2007-04-13

The heightening "DR3" tension, by which I mean the tension among document retention, disaster recovery, and discovery requests, is highlighted by the current kerfuffle over White House staffer email gone missing, and then rising like the phoenix. Interesting recount of events are reported in today's New York Times and elsewhere.

It appears that, by using the facilities (i.e. email accounts) of the Republican National Committee, as many as 50 WH staffers may have violated the Presidential Records Act. That act generally requires in perpetuity preservation of certain government documents. The RNC, however, has a document retention policy providing for the destruction of all emails after 30 days. Oops.

There have been conflicting statements in connection with these emails. They are "missing," "lost," or "deleted." Some 2400 pages of documents are reported by the NYT to have now been located and provided to Congress. Karl Rove is reported to have understood that "all" of his emails were being archived. All in all, one huge mess.

This points to two major DR3 tensions, the first of which is between document retention programs and statutory or regulatory retention laws and regulations having conflicting requirements.

The second DR3 issue is the "copies" or "backups" of documents which, according to the "document retention" program, now suddenly crop up after they are believed to have been destroyed in accordance with said document retention policy.

This parade of horribles underscores the need for C-level and other top management to be involved in the architecting and actual comprehension of document retention policies (and by this I don't mean having your IT people nod and tell you that "all is ok") and to institute some way to ensure, in a persistent manner, the proper enforcement of those policies.

Guess what, fellas and gals? This is all about information security and legal issues, and none of it is about perimeter defense.