Implementing an electronic records retention system

Learn the components of an electronic records retention system and best practices for implementing an electronic data discovery policy. Don't risk e-discovery request errors.

Many companies strive to put together what is often called a defensible electronic records retention system to help them show attorneys and judges that electronic data discovery materials such as litigation holds, email archiving, deletion policies and more have not been improperly modified.

Christine Taylor, an analyst at Hopkinton, Mass.-based Taneja Group, discusses the critical components of a records retention system and shares best practices for implementing an electronic data discovery policy in your storage environment.

You can read the podcast interview below or download the MP3 file.

Let's talk about putting together an e-discovery records retention system. What makes a records retention system "defensible"?

Taylor: "Retention system" means a very different thing to an IT listener vs. a legal listener, and we want to focus on the IT aspect of electronic record retention systems. Retention systems in terms of IT refer to data retention and restore for disaster recovery [DR]. However, retention systems for the purpose of e-discovery are different from disaster recovery, and that's what we are going to be talking briefly about today.

A defensible e-discovery record retention system from the IT side is the ability to quickly respond to searches from attorneys or from compliance officers, and being able to prove that the information they collect has not been improperly modified. It's also a way to track data deletion so that the court does not think the deletion was done in error, or worse, deliberately to keep evidence away from the court.

What are the critical components to a defensible electronic records retention system?

Taylor: I came out of IT, so I understand that when we hear components, we think in terms of hardware and software components. And certainly those are part of this, but defensible records retention systems also combine people and processes, as well as technology.

The first component of records retention systems is to form interdisciplinary teams. This component is usually the one that IT likes the least. However, forming an interdisciplinary team is the single thing that's going to give you success. It doesn't have to be formal. A formal team would be made up of IT, certainly legal, possibly compliance officers and maybe records management. And the larger your company is -- certainly if they're public -- [the more] you are probably going to want to do something like that.

But you can do something more informal and much simpler by talking to your counterparts in the General Counsel's office. Tell them what it is you want to do and ask them what they need, because when it comes to a defensible electronic records retention system, you need to know what the attorneys are going to ask for.

The second component of an electronic records retention system deals with this technology, specifically the tools out there that help you to dynamically map your data and know how to get hold of the data quickly. Mapping, or dynamic mapping, is important because it helps you to know what type of data is on what data source or data target. It also helps you to quickly search that data because you are searching from the index.

Some examples of these tools include StoredIQ or EMC Corp.'s SourceOne using what used to be the Kazeon technology.

The third component is documentation. You need to document the team, you need to document the champion, you need to document the policies and you need to document the tools. You're also going to want to prioritize the list of data sources that are most likely for e-discovery.

What are some best practices for implementing a defensible electronic records retention system?

Taylor: The trick is to be able to do operations using the system; make them sustainable and repeatable.

So let's say that a case has come down the line. There is a request from legal that there is, for example, a pending lawsuit over intellectual property. At this point the attorneys should be communicating with IT. First of all, you need to understand what it is they need. Oftentimes, legal does not know how to talk to IT, so you should ask them these two questions: What data custodians and date ranges are we talking about? And what are the keywords? They'll know how to answer those questions.

Once that is done, you're going to want to locate the storage that holds that potential data and identify what you need from it. Once you've identified where it is, then you're going to collect the data. This almost always includes the attorneys actually issuing queries. The attorneys can simply tell you, as I mentioned, what the data custodians and date ranges are, and once they get that back and have access to the stored data they can search it themselves. How you collect your data is really up to you and what kind of policies you have. It is possible to collect your data in place. It is also possible to give them access to a given storage repository.

Now, let's remember we're talking about a defensible system. This is where the technology comes in. What you need is the ability to prove that a particular piece of data has not been modified.

There are a couple of ways you can do this. You can simply be careful that when you back up or archive, understand that your settings do not change metadata. That's very important. You can do that in the backup app or in the archiving app. Another way that you can do this is to store potentially relevant data, especially critical data, on a content addressable storage [CAS] system. One of the primary examples is EMC's Centera Governance Edition. It's not the only one out there, but it's one of the industry standards. These object-based systems make it impossible to change objects, which in itself proves the sensibility [in using one]. Another good way to do this is when information is collected, move it immediately to a secure repository -- even if the repository is just an array or disk somewhere -- as long as the target has access controls and you can prove that.

And lastly, remember that a good, defensible electronic records retention system benefits not only the user groups you support, but you. It's a win-win.
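The interview's point about proving that collected data has not been modified (unchanged metadata, content-addressed storage, a controlled repository) can be shown in code. The following Python is an added example, not part of the interview or of any product named in it; the function names, the choice of SHA-256 and the sample files are assumptions constructed for illustration.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(sources, repo):
    """Copy files into a content-addressed repository and return a manifest."""
    Path(repo).mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in map(Path, sources):
        digest = sha256_file(src)
        obj = Path(repo) / digest        # object name is the hash of its content
        if not obj.exists():
            shutil.copy2(src, obj)       # copy2 carries over the modification time
            os.chmod(obj, 0o444)         # read-only; real access control is the repository's job
        manifest.append({"source": str(src), "sha256": digest,
                         "mtime_ns": src.stat().st_mtime_ns})
    return manifest

def verify(manifest, repo):
    """Return (source, problem) pairs; an empty list means nothing changed."""
    problems = []
    for entry in manifest:
        obj = Path(repo) / entry["sha256"]
        if not obj.exists():
            problems.append((entry["source"], "missing"))
        elif sha256_file(obj) != entry["sha256"]:
            problems.append((entry["source"], "content modified"))
        elif obj.stat().st_mtime_ns != entry["mtime_ns"]:
            problems.append((entry["source"], "timestamp modified"))
    return problems

def demo():
    """Constructed sample: collect two files, then alter one stored object."""
    work = Path(tempfile.mkdtemp())
    files = [work / "memo.txt", work / "mail.eml"]
    for p in files:
        p.write_bytes(b"constructed sample: " + p.name.encode())
        os.utime(p, (1262304000, 1262304000))   # constructed original date, 2010-01-01 UTC
    manifest = collect(files, work / "repo")
    clean = verify(manifest, work / "repo")     # nothing has changed yet
    target = work / "repo" / manifest[0]["sha256"]
    os.chmod(target, 0o644)
    target.write_bytes(b"edited after collection")  # simulate an improper change
    return manifest, clean, verify(manifest, work / "repo")
```

The manifest only supports the claim if it is kept somewhere the people handling the collected data cannot rewrite it, for example alongside the hold documentation.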
