Information retention: survey reveals failures in policy implementation
Symantec Corp has announced the findings of its 2012 Information Retention and eDiscovery Survey, which examined how enterprises manage their ever-growing volumes of electronically stored information (ESI) and prepare for the eventuality of an eDiscovery request. The study found the percentage of organizations without a formal information retention plan dropped by half from the 2011 survey. However, even with this improvement, organizations struggle with implementing their information retention plans, as only a third of organizations report their plan is fully operational.
Non-implemented plans risky to organizations
Nearly two-thirds (60%) of organizations say they have a formal retention plan yet only 34% report those plans are fully operational. The perceived cost of implementing their plans is reported to be the most common reason why organizations are lagging in plan implementation. The survey found that only 7% of organizations don’t have any plans in place, a 50% drop from 14% of organizations reported in the 2011 survey.
Even more concerning is that while they received on average 17 requests for electronically stored information, these requests failed 31% of the time. This is significantly higher than the 20% of failures reported in 2011. Each time a failure occurs, the organization is at risk. 43% reported the inability to make decisions in a timely fashion as the biggest consequence of these failures. Other consequences reported include damage to reputation, compromised legal position, fines, raised profile as a litigation target and court sanctions.
“The survey highlights that, although there is a reduction in the number of organizations without an information retention plan, organizations haven’t fully funded and implemented their plans,” said Trevor Daughney, Director, Information Intelligence Group, Symantec. “With the number of ESI requests and failures to obtain requested information increasing, organizations face risks that are much more costly in the long run than implementing their plans.”
No improvement in gap between retention beliefs & practices
There is still a substantial gap between beliefs and practices in retention policies, which has not significantly changed year over year. 81% of respondents believe that a proper information retention plan allows organizations to delete information on an ongoing basis. However, 42% of backups are indefinitely retained by organizations. This is virtually unchanged from the 2011 results. In addition, information that is deleted by organizations is often deleted without considering established retention policies.
The most reported negative consequences resulting from preserving more electronically stored information than necessary include: Increased costs associated with collection, analysis and review (54%); increased time spent to collect, analyze and review ESI (47%); increased risk that sensitive information may be disclosed (44%); compromised position in potential or actual litigation (27%); and information unintentionally made available for potential future litigation (28%).
The survey also reports that organizations are keeping information longer than is needed, and keeping the data within backups rather than archives for legal holds, which reduces efficiencies when performing an ESI request. The survey reveals that 38% of data that organizations back up is not needed or shouldn’t be kept in backup. In fact, respondents say that a third of backup data (34%) shouldn’t be kept and is unnecessary due to litigation risk.
More than half of organizations keep that data indefinitely: 56% of organizations reported that their backup storage is used for infinite retention that is dedicated to legal hold. This has grown from 43% in 2011 and continues to get worse. Further, 85% of organizations routinely perform legal holds in their backups, which are not designed to be accessed in the same way as an archive.
Majority of organizations impacted by data privacy laws & regulations
As expected, data privacy laws and regulations have a significant impact on organizations, with 53 percent reporting that laws and/or regulations impact archiving and eDiscovery initiatives. However, there are many reasons respondents report collecting electronically stored information, including: Litigation (60%); internal investigations (59%); internal compliance initiatives (58%); compliance with international regulations and laws (57%); compliance with local regulations and laws (55%); governmental inquiries or investigations (52%); and public information requests (46%).
Following are recommendations that organizations can implement to help them more effectively implement their information retention plan:
• Adopt a defensible deletion mindset: When organizations adopt a defensible deletion mindset, they can delete information with confidence according to their information retention policies.
• Err on the side of fewer, rather than many, retention policies: This improves the odds of successful information governance. Start with deleting obvious unnecessary files, then set minimum retention periods for compliance. Additional policies can be added later, if necessary.
• Automate privacy, retention and compliance policies to reduce risk: Allowing your policies to automatically work as they are designed not only reduces the risk of inconsistencies in policy implementation, but also reduces the risk of unintentional access or distribution of information.
• Implement a solution in which legal holds can override expiry policies: Consider a unified eDiscovery solution where legal holds can be easily implemented to override expiry policies to avoid spoliation and sanctions.
• Don’t use backups for long term retention: Backups are for recovery, archiving is for discovery. Deploy an archiving solution to quickly and easily respond to search requests for electronically stored information.
Here’s a link to the full (7.2Mb) report Symantec 2012 Information Retention Report
Here’s a link to a slide-show on the survey results: www.slideshare.net/symantec/2012-information-retention-and-ediscovery-survey-global-results
Here’s a link to a Symantec blog posting on the survey: www.symantec.com/connect/blogs/symantec-2012-information-retention-survey?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jan_worldwide_inforetentionsurvey