ISSA Data Retention Policy Development

Uploaded by: bill-lisse

Posted on 05-Dec-2014

DESCRIPTION

Presentation to the Dayton Chapter of the Information System Security Association

TRANSCRIPT

Page 1: ISSA Data Retention Policy Development

Developing a Data Retention Policy

“Yep, son, we have met the enemy and he is us.”

- Pogo, 1971

Presented by:

Bill Lisse, CISSP, CISA, CGEIT, CHFI, GPCI, GHSC, CSSA

Technology & Risk Services Manager

Page 2: ISSA Data Retention Policy Development

Required Disclaimers

• Legal – The presenter is not an attorney and the views expressed in this presentation are based on generally accepted practices; this presentation should not be construed as legal advice.

• Circular 230 - Under IRS Circular 230, we are required to advise you that, unless otherwise expressly indicated, any tax advice contained in this communication, including attachments, is not intended or written to be used and cannot be used, for the purpose of (1) avoiding penalties that may be imposed under Internal Revenue Code, or (2) promoting, marketing or recommending to another party any tax related matters addressed herein.

Page 3: ISSA Data Retention Policy Development

On December 1, 2006, amendments to the Federal Rules of Civil Procedure (FRCP) were approved in an effort to modernize and clarify discovery rules as they relate to electronically stored information (ESI).

Why should business leaders care?

• Criminal penalties

• Civil penalties

• Compliance fines

Securing, gathering, searching, and distributing electronic data for evidence in a civil or criminal case is known as electronic discovery, or eDiscovery.

Page 4: ISSA Data Retention Policy Development

Compliance Example

• While the focus of the Sarbanes-Oxley Act was on public companies, §802 addresses the retention and destruction of records.

• Private companies are also expected to comply with SOX §802 when there is a “government interest” and can face fines plus up to twenty years imprisonment for knowing destruction, alteration or falsification of records with the intent to impede or influence a federal investigation.

Page 5: ISSA Data Retention Policy Development

Purpose of Retention/Destruction

Retention

• Legal compliance

• Litigation preparedness

• Company’s reputation

• Business needs

Destruction

• Reduce operational cost

• Asset protection

• Privacy

Page 6: ISSA Data Retention Policy Development

Preparation is Critical

- Step #1: Digital Data Mapping

- Step #2: Risk Assessment

- Step #3: Implement Digital Data Management Policies and System Control Procedures

- Step #4: Litigation Hold Procedures

- Step #5: Compliance Monitoring

Page 7: ISSA Data Retention Policy Development

Digital Data Mapping

• Where is ESI stored and processed?

• Data Flow Diagram (DFD)

• Entity Relationship Diagrams (ERD)

• Upper-CASE tools (Visio, Visible Analyst, etc.)

• ICOR Definition (IDEF0) – Inputs, Constraints, Outputs, Resources

• Process Maps

• Flow Charts

Page 8: ISSA Data Retention Policy Development

[Diagram: example digital data map. Business sources: HR, Production, Accounting, Sales. Data stores: Network Attached Storage, Storage Area Network, Near Line Storage, Data Warehouse, Operational Application and Web Storage, Content Management, Backup. Services: Operational Application and Web Services, Analytics and Reporting Services.]

Identify and document the method, location, and native file format of information created within the organization.

Page 9: ISSA Data Retention Policy Development

Risk Assessment

• Forming the Team

• Types of Data

• Retention Periods

• Cost of Retention

Page 10: ISSA Data Retention Policy Development

Interdisciplinary Team Approach

• The Team provides an enterprise understanding of data retention through:

• Comprehensive understanding of corporate policy and procedures related to regulatory compliance.

• Elimination of fragmented responses to inquiries and discovery requests.

• Optimized response to litigation discovery.

It’s not just about information systems

Page 11: ISSA Data Retention Policy Development

Retention Rules

• SEC Rule 17a-4 – Electronic Storage of Broker-Dealer Records

• Gramm-Leach-Bliley Act (GLBA) – Financial Services Modernization Act – 1999

• Sarbanes-Oxley Act of 2002

• FDA 21 CFR Part 11

• DOD 5015.2 – Department of Defense

• Health Insurance Portability and Accountability Act (HIPAA)

• Fair Labor Standards Act

• Occupational Safety and Health Administration (OSHA) Act

• Internal Revenue Service (IRS) Reform Act

• Food and Drug Administration

• Health and Human Services

20,000+ statutes and regulations require retention

Page 12: ISSA Data Retention Policy Development

Retention Periods

• Don't assume that the retention requirement for all business-related information is the commonly quoted "7 years."

• There are a lot of variables depending on the industry, type of organization and type of information.

Retention Periods vary based on the specific statute or regulation

Page 13: ISSA Data Retention Policy Development

Cost of Retention

• Cost/benefit analysis

• Costs of making data accessible for discovery

• The organization is not obligated to retain all information created or received, unless a business or legal obligation exists for the organization to maintain that information.

• Retaining information beyond these reasons could pose liability for the organization.

Page 14: ISSA Data Retention Policy Development

Implement Digital Data Management Policies and System Control Procedures

• Establishing the Data and Information Retention Policy

• Preservation and Retention

• Retention Policy

• Preservation and Retention Duty

• Compliance

• Litigation

• Creating Your Policy – This is not an IT Problem

• Document Destruction

• Retention Policy and the Litigation Hold

• Information Security

Page 15: ISSA Data Retention Policy Development

Implement Digital Data Management Policies and System Control Procedures

• Specifically delineate the organization’s electronic records maintenance, storage, and destruction schedules.

• Determine how the organization would define “good faith operation” of its information systems, if required.

• FRCP Rules 37 and 37(f) provide for sanctions and safe harbors, while FRCP 26 contains provisions to balance the proportionality of e-discovery requests for information.

Page 16: ISSA Data Retention Policy Development

• E-mail and instant messaging are business records -- a common oversight, especially in smaller organizations that still have to comply.

• Consider MS Outlook .pst files

• Don't assume that limiting share space, size of user mailboxes, etc. will enforce retention or avoid any problems that may crop up related to it. Users will almost always adapt and find ways around your controls.

Implement Digital Data Management Policies and System Control Procedures

Page 17: ISSA Data Retention Policy Development

• Don't make the mistake of leaving current retention procedures in place (for example, failing to suspend tape or disk backup rotations) in the event of a pending investigation, audit or other litigation.

• This can lead to unwanted charges of destruction of evidence.

• Don't take a "delete everything" stance -- it's too risky and it's hard to prove you're not trying to cover something up.

Implement Digital Data Management Policies and System Control Procedures

Page 18: ISSA Data Retention Policy Development

• Don't take a "save everything" stance -- it can open up your organization to discovery risks and massive costs for storing and administering data.

• Don't assume access to archived data means you will be able to restore it within a reasonable amount of time.

• Don’t use boiler plate templates; tailor for the organization’s needs

• Involve lawyers to review, not create your policy

Implement Digital Data Management Policies and System Control Procedures

Page 19: ISSA Data Retention Policy Development

Recommended sections of the data retention policy should include:

1. Purpose of the policy

2. Who is affected by the policy

3. What type of data and electronic systems are covered

4. Identify roles and responsibilities (by position name)

5. Describe the requirements in detail – legal, compliance and business

• Outline the procedures for ensuring data is properly retained

• Outline the procedures for data disposal/destruction

• Clearly document the legal hold procedures and how to respond to discovery requests

• Build a matrix correlating data type and corresponding retention period

• Identify audit requirements and policy enforcement

• Appendices – references and glossary

Implement Digital Data Management Policies and System Control Procedures

Page 20: ISSA Data Retention Policy Development

Litigation Hold Procedures

• Identify all individuals responsible for receipt and processing of subpoenas (e.g., risk management departments).

• Document the organization’s current process to identify and communicate threatened or pending litigation.

• Document how information is preserved during pending litigation.

Page 21: ISSA Data Retention Policy Development

Litigation Hold Procedures (continued)

Considerations:

• Who is responsible for establishing a legal hold

• How data and systems will be secured and for how long

• Who must be notified

• The cost and burden to preserve the data

• Under what circumstances the legal hold will be lifted

• How the organization expects to respond to the e-discovery request (through an external e-discovery litigation software vendor or through internal IT systems)

• Determining how large amounts of electronic data will be accessed, manipulated, and produced in response to an e-discovery request.

Page 22: ISSA Data Retention Policy Development

Compliance Monitoring

• Establish internal audits or controls to measure compliance with the organization’s storage, retention, and destruction policies.

• A records management storage, retention, and destruction policy that is not followed is not only useless, it is a potential liability.

• Don't assume that just because your retention policy says that everything is destroyed after a certain period of time that it actually is – Verify!

Page 23: ISSA Data Retention Policy Development

[Diagram: retention engine. Retention Rules drive a Rules Engine with Audit and Reporting. Retention sources (Email, Messaging, Relational Data, Content Management, Paper Copy, Archive Tapes, Other) feed Data Disposal (Content Management Disposal Process, Paper Disposal Process, Messaging), and a Retention Audit produces Reporting.]
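The retention engine sketched above, the data-type/retention-period matrix from the recommended policy sections, the legal hold override from the litigation hold procedures, and the "Verify!" step from compliance monitoring can be tied together in a small rules engine. The following is an added illustration, not code from the presentation or from any product; the data types, retention periods, record inventory and the evaluation date are constructed for the example, and the `audit_disposal` check stands in for whatever storage scan an organization would actually run after its disposal job.

```python
"""Toy retention rules engine, added as an illustration (not from the deck):
applies a data-type/retention-period matrix, lets a litigation hold override
disposal, escalates records with no rule, and audits whether disposal happened."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention matrix (data type -> retention period in days). The
# periods are constructed for the example; real values come from the statute
# or regulation that applies to each data type, not from a "7 years" default.
RETENTION_MATRIX = {
    "email": 3 * 365,
    "payroll": 7 * 365,
    "customer_pii": 2 * 365,
}

# Fixed evaluation date so the example is deterministic (the deck's post date).
AS_OF = date(2014, 12, 5)


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    created: date
    custodian: str            # role or business unit named in the policy
    legal_hold: bool = False  # set by the litigation hold procedure


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str  # "retain", "dispose", "hold" or "escalate"
    reason: str


def evaluate(record: Record, today: date) -> Decision:
    """Decide what the retention engine should do with one record."""
    if record.data_type not in RETENTION_MATRIX:
        # No rule means no decision: a policy gap is escalated rather than
        # silently kept or deleted (neither "save everything" nor "delete everything").
        return Decision(record.record_id, "escalate",
                        f"no retention rule for data type {record.data_type!r}")
    if record.legal_hold:
        # A legal hold suspends the schedule regardless of the record's age.
        return Decision(record.record_id, "hold", "legal hold suspends disposal")
    expires = record.created + timedelta(days=RETENTION_MATRIX[record.data_type])
    if today >= expires:
        return Decision(record.record_id, "dispose",
                        f"retention period ended {expires.isoformat()}")
    return Decision(record.record_id, "retain", f"retain until {expires.isoformat()}")


def run_engine(records, today: date) -> dict:
    """Map each record id to its decision (the 'Rules Engine' box)."""
    return {r.record_id: evaluate(r, today) for r in records}


def audit_disposal(decisions: dict, still_present: set) -> list:
    """Compliance monitoring: ids the engine marked 'dispose' that a later
    storage scan still observed. A non-empty list means the policy says
    'destroyed' but the systems say otherwise."""
    return sorted(rid for rid, d in decisions.items()
                  if d.action == "dispose" and rid in still_present)


# Constructed sample inventory (hypothetical records, not real data).
SAMPLE_RECORDS = [
    Record("r1", "email", date(2010, 1, 1), "Sales"),
    Record("r2", "payroll", date(2010, 1, 1), "HR"),
    Record("r3", "email", date(2009, 6, 1), "Accounting", legal_hold=True),
    Record("r4", "chat_log", date(2013, 3, 1), "Production"),
    Record("r5", "customer_pii", date(2014, 1, 1), "Sales"),
]


def sample_actions() -> dict:
    """Actions for the sample inventory, keyed by record id."""
    return {rid: d.action for rid, d in run_engine(SAMPLE_RECORDS, AS_OF).items()}


if __name__ == "__main__":
    decisions = run_engine(SAMPLE_RECORDS, AS_OF)
    for rid, d in decisions.items():
        print(f"{rid}: {d.action:8} {d.reason}")
    # Pretend the post-disposal storage scan still shows r1 and r2 (constructed).
    print("disposal audit exceptions:", audit_disposal(decisions, {"r1", "r2"}))
```

Two design points carry over to a real implementation: a record whose data type has no entry in the matrix is escalated rather than defaulted, because a silent default is exactly the "save everything" or "delete everything" stance the deck warns against; and the audit compares the engine's decisions against an independent observation of storage, since the policy saying a record was destroyed is not evidence that it was.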

Page 24: ISSA Data Retention Policy Development

Data Retention - Key Points

1. Rule 26(a) says that companies must be prepared to disclose all relevant electronic data under their control, including email, instant messages, sound recordings, proprietary databases, etc.

2. Rule 26(f) says companies must know where and how all ESI is stored in their systems, and the potential recovery costs, timeframes, and alternatives.

3. Rule 37(f) provides "safe harbor" for those companies who are unable to provide discoverable ESI based on "good faith" application of standard business and IT processes.

Page 25: ISSA Data Retention Policy Development

Prescription (Best practices)

1. You really do need a data retention policy

2. You need to create, and be able to demonstrate that you've got, a secure storage environment for your ESI

3. ESI needs to be searchable and retrievable in a timely manner

Page 26: ISSA Data Retention Policy Development

Conclusion

• A data retention policy is necessary for meeting legal, compliance, and operational business requirements

• Data retention should be balanced based on an understanding of the requirements and the operational business requirements

• While a data retention policy may not reduce the probability of litigation, it does:

• significantly reduce the probability of sanctions for non-compliance

• provide support for defending the unavailability of certain data

• reduce the cost of responding to e-discovery requests

Page 27: ISSA Data Retention Policy Development

Bill Lisse, Technology & Risk Services Manager

Phone: (937) 853-1490

Email: [email protected]