As customer data storage requirements have risen exponentially, data and document retention and how long data should be stored for is becoming increasingly important. Download this white paper to discover how your organisation can view data retention.
The Dangers of not Addressing the Data Retention Issue Who should read this paper Compliance officers and IT decision makers Confidence in a connected world. Content Introduction........................................................................................................1 The importance of information management...........................................................................2 Deciding what to keep and for how long...............................................................................3 Data Protection Act.................................................................................................3 A. General data retention legislation (applicable to most organisations)..................................................4 B. Communications Sector........................................................................................6 C. Financial Services Sector.......................................................................................1 D. NHS Public Organisations.......................................................................................7 Recent case law and decisions by Judges..............................................................................8 Controlling your data................................................................................................9 Importance of data retention and documents in judicial determination of factual issues....................................9 Duty to preserve documents before proceedings..................................................................... 10 Location of data and documents.................................................................................... 10 The importance of archiving and eDiscovery......................................................................... 11 Summary......................................................................................................... 12 The Dangers of not Addressing the Data Retention Issue Introduction As customer data storage requirements have risen exponentially, data and document retention and how long data should be stored for is becoming increasingly important. Not only must organisations ensure that they adhere to the wide-ranging legal requirements for retention but they should also have appropriate data retention policies so as to save themselves significant storage space and costs. Organisations sometimes view data retention as purely an IT issue. However, this paper highlights why data retention is a significant business issue for organisations and why data retention should be addressed by the boards of organisations rather than being left to the IT department alone. Note that this document refers to specific British laws - for example, the Data Protection Act. However it is understood that similar laws exist across Europe and therefore local laws and regulations should be reviewed for other jurisdictions. 1 The Dangers of not Addressing the Data Retention Issue The importance of information management As background, Symantec recently released the findings of its Information Retention and eDiscovery Survey (2012), which highlighted that the majority of organisations were not following their own advice when it came to information management - 82% of respondents believed in the value of a proper information retention plan to sanction the deletion of information, but only 52% actually had one. Survey results also found that 43% of organisations saved information indefinitely instead of implementing policies that allowed them to confidently delete unimportant data or records, and therefore suffered from rampant storage growth, unsustainable backup windows, increased litigation risk and expensive and inefficient discovery processes. The survey highlighted that • Organisations are retaining far too much information. Respondents stated that 36% of the data they back up is not needed for business or should not be kept in a backup. • Organisations are misusing backup, recovery and archiving practices. 76% of organisations routinely use their backup software to implement legal holds and 52% preserve the entire backup set indefinitely. In addition, enterprises cited that 36% of information is unnecessary due to litigation risk. On analysing that survey it seems that many organisations are unsure as to what approach to take regarding data and document retention from a legal point of view and how to consistently enforce appropriate data document and retention policies. Although many organisations agree that to be as efficient and streamlined as possible they need to get rid of unimportant or useful information, there seems to be reluctance by many organisations to address these issues head on. This means they continue to incur huge costs and significant risks by keeping data that they do not need or by keeping data for too long. 2 The Dangers of not Addressing the Data Retention Issue Deciding what to keep and for how long One of the key drivers determining what your organisation needs to retain and for how long, is determined by local laws. This section includes an overview of the Data Protection Act then an examination of recent case law and decisions by Judges. Data Protection Act The Data Protection Act 1998 is one of the cornerstone acts which govern an organisation's data retention obligations within the UK. The Data Protection Act 1998 applies to the private and public sector organisations alike. The Data Protection Act 1998 gives individuals (not companies) the right, on producing evidence of their identity, to be provided with a copy of personal data held about them. Personal data covers: information that relates to a living individual from which that individual can be recognised and where that information is processed (whether automatically or manually). Without the ability to retrieve reliable information, and an accurate audit trail, an organisation will be exposing itself to unnecessary risks. The Data Protection Act 1998 does not specify periods for the retention of personal data. It is left to data controllers to decide how long personal data should be retained, taking into account the Data Protection Principles, business needs and any professional guidelines. For example, organisation would need to look at the following: • The need to balance the requirement of the fifth Data Protection Principle - that personal data should not be kept for longer than necessary - against the need to prevent the premature or accidental destruction of data which would damage the interests of data subjects, contrary to the seventh Data Protection Principle. • The relevant exemptions provided by the Data Protection Act 1998 which allow the permanent retention of data should not be endangered by the overzealous destruction of data that could be retained as historical archives. • The fact that the Data Protection Act 1998 does not override provisions in other legislation (e.g. health and safety legislation) which specify retention periods for personal data. Because the Data Protection Act 1998 does not specify periods for the retention of personal data, organisations must consult the large number of other data retention statutes, regulations, professional guidance and case law which will apply depending on the organisation's business structure, sector of operation and financial operations. Not many organisations have the time, resources or money to do this but, by way of illustration, below are some of the areas that should be considered when looking into legal obligations regarding data retention. 3 The Dangers of not Addressing the Data Retention Issue A. General data retention legislation (applicable to most organisations) (i) Limitation Act 1980 This is an Act of primary importance. It generally gives someone a limited amount of time to bring legal action against another party - if legal action is not taken within this specific amount of time then the claim can be time barred. Although the Limitation Act does not specify a document retention period, it does indicate the length of time documents are required to be kept in order to bring or defend proceedings. These limitation periods can vary hugely between jurisdictions (generally between 6 years (in the UK) and 30 years in some other EU countries). Included are some examples by way of illustration: Nature of Action Starting Point Length of Period Relevant section of Limitation Act Simple contract (i.e. not a deed) Accrual of cause of action (the date of breach of contract). 6 Years Section 5 Tort (other than for personal injuries, under the Consumer Protection Act 1987, for latent damage, or for defamation) Accrual of cause of action (the date the damage is suffered). 6 years Section 2 Personal injury or death Later of: - Accrual of cause of action. - Date of knowledge of the person injured. 3 years. The court has discretion to exclude this time limit if it would be equitable to do so (section 33, Limitation Act). Section 11 and 12 Latent damage other than personal injury (in the tort of negligence) Later of: (a) accrual of cause of action (the date when the damage occurred), or (b) starting date (the date on which the claimant first had both the knowledge required for bringing the action and the right to bring such an action). (a) 6 years. (b) 3 years. Overriding time limit: 15 years (section 14B, Limitation Act). Section 14 (a) (ii) Freedom of Information Act 2000 The Freedom of Information Act 2000 (FOIA) gives a right for people to access information held by 'public authorities'. The important point to note is that under the Freedom of Information Act 2000, it is a criminal offence for a public body to deliberately alter, deface, 4 The Dangers of not Addressing the Data Retention Issue block, erase, destroy or conceal data which has been the subject of an access request under the Data Protection Act 1998 or the Freedom of Information Act 2000 with the intention of preventing the release of the data (see s77 of FOIA). However, data may be amended or deleted after receipt of the access request but before disclosure of the data, if the amendment or deletion would have taken place regardless of the request (e.g. under a retention schedule). (iii) Companies Act 2006 The Companies Act 2006 provides a comprehensive code of company law for the United Kingdom, and made changes to almost every facet of the law in relation to companies. The Companies Act 2006 sets out certain data retention periods. For example, • Under s.388(4), a company must preserve its accounting records for three years from the date they were made in the case of a private company, and six years from that date for a public company; • All companies must keep minutes of directors' minutes from 10 years from the date of the meeting (s.248); and • Company formation records must be kept indefinitely. (v) Income Tax (PAYE) Regulation 2003 Regulation 97 of the Income Tax (PayAs You Earn -PAYE) Regulations 2003 requires employers to "keep and preserve" their "PAYE records", other than those that have to be sent to HMRC, for a period of not less than three years following the tax year to which they relate. Put another way, employers must keep the current year's records, plus those for the previous three years. PAYE records are defined as: • All wages sheets, deductions working sheets, P46 forms for low-paid employees that were not sent to HMRC, and any other documents and records that relate to - The calculation of employees' income for PAYE purposes, - Any other relevant payments to employees, and - The deduction of tax from such payments, e.g. P45s, coding notices; and • All documents and records relating to any information which an employer is required to provide on forms PUD and P9D. These definitions refer to paper records but, where the information from paper records is retained on computer instead of on paper, e.g. the figures needed to complete year-end P14s, P46 details, P38(S) details; the employer must ensure that the computer records are kept in such a way that an HMRC officer would be able to inspect them. Similar provisions are to be found in the Regulations relating to NICs, statutory payments, national minimum wage, payments to subcontractors, gains on share options and student loan deductions. The three-year retention period applies, therefore, to all records that are created solely for PAYE and related purposes. An employer's PAYE records, including those of employers based abroad must be available for inspection by HMRC at a location in the United Kingdom. However, some records that are relevant for PAYE and other payroll-related purposes are, strictly speaking, accounting records and, as a result, they must be retained for the periods defined for accounting records. Examples of such records would be expenses claims relating to business travel, business entertaining and staff entertaining. The Companies Act 2006, sections 386 to 389, requires public companies to keep accounting records for six years. This means, for corporation tax purposes, six years starting from the end of the company's accounting period. Although the retention period for most payroll records is three years, most employers keep such records for six years, to match the general retention period for accounting records 5 The Dangers of not Addressing the Data Retention Issue (vi) Taxes and Management Act 1970 Minimum retention periods for certain financial records are dictated by the Taxes and Management Act 1970. These include wage and salary records which are to be retained for 6 years (sl2B(2)). (vii) US Sarbanes Oxley Act 2002 The Sarbanes-Oxley Act ("SOX") is US legislation that regulates financial reporting. SOX was passed in the wake of the Enron collapse and several other notable financial scandals in the US that involved suspect financial reporting. SOX was designed to revive investor confidence by compelling US companies to produce accurate and transparent financial information. Any company with a listing on NASDAQ or the New York Stock Exchange has to comply with the SOX, even if it is a US company with headquarters outside the US. UK subsidiaries of US corporations are also usually required to ensure that the transactional data that they hold and share with their US parent will meet the requirements of the Act. Section 404 of SOX requires all annual financial reports to include a statement attesting that a company's management has implemented an adequate internal control structure over financial reporting and the effectiveness of the control structure (including any failures). Internal control structure is defined as including measures to ensure that records are maintained in a way that accurately and fairly reflects financial transactions in reasonable detail. Those records must be adequate enough to permit preparation of financial statements in accordance with applicable regulations. The structure should also include controls that will prevent or quickly detect unauthorised use of the company's assets that could have a material effect on a company's financial statements. These provisions apply equally to records contained in email communications as to any other form of communication. Companies will need to ensure evidence of their financial transactions contained in emails is properly preserved and is capable of being retrieved. Checks will also have to be in place to ensure that email communications are properly monitored to enable the prevention or detection of any unauthorised transactions. (viii) The Employers Liability (Compulsory Insurance) Regulations 1998 The Regulations were introduced to address the problem of long-latent disease where claimants are unable to trace employers' insurers and failed to get compensation where employers are no longer trading. The Regulations require employers to retain employers' liability insurance records for 40 years. B. Communications Sector The contentious Data Retention (EC Directive) Regulations 2009 came into force on 6 April, in the face of opposition. The regulations oblige notified communication service providers (CSPs) to retain communications data for 12 months from the date of communication. The regulations cover fixed, mobile and e-mail telephony, communications over the internet and email data. CSPs were obliged to retain electronic and traffic data that might identify the sender and recipient of the communication, the date and time of the call or e-mail, and the geographical location (and direction of travel) of users. The regulations do not require CSPs to retain the content of communications. But notified CSPs must retain data that shows when you made (or received) a call or email, the number you were calling or address you were emailing, the length of the call and where you were when you made the call. Data to be retained includes voicemail, call forwarding and transfer, and unsuccessful call attempts. Furthermore, the United Kingdom has a system of voluntary data retention which derives from Part 11 of the Anti-Terrorism, Crime and Security Act 2001. Telephone operators and Internet Service Providers retain some data [see below] under a voluntary arrangement with the UK Home Office. 6 The Dangers of not Addressing the Data Retention Issue The Part 11 of the Act contains a number of sections which deal with the retention of communications data by fixed line and mobile telephone service providers and internet service providers [service providers]. Communications data includes data which identifies the users of services, data which identifies which services were used and when they were used, and data which identifies who the user contacted. It does not include the content of communications. For example, in the case of a call from a mobile telephone the data to be retained would include data identifying the owner of the phone, who was called, the duration of the call and the approximate locations of both parties. It would not include what was said during the call. The Act requires the Secretary of State for the Home Office to issue a voluntary code of practice on data retention. This has been done. A code of practice has been issued and contains the several requirements as set out below: • Telephony Data - retention period 12 months • Subscriber Information - retention period 12 months - SMS, EMS and MMS Data - retention period 6 months. - Email Data - retention period 6 months. - ISP Data - retention period 6 months. - Web Activity Logs - retention period 4 days. C. Financial Services Sector The Financial Services Authority ("FSA") is the independent body that manages the regulation of financial services providers in the UK. The FSA lays down strict requirements to protect the consumer against malpractice, and has wide investigatory and enforcement powers to ensure those requirements are observed. The FSAs regulations require all financial institutions to store all business emails sent and received for up to six years (and some emails indefinitely). Other data types and retention periods for the Financial Services Sector are as follows: • Record of election to comply: indefinitely. • All other financial records: 3-6 years. • MiFID: 1-5 years. • Basel II risk legacy data: 2-5 years. D. NHS Public Organisations Retention of records for those who work within or under contract to NHS public organisations in England are governed by: • Legal requirements i.e. (a) common law e.g. confidentiality etc., or (b) statute e.g. Limitation Act 1980 etc.; and • Professional best practice e.g. 'The retention and storage of pathological records and specimens' (4th Edition, 2009) issued by The Royal College of Pathologists etc. The 'Records Management: NHS Code of Practice' ("NHS Code") issued on 30 March 2006 is based on these legal requirements and professional best practice. 7 The Dangers of not Addressing the Data Retention Issue The NHS Code - Part 2 sets out in detail the prescribed retention limits and methods of disposal for different types of records (medical, business etc). Such retention limits and methods of disposal are derived from legal requirements and professional best practice. The list is very extensive running up to tens of pages. However, included are some examples by way of illustration: • Genetic records: 30 years from date of last attendance. • Immunisation and vaccination records: For children and young people - retain until the patient's 25th birthday or 26th if the young person was 17 at conclusion of treatment. All others retain for 10 years after conclusion of treatment. • Maternity records: 25 years after the birth of the last child. • Research records (other than clinical trials of investigational medicinal products, health records of participants that are the source data for research: 30 years). Recent case law and decisions by Judges The courts have recently considered the importance of effective data and document retention. Generally the courts are unsympathetic to sophisticated commercial parties that fail to implement proper document preservation procedures. In most cases, a wronged party has six years from the date that a contract has been breached or a civil wrong committed to bring a court action. Even when a court action is taken promptly, a case may not come to court until several years after the event, and memories of the exact events may be hazy, or those involved may be unwilling, or unavailable as witnesses. Often the only clear and contemporary evidence will be contained in emails. Conversely, an organisation may need email evidence to launch its own action to protect its position. A party in a dispute may have a significant advantage over its rival if it can retrieve the evidence faster and more efficiently. Practice Direction 31 of the Civil Procedure Rules ("PD 31") makes it clear that email and electronic communications are documents capable of being disclosed by the parties to litigation. PD 31 also highlights that even where an email has been deleted, if it is reasonably possible to retrieve it, it should be retrieved. In Digicel (St Lucia) Ltd v Cable and Wireless pic the court held that the defendants had not carried out a reasonable search "in so far as they had omitted to search for, and in, the specified email accounts, to the extent that those email accounts might exist in the back-up tapes which had survived." Additionally, the weight that can be attached to favourable evidence is based on the reliability of that evidence. Evidence obtained from an insecure and unreliable system that is not governed by clearly documented and enforced rules will be open to dispute and questioning by the opponent. Organisations that are able to demonstrate that the email evidence has been created, compiled, stored and retrieved in accordance with good industry practice is likely to be attributed higher probative value. Failure to have the best possible archiving system and procedures could mean the difference between winning and losing an important case. It may also have a significant impact on the cost of the litigation. A poor retrieval system would mean added expense to filter all the available data and to identify potentially relevant documents, to remove duplicated documents and process electronic data. Further, the cost of electronic disclosure is also taken very seriously by the courts and the courts in determining costs will give separate consideration as to the cost incurred in relation to e-disclosure and the nature of the e-disclosure, and the conduct of the parties. 8 The Dangers of not Addressing the Data Retention Issue Controlling your data Given the potentially large expense of court actions, organisations need to think about how they manage their data to reduce their risk. Practical steps that organisations can take include: • Enhancing the reliability of email evidence (which now form a large part of any disclosure exercise) by using a system that can manage emails in line with good industry practice. • Having internal procedures in place that control the use of email in order to avoid damaging disclosures being made. • Understanding the legal rules which may allow the disclosure of emails to the other party to be limited. For example, in Timothy Duncan Earles v Barclays Bank PLC  EWHC 2500 (Mercantile), the court had to decide whether to believe the evidence of the claimant, a customer of the defendant bank, or that of the defendant, as to whether the claimant had authorised and instructed the defendant to process certain bank transfers. The claimant's case was that he had not authorised these transfers from his own personal business account to the account of a company of which he was, at the relevant time, a director. He claimed that as a result of these unauthorised bank transfers, when the company went into administration, he suffered consequential loss and damage of approximately GBP2.4 million. The primary issue for the court to decide was whether certain telephone calls and e-mails, which the defendant (i.e. the bank) claimed were made by the claimant (Mr Earles), authorising the transfers were, in fact, made. The interesting point arising from this case was that there was a lack of disclosure on both sides, and in particular, a lack of e-disclosure of key documents, including e-mails from key bank personnel, despite the bank being represented by "first class legal teams, both in and out house". Judge Simon Brown QC concluded that the failure to disclose such documents rested on erroneous decisions on relevance and proportionality by the bank's legal team, rather than being to gain any tactical advantage in the litigation, and ultimately decided the merits of the case in the bank's favour. However, the judge was extremely critical of the bank's failure to give proper disclosure, particularly e-disclosure. He concluded that there can be no excuse, and that it is "gross incompetence" for those practising in the civil courts not to know the rules on e-disclosure, or to practice them. He penalised the bank by awarding it only 25% of its costs (this also took into account that this case, which was heard in the Birmingham Mercantile Court, was not one that merited top class city rates, both for solicitors and counsel). The case should serve as a warning regarding data retention and thinking about e-disclosure at an early stage in the litigation process and to have in place proper procedures so that electronic documents can be quickly located, particularly in relation to employees who may have left a client's employment by the time a dispute arises. Importance of data retention and documents in judicial determination of factual issues In Onassis v Vergottis  2 Lloyd's Rep 403 at 431, Lord Pearce considered the issue of credibility of a witness. He noted that in accident cases, a witness, however honest, can rarely persuade a judge that his memory is better than something taken down in writing immediately after the accident and noted: "Therefore contemporary documents are always of the utmost importance." In Grace Shipping v Sharp & Co  1 Lloyd's Law Rep 207 at 215-6, Lord Goff noted: "... reference to the objective facts and documents, to the witnesses' motives, and to the overall probabilities, can be of very great assistance to a Judge in ascertaining the truth." 9 The Dangers of not Addressing the Data Retention Issue Duty to preserve documents before proceedings While there is no duty to preserve documents before proceedings in this country (British American Tobacco Australia Services Limited v Cowel  VSCA 197, approved in Douglas v Hello 2003 EWHC 55 (Ch)), the position after proceedings are issued is different. In Woods v Martins Bank Ltd  1 QB 55 at 60, Salmon J said: "It cannot be too clearly understood that solicitors owe a duty to the court, as officers of the court to make sure, as far as possible, that no relevant documents have been omitted from their client's list." So, when an organisation is involved in a dispute, one of the pieces of advice given is that they have a duty to preserve documentation that is relevant to their case (whether or not that documentation supports their case). Further, if a client can provide complete and accurate details regarding their case at an early stage (via implementing good documentation retention systems and policies) then it allows them to review the strength (or otherwise) of their case at an early stage which can significantly improve their bargaining approach and position in litigation. Location of data and documents An important decision for an organisation is where to store its data and documents. Organisations are now using on premise or cloud (SaaS) solutions to retain their data for archiving. However, businesses should be aware of certain data protection aspects of storing personal data in various locations. Principle 8 of the Data Protection Act 1998 stipulates that personal data is not to be transferred to a country outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to its processing. This principle applies only to information transferred outside the EEA, not within it. The EC recognises a number of countries which it deems to meet the adequate data protection criteria, including Canada, Switzerland, Argentina and Israel, with the transfer of personal data to such countries not being in breach of Principle 8. Likewise, Principle 8 will not be breached if the transfer of personal data occurs to a recipient in the US which has signed up to the US Department of Commerce Safe Harbor Scheme or the transfer is made under a contract which includes the EEA model data transfer clauses (which stipulates a number of safeguards for the data). On this basis with the proliferation of cloud, it is important for organisations to be aware where personal data is held and to put in place appropriate protections where necessary. 10 The Dangers of not Addressing the Data Retention Issue The importance of archiving and eDiscovery This paper has looked at laws governing data retention as well as the duty an organisation has to present information in a timely fashion if challenged as a result of an investigation or court case. However, we live in extraordinary times. Each year the amount of data we produce increases dramatically, driven by the numbers of people using diverse communication channels and adopting social media and collaboration platforms, such as Microsoft SharePoint®. The market research company, Radicati, indicates that the enterprise messaging and collaboration markets will growing at an annual average rate of between 15% - 35% over the next four years. Whilst the average corporate email user sends or receives 110 emails a day and this is set to grow to 125 by 2016. That's around 10.5 MB email storage per user per day, expected to increase to 12.7MB email storage per user per day by year end 2016. Whilst overall, it's estimated that, despite spam filters, over 107 trillion emails have been i produced worldwide already. Each year the challenge of what to do with this data increases. How do we store, manage and protect this data until we need it again. Can we find it again if we need it? For example; it's time consuming and expensive to find, collect and preserve emails for internal investigations (like a HR manager that needs to see every email from an unhappy ex-employee sent 2 years ago) or a Director asked to produce emails as evidence in an external regulation enquiry. These investigations are disruptive and time consuming for anyone in the organisation but particularly for an IT department. They may not have the tools or the resources needed to pinpoint exactly what you are looking for. You cannot even be sure that the email was saved in the first place. Your company is exposed to significant financial and legal risk if the archiving, retention and expiration of data is done poorly - or not done at all. Archiving provides tools, and processes that you need for fast access, visibility and control of your data so HR, IT and Legal teams can feel confident about facing internal audits, compliance and legal matters. When choosing an archiving and eDiscovery vendor, you need to consider: • Archiving is a long term solution. You want confidence that business records will be maintained and made available to you for as long as you are in business so look for archiving solutions from well established, well-funded vendors with a history of financial stability. Ones that are unlikely to collapse or be acquired. • Vendors with long term product roadmaps and evidence of investment in technology will be endorsed by analysts and offer customers that will share their experiences with you. Vendors you can trust will arrange site visits to see their archiving solutions working for small, medium and large customers so you know they can scale up or down according to your needs both now and in the future. • Look for a security focused vendor that understands your concerns about archiving in the cloud. One with a focus on mailbox management and continuity so you can stay in business during an outage and look for a vendor that can talk to you about discovery? How quickly can they help you find a record when you need one in a hurry? • Consider vendors that offer a choice of on-premise and in the cloud solutions (or a hybrid of the two). This gives you maximum flexibility as your company grows and lets you decide the degree of control you want to maintain over your data. In addition, it lets you control archiving costs as it best suits your organisation. For example, some organisations prefer to reuse existing infrastructure and manage the systems for themselves, incurring capital expenditure that can be written off over a certain period. Whilst others prefer the reassurance of a fixed monthly fee and unlimited storage, payable out of operating expense, as offered by some cloud vendors. • Look for archiving & eDiscovery leadership. Copies of industry standard reports, such as Gartner 2012 "Magic Quadrant for Enterprise Information Archiving Solutions" and Gartner 2012"Magic Quadrant for eDiscovery Software" give a clear and unbiased summary of the key vendors in this space, including both their strengths and weaknesses. i- Information Archiving Market, 2012 -2016 (The Radicati Group, Inc, July 2012) 11 The Dangers of not Addressing the Data Retention Issue Summary As an organisation, addressing data retention (what data you keep and for how long) is paramount in order to keep the right data for the right amount of time and to avoid unnecessary storage costs. Organisations can start looking at their data retention issues by segmenting the kind of data they hold and then reviewing the legal obligations they are under regarding how long they have to hold that data for. This can then be distilled into a data retention policy which can be updated regularly. Data retention is an important business issue for organisations to address rather than simply being viewed as simply an IT issue. Many organisations leave data retention issues to their IT staff to decide upon but organisations should be addressing the issue of data retention at board level, because it needs to be at the heart of how they manage their business. 12 About Symantec Symantec protects the world's information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment - from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia. http://enterprise.symantec.com Symantec EMEA Headquarters Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names may be trademarks of their respective owners. 4/2013 21291269 350 Brook Drive,Green Park Reading, Berkshire, RG2 6UH, UK +44 (0)870 243 1080 www.symantec.com