This is where your legal team isn't doing their job.
Part of the legal team's responsibility is to determine what is the
appropriate retention period for your company's documents. Yes, if you
divulge that you keep documents for all time, you can be forced to produce
them under law and failure to do so can result in penalties or loss of your
case if the judge deems your activities surrounding potential evidence to be
spoliation of evidence (the intentional, reckless, or negligent withholding,
hiding, altering, fabricating, or destroying of evidence relevant to a legal
proceeding).
The $50K for a converting a microfiche doc to a piece of paper is kind of
crazy, since microfiche is no different than regular film and someone could
have used one for the $100 film to digital usb attachments for your computer
to read off the microfiche copy.
If you really wanted to be old school, as in a real Boy Scout, you could
just shine a flashlight through the microfiche onto a wall and take a
picture with your phone. J If you really want to stress your Bot Scout
skills you would a magnifying on the other side of the microfiche to pretend
to be a microfiche reader.
Besides your legal team determining and you enforcing document retention,
you have to be careful about are you really enforcing document retention. An
example from other cases are
Say you have Symantec Netbackup and you expire tapes over time into your
free pool to be reused by future backups. How long does that expired backup
sit in the free pool before it reused? Under the law if the backup hasn't
been overwritten you still have a copy that you could have been provided to
the court.
Similarly you offsite tapes to Iron Mountain and they are pulled to be
returned to you at the end of your Data retention time period, which
normally means they not pulled until the last day of the end of the
retention time period say 3 months. It is normally under regular Iron
Mountain procedures that the pull, load on a truck and return to the client
is 2-3 days for nonemergency retrieval. Once you receive them what is your
policy for returning them to you tape pool or to be sent for destruction. As
long as the tapes are not overwritten or not destroyed you still have a
viable backup that could be served up to legal counsel as a piece of
evidence.
Technical points like these is normally why legal counsel or your CFO
doesn't want the technical guys speaking with auditors or legal people,
because we normally go into excruciating detail about all the steps that
opens the doors to other problems.
This statement "legal team who has made it clear that this is our problem
and not theirs" is odd, as normally legal likes to ensure chain of custody
and verification of unadulterated conversion, meaning they normally want to
use standard service bureaus already used by the legal profession. (Yes
after rolling on the floor for a few minutes, they would accept that camera
picture of image on the wall as it is understandable and reproducible even
for them just like taking a paper copy from some ones desk and running it
through a scanner.)
Dealing with legal cases is always painful if you don't have your processes
down and agreed to by everyone. Sometimes when you have problems with legal
you are dealing with the lower echelons of your legal department. I have
always found it helpful to speak with your chief legal counsel who normally
has a different perspective on the world.
Matthew Parker
Chief Technologist
Dimensional DBA
425-891-7934 (cell)
D&B 047931344
CAGE 7J5S7
Dimensional.dba@xxxxxxxxxxx
<http://www.linkedin.com/pub/matthew-parker/6/51b/944/> View Matthew
Parker's profile on LinkedIn
www.dimensionaldba.com <http://www.dimensionaldba.com/>
From: Scott Canaan [mailto:srcdco@xxxxxxx] ;
Sent: Monday, May 1, 2017 7:40 AM
To: dimensional.dba@xxxxxxxxxxx; dmarc-noreply@xxxxxxxxxxxxx;
oracle-l@xxxxxxxxxxxxx
Subject: RE: Database Retention Question
There isn't a requirement that it be kept online, just kept and be able to
be available within a relatively short period of time, which has not been
defined either.
As far as everything falling into someone else's area of concern, you are
correct with the exception of the legal team who has made it clear that this
is our problem and not theirs.
An example that I was given was that there was a lawsuit a short while ago
that required a purchase order from 30 years ago. Since we keep all POs
forever, we had to produce it. It was found, on microfiche. We didn't have
a working reader and the court didn't care. We still had to produce it. It
ended up costing $50,000 to print that one piece of paper.
Scott Canaan '88 (srcdco@xxxxxxx)
(585) 475-7886 - work (585) 339-8659 - cell
"Life is like a sewer, what you get out of it depends on what you put into
it." - Tom Lehrer
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of Dimensional DBA
Sent: Monday, May 01, 2017 10:24 AM
To: Scott Canaan; dmarc-noreply@xxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Database Retention Question
I have a worked at a few companies that has mothballed complete systems
including SW as you don't know if even the hardware will run the software
any more depending on the OS you are running (AIX, HPUX, etc)
This has been a standard problem since the Dec 2007 Supreme court ruling on
evidence being available in its native electronic form.
If your company isn't using one of the email programs that duplicate all
email or haven't turned on MRM in MS Exchange then you may already be in
violation of
"They insist we keep every version of every email because deleting any is
considered "destroying evidence". "
Compliance is fairly straight forward from a database perspective in you
ensuring you have backups and that you test the backups. Everything else
falls in someone else's area of concern such as the backup team, the email
team and the legal team in reviewing processes to meet current to data
compliance rules that morph over time based on ongoing court cases.
Saving the VM images may be problematic also as the versions of the VMWare
ops center moves upward not always being fully backwards compatible older
images. Keeping a copy running can be problematic if something goes wrong
and you have to rebuild and don't have all the components to do so.
Normally there is no legal requirement to keep it online, that part is
probably from your legal team, but in reality when you get to the keeping of
all versions of the backups, you are not keeping a live version of the
system at each backup point online only the last running version of the
system.
You can always take that last running backup of the system and continue to
upgrade the database SW and the OS, so that you don't have worry about age
out, but that doesn't help you with
In some cases this is not a technical problem anymore. I have seen legal
teams use programs to save off the email into single file pdf format instead
of maintaining them in the original Email systems.
Matthew Parker
Chief Technologist
Dimensional DBA
425-891-7934 (cell)
D&B 047931344
CAGE 7J5S7
Dimensional.dba@xxxxxxxxxxx
<http://www.linkedin.com/pub/matthew-parker/6/51b/944/> View Matthew
Parker's profile on LinkedIn
www.dimensionaldba.com <http://www.dimensionaldba.com/>
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of Scott Canaan
Sent: Monday, May 1, 2017 6:27 AM
To: dmarc-noreply@xxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Database Retention Question
True, but that's not my call.
Scott Canaan '88 (srcdco@xxxxxxx)
(585) 475-7886 - work (585) 339-8659 - cell
"Life is like a sewer, what you get out of it depends on what you put into
it." - Tom Lehrer
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of Reen, Elizabeth
Sent: Monday, May 01, 2017 9:24 AM
To: Scott Canaan; oracle-l@xxxxxxxxxxxxx
Subject: RE: Database Retention Question
This is where calculating the cost of fighting it vs settling
comes in. Sometimes settling is cheaper.
Liz
Elizabeth Reen
CPB Database Group Manager
From: Scott Canaan [mailto:srcdco@xxxxxxx] ;
Sent: Monday, May 01, 2017 9:19 AM
To: Reen, Elizabeth [ICG-IT]; oracle-l@xxxxxxxxxxxxx
Subject: RE: Database Retention Question
There is no pushing back on the lawyers. They insist we keep every version
of every email because deleting any is considered "destroying evidence".
They (and the courts) don't care about cost or technical issues. When they
want the data, we have to supply it or get fined and, most likely, lose
whatever case is against us. In this case the data being saved is the
timekeeping system for hourly employees.
Scott Canaan '88 (srcdco@xxxxxxx)
(585) 475-7886 - work (585) 339-8659 - cell
"Life is like a sewer, what you get out of it depends on what you put into
it." - Tom Lehrer
From: Reen, Elizabeth [mailto:elizabeth.reen@xxxxxxxx] ;
Sent: Monday, May 01, 2017 9:16 AM
To: Scott Canaan; oracle-l@xxxxxxxxxxxxx
Subject: RE: Database Retention Question
Agreed, wish I had that option 10 years ago. Push back on the lawyers. Do
they really need all of the backups or will a couple suffice. They tend to
be very conservative about preserving evidence.
Liz
Elizabeth Reen
CPB Database Group Manager
718.248.9930 (Office)
Service Now Group: CPB-ORACLE-DB-SUPPORT
From: Scott Canaan [mailto:srcdco@xxxxxxx] ;
Sent: Monday, May 01, 2017 8:59 AM
To: Reen, Elizabeth [ICG-IT]; oracle-l@xxxxxxxxxxxxx
Subject: RE: Database Retention Question
This was one of the first things we thought of, however there are 28 backups
to keep running (4 databases x 7 days each), which becomes unwieldly very
quickly.
What we are looking at doing is putting all 4 databases into one VM, then
taking a VM snapshot of the entire environment, which gets us down to 7
snapshots to save and that way the O/S and Oracle software are also
preserved with the databases. That's what I've gathered from the responses
here is the best way to go.
Scott Canaan '88 (srcdco@xxxxxxx)
(585) 475-7886 - work (585) 339-8659 - cell
"Life is like a sewer, what you get out of it depends on what you put into
it." - Tom Lehrer
From: Reen, Elizabeth [mailto:elizabeth.reen@xxxxxxxx] ;
Sent: Friday, April 28, 2017 4:29 PM
To: Scott Canaan; oracle-l@xxxxxxxxxxxxx
Subject: RE: Database Retention Question
What I have ended up doing is just keeping the copy on a
database, upgrading and patching as needed. Expensive, yes. Data always
available, yes. What you have to lose if you lose the case should dictate
how you keep the data.
Liz
Elizabeth Reen
CPB Database Group Manager
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of Scott Canaan
Sent: Thursday, April 27, 2017 1:16 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Database Retention Question
We are trying to find a workable solution to a rather large problem. One
system has an Oracle database in Red Hat 6 and Oracle 11.2.0.4. Last
August, there was a legal request to freeze 28 different backups of this
database. That was done by the systems team, via CommVault (using RMAN).
By asking more questions, it has come to light that any and / or all of
those backups need to be quickly accessible as Oracle databases until Aug.
31, 2023. When I mentioned to our legal department that there's no way that
I can guarantee that whatever version of Oracle we'll be using in 5, 6, 7
years will be able to even open the database files, the response was "you
have to guarantee that the data is available if required in a lawsuit. No
excuses are accepted by the courts.".
We've toyed with a couple of possible options. One is to keep a Red Hat 6 /
Oracle 11.2.0.4 environment running until Sept. 1, 2023, which the SAs hate
(not to mention the Security Office). Another is to restore from backup and
upgrade along with other database upgrades and take a new frozen backup,
which we aren't keen on doing 28 times.
Does anyone have any other ideas on how to save these backups and guarantee
that they are usable through Aug. 31, 2023? I'd appreciate any thoughts.
Thank you,
Scott Canaan '88 (srcdco@xxxxxxx)
(585) 475-7886 - work (585) 339-8659 - cell
"Life is like a sewer, what you get out of it depends on what you put into
it." - Tom Lehrer
