When headlines hit that the IRS was missing data, most information technology professionals jumped to the same conclusion: how could data ever really be gone?
Data loss is not common in this day and age as millions of dollars have gone towards most organization’s data centers just to make sure data doesn’t get lost. In fact, the opposite can actually be the issue: there’s too many copies of the same data.
For example, an email sent is immediately stored on the sender and receivers PC as well as the server. Nightly, each email box is backed up on the company’s server for disaster recovery – in case of a computer crash or something more disruptive. After a week goes by, there’s seven or more copies of that email stored somewhere. In addition, there’s a good chance that a copy of that email has been copied to archive for long-term retention based on Lerner’s senior status.
If that email becomes lost from the desktop or email server, there should be many copies that exist in other locations. There are few reasons feasible that data could ever really be gone even if a company attempted to destroy its data, Enron taught us that, but breakdowns in policy and lack of information management and data center search solutions could make it lost.
Where does data go
Most mid to large-sized organizations store copies of their legacy data on a troublesome format called backup tape. Resembling a VHS that has been cut in half, data is backed up nightly from all the servers to sets of backup tapes.
Unlike a VHS that may be recorded over many times, these tapes are permanent and quickly fill up. Some are stored within a company’s data center, but the bulk of this data is sent to offsite vaults meant to house and protect these tape archives.
Retrieving that data isn’t as simple is putting a VHS in a VCR. Systems advanced and organizations changed storage vendors over the last 20 years, making many of these tapes inaccessible as they were originally recorded on proprietary technology that wasn’t compatible with other vendors.
The original software to access some tapes hasn’t been around for over 10 years and requires either specialty direct tape indexing technology or expensive restoration of the original software. In addition, knowing which data is where at a company with thousands of employees, years later, is no easy task and can be claimed as burdensome in a less high profile situation.
The less certainty about where the data is, the longer and more costly finding is, but the data still exists – somewhere.
Why can’t we find data
The backup environment at these organizations is massive and finding needed data is traditionally a long, expensive process that is only compounded by the breakdown in corporate policy.
Managing corporate data should be a unified effort between the IT department, legal team and records management, but in all actuality each assumes its own part and it causes large policy gaps.
Without this proactive communication and a partnership between legal and IT organizations, IT will continue to store information that no longer has business value but can turn into a liability. eDiscovery costs, finding and collecting data, will also remain high as every time a request is made a new and time consuming search must be commenced through thousands of legacy tapes.
In the past if legal asked IT what data exists where, there would be a blank response. If IT asked legal about data policies, what they should keep and what they can dispose of, the answer would not come easily and each department did “their” job. IT stores the data. Legal requests data. Records management recommends policy. Legal and IT can’t decide who implements policy so no one does.
The data stays on legacy tape, but no one knows exactly where.
Perception versus reality
The lost Lerner emails should serve as a wakeup call for enterprises to understand the lifecycle of data. In order for data to truly “no longer exist,” an organization would need to access all environments (all those backup tapes) and apply a defensible deletion policy. Otherwise claiming that data is “gone” is a weak excuse.
However, permanently removing email can be done, and is actually a beneficial way to control the long-term risk of aged data once it outlives its business, compliance and legal value. This isn’t a back-door ad-hoc job of users hitting a delete key or dumping tape in shredders, but firm policy dictated by those who are charged with protecting the company from any liability.
Deleting corporate data must be done under the guidance of legal and records management professionals – with the key challenge of ensuring the enterprise is keeping what is required for regulatory, compliance and legal purposes, while disposing data that can be misinterpreted or cause a security breach.
The only accurate and defensible way to get rid of data in a corporation is to define a solid policy, and apply it to not only your current production data, but the legacy data as well. By ignoring the legacy data, all an organization does is lose some of the copies. No data should ever be lost. It should be archived, managed or purged.
***for more information on backup tapes, or for quotes contact firstname.lastname@example.org***