Policies around data storage and document retention are integral to the smooth functioning of any organization, but these documents must be drafted carefully to ensure that employees actually follow them. R. Jason Straight – senior managing director at Kroll Ontrack, a provider of data recovery solutions and legal technologies – explained the differences inherent in these policies.
"A data storage policy dictates to employees where they can store documents and what kinds of documents they're allowed to store in what places – it's more of a security policy," he said. "A document retention policy is something that defines what a company has a legal or business obligation to retain for some period of time."
Still, both policies are intertwined. "You'd want to approach the creation of either of these policies in conjunction with the other," Straight explained. "You can't start drafting a data storage policy without understanding what your retention obligations are."
Straight offered tips on how organizations can design these policies to maximize effectiveness.
"You have to design a DRP or DSP from the perspective of your employees and the users of your systems," he said. "If you don't balance your security and document retention obligations against the needs of your employees to work efficiently, your employees are going to balance it for you after the fact. If you impose obligations on employees that are unreasonable, that are going to drag them down and keep them from getting their job responsibilities completed, guess what's going to get the priority? They're going to get their job responsibilities completed whether or not they're in compliance with your policies."
Unfortunately, it isn't uncommon for these types of scenarios to play out in an organization.
"When something does go wrong, you have to assume that whatever system you put into place is going to break down – people are going to violate the policy, and there will [likely] be a security breach [in terms of] document storage policies," Straight said.
Imagine it's a Friday afternoon; an employee has to finish up work on a spreadsheet but has tickets to a baseball game or wants to catch his child's recital. So, he decides to load the spreadsheet – which has Social Security numbers and other confidential information embedded in it – onto his personal laptop, allowing him to work remotely. He may or may not be aware of the company's security policy, but trouble can ensue if he unintentionally leaves the laptop in a car or hotel room, Straight said.
This scenario also highlights one of the biggest mistakes a company can make when it comes to security policies: not fully considering their feasibility.
"People who often end up getting tasked with the challenge of developing these policies are [those] in the legal department, compliance department or a security-type function," he said. "From experience, those are often the people with the smallest ability to see the policy from the perspective of the rank and file because their whole world is focused on: Are we in compliance? Are we following our legal obligations? Are we secure? Are we safe? And they don't often have the perspective of: Yes, we need to protect our data and we need to make sure we're in compliance with the regulations that apply to our business, but our people have to be able to operate."