confusion about how the organization’s information retention plan should be followed. The study found information that is deleted by organizations is often deleted without considering established retention policies.
Not following plans and processes leads to improper deletion or infinite retention.
Consequences of infinite retention
The survey also identified some of the negative consequences resulting from preserving more electronically stored information than necessary. These include:
- Increased costs associated with collection, analysis and review (54 percent)
- Increased time spent to collect, analyze and review ESI (47 percent)
- Increased risk that sensitive information may be disclosed (44 percent)
- Compromised position in potential or actual litigation (27 percent)
- Unintentionally made information available for potential future litigation (28 percent)
These consequences are avoidable.
Update your plans to avoid infinite retention
As the title of this blog post suggests, if you fail to implement or follow an information retention plan, then you might as well plan to fail. However, by incorporating the following recommendations into your information retention planning, you can alleviate many of the consequences of infinite retention:
- Adopt a defensible deletion mindset: When organizations can adopt a defensible deletion mindset they can delete information with confidence according to their information retention policies.
- Err on the side of fewer, rather than many, retention policies: This improves the odds of successful information governance. Start with deleting obvious unnecessary files, then set minimum retention periods for compliance. Additional policies can be added later, if necessary.
- Automate privacy, retention and compliance policies to reduce risk: Allowing your policies to automatically work as they are designed not only reduces the risk of inconsistencies in policy implementation, but reduces the risk of unintentional access or distribution of information.
- Implement a solution in which legal holds can override expiry policies: Consider a unified eDiscovery solution where legal holds can be easily implemented to override expiry policies to avoid spoliation and sanctions.
- Don't use backups for long term retention: Backups are for recovery, archiving is for discovery. Deploy an archiving solution to quickly and easily respond to search requests for electronically stored information.
Read the full 2012 Information Retention and eDiscovery Survey Results at: http://bit.ly/VD5ixC.