The 7 deadly sins of records retention

While sports records are made to be broken, enterprise records are made to be retained—at least until they’ve outlived their usefulness. As regulatory mandates rapidly multiply, enterprises are facing a document tsunami, as current and outdated records begin overwhelming the human and IT resources necessary to securely store, track, manage and eventually destroy them.

Each records class has a retention period that’s defined by a combination of corporate policy, business risk tolerance, external legal advice, regulatory requirements and legal obligations, says Sean Riley, a principal at Deloitte Risk and Financial Advisory. “Some records only need to be kept for three years, others may need to be kept indefinitely for business value or legal reasons,” he notes.

Records retention is really all about records destruction, says Dan Frank, also a principal at Deloitte Risk and Financial Advisory. “Most organizations are very good—too good—at retaining data,” he says. “The CISO’s primary responsibility is to ensure that the organization has secure data and records destruction capabilities, as well as corresponding technologies that securely delete data and records when appropriate.” Preserving obsolete records can lead to wasted time and needless confusion as researchers find themselves plowing through outdated files as they search for the records they actually need. Failing to properly curate records also drives up storage and backup costs.

As CISOs face an ever-growing stockpile of mandated records, and struggle to decide which documents and data to keep or discard, they’re liable to fall victim to the following seven deadly sins of data retention:

1. Neglecting to stay on top of emerging and evolving record retention requirements

Recent privacy regulations, such as the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), have significantly increased the need for deeper, stronger, and more inclusive data governance. “In order to survive in today’s privacy, legal and regulatory environment, organizations must have a comprehensive understanding of what data they have, how it’s used, who it’s shared with, whether it’s sold, where it’s sent geographically, and how long it has to be retained,” Frank explains. How can a CISO help implement a comprehensive records retention schedule and policy without first knowing what types and amounts of data the organization holds and where it’s located?

2. Neglecting to adequately define data retention objectives and responsibilities 

Data retention and data governance programs aren’t one-time projects. “A fully functional and reliable program needs people, processes and technology to support them, just like any other corporate function such as data privacy or information security,” Frank says.

CISOs managing poorly organized data retention programs tend to be disconnected from internal teams that can help drive risk-reducing outcomes. “CISOs serve their organizations best when they involve all stakeholders in developing and operationalizing records retention protocols and programs—inclusive of legal, privacy, cybersecurity, IT and records management teams,” Riley says.

Disorganized and unaware CISOs are also prone to missing the prime data curation improvement opportunities that arise from time to time during the regular course of business. “Internal systems upgrades, migrations and external events, like divestitures and acquisitions, can provide moments to bring policy into practice,” Riley suggests.

3. Failing to fully understand the CISO’s role in record retention

While lawyers, CIOs and CDOs are generally in charge of establishing basic record retention policies and schedules, CISOs also play a central role in records management, particularly when it comes to preserving and presenting data that can be used to support security investigations, as well as chain of custody evidence for proving data integrity. “Additionally, information security leaders must be able to prove event correlations that can satisfy non-repudiation requirements in a court of law and provide event history that can determine the dwell-time of incidents within an environment,” says Lakshmi Hanspal, CSO at Box, an online file sharing and cloud content management service. “Finally, CISOs should be responsible for [presenting] reports related to independent audits … and legal and regulatory obligations,” she notes. 

4. Lacking a complete understanding of data lifecycle elements

Some CSOs lack a full understanding of the various components involved in the data lifecycle. As a result, key data lifecycle elements are often either ignored or incorrectly used.

Knowing the exact name and description of a processing activity, the process owner, the data processor, and business purpose and lawfulness is just part of the challenge, says Rodney Pattison, senior cybersecurity manager at business and technology firm Capgemini North America. “Add in the assets linked to the processing activity, plus their geography, and there’s a lot of metadata to analyze,” he notes. Even when the metadata is correct, there has to be someone on-hand to perform the initial analysis, which is not a traditional security skillset, Pattison adds.

5. Believing that automation is a magic records management solution 

Records automation can be a highly useful and time-saving technology. Unfortunately, it’s also a highly complex tool that can easily lead to incorrect record retention or destruction decisions, particularly when poorly configured or misused. “Understanding what triggers changes to automation processes, such as legal holds, tax audit holds, and regulatory changes, can be hard to capture for every use case,” Pattison warns.

People should still play an important role both in manual records management and automation configurations. “Having two-way communication with oversight stakeholders about their objectives and scheduled purges is critical,” Pattison says. “Knowing the data stewards who can explore and manipulate data internally and externally is vital,” he adds.

6. Neglecting to retain tactical log data 

This oversight can be particularly lethal since, in the event it becomes necessary to triage a large breach or address some other type of major security incident, investigators may need to literally turn back time to discover the event’s roots. “Discovering the source of a breach, or the extent of the damage, is largely dependent on going back through archives of traffic and other logs to follow the attack path and techniques executed by the adversary,” says Brandon Hoffman, CISO at network management technology and services provider Netenrich. Lacking access to tactical log data turns pinpointing the exact moment an attack occurred, and the course it followed during its journey through enterprise data resources, into a high-stakes guessing game.

7. Failing to periodically check if current record retention periods are still relevant

The regulatory landscape is constantly changing and CISOs need to be prepared to quickly adjust record retention periods whenever regulatory or legal changes demand a change. Failing to act promptly can lead to serious financial and litigation consequences when still-needed records are automatically purged via inaction. It’s important to maintain tight oversight on retention periods, advises Caroline Morgan, a partner in the New York offices of national law firm Culhane Meadows. “You have to find your records retention sweet spot,” she adds.

Morgan also urges CISOs to monitor exactly how management and staff are accessing and handling records. “Keep your ear to the ground,” she says. “No matter how perfect a record retention policy is on paper, if people don’t comply with it, it’s useless.”