Time to review your data retention requirements

Ever since the days of the Pharaohs, ostrich feathers have been prized for their decorative qualities.  When the ostriches caught on to what was going on, they adopted a strategy of hiding from their enemies by sticking their heads in the sand.  Egyptian royalty continued to get their feathers, and we got the term “bird brain.”

I get a lot of interesting e-mail from my readers. The other day one of my correspondents (Gary, a CTO in the Twin Cities area) pointed me to a frightening article on a Web site I don’t usually look at.  It’s worth sharing.

It is not the kind of Web site IT folks tend to go to, but many of the people who rely on our services probably do.  It belongs to a group named AccountingWeb (http://www.accountingweb.com).  As few of us got into IT because we wanted to become accountants, I assume you probably don’t hang out at this sort of place any more frequently than I do. I’ll summarize an article appearing there titled “IT Departments Failing to Take E-mail Archiving Seriously.”

The key points are:

* More than half the sites using Exchange do not archive e-mail, and 28% don’t plan to archive.

* 19% of companies that do archive their e-mail use a system with indexing, search and retrieval features.

* 77% of the surveyed companies feel backing up e-mail to tape is equivalent to archiving.

* About half of those who view backing up to tape as archiving keep the tapes for only 90 days.

Thus, within the survey sample at least 9% of the companies (those that use indexed archives) have any chance of being in conformance with the growing set of regulations that exist regarding the retention, protection and accessibility of data.

Why the disparity between what these companies do and what most of us know is necessary?  Glad I asked.

The sort of IT approach these statistics reveal is at best cavalier, and at worst – in these days of industry regulation, government mandate and widespread litigation – may be criminal.  It is pretty clear that the companies that take this route either are unaware of their exposure, or simply don’t care.

There is always plenty of blame to go around when something goes wrong. Corporate CEOs who get caught often have to face stiff penalties such as giving up one of their summer homes or losing part of their art collection in order to pay for their malfeasances. What happens to the IT director who hasn’t covered his CEO’s data assets?  Probably something more mundane.  You guess what that might be. 

Not knowing the laws is never an excuse, and neglect, at least in such cases as this, is rarely viewed by the legal system as having been benign. 

If you are not sure what your data retention requirements may be as far as the government is concerned, this is probably a good time to start gathering information.  Remember that for many businesses the requirements provide rules of the road for ensuring that both the data is protected from those who shouldn’t have access to it, and is immediately accessible to those who should.  Remember that this may include many years’ worth of e-mail.  Also remember that while enraged CEOs have rarely been known to collect ostrich feathers, there is many an IT director’s scalp on a boardroom wall.

Next week I’ll be meeting with the senior folks at Sun.  I’ll share some of their thinking on storage with you in an upcoming column.