Every company in every industry has to retain content
From companies publicly traded in the United States to private small businesses, everyone needs to retain certain content on a long-term basis. This content can range from important emails to contracts to x-rays. It might be structured, unstructured, or semi-structured. And you might need to keep it forever or for seven years.
Of course, the regulations that apply to your company will determine which specific documents you need to retain and for how long. If you’re starting from the ground up, finding out which regulations apply to you and what they mean can be overwhelming. And even at a well-established company, new employees may feel like they’ll never understand their company’s retention policies.
Compliance can make content retention messy
Let’s familiarize ourselves with the most common laws and regulations by their industries.
- Publicly traded companies → Sarbanes-Oxley Act (SOX)
- Healthcare companies → Health Insurance Portability and Accountability Act (HIPAA)
- Educational institutions → Family Educational Rights and Privacy Act (FERPA)
- Federal agencies → Federal Information Security Management Act of 2002 (FISMA)
- Financial institutions → Gramm-Leach-Bliley Act (GLBA)
- Financial institutions → Bank Secrecy Act / Anti-Money Laundering Law (BSA / AML)
- Credit card-handling companies → Payment Card Industry Data Security Standard (PCI-DSS)
This quick list should give you an idea of why retention can get so confusing. From this list, we can see that a publicly traded health insurance carrier that handles credit cards will at minimum need to be familiar with HIPAA, SOX, and PCI-DSS.
There’s a lot of data to sort through to get compliant
It’s no secret that technology has enabled exponential data creation. Online and offline, the world’s data almost doubled between 2011 and 2013. Plus, 90 percent of the data created from the beginning of the world to today was created in the last 2 years.
Sorting through your company’s share of that data and figuring out which data you need to keep can be overwhelming. And then you have to figure out where to store the content you keep. Storing it all in primary storage will probably make it hard to find when you actually need it 3 years from now. Doing so is also expensive and unnecessarily slows down access to your primary storage.
You can retain data in any storage tier
IT staff, company CPAs, and Records Managers are likely responsible for developing your company’s record retention policies (the “what” of retention). Still, your company will also need to decide on the “where” of retention. Regulations like HIPAA that dictate what content you need to keep don’t specify where you need to keep it. As long as it’s secure and recoverable, it shouldn’t matter whether you retain content in primary or third-tier storage.
The choice is up to you, then.
Small companies may be able to keep all content in primary storage and in their original applications—at first. But your primary storage can only get so big before it gets weighed down by inactive data—and you’ll eventually replace outdated legacy applications with shiny, new ones.
Archiving software can ease retention and retrieval
Instead of trying to rely on your backup software to retain your documents, invest in archiving software. After all, backups are inherently different from archives. Forcing your backup solution to also be your archiving solution will only result in frustration and confusion when you perform e-discovery.
When you’re searching for long-term archiving software, there are several things you should keep in mind.
- Storage medium: Not all archiving applications are compatible with all storage platforms. So, you may want to decide where you’re storing archives—for example, network-attached storage (NAS), direct-attached storage (DAS), or the cloud—before you decide on how you’ll store them.
- Searchability: One of the biggest differences between backups and archives is their searchability. This doesn’t mean that every archiving application has the same search capabilities. Determine what kinds of markers you’ll need to find documents. Then, find an application that claims to have these search functions and ask for a demo to see if it actually measures up.
- Retain, hold, and destroy lifecycles: To make it easier to maintain compliance, select an archiving application that understands the regulations your company is subject to. This is especially important if you’re under multiple regulations. For example, remember the health insurance carrier from earlier—they’d need an application that could juggle three different lifecycles (HIPAA, SOX, and PCI-DSS). Once an application knows the right regulations, you can trust that it will retain, hold, and destroy the correct content at the correct time.
How you can increase the success of your retention policy now
One of the biggest ways to ensure the success of your retention policy is to make sure you’re using the right archiving software. So, check that your current archiving software measures up with these simple steps:
- Test the search features. Try a request similar to what you might have to do for e-discovery. For example, ask for all content of any kind, created between 11/1/2009 and 11/1/2014, that contains the phrase “project thunder”.
- Test the recoverability. Try to recover one of the documents brought up in your search. If it’s corrupt, unreadable, or takes an unreasonable amount of time to retrieve, you may want to try a different archiving application.
- Test the destruction. Search for a document that should already be destroyed to make sure your archiving software has the correct instructions for destruction. For example, if your company is under SOX, a purchase order from 7 years ago should not exist anymore. Under SOX, you should only retain purchase orders for 5 years.