1. 1 David Ferris Feb 29th, 2008 at 9:16 am

   (Emailed in so have removed the person’s contact info to preserve anonymity)

   Quick Retention Policy Survey

   Q1. 20 people in company

   Q2. What retention policies do you have?
   ***We are a privately held company so we manage more on space needs than anything. We really don’t have a formal policy as we only have a little over 20 users and it’s more on an individual basis.

   Q3. What internal policies, laws and/or regulations have greatest impact on your retention policies?
   ***None

   Q4. What advice would you give to peers trying to formulate their retention policies?
   ***Know the answer to #2 above. Make sure you have a team made up of Legal and IT and each understands the other’s policies. If you don’t know how you are affected, you have no idea what to keep. Make sure you have a strong backing to your policy. Also, find a solution that gives ease of use for the end user to access there data, and ease of use for Legal to get what they need.

   Q5. How will your retention policies change over the next few years?
   ***Depends on the industry demands and our growth.

   Q6. What are the most important best practices associated with successfully implementing a retention policy?
   ***1. Have a solid understanding of what you want/need for your organization
   2. Have a solid backing from Legal & IT
   3. Think about the data and how it will be needed 1 month, 1 year or 5 years from now. If you don’t have the data, you can’t provide it to legal when they need it.
   4. Find a solution that knows what they are talking about. They don’t have to be the most expensive with a lot of hardware, you simply need to find one that works best for your environment. Make sure the company understands the platform they are working with. There are a lot of vendors who say they can archive from particular platforms, but don’t know the first thing about being an admin of that environment.

   Q7. What are the main archiving products/services you use?
   ****Mail Attender for Lotus Notes (Sherpa)

2. 2 dferris Mar 4th, 2008 at 10:00 am

   Response in which sender identification has been removed to respect his/her anonymity:

   Q1. What retention policies do you have?
   * We have a dedicated retention policy for E-Mail messages:
   * Deletion after 90 days in mailbox (voice messages from UM systems: 15 days)
   * Retention of 3 years if archived by user. Deletion taken place only when a message hasn’t been looked up since 13 months. No UM messages in archive, no private messages in archive.
   * Messages which express or carry legal obligations, legal commitments and such have to be stored outside of E-Mail mailboxes and E-Mail archive in other archiving applications, which comply with the appropriate legislation resp. regulation.

   Q2. What internal policies, laws and/or regulations have greatest impact on your retention policies?
   * Governed primarily considerations of risk control in litigation of legal departments, secondary is GxP regulations

   Q3. What advice would you give to peers trying to formulate their retention policies?

   Define clearly the purpose of any retention policy. If the requestor is not IT, then make clear that IT just acts on behalf… Keep it simple. Try to maintain a ‘one size fits all’ approach.

   Q4. How will your retention policies change over the next few years?

   Nothing planned. But high level litigation cases in the pharma business might have an impact to adjust our retention policy.

   Q5. What are the most important best practices associated with successfully implementing a retention policy?

   Clear communication about its purpose and what it entails for the user. The more it requires changes of user behavior, the more a buy-in and commitment of the entire business management hierarchy becomes important. Real top management commitment is advantageous. Well thought through and careful preparation of the rollout is a must. Calculate more effort on PR, communication, training than on the technical implementations.

   Q6. What are the main archiving products/services you use?

   Zantaz EAS

3. 3 Ralph Harvey Mar 6th, 2008 at 2:17 pm

   Hi All,

   Interesting and highly relevant question to the industry as a whole David. Regarding email retention, why would you not retain all email forever? The only acceptable answers are:

   1. Storage Capacity.

   2. A regulation that states a maximum period of retention - (not sure I know of one actually - anybody else know of such a reg? i know of regs where when you delete it - it must be deleted properly but that’s different).

   3. something I can’t think of!

   Most ‘normal’ users DO NOT retrieve email from their archive because they are being sued, because regulations dictate they do so, because courts demand it, or because of federal or government requests it. Most email archiving email retrievals are performed because users are either trying to retrieve some information or recall what was said, perhaps dig out a contact. In other words, they use the archive in the same way they use their current email folders - that were sadly architected so long ago that, in the case of Microsoft Outlook are an anachronism to the needs of the modern email user. So for ‘normal’ non-privileged employees, it’s an extended filling cabinet that resolves or mitigates the design constraints of existing email products. You never know when you want to go back for that email someone sent you 3 or 4 years ago. Clearly it becomes less relevant the further you go back. But what you don’t want to do is be sure that you had the email, but not be able

   Most privileged users DO retrieve information for audits, H.R. requests, or other legal action (defense or prosecution). Here, temporal factual accounts of the exchanges of email, the parties, and the metadata are vital for proving a case. The mistake that many make is to believe that if they delete their email after a short retention period, that - Phew! It’s gone! Wrong! It’s only gone (assuming NSA grade logical block overwrite policy is in force) from your infrastructure. Not from the infrastructure of other parties involved in an email exchange.

   Having a retention policy should be as simple as stating at what point do you remove all of the email from an archive (after 7 years for example) - and NOT should you retain information from Sales for n years and from Engineering for y. It is not realistically possible to distinguish the nature of a single email asit pertains to multiple regulations.

   It’s all or nothing! Please discuss!

   Kind regards

   Ralph Harvey
   CEO FCS -the Cryoserver people

4. 4 dferris Apr 3rd, 2008 at 12:48 am

   (Emailed in so have removed the person’s contact info to preserve anonymity)

   Q1. Rough # people in your organization/company? 105,000

   Q2. What type of business/industry are you in? education

   Q3. What is your retention policy? Do not have one

   Q4. Did any internal policies, laws and/or regulations have impact on your retention policies? If so, which? no

   Q5. What advice would you give to peers trying to formulate and implement their retention policies? Need a policy that is implementable and that meets legal requirements

   Q6. How will your retention policies change over the next few years? We will have one

   Q7. What are the main archiving products/services you use? If you have a home-grown solution, please tell us about it. Enterprise Vault

5. 5 dferris Apr 13th, 2008 at 6:28 am

   (Have removed the person’s contact info to preserve anonymity)

   Q1. Rough # people in your organization/company? 500+

   Q2. What type of business/industry are you in? City Government

   Q3. What is your retention policy? See attached

   Q4. Did any internal policies, laws and/or regulations have impact on your retention policies? If so, which? We are currently working on expanding our document imaging system and implementing a new retention policy.

   Q5. What advice would you give to peers trying to formulate and implement their retention policies? Take a sales and marketing class

   Q6. How will your retention policies change over the next few years? It will probably take about a year to inventory and implement and by then we will need to update it

   Q7. What are the main archiving products/services you use? If you have a home-grown solution, please tell us about it. LibertyNET Imaging is used for about 5 departments in the city. Other than that it is departmental

   Q8. Are there additional retention-related questions on your mind? (will likely be added to this discussion topics list so others can respond) How do others enforce their policy? Other than threatening employees? Incentives???

6. 6 Tony Whitby Apr 15th, 2008 at 7:14 am

   Q1. Rough # people in your organization/company? 8000

   Q2. What type of business/industry are you in? Manufacturing

   Q3. What is your retention policy? None (at present)

   Q4. Did any internal policies, laws and/or regulations have impact on your retention policies? If so, which? Yes, SOX

   Q5. What advice would you give to peers trying to formulate and implement their retention policies?

   Q6. How will your retention policies change over the next few years? Attempting to formulate now

   Q7. What are the main archiving products/services you use? If you have a home-grown solution, please tell us about it.
   At present just local Groupwise personal archives, Evaluating M+Archive right now

   Q8. Are there additional retention-related questions on your mind? (will likely be added to this discussion topics list so others can respond)
   As we are just formulating our policy I would be interested to know of others actual experience. Do people have a fixed retention period for all mail (say 2 yrs) and allow users to mark other for longer retention or use mail content to determine retention. Or just keep everything for 10 years then delete it?

7. 7 Teresa Werner Apr 16th, 2008 at 8:16 am

   Q1. About 180

   Q2. I am a contract consultant. I am assisting my client in the implementation of a RM program.

   Q3. Consulting; currently for a water authority.

   Q4. We have 11 Retention Schedules that contain 225 record series (types)

   Q5. Yes, about 98% of them. Are you asking which record types or what laws? Either way, there are too many to mention.

   Q6. Triple the time you ‘think’ it will take because it potentially involves everyone in your organization and your will have to work on ‘their’ time if you want cooperation. Realize you will have to dig up records from the most bizarre places. Develop tactics for getting answers out of different personality types. Don’t be surprised when they only tell you 25% of what they have (or know). Remind them that you need to know about records they no longer create, but still have stored because you need authority to destroy them. Drill it into their heads constantly, that its not the media, its the content! Be prepared, that unless you have complete top management support and have the BEST RM professional leading disposition efforts, you will be lucky if 5% of your organization follows the retention policy.

   Q7. Retention policies should change every year. New records will be created, laws will change, policy will change, organization/responsibility structures will change, you will uncover record types they ‘forgot’ to tell you about, you will uncover new record types in closets, basements, attics, utility rooms, etc. You will find yourself in a legal discovery and re-evaluate your policy, you will realize that there are databases, electronic files, e-mail that you never knew existed, you will find cds, video tapes, microfilm and have to review them for new record types, etc.

   Q8. Archiving products? Do you mean enterprise records and information management/content management solutions? We use the new Oracle version of Stellent to manage and track the disposition of our records and information.

   Q9. Always. There will never NOT be more questions. My only comment is that your questions were very vague so I am not sure how the answers can possibly help you as there was no clear ‘goal’ identified as to what you plan to do with the information collected. Do you have ’survey results’ on your retention schedule? How long do you plan on keeping these?

8. 8 Peter Apr 30th, 2008 at 3:08 am

   Q1 - 4000 in our Division, 26,000 in group

   Q2 - IT Compliance & Forensic Analyst. Forenscis means investigating individual computer incidents (mostly checking leavers’ PCs). Compliance means - well, complying with legislation, industry and internal standards

   Q3 - Energy Services

   Q4 - None really, see Q8

   Q5 - N/A

   Q6 - Keep it as simple as possible. Speak to users, not just managers. Make sure it’s technically and practically possible to implement. Be prepared for resistance, change, and constant monitoring.

   Q7 - Hopefully we’ll get some!

   Q8 - Symantec Enterprise Vault currently being rolled out for Exchange, all archived email will kept in perpetuity. File archiving with EV didn’t work, looking at other options compatible with our SAN.

9. 9 dferris Apr 30th, 2008 at 9:55 pm

   (Have removed the person’s contact info to preserve anonymity)

   Q1. Rough # people in your organization/company? 200

   Q2. What is your title and what do you do? EVP ISO & Loan Operations

   Q3. What type of business/industry are you in? Banking

   Q4. What are your retention policies? 90 days for e-mail in your in-box or sent-box. 18 months for all other docs & archived e-mail unless it is labeled “keep permanently”

   Q5. Did any internal policies, laws and/or regulations have impact on your retention policies? If so, which? Yes- all

   Q6. What advice would you give to peers trying to formulate and implement their retention policies? Involve legal counsel

   Q7. How will your retention policies change over the next few years? This is a new policy so we will find out if it works or needs to be adjusted

   Q8. What are the main archiving products/services you use? If you have a home-grown solution, please tell us about it. Microsoft Outlook, SAN

   Q9. Are there additional retention-related questions on your mind, or do you have any other comments? Enforcement & Training

10. 10 dferris Apr 30th, 2008 at 9:56 pm

    (Have removed the person’s contact info to preserve anonymity)

    Q1. Rough # people in your organization/company? 150

    Q2. What is your title and what do you do? VP/IT Manager

    Q3. What type of business/industry are you in? Banking

    Q4. What are your retention policies? We currently follow FDIC and Tax laws

    Q5. Did any internal policies, laws and/or regulations have impact on your retention policies? If so, which? FDIC, Tax, and State laws

    Q6. What advice would you give to peers trying to formulate and implement their retention policies? We have a lot of work ahead of us

    Q7. How will your retention policies change over the next few years? They will change a lot

    Q8. What are the main archiving products/services you use? If you have a home-grown solution, please tell us about it. We use normal backup software along with an archiving software for email

    Q9. Are there additional retention-related questions on your mind, or do you have any other comments?

1. 1 Retention Policy Survey » Archiving101.com Pingback on Feb 29th, 2008 at 3:17 pm
2. 2 Electronic Discovery Blog - A weblog on electronic discovery issues by an attorney and former IT manager » Ferris Research retention policy survey Pingback on Mar 6th, 2008 at 7:52 am

Leave a Reply