IT doesn't understand why legacy data must be destroyed

Many IT departments are leaving their companies exposed to unnecessary cost and legal risk by not complying with data retention policies laid down by the business.

Their actions could result in expensive e-discovery procedures to produce data for evidence and risk the company being found liable based on legacy data.

Alex Dunstan-Lee, director forensic technology at KPMG, says, "The biggest problem for in-house legal teams is the lack of awareness of data policies and record management."

He says the culture in IT departments is sometimes at odds with the requirements set by company lawyers. "It is hard to match data policies with day-to-day IT."

A KPMG Forensic and Harris Interactive survey found that 21% of legal departments had never been consulted by their IT departments about changes in storage capabilities within the organisation, and 25% were "rarely or never" consulted about the adoption of new technologies for dealing with electronic evidence for e-discovery.

Dunstan-Lee warns that the business is required to provide all relevant data when it is the subject of litigation. This can be time-consuming and expensive if the company retains information indefinitely. It also exposes the company to the risk that long-forgotten archived data will establish its liability. "If the data is no longer available, then it cannot be produced. If it is still available, then it cannot be destroyed because it is evidence."

To be on the safe side, Dunstan-Lee recommends that businesses specify a data retention policy that stipulates a reasonable limit on how long data is kept.

"The legal department must send out an edict to specify when data must be destroyed." IT staff must not be allowed to store back-ups of this data for emergencies.

Dunstan-Lee says he once advised a client where the IT department was keeping data for 20 years, rather than six, as stipulated by the data retention policy. "From a practical perspective, destroying data is incredibly difficult to do," he warns.

Furthermore, the edict needs to cover all forms of storage, including USB memory sticks, laptop computers and back-up media.
