Information explosion is a reality that all organisations, including governments, have to deal with. Information is crucial to a business, for knowledge management or for regulatory compliance. In this context, Symantec commissioned the ‘2011 Information Retention and e-Discovery Survey’ to understand the critical issues in the field of information management.
Vijay Mhaskar, vice-president, Information Management Group, Symantec, spoke to Samir Sachdeva and Shubham Batra about the key findings of the survey. Edited Excerpts of the interview:

Why do enterprises have to retain information for long?
The enterprises retain or discover information for a number of reasons. The discovery could be coming from two angles. The first is for the business reason, to make information available from the operations perspective. The second is the compliance or legal aspect, where a certain legal case is filed and you need to produce some piece of information in a court of law.

Symantec carried out an Information Retention survey. What is this survey all about?
It’s a global survey that we did. We surveyed around 2,000 organisations and 1,000 plus employees. We took a cross-industry sample. The sample included government, banking, financial services and insurance (BFSI) sectors and information technology industry. In India, about 100 enterprises polled for the survey.
Here we found wide variations in information retention practices. On one hand, there are enterprises that take care of the information as part of the formal retention plan. They know what information needs to be retained, what are the policies for retention and for how long the information has to be retained. On the other hand, there are enterprises that do not have a formal retention plan. In some cases, they are using backup tapes or are asking their employees to retain information on their laptops. Surprisingly, only 20 percent of the organisations have a formal information retention plan.

When you talk about enterprises, are you also talking about government enterprises and organisations?
Government is also included but we do not have a split of government as a separate sector. We don’t have a sample size of any vertical of the countries. It’s a hundred enterprise sample. But we know that the sample covers all major verticals.

What were the other findings of the survey?
The second finding is organisations are still not prepared. They know the risks but are taking time to address these risks. They still do not have a formal retention plan. The third key finding is that companies employing best practices are doing much better. They are well prepared for recovering information for business or legal reasons. Another finding is that the digital data is increasing at an alarming rate. Take for example the UID project. The data for one applicant including all the images is stored in a data size of 10 MB. Now we have over one billion population in India. So you can yourself imagine the size of database required.

Can you give more examples of how digital data is increasing in India?
Previously the telecom operators had to store their SMSes for about a week but the home ministry has given a directive that the SMSes have to be kept for at least six months now. It runs almost in trillions of SMSes.

It appears that different kinds of information have to be retained for different periods of time.
Every information or data has a lifecycle. The data gets created, used, referred to and then it expires. That is exactly what the enterprises have to follow. Everything need not be retained and everything has a different lifecycle. If the information has finished its life, it needs to expire and it needs to be deleted. And that is why it is very important to manage the information.
The second point is about the retention regulation. I mentioned a couple of them but, by and large, there is no central law from the government to drive retention of information. We have seen in the US and in Europe, there are laws coming up which make retaining the information madatory. But in the absence of any central direct law, what happens is that each organisation has to decide its own policy for information retention.

Do we have specific guidelines or legislation regarding data retention?
Apart from the ones I mentioned, no central law is in place. And what we have heard is that the Reserve Bank of India (RBI) may come out with some guidelines for the banking sector and there is some discussion on that, but again we don’t have any data points on that as to what are the specific directions from there.
There could be guidelines but there is no regulation. The only ones that we have seen so far are the directives that have come from the home ministry.

What is the average amount of information that an organisation needs to store?
We have observed from the survey that on an average an Indian enterprise has about 121 terabytes of data. So the terabyte club is not exclusive anymore and many organisations have a large amount of data and it’s growing at the rate of 20 percent.  

What is the storage cost factor for information retention?
A third of the backup is not really required, which indicates that that information has really expired and one could have deleted it. Besides that, there have been no fine data points we have. In general, not every piece of information is required by organisations to be kept for that long. Generally, it is very expensive to keep anything for an infinite period. What we have also observed is that how often organisations are required to produce the information for legal reasons and in India you have to provide it at least four times a year.

Are you referring to the regulatory compliances for the corporate affairs ministry for filing annual reports?
It includes all the legal issues including any criminal case against a company. It is really about any legal requirement for a company to put out its accounts.

So, what is your advice to organisations?
First, organisations need to have a formal retention plan. Once that retention plan is put in place, it is required of the organisations to delete the information that has expired.
Second, organisations should back up information where restore is required within 35-60 days. Beyond 60 days, it is mostly the information retention for legal and business reasons and the right way to retain that information really is using the archival technology.
Third, one should be able to audit the information retained. So that right information gets retained for the right period of time and then you can see if your audit is complying with the original plan.
The fourth area is about legal requirements, wherein one has to ensure that the information is not deleted. The last point is about the comprehensive and holistic view. Every year there are new sources of information getting added to ensure that the information in the archives or the retention system put in place has a very comprehensive and holistic view.

samir@governancenow.com