When Information Retention Runs Amok

By CIOinsight  |  Posted 08-05-2010

Although the vast majority of enterprise executives (87 percent) believe in the value of a formal information retention plan, only 46 percent of organizations actually have one, according to the 2010 Information Management Health Check Survey. More than 1,680 senior IT and legal executives in 26 countries responded to the survey, which was conducted in June 2010 by security, storage and systems management vendor Symantec.

The 2010 Information Management Health Check Survey also finds that:

  • Enterprises are retaining far too much information. Three quarters (75 percent) of backup storage consists of infinite retention or legal-hold backup sets. Respondents also stated that 25 percent of the data they back up is not needed for business or should not be kept in a backup.
  • Enterprises are misusing backup, recovery and archiving practices. Seventy percent of enterprises use their backup software to implement legal holds and 25 percent preserve the entire backup set indefinitely.
  • Respondents said 45 percent of backup storage comes from legal holds alone. In addition, enterprises cited that, on average, 40 percent of information placed on legal hold is not specifically relevant for that litigation.
  • Nearly half of the enterprises surveyed are improperly using their backup and recovery software for archiving. Additionally, while 51 percent prohibit employees from creating their own archives on their local machines and shared drives, 65 percent admit that employees routinely do so anyway.

The survey also shows a disconnect in how IT and legal executives view their organization's lack of an information retention plan. In IT, 41 percent of administrators don't see a need for a plan, 30 percent say no one is chartered with that responsibility, and 29 percent cite cost.

In the legal department, nearly six in 10 executives (58 percent) cite cost as the top reason their organization lacks an information retention plan, followed by a dearth of expertise to build a plan (48 percent), and no one chartered with the responsibility (40 percent).

According to the survey, there are serious consequences to information mismanagement, including:

  • Skyrocketing storage costs as over-retention creates an environment where it is now 1,500 times more expensive to review data than it is to store it.
  • Soaring backup windows and prohibitive recovery times.
  • Lengthy, inefficient and costly eDiscovery processes due to the massive amounts of information stored on difficult-to-access backup tapes.

The report makes the following recommendations for enterprises:

  • Don't use backup for archiving and legal holds. Enterprises should retain about 30 to 60 days of backup, and then delete or archive data in an automated way thereafter.
  • Use backup only for short-term and disaster recovery purposes. Enterprises can back up and recover faster while deleting older backup sets within months instead of years. This represents a huge amount of storage that can be confidently deleted or archived for long-term storage.
  • De-dupe everywhere, within applications and within your backup environment. Enterprises that deploy de-duplication as close to the information sources as possible are able to free up network, server and storage resources. When de-duplication is combined with shorter retention periods, enterprises enable tapeless disaster recovery via replication for better SLA.
  • Develop and enforce automated information retention policies, making clear to employees what can and cannot be deleted, and when. Automated, policy-driven deletion creates less risk than ad-hoc, manual deletion.
  • Use a full-featured archive system to make discovery as efficient as possible. Companies can then search for information more quickly - and with more granularity than they would in a backup environment. This will reduce the time and cost it takes to evaluate litigation risk, resolve internal investigations and respond to compliance events.
  • Deploy data loss prevention technologies to measurably reduce the risk of data breaches, demonstrate regulatory compliance and safeguard customer information, brand collateral, and intellectual property.