Data has a life cycle that starts when a document is created, continues through the document's various versions, and ends when the document is destroyed. Managing a single document with only one version and no copies is hard enough as it is; add in multiple versions and electronic copies beyond your control and you have a major task on your hands -- and that's just for one document. Imagine managing dozens, if not hundreds, of sensitive documents from start to finish...
According to SANS Institute, data retention policies "...deal with the complex issues of maintaining corporate information for a pre-determined length of time." Data retention policies are often implemented for legal compliance. However, even if your company is not subject to a specific regulation mandating a formal data retention policy, managing your documents throughout their life cycle can mitigate the risks associated with confidential data.
For instance, let's say you must share financial documents with an investor and do so using an online document sharing tool such as Dropbox. Though convenient, what happens if the investor downloads a copy to his or her hard disk to review later or share with co-investors? That document just left your controlled environment. Even if the investor is completely trustworthy, how secure is the investor's computer? How will you ensure that the downloaded copy is destroyed?
While a final document may be considered a sensitive document that must be protected, it's not unusual for various drafts, memos, email messages, text messages, and related documents to be distributed beyond its original destination.
In addition, related documents may not be as sensitive, and therefore may not have as strict data controls in place, but they could contain sensitive information that could be damaging if a data breach occurs. Your data retention policy should extend to auxiliary documents despite the challenges of managing electronic documents.
A virtual data room can complement your data retention policy by centralizing document storage and access. Rather than allowing documents to be emailed or downloaded, you can use a data room to share a view-only version. Rather than having multiple copies stored on various email servers and individual hard drives, you'd have a single version stored in a secure virtual data room.
Virtual data rooms do not replace data retention policies, nor do they ensure that users comply with those policies. However, a virtual data room can secure sensitive documents and reduce the number of electronic copies that must be tracked, found, and ultimately disposed of.