Think about how many documents are created at your company: paper and electronic, every revision of every document, emails, manuals, notes about manuals, meeting summaries, financial spreadsheets, confidential and sensitive information of all kinds, and so on. Even for small companies the number of records created is ever increasing. Now think about what would happen if all of those records were made available to your adversaries. That would be a bad day for your company. Now consider that as much as 60 percent of it must be retained for regulatory requirements.
To implement ANY system of security controls you must know what kind of information is involved and what its requirements are for confidentiality, integrity, and availability. This is why I am always speaking about and recommending that companies begin an information classification system as the starting point of their cyber security policies. Part of your information classification system must include information types that account for the business and legal retention requirements of the information. To do this effectively, you must understand the company’s current and planned IT infrastructure as it relates to all of these information types. You may be faced with the prospect that the current systems are incapable of applying information classifications and treating classified information differently. In that case, a decision must be made as to whether the company goes without the required classification, treats all information at the higher classification level, or puts a new system in place. Each choice carries its own risk for the company.
A good records management system must allow you to identify all information by type, who controls and is responsible for that information, where the information is kept, and what the retention period should be for that type. You must also be able to change the classification of any information, and therefore its access and retention requirements, when the status of the information meets new legal or regulatory requirements. For example, litigation holds require reclassification of a large and sometimes diverse set of information. These litigation holds must be accurate and inclusive of all information that meets the retention requirement, without missing information and without sweeping in material outside the scope of the hold. At times, you will need to execute a litigation hold on information without the owners and controllers of that information knowing it has been done. You will have no defense against claims of spoliation if the owners of the information delete it when it should have been retained.
However, you are not playing it safe by retaining everything. Quite the contrary. Not only does this increase the cost of retention dramatically, you are playing roulette with your company’s legal risk. Legal adversaries often hire experts in electronic discovery whose job is to find the “smoking gun” within records that did not have to be retained but were swept up in litigation holds. To lower the risk, you must know when records have exceeded all retention requirements, and then get rid of them, all of them. Don’t forget that the information may exist on backups, that there may be multiple versions of the same record that can be deleted, and that the records might live on multiple systems, both physical and virtual, inside the company’s own IT systems and/or in some cloud vendor’s storage. Not easy, is it? It’s impossible without some sort of information classification scheme. It’s also unlikely to be done properly without involving legal counsel. Don’t let IT staff create all classifications and associated retention periods without the involvement of legal counsel. Better yet, general counsel or outside counsel should be driving the requirements of the records management policy and the requirements that the IT department must implement.
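The retention logic described above, as an added illustration that is not part of the original article: each information type carries business and legal retention periods, a litigation hold reclassifies matching records without consulting their owners, and a record becomes eligible for destruction (in every location a copy lives) only once it is past the longest retention period and not on hold. All type names, periods, owners, locations and dates are constructed assumptions, not regulatory values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical information types with business and legal retention periods in days.
# The numbers are constructed for illustration, not real regulatory values.
RETENTION_DAYS = {
    "financial_spreadsheet": {"business": 365, "legal": 7 * 365},
    "email": {"business": 180, "legal": 3 * 365},
    "meeting_summary": {"business": 365, "legal": 0},
}

@dataclass
class Record:
    record_id: str
    info_type: str
    owner: str          # who controls and is responsible for the record
    locations: list     # every copy: primary system, backup media, cloud storage
    created: date
    legal_hold: bool = False

def retention_expires(rec: Record) -> date:
    """A record has exceeded ALL retention requirements only after the longest one."""
    return rec.created + timedelta(days=max(RETENTION_DAYS[rec.info_type].values()))

def apply_litigation_hold(records: list, matches) -> list:
    """Reclassify every record the hold predicate selects; the owner is not consulted.
    Returns the ids placed on hold so counsel can review the scope for over/under-inclusion."""
    held = []
    for rec in records:
        if matches(rec):
            rec.legal_hold = True
            held.append(rec.record_id)
    return held

def disposition_candidates(records: list, today: date) -> dict:
    """Records that may be destroyed now, mapped to every location holding a copy.
    Eligible only if past every retention period and not under a litigation hold."""
    return {rec.record_id: rec.locations for rec in records
            if not rec.legal_hold and today > retention_expires(rec)}

def sample_records() -> list:
    """Constructed inventory; a fresh list each call so holds do not leak between runs."""
    return [
        Record("r1", "financial_spreadsheet", "alice", ["erp", "backup-tape", "cloud-archive"], date(2015, 3, 1)),
        Record("r2", "email", "bob", ["mail-server", "backup-tape"], date(2019, 6, 15)),
        Record("r3", "meeting_summary", "alice", ["wiki"], date(2023, 9, 1)),
        Record("r4", "email", "carol", ["mail-server"], date(2018, 1, 10)),
    ]
```

Running `disposition_candidates(sample_records(), date(2024, 1, 1))` before any hold returns r1, r2 and r4; after a hypothetical hold covering carol's records and all financial spreadsheets, only r2 remains, with both of its copy locations listed for deletion.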
Joel Colvin has been a security consultant since 1992 and an attorney since 2015. If you would like help in developing your organization’s security policies, please contact him at jcolvin@jcolvinlaw.com.