Document DRM: Enforcing Electronic Document Retention Policies
Electronic document retention and document DRM systems
It is a little known fact that Digital Rights Management (DRM) systems have a really valuable role to play in electronic document lifecycle management because they can enforce document retention periods and document destruction.
Electronic document lifecycle
is all about ensuring that enterprise documents are created correctly, only issued when approved, are retained and are available only for the time period required by regulation. After that point documents must cease to be available. This also has to apply to documents that did not originate from inside the enterprise, but came from outside sources (typical examples of documents from outside include purchase orders consultant's reports business correspondence reports on product tests).
difficult problem for the Information Manager (and their DMS) is to solve how to control the life of electronic documents that go outside of the enterprise, and therefore outside the control of a Document Management System (DMS). DMS systems only ever control documents inside their own databases – they don't control documents as part of email, or in long term storage and backup. But, most importantly, they don’ t ensure that all instances of the document are removed from wherever they have gone to.
should this matter?
Well, in most industries there are two critical things – to be absolutely certain that you have all the information that regulators require, and that you have no information whatsoever that is not required.
This is not to suggest that enterprises are doing anything wrong in only keeping information as long as is necessary. Far from it. Corporate bodies (and governments) are obliged to take all reasonable steps to protect the interests of their shareholders, and that
means removing theoretical liability by never having any documentation that is not actually necessary.
The major problem is that if information is also in the hands of people outside the direct control of the enterprise, then the enterprise cannot guarantee that the information will not be revealed.
But help is at hand! Document DRM systems are the only ones capable of providing the extended use controls over electronic documents that have gone outside of a DMS. But even then,
not all Document DRM systems are equal.
At one level, a Document DRM system must be able to enforce that an electronic document cannot be used once its time is up.
At another level, a Document DRM enforcement system must be proactive in ensuring that access is prevented, by deleting it from the computer system on which it is held. Of course, with modern backup systems, you can likely always recover the original protected file, but the important point is that if the Document DRM enforcement
system is actively preventing any access to the information, then it can be argued that it is not, and never can be accessible, and therefore does not exist.
At the same time, if, as a result of litigation, the process of discovery is taking place, then as soon as information is found under discovery then it must continue to be available regardless of any enterprise policies that may be relevant.
So this means that any Document DRM system must be capable of supporting several administrative functions.
It must be possible to extend access to electronic documents beyond the date at which they should have been deleted. It must also be possible to delete all permissions for controlled documents so that they can never be recovered and accessed even if the controlled versions can be found.
And, the Document DRM system must actively prevent continued attempts to access documents once they have passed their 'use by' date.
Ordinary encryption systems simply do not 'cut the mustard' in this environment,
because once the recipient has decrypted the information there are no abiding controls being applied to the documents. That is the power of DRM – to continue to apply the controls that the original information owner required, regardless of the desires of the recipient of the information.
Ensuring your electronic document retention & destruction requirements are met
When looking at a Document DRM system to achieve these results, make sure that it will impose an end date of
use, so that you can be sure it will not be available past that date. But also make sure that you can change the end date! This is important because if the information has to be disclosed during litigation or the inquiries of a regulator, then you need the ability to make sure the information stays available until that process has ended, and once it has that access is ceased.
Make sure that you can remove the rights to use from recipients once their need to use the information has ended, and
that you can delete any references to the protected documents so that once electronic document destruction has taken place the document contents cannot be recovered even if the protected document is available.
DRM controls provide you with a very effective means of enforcing electronic document retention and destruction without the need to reprocess backup tapes or try to recover information from email systems or other organizations.
Enforcing electronic document retention policies with
LockLizard Document DRM software
LockLizard Document DRM products enable you to enforce electronic document retention and destruction policies for your PDF documents and web based content. Information can be set to expire on a given date and once that date is reached, content is no longer viewable.
LockLizard Document DRM enforces electronic document retention and destruction policies inside and OUTSIDE the enterprise ensuring document retention periods are kept, and your digital document
retention and destruction requirements are met.
| || |