Devil is in the detail for data retention: survey

Globally organisations are struggling with implementing their information retention plans as only a third report theirs is fully operational, according to Symantec’s 2012 Information Retention and eDiscovery Survey *.

Nearly two-thirds (60 percent) of organisations say they have a formal retention plan, yet only 34 percent report those plans are fully operational. The perceived cost of implementing their plans is reported to be the most common reason why organisations are lagging in plan implementation. The survey found that only 7 percent of organisations don’t have any plans in place, a 50 percent drop from 14 percent of organisations reported in the 2011 survey.

Even more concerning is that while they received on average 17 requests for electronically stored information, these requests failed 31 percent of the time. This is significantly higher than the 20 percent of failures reported in 2011. Each time a failure occurs, the organisation is at risk. 

Forty-three percent reported the inability to make decisions in a timely fashion as the biggest consequence of these failures. Other consequences reported include damage to reputation, compromised legal position, fines, raised profile as a litigation target and court sanctions.

"The survey highlights that, although there is a reduction in the number of organisations without an information retention plan, organisations haven’t fully funded and implemented their plans" said Trevor Daughney, Director, Information Intelligence Group, Symantec. "With the number of ESI requests and failures to obtain requested information increasing, organisations face risks that are much more costly in the long run than implementing their plans"

There is still a substantial gap between beliefs and practices in retention policies, which has not significantly changed year over year. Eighty-one percent of respondents believe that a proper information retention plan allows organisations to delete information on an ongoing basis. However, 42 percent of backups are indefinitely retained by organisations. This is virtually unchanged from the 2011 results. 

And, information that is deleted by organisations is often deleted without considering established retention policies.

The most reported negative consequences resulting from preserving more electronically stored information than necessary include: Increased costs associated with collection, analysis and review (54 percent); increased time spent to collect, analyse and review ESI (47 percent); increased risk that sensitive information may be disclosed (44 percent); compromised position in potential or actual litigation (27 percent); and information unintentionally made available for potential future litigation (28 percent).

The survey also reports that organisations are keeping information longer than is needed, and keeping the data within backups rather than archives for legal holds, which reduces efficiencies when performing an ESI request. 

The survey reveals that 38 percent of data that organisations back up is not needed or shouldn’t be kept in backup. In fact, respondents say that a third of backup data (34 percent) shouldn’t be kept and is unnecessary due to litigation risk.

More than half of organisations keep that data indefinitely: 56 percent of organisations reported that their backup storage is used for infinite retention that is dedicated to legal hold. This has grown from 43 percent in 2011 and continues to get worse. Further, 85 percent of organisations routinely perform legal holds in their backups, which are not designed to be accessed in the same way as an archive.

(*Symantec surveyed IT executives at 500 organisations with more than 500 employees in the US, UK, Canada and Germany).