Why electronic records could cost a CIO his or her job

Many CIOs, outside of regulated industries such as the financial sector, don't think much about the specifics of data storage until they find themselves in the middle of a lawsuit.

There is one technical decision made by a CIO that could have direct consequences on his or her career: How electronic records are stored. Many CIOs, outside of regulated industries such as the financial sector, don't think much about the specifics of data storage until they find themselves in the middle of a lawsuit. In an interview with Forbes, David Canfield, managing consultant for Kroll Ontrack's electronically stored information consulting group, talked about the direct connection between how data storage technology is utilized and the career of a CIO:

IT doesn't think of content. It thinks of massive amounts of data. They don't know where content XYZ lives. The most common reaction is to hold all the backup tapes. So they've complied with the hold notice, but two years later when legal discovery begins the data they're looking for may only be on backup tapes. That means restoring tens of thousands of backup tapes to find the relevant data. It costs millions of dollars and the CIO didn't budget for this and had no way to know it was coming. The argument starts with legal about whose budget should pay for it and that typically starts the downfall of the CIO.

The solution? CIOs should strive to communicate more with Legal. Make sure you understand their recommendations and that Legal understands the technical and budget limitations you're facing. This means listening to what is required to be legally compliant, and then returning to the table to make sure the steps taken in IT are enough. It also means that CIOs should meet with the IT group to verify that everything is happening as it should. Often a CIO will hand down the "commandment" but won't follow through to see how it's being carried out. And don't forget to revisit the situation at six-month intervals.

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

8 comments
Two Hawks

...how about access to your data if the backups are stolen or taken by law enforcement ;^) I make sure the client is made aware of all (these) aspects (to the level of my expertise) and makes decisions regarding, or in light of, all of them, and that gets recorded in the security protocol development records. One of the huge problems faced outside of stricter corporate agencies is people's tendencies to be lenient about taking on non-enterprise consumer technologies (the "I gotta have that" syndrome) and expecting IT to cover their behind... even when it is not possible. You can strike fear into the small hospital or medical clinic agencies' administration just by pointing to the fed statutes and ramifications, but just about anywhere else, forget about it. The way I see it, no matter what you do, you'd better be sure that protocol and decisions by the client are clearly recorded... if nothing else but to preserve your business integrity when looking for another client or job, not to mention covering your behind in court.

dogknees

We decided some years back that, given the low cost of storage and the fact that the number of new documents grows each year, keeping it all on spinning disks is the safest way to go. They are backed up daily as with all data, so the servers can always be recovered from recent backups. We do full backups weekly and differentials daily (or more often). The advice from the business was that in the absence of a specific reason to do so, data should be kept essentially forever. In some cases, the legal requirement is 13 years, which is as close to forever as "forever" gets in this industry.

C_Tharp

You had better give a lot of thought to how the data will be used when it is needed. Software and hardware upgrades can make data restoration difficult to impossible. I saw an upgrade in backup hardware that was incompatible with the old media. It would have been necessary to find and purchase old hardware and connect it to new systems to read the old media. I wonder how that would have gone. What about data that does not have clear rules for retention? How long should email be kept? What about system configuration or code changes? Should previous operating systems be maintained? The list goes on and on. Every business is different and equally perplexing. Tracy Walters hit a nail on the head about retention period. A policy that discards the data as soon as possible limits the problems.

tracy.walters

...most CIOs don't think about this subject, as Toni Bowers said. This article isn't long enough to cover any situation, and it's going to depend on your Security, Disaster Recovery and Backup Policies anyway. (You DO have those, don't you?) Those policies drive what you retain and for how long, and are determined in part by the type of company you are (private or public) and the business sector you serve. If you have client data because you are a legal or financial services firm, you're probably facing some pretty well-defined rules on data retention. My advice as a security professional: don't retain any data for one day longer than you have to, based on requirements and your ability to remove it from your systems.

gordon.rudd

It's been my experience that the Chief Legal Counsel decides what to keep and how long to keep it. After that decision has been made, the CIO evaluates alternatives and presents scenarios and business cases for each to the senior management team. It is then the decision of the senior management team, eventually ratified by the board of directors, on the scenario/strategy to employ for the organization. All the costs and risks are normally on the table long before this issue appears on the event horizon. IMHO, data retention/retrieval is not an issue a Fortune 2500 CIO will let sneak up on him/her. Data retention/retrieval may be an issue in the SMB space.

CopierITGuy

Electronic records don't mean diddly-squat if you don't have a good Electronic Records Management (ERM) software package to control all of those records. Not having one is becoming "not an option" anymore. Back up your stuff all day long on tapes, offsite or online, but if you can't manage what you have backed up, you're in a world of hurt. It's quite an investment, but far less than the millions spent if you don't have what you need! Plus, it gives you what every CIO wants in the end: control over what matters.

C_Tharp

Ms. Bowers, usually you have something to say worth reading. This was empty. What must be kept? What should be kept? What should not be kept? How long should it be kept? In what form should it be kept? How will the courts expect it to be handled? Who examines the data? etc. "Talk to legal" is obvious, but that is not advice on how to plan.

GSG

Each industry is different on what has to be kept and for how long. For example, HR records have to be kept for a set period of time, but the medical records of a child have to be kept until age 21 plus 7 years, unless the child had a serious medical issue, in which case the records have to be kept longer. Hospitals have to keep everything, while a private company that is not as regulated can pick and choose what to keep. That's why the "talk to legal" advice. Find out what's required for your type of business, and look at what other businesses have done in your sector.