A study by Symantec shows that while most businesses believe in the value of a data retention plan, fewer than half follow one, resulting in increased expense and reduced efficiency as they basically follow a "save everything" policy in practice. The Symantec Information Management Health Check, the result of a global survey of 1,680 businesses in 26 countries, shows that while 87 percent of respondents believe in the value of a formal information retention plan, only 46 percent actually have one. The survey also shows that 75 percent of backup data storage plans consist only of "infinite retention" of materials or legal holds, which are orders not to destroy certain data that may be material in a lawsuit or regulatory investigation.
More specifically, the survey reveals that many organizations are saving data on backup software indefinitely when that data really should be archived. Symantec says data needn't be saved in backup for more than 90 days and could safely be deleted or archived beyond that. This "when in doubt, save everything" approach means companies spend needlessly for extra storage capacity, increase the time it takes to recover data and complicate e-discovery. To find out how IT can help address e-discovery issues, see "Easing The Pain of E-Discovery."
The survey found obstacles to companies adopting a sensible data retention plan. Forty-one percent of IT administrators don't see a need for a plan, 30 percent said no one in their organization has been given that responsibility and 29 percent cited cost as the reason. Backup software is being used for indefinite data storage or legal holds, but Symantec says neither of those is an appropriate or practical use of backup. "Backup is for recovery and archiving is really the mechanism to enable discovery," says Danny Milrad, senior product marketing manager for Symantec.
The survey found that 70 percent of respondents use backup storage for legal holds, but that 40 percent of the data saved is not relevant to the litigation or investigation. The survey also found lax enforcement of data retention policies that are in place. For instance, while 51 percent of companies surveyed prohibit employees from creating their own archives on their own computers, 65 percent admit that some employees do it anyway. The report also found "stunning" differences between the data retention policies and practices of large enterprises versus smaller companies. According to the survey, which grouped the 1,680 respondents into five tiers based on size, 71 percent of top-tier enterprises had a formal data retention plan while only 27 percent of bottom tier enterprises did. Only 26 percent of top tier enterprises used their backup storage for archiving versus 49 percent of the bottom tier. And only 26 percent of top tier enterprises used backup for legal holds, versus 60 percent of bottom tier companies.
Symantec recommends a five-step plan for developing and adhering to a sane data retention system. First, develop a plan. Second, stop using backup storage for legal holds and infinite retention. Third, deploy deduplication, which finds multiple copies of documents and other data and deletes them so only one version is saved. Fourth, delete unneeded data according to your plan. Fifth, use the archive system, not backup, for discovery purposes.