Best practices for implementing a data disposal policy

Because of the Sarbanes-Oxley Act, intentional document destruction is now a process that must be carefully monitored. But a "document" takes on many forms, from spreadsheets and emails to instant messages and Word files. In this expert Q&A, Michael Cobb clears up some of the confusion and reveals which best practices can boost an enterprise's data destruction policy.

Is there technology available that can help enforce document destruction policies? Tracking and archiving an financial organization's documentation has become a very complex and difficult task. There are now so many digital forms that documents can take: spreadsheets, emails, Word/PDF documents, instant messages and so on. Several technologies do aim to solve these problems, such as Chronicle Solutions Inc.'s netReplay and Mathon Systems...

Inc.'s Integral. AXS-One Inc.'s Retention Manager, an integrated component of the AXS-One Compliance Platform, also enables financial organizations to apply retention and disposition rules to electronic records, regardless of the originating application.

When you're talking about documents transmitted electronically, however, it becomes almost impossible for a financial organization to effectively enforce a document destruction policy. I have read internal reports where financial organizations estimate that there are at least 16 or more copies of most business documents spread throughout their network. This is mainly due to people including an original message and attachments in their replies.

Documents distributed beyond the corporate network represent a significant concern. Deleted documents can often be recovered easily, while additional versions of a document may unknowingly exist elsewhere. We are a long way from a time when a document's permissions can be embedded at the file level, traveling with the document no matter where it is sent. Ideally, someday your document destruction and retention policy will enforce itself, no matter where the documents are stored.

Another problem, though, with trying to automate document destruction policies is that no uniform standards exist for managing the lifecycle of documents and electronic data. Policies must be tailored to the unique business needs of each financial organization and its regulatory requirements. And because of the Sarbanes-Oxley Act, intentional document destruction is now a process that must be carefully monitored.

Despite the fact that the enforcement of document retention policies can't be handled by technology alone, the destruction process does bring real benefits: preserving the storage space on the network, on desktops and on backup media. Document retention also optimizes network and search performance and lessens the chance of having information used against an organization in lawsuits.

The period of time for storing business records should be determined by a retention schedule that takes business concerns and the requirements of federal and state regulations into consideration. Detailed logs of all destroyed documents and their exact data should be maintained. When getting rid of documents, be sure that the destruction method renders the information unusable and unrecoverable. Finally, don't just allow anyone to destroy your records. Payroll information, for example, or documents relating to labor relations or legal affairs, should not be entrusted to lower-level employees. If you use third-party contractors, make sure you understand the service level agreement and how they will ensure the security of your documents during the destruction process.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: