There are many reasons why organizations need to keep accurate records of online data like website content, official social media accounts, corporate chat tools, and mobile text messages. For instance, the Freedom of Information Act (FOIA) and state-level Open Records laws demand that public-sector organizations keep accurate records of this information in order to respond to Open Records requests.
Similarly, highly-regulated industries like financial services have stringent recordkeeping requirements that demand all communications from regulated employees be retained for possible audit, including emails, corporate chat messages, and mobile texts.
And then there’s the issue of litigation. With so much commerce and communication taking place online, it’s hardly surprising that website content and social media conversations often feature prominently in legal matters. This demands that organizations keep accurate records of content, including sometimes overlooked content like website copy changes and deleted comments on social media pages.
As the popularity of these communication channels continues to grow, legislation and litigation around them are also increasing, which is why many organizations (both in the public and private sectors) are choosing to get ahead of the challenge and adopt a best-practices approach. Instead of having to react to a sudden lawsuit or new piece of legislation, they want to be ready for whatever lies ahead.
But this raises the question: what do organizations need to do in order to ensure that their records will satisfy a court of law or compliance auditor? Here are seven rules that legal and compliance teams should follow to ensure that their electronic records provide them with adequate protection.
1. Collect All Communications (Websites, Blogs, Social Media, etc.)
These days, most organizations are archiving emails, but many still aren’t collecting content from sources like websites, social media, team collaboration tools, and mobile text messages. While some rules and regulations are explicit in expressing the need to collect this information, others are more open to interpretation, but it’s exactly this ambiguity that makes it important that organizations collect all forms of online communication. Since rules can often be vague, it’s a best practice to collect all data that could be relevant to recordkeeping regulations.
2. Preserve Data for At Least 3 Years
When it comes to government organizations or companies in industries like financial services, required retention periods are typically specified. These depend on the record in question and can range anywhere from three to ten years. However, if there is no clear required retention period, it’s a good idea to retain records for at least three years. For government agencies focused on transparency and companies interested in preserving institutional memory, it makes sense to hold on to these records much longer—even indefinitely—but at the very least, it’s a good best practice to retain records for three years.
3. Store Data in Original File-Formats (HTML, CSS, PDF, etc.)
Many organizations believe that screenshots or backups from a Content Management System (CMS) are adequate when it comes to recordkeeping. If recordkeeping laws aren’t particularly clear, this may be true, but they do not meet regulatory requirements in highly-regulated industries. So for organizations looking to ensure that their records will meet the stringent demands of a courtroom or an auditor, it’s best to ensure that records are stored in their original file format. For instance, taking a screenshot of a webpage or social media post transforms the record into a simple JPEG. Why does that matter? That question takes us directly to our next point.
4. Collect Metadata and Apply Timestamps/Signatures
Regardless of whether records are needed for litigation or regulatory compliance, the ability to prove the authenticity of those records is crucial. That’s why organizations should not only collect data in original file formats, but also collect all associated metadata and furnish the record with a timestamp and digital signature at the time that the record is created. By doing this, an organization is able to prove that the record is an accurate reflection of what appeared on a website or social media account on a particular day.
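One way to apply rule 4 in code, as an added example that is not from the original article or any vendor's product: the original bytes are hashed, bound to the capture metadata and a UTC timestamp, and sealed so that any later edit to content, metadata, or timestamp is detectable. Assumptions: HMAC-SHA256 from the Python standard library stands in for a digital signature, the timestamp comes from the local clock rather than a trusted timestamp authority, and `seal_capture`, `verify_capture`, the key, and the sample page are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real archive would keep signing keys in an HSM or KMS.
SEAL_KEY = b"constructed-demo-key-not-for-production"


def _canonical(record: dict) -> bytes:
    """Serialize deterministically so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_capture(content: bytes, metadata: dict, key: bytes = SEAL_KEY, now=None) -> dict:
    """Bind original bytes, metadata and capture time under one authentication tag."""
    captured_at = (now or datetime.now(timezone.utc)).isoformat()
    record = {
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
        "metadata": metadata,
        "captured_at": captured_at,
    }
    seal = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "seal": seal}


def verify_capture(content: bytes, sealed: dict, key: bytes = SEAL_KEY) -> bool:
    """True only if the content, metadata and timestamp are all unchanged."""
    record = sealed["record"]
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["seal"]):
        return False  # metadata, timestamp or stored hash was altered
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, record["sha256"])


# Constructed sample capture of a web page in its original HTML form.
PAGE = b"<html><body><h1>Fee schedule</h1><p>Annual fee: 1.0%</p></body></html>"
META = {"url": "https://example.org/fees", "content_type": "text/html",
        "http_status": 200}

if __name__ == "__main__":
    sealed = seal_capture(PAGE, META)
    print("intact:", verify_capture(PAGE, sealed))
    print("edited copy:", verify_capture(PAGE.replace(b"1.0%", b"0.5%"), sealed))
```

Because the seal covers the hash of the original bytes, a screenshot or re-rendered copy of the same page cannot be verified against the record.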
5. Preserve in Non-Rewriteable, Non-Erasable (WORM) Format
Another important way of showing that archived content has not been edited or tampered with is to store records in an unalterable format—a format that is non-rewritable and non-erasable. A popular and very effective unalterable format is WORM (write once, read many), which allows data to be written to a disk once, after which it’s impossible to edit, rewrite, erase, or rename a file. Apart from proving authenticity, WORM storage also has the added benefit of preventing accidental deletion of records.
6. Serialize and Retain on Duplicate Media
As mentioned, in many cases backups do not meet the recordkeeping requirements of regulators, but that doesn’t mean that an archive itself shouldn’t be backed up. It’s important to ensure that data is serialized and retained on duplicate media in case of a major failure. It’s also important to consider how and where this data is physically stored. How secure is the data center? Is the archiving vendor ISO 27001 certified? Does the vendor have a disaster recovery plan in place?
7. Ensure Records Are Indexed and Searchable
What differentiates an archive of electronic records from a basic backup of data is the fact that properly archived records are indexed, meaning that the content is compiled in a way that makes it easy to search. So when a specific record needs to be found, all that’s required is a simple search and not a labor-intensive trawl through thousands of files. Properly indexed data also maintains relationships between data and users (allowing for the posts and comments of a specific user to easily be identified), and even allows metadata to be searched.
Pagefreezer simplifies compliance and litigation by automatically archiving websites, social media, mobile text messages, and enterprise collaboration platforms in a cloud-based dashboard. To see our solution in action, simply request a demo.