"I don't know if it's necessary," he said. "If they enforce the stuff they've got, we should be fine."
Savarino, who has been advising IT managers on data retention issues for the past seven years, said that companies that are implementing retention systems today often do little more than keep data for 30, 60 or 90 days and then hit the delete button. In such cases, legacy documents are unavailable, and it isn't possible to show trends over time, he noted.
"I do not subscribe to the 30-, 60-, 90-day policy. I think they are woefully inadequate, and I don't think they comply with most rules and regulations," Savarino said. "When regulators audit regularly and investigate regularly, that's when they're going to start discerning who's keeping e-mail and who's not. They just haven't been doing that on a regular basis."
Savarino said IT managers and corporate legal departments should take the following three steps to prepare for the coming oversight onslaught:
- Learn what the data retention laws require specific industries to do.
- Install packaged archival and retrieval tools because it's too difficult to handle those tasks manually.
- Utilize outside legal counsel.
"I know that sounds self-serving," Savarino acknowledged, "but outside lawyers can help companies figure out what the laws are and establish retention schedules and determine how to set up electronic archive 'buckets' to hold on to e-mail and documents."
Lawyers can also help set policies, procedures and parameters to deal with litigation holds, which require firms that have been notified about a potential lawsuit or government investigation to retain all potentially-relevant electronic documents. Two years ago, Congress approved the Federal Rules of Civil Procedure, which set a baseline for which electronic documents must be retained and retrievable by corporate litigants in a court case.
After completing an initial public offering two years ago, Great Florida Bank installed a complete electronic-documents archive and e-discovery system to deal with the additional regulatory oversight facing publicly-held financial institutions.
The e-discovery system, from Santa Clara, Calif.-based Mimosa Systems Inc. -- along with two Hitachi storage-area networks (SAN), and Exchange and a SQL server cluster upgrade -- cost $500,000, and it was worth every penny, Torres said.
Now all of the bank's e-mail and electronic documents are automatically indexed and stored on the two SANs, which replicate the data for disaster recovery.
Torres said the system is very helpful in the auditing process and will likely help the bank deal with any lawsuits filed against it by ex-employees or customers.
Sign up for Computerworld eNewsletters.