That the majority of information organizations must manage is classified as an inactive record is a fact of doing business thanks to long-term retention guidelines and the vast quantity of information generated daily by technology. Out of context, a stack of files that aren't likely to be requested may seem relatively harmless. But, look again. They're an enormous thorn in the side of any RIM program implemented with even the slightest inconsistencies.
FAST FACT: Organizations that don't properly manage inactive records put themselves at risk for security breaches, severe fines and noncompliance.
DID YOU KNOW: 39 percent of organizations surveyed for the 2012 Compliance Benchmark Report take an ad hoc approach to managing inactive records.
In a way, investing resources into storing and managing the life cycle of data that is never to be used again is akin to saying, "Hurry up and wait." That is, until the alternative is considered. The time and resources it takes to properly mind all records is a breeze compared to the severe fines, legal issues and brand troubles that result when even one inactive record is neglected.
Developing a compliant records and information management (RIM) program that covers the storage and classification of data at rest is a guaranteed insurance policy in today's regulatory climate. On paper this makes sense, but the real challenge comes with consistent implementation.
Take a Cue from Gardeners
Information management is a continuous endeavor with multiple moving parts. Policies evolve as the organization they're designed to protect and support grows. By nature, offline records won't literally change, but the method used to handle them should be able to evolve with the overall RIM program.
Gardeners set a perfect example for defining boundaries and performing routine maintenance with an almost mechanical understanding that their domain will gradually change over time. In addition to weeding out unwanted growth and guarding plants from harmful pests, the greenest gardeners have a system for storing different kinds of seeds depending on vulnerability, and they know how to properly dispose of expired material to maintain the health of the whole ecosystem.
A gardener's priorities are similar to a records manager's main objectives. Here are three essential capabilities of both:
1. Identification: According to the 2012 Compliance Benchmark Report, 61 percent of organizations surveyed are able to identify, store and dispose of every inactive record according to their retention policies. While this number has since declined, it shows that companies are on the right path toward unifying RIM practices.
Organizations must have the capacity to distinguish data that is vital to daily operations from files that will not be requested until it's time for the shredder. Otherwise there is unlimited potential for a bad situation to escalate to a worst-case scenario. For instance, the purpose of a hybrid data recovery plan is to store the most important information in a way that allows a company to expedite retrieval in case of catastrophe. Under the same plan, inactive data is backed up using a more affordable, offline method like offsite tape vaulting. Without proper identification, all information is lumped together in one backup system, which makes for painfully slow and costly recovery.
2. Storage: Vital records are classified as such in order to be stored with maximum accessibility, often either onsite or scanned for online use. Identification allows companies to consolidate resources by storing inactive information in a secure offsite facility long term. This can also serve as the organization's archives of historical data and fodder for big data analysis in the future.
Records discoverability is an issue for companies that experience rapid growth, relocate or open additional offices in multiple cities. A trusted storage partner can ease the burden by mirroring a company's onsite indexing and classification system. This, combined with thorough records inventory, allows a company to grow without letting increasing amounts of information create a problem.
3. Disposal: Most data becomes inactive after about 30 days, but regulations dictate that it must be kept for seven to 10 years. During this time, it must be protected and retrievable within a reasonable amount of time should it ever be requested. Once retention is met, it should be disposed of in a secure, timely way. This last stage in the life cycle calls for routine visits to the shredder for paper files. But all that digital data stored on IT equipment shouldn't be forgotten.
Backup tapes, CDs and hard drives are practical devices for storing huge quantities of data for a long period of time, but the secure destruction process for plastic media can make your head spin. If data is not fully eradicated, it's recoverable. Recovered information, whether it comes from inactive or sensitive records, is a legal liability that can lead to a roller coaster of fines and public relations nightmares.
The problem is that few companies have the resources to successfully destroy and safely dispose of IT storage equipment. The right partner will not only incinerate media using an auditable, earth-friendly waste-to-energy process. They'll also provide a formal certificate to guarantee the job is done right.
Remove the Thorn
If data at rest is causing unrest behind the scenes — whether it's proving hard to find, easy to lose or impossible to destroy in-house — a third-party storage partner can help with every stage of the life cycle.
Do you have questions about information management? Read additional Knowledge Center Records Management resources, or contact Iron Mountain’s Records Management team. You’ll be connected with a knowledgeable product and services Records Management specialist who can address your specific challenges.
Filing Systems Are Due for a Tune-Up
The Retail Data Lifecycle: Know When to Fold 'Em
Disaster Recovery Make Sure the Odds Are in Your Favor