Slashdot Mirror


Document Retention - How Long is Too Long?

darthtuttle asks: "With the recent news of document destruction at Enron and the emails that have been discovered in high profile cases such as MS -vs- DOJ, document retention seems to be a hot item right now. What document retention policies do people have at their companies, and what steps do companies take to make sure that documents are destroyed according to the policy when their time is up so they don't come back to haunt the company later? Note: the purpose of a document retention policy is not to keep documents, but to make sure they get destroyed according to policy before someone outside the company decides to use them against you. The big issues seem to be backups and documents stored on people's desktop/laptops. You don't want those email server backup tapes from 2 years ago to be found, and you don't want to find out that the CFO was saving -every- email they ever got on their laptop."

10 of 405 comments

  1. Premature discussion by Skyshadow · · Score: 3, Interesting
    I rather suspect that this discussion is premature, and that thanks to our good friends at Enron and Andersen you're going to see a serious change in the way the laws affect this area.

    Personally, I think that corps shouldn't be allowed to destroy documents for at least 3-5 years -- all they're doing is covering their sins. Enron's a good example; they're destroying the evidence that they knew they were perpetrating a fraud against their investors. Destruction of the documents could mean that, as usual, the little guys get screwed and assholes like Ken Lay walk due to lack of evidence.

    Pretty disgusting.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  2. Re:Cover WHAT? by modus · · Score: 4, Interesting

    Encrypting doesn't necessarily help. Sure, it prevents the court from reading your documents, but it doesn't prevent the court from putting your ass in jail for contempt of court after they subpoena your key/passphrase/whatever from you.

    And if you destroy your key as the feds are coming through the door, that's just like shredding documents -- They'll put you in jail for destroying evidence.

    (And yes, well encrypted data is indistinguishable from random data, but it's not going to be too hard for a state's attorney to argue that the huge pile of random data on your HDs is encrypted data, not your /dev/urandom souvenir collection).

  3. Hard problem by ajs · · Score: 3, Interesting

    The problem is hard on many levels. For example, many small companies have the, "we have nothing to hide" attitude, because they're not able to think in terms of large business dealings where years of internal email could be dragged out into court and used out of context.

    Once you convince a company that document "retention" is valuable, many managers will immediately declare themselves exempt because they feel that they will one day need that email from a vendor thanking them for buying the Widget 10,000 last week.

    What I think the industry really needs is some kind of software that manages information archives in a way that lets people specifically call out information that needs to be preserved as annotation. In this way, you could keep all of the headers of all of the mail and all of the filenames of all of the documents on a fileserver, but only keep the annotations (which may include some key points from an original).

    I know that I would find this more useful than the usual way that people annotate documents (named folders).

    1. Re:Hard problem by The Man · · Score: 3, Interesting
      Once you convince a company that document "retention" is valuable, many managers will immediately declare themselves exempt because they feel that they will one day need that email from a vendor thanking them for buying the Widget 10,000 last week.

      This is a major policy problem in a much wider scope than a document retention/destruction policy. The problem of politically powerful individuals within a company declaring themselves exempt from various policies is a serious one. Ask any systems administrator about it - when you come up with any policy and present it at a meeting, everyone will approve it and say it sounds like a great idea. Later, each person will individually approach you and say that the policy is a great idea for everyone else but that he/she should personally be exempt because of some special circumstance or other that, of course, doesn't apply to anyone else.

      If your company is like that (that is, it's like mine), don't even bother with written policies, on document retention or anything else. Even if you own the company or are the CEO and thus powerful enough to force the approval of policies like this, nobody will actually follow them anyway. Your best bet is probably to institute some boilerplate policy you get from your corporate lawyers, post it conspicuously, and make sure everyone agrees to it in writing. As I said, there's no point in trying to make anyone follow it - they won't. But in this case at least you can try to offload all liability on the individual employees who don't bother to follow the policy. It probably won't work especially in the case of SEC troubles or similar, but it's easy and cheap to do.

      Honestly, why can't people just accept that they're NOT special?

  4. Re:nothing to hide by A Big Gnu Thrush · · Score: 3, Interesting
    I work at a Fortune 100 company and documents and emails older than one year are automatically deleted. The email is pretty easy to enforce because we use Lotus Notes. The deletion takes place on the server copy and the deletes are replicated down to the local copy.

    Document files are a little more difficult. Everyone is encouraged to store files on the server in secure folders. This is enforced culturally because if a hard drive fails and the user wants data back, they are told it should have been on the server where it is backed-up (and deleted at the appropriate time).

    BTW, these procedures have proven very important as the company has defended itself against anti-competitive suits as well as race-discrimination suits.

  5. Re:Got something to cover? by ajs · · Score: 5, Interesting

    Not at all. The problem is most obvious with email, so I'll use that as an example.

    Let's say that your company has done nothing wrong, but the SEC thinks that you might have been leaking information to financial institutions, in order to affect your stock price.

    That's a pretty serious charge, but if you're innocent you have nothing to worry about, right? Well, it turns out that you have an employee that sent a seemingly innocent comment to his friend at such a company, but now, in light of the charges, it could be seen as an indication that such activity did exist and widen the investigation. This costs you in terms of legal expenses, time, credibility, etc.

    Having old documents taken out of context can be truly damning, and it's just not worth the expense. Much better to destroy what could be used against you later.

  6. The plaintiff's lawyers went back to 1937 notes... by RasTafarii · · Score: 3, Interesting

    from an engineering meeting held in a very old US company that made machine tools where the installation of operator guards was discussed on some type of press they agreed to do it and someone mentioned that if the guards were removed later serious injury could result to the operator.

    fast forward to 1985, the press made back in 1937 is still in use at some rundown plant staffed with illegal mexicans, it has not had any decent maintenance in decades and of course all the operator guards were removed to speed up production several owners ago.

    some guy puts his hands in the danger zone and the press gets him.

    the original company that made the press 48 years ago gets bagged on the grounds that they knew it was a dangerous machine that's why they mounted operator guards on it... the fact that persons unknown decades later removed those guards and no one trained the illegals on safe operation of this old rundown press was beside the point...

    being an old family run company, they had records dating back to the founding apparently they never threw anything away and minutes from a 1937 meeting ended up costing them a couple of millions of $.

    if the law or regulatory agency does not explicitly require you keep the stuff, shred it as soon as you can, wipe the backup tapes as soon as possible and keep only the stuff you have to, the shortest time permitted.

    reimage the corp laptops every 6 months to prevent packrat ceo's from keeping every email and their kids who use it at home to surf p0rn sites when dad isn't watching...

    --

    "...can you imagine a BEOWULF CLUSTER of these? That'd be some serious power!"

  7. Re:Double-edged sword by markmoss · · Score: 3, Interesting

    I quite often have to refer back to projects that were closed out a few years ago. E.g., a few months ago I had a customer saying something like, problems have popped up with this latching SMT relay, costing around $100K in replacement boards and service calls -- why did I ever pick it? I go back to look things up and find a pretty clear trail of checking every SMT relay on the market -- this was the only latching relay available in 1998 that actually withstands SMT process temperatures, although just barely -- the circuit didn't seem entirely trustworthy, so why don't we go to this alternate circuit, that also costs less? -- and the customer turned that change down...

    In other words, given the customer's determination to implement a circuit designed in the early 1960's in surface-mount parts, that was the best part available, and probably still is. It wasn't good enough, but they wouldn't let me re-design to avoid it, and I've got their e-mails to prove it. We cranked out my more reliable design based around a 74HC 74 IC real fast, and they ate the cost.

    Without e-mails, I barely remembered this particular case out of several others, and the actual decision makers at both companies were gone...

  8. Re:Oh come on.. by susano_otter · · Score: 3, Interesting
    ie. the same sort of people who gave 12 mill to some bimbo for spilling hot coffee on herself.

    Please, try not to be a complete fucking idiot. Everybody else already has a clue.

    --

    Any sufficiently well-organized community is indistinguishable from Government.

  9. Shredding the Enron Documents by Zeinfeld · · Score: 3, Interesting
    The point that posters appear to be missing is that despite holding 80 person shredding parties enough has emerged about the activities of Arthur Andersen and Enron to cause as much damage as could possibly happen. If the investigators can't get someone for fraud they will get them for shredding.

    The Enron documents that were shredded are likely the early drafts of the audit report. While it is quite likely that there will be electronic copies of the destroyed documents what the investigators would probably most like to get their hands on would be draft copies with handwritten annotations. It is unlikely in the extreme that anyone wrote a document that was incriminating on its own, but quite likely that incriminating marginalia existed.

    BTW in addition to their involvement in the Sunbeam and Waste Management debacles Andersen were until recently blacklisted by the UK government who held them responsible for their losses in the DeLorean fiasco.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/