Is Your Compliance Just Checking the Box?

459116601If your organization retains data to meet regulatory requirements, then you probably have a strategy to store that data somewhere. But do you have a good strategy to access and return any part of that data that is requested? If not, your compliance might be just “check the box” compliance – and headed for trouble.

Two Pieces To the Puzzle

Data that must be retained for compliance, regulatory investigations or litigation has two key requirements: (1) it must be protected from accidental or purposeful deletion or alteration for the required term, which can range from weeks to decades; and (2) it must actually be accessible, so that if a regulator or court requests some portion of that data, it can be located and provided in a timely manner.

Most organizations are good at the first part — retaining the data. The IT department may not know why it is creating and storing certain backups, but on a monthly or quarterly basis it will send backup tapes of certain systems, usually email or file shares, offsite for retention. (Once offsite, these tapes are almost never seen again and rarely returned for final disposition).

The second part – recovering and providing specific data in response to a regulatory request or litigation matter – is a far more difficult challenge. In many scenarios, the requested data is several years old and spread across backups of several systems (email, file shares), from different departments (finance and operations) and even across divisions or geographies.

Problems With A Stale Data Strategy

If you are “meeting” regulatory requirements by retaining data offsite and offline, you are probably just “checking the box” for compliance. This may pass the straight-face test when asked about retention for compliance, actually finding specific information or records would be time-consuming, expensive and difficult – if it could be done at all. The older the data, the less likely that you’ll be able to find it, and a greater chance that the backup media cannot be located or will fail.

And there are several downsides to this strategy. Preserving compliance data in this manner is actually costly – which is ironic because many companies initially use this strategy to save money! But when organizations add up the cost of the media, offsite transportation and never-ending rent, the costs are high. And that represents only one costly aspect.

The data represents a significant and growing risk. The organization could later become involved in an investigation or lawsuit where the data is relevant. The cost of restoring, processing and reviewing a large amount of offline/offsite data frequently runs into millions of dollars – per investigation or case. A good lawyer may tell you to argue that this data is “not reasonably accessible”, but at best this gives you another fight within your battle that will cost time and money. Even a victory probably means just shifting part of the cost to your adversary.

And there is probably more risk to come. If your data is from European operations, you might face penalties if it includes personal data and is retained for too long or for purposes not originally intended. (The focus may be on retaining compliance data, but it’s probably mixed in with personal information about employees, customers and others). While those laws are not strongly enforced today, especially in this scenario, that is changing. In addition, under EU law you may have a duty to respond to an individual’s request for all data the organization maintains about them, which would include everything on these old tapes. And some of these requirements could be coming to the US as we re-think some of our privacy laws here.

Best Practices

Most organizations should strive to do more than just checking the box when it comes to compliance. Here are a few things to do:

  • Have a data protection strategy that accounts for the differences in value, over time, of your data. Just as you would not recover a critical order system from tape-based backup, you should not ship long-term data to an offsite warehouse;
  • Form a cross-functional team, including IT, Legal and possibly compliance and records management, to review your key data repositories and workflows. If legal and compliance understand that compliance data is not actually going to be readily available, they will help to set things right;
  • Consider actual archives for data that must be retained long-term. The data can be indexed, de-duped and maintained on less expensive storage to drive costs down, while being easily accessible (within minutes!) when it is needed. This will also help you to destroy the data when its retention period has expired and it is no longer of any value to the organization.

You can’t fix everything overnight but staying focused will lead to real savings, reduced risk and improved operations.  And those are a few boxes that everyone likes to check!

About the Author: Jim Shook

James D. Shook, Esq., CIPP/US Director, Compliance Practice, Global Technology Office Dell EMC Jim helps Dell EMC’s customers understand and efficiently meet the legal and regulatory obligations for their data, focusing on cybersecurity, privacy, retention and electronic discovery. Along with an undergraduate degree in Computer Science, he is an experienced commercial litigator and a former general counsel to technology companies. Jim publishes and speaks frequently about meeting challenges created by the intersection of law and technology, and has been an active member of The Sedona Conference’s working groups on electronic information (WG1) since 2004 and data security and privacy (WG11) since 2015.