
Sales US Tel: 800 707 4492 UK & Europe Tel: +44 (0) 870 766 9379

Compliance -> Document retention

Enforcing electronic document retention requirements and policies

ENFORCING ELECTRONIC DOCUMENT RETENTION POLICIES AND PERIODS

Electronic document retention and DRM systems

It is a little known fact that Digital Rights Management (DRM) systems have a really valuable role to play in electronic document lifecycle management because they can enforce document retention periods.

Electronic document lifecycle is all about ensuring that enterprise documents are created correctly, only issued when approved, are retained and are available only for the time period required by regulation. After that point documents must cease to be available. This also has to apply to documents that did not originate from inside the enterprise, but came from outside sources (typical examples of documents from outside include purchase orders; consultant’s reports; business correspondence; reports on product tests).

The really difficult problem for the Information Manager (and their DMS) is to solve how to control the life of electronic documents that go outside of the enterprise, and therefore outside the control of a Document Management System (DMS). DMS systems only ever control documents inside their own databases – they don’t control documents as part of email, or in long term storage and backup. But, most importantly, they don’t ensure that all instances of the document are removed from wherever they have gone to.

Why should this matter?

Well, in most industries there are two critical things – to be absolutely certain that you have all the information that regulators require, and that you have no information whatsoever that is not required.

This is not to suggest that enterprises are doing anything wrong in only keeping information as long as is necessary. Far from it. Corporate bodies (and governments) are obliged to take all reasonable steps to protect the interests of their shareholders, and that means removing theoretical liability by never having any documentation that is not actually necessary.

The major problem is that if information is also in the hands of people outside the direct control of the enterprise, then the enterprise cannot guarantee that the information will not be revealed.

But help is at hand! DRM systems are the only ones capable of providing the extended use controls over electronic documents that have gone outside of a DMS. But even then, not all DRM systems are equal.

At one level, a DRM system must be able to enforce that an electronic document cannot be used once its time is up.

At another level, a DRM enforcement system must be proactive in ensuring that access is prevented, by deleting it from the computer system on which it is held. Of course, with modern backup systems, you can likely always recover the original protected file, but the important point is that if the DRM enforcement system is actively preventing any access to the information, then it can be argued that it is not, and never can be accessible, and therefore does not exist.

At the same time, if, as a result of litigation, the process of discovery is taking place, then as soon as information is found under discovery then it must continue to be available regardless of any enterprise policies that may be relevant.

So this means that any DRM system must be capable of supporting several administrative functions. It must be possible to extend access to electronic documents beyond the date at which they should have been deleted. It must also be possible to delete all permissions for controlled documents so that they can never be recovered and accessed even if the controlled versions can be found.

And, the DRM system must actively prevent continued attempts to access documents once they have passed their ‘use by’ date.

Ordinary encryption systems simply do not ‘cut the mustard’ in this environment, because once the recipient has decrypted the information there are no abiding controls being applied to the documents. That is the power of DRM – to continue to apply the controls that the original information owner required, regardless of the desires of the recipient of the information.

Ensuring your electronic document retention requirements are met

When looking at a DRM system to achieve these results, make sure that it will impose an end date of use, so that you can be sure it will not be available past that date. But also make sure that you can change the end date! This is important because if the information has to be disclosed during litigation or the inquiries of a regulator, then you need the ability to make sure the information stays available until that process has ended, and once it has that access is ceased.

Make sure that you can remove the rights to use from recipients once their need to use the information has ended, and that you can delete any references to the protected documents so that once electronic document destruction has taken place the document contents cannot be recovered even if the protected document is available.

DRM controls provide you with a very effective means of enforcing electronic document retention/destruction without the need to reprocess backup tapes or try to recover information from email systems or other organizations.

Enforcing electronic document retention policies with LockLizard DRM products

LockLizard DRM products enable you to enforce electronic document retention policies for your PDF documents and web based content. Information can be set to expire on a given date and once that date is reached, content is no longer viewable.

LockLizard DRM enforces electronic document retention policies inside and OUTSIDE the enterprise ensuring document retention periods are kept, and your document retention requirements are met.

Locklizard DRM products are ideal for helping you comply with electronic document retention policies inside and outside the enterprise. Ensure electronic document retention requirements and enforce policy periods with our document retention DRM products.