You can't have everything. Where would you put it?--Comedian Steven Wright

It's a never-ending headache for many fast-growing companies: They're constantly acquiring new stuff while grappling with how to store what they've already got. And their digital assets are no exception.

For something you can't actually see or touch, information demands an awful lot of storage space. And the longer and more securely you need to keep your data, the more complicated--and often, more expensive--those storage requirements can become.

In fact, proper data storage is more critical now than ever before. That's not just because you need to protect your data from disasters such as fires, power outages, and computer viruses. Nor is it just because you need to safeguard confidential information about your company, your employees, and your customers from security threats such as disgruntled employees and hackers.

Those are excellent reasons to securely store your digital assets. But there's a third, more recent reason that more directly influences decisions about what information to store, how to store it, and how long to keep it. That's the raft of new laws--and lawsuits--that can require companies to produce large amounts of data on demand.

Right now, of course, the regulatory focus is primarily on large public companies in response to the massive financial scandals at Enron Corp., WorldCom Inc., and Tyco International Ltd., among others. The most sweeping corporate-reform legislation, the Sarbanes-Oxley Act of 2002, laid down strict new requirements about record-keeping, particularly regarding financial practices and accounting. Meanwhile, as anybody who's had to sign an acknowledgement form in a doctor's office knows, the Health Insurance Portability and Accountability Act of 1996 sets new standards for protecting private records.

What does such legislation have to do with small, privately held, non-health-care-related companies? Plenty.

New expectations: First, the regulations have changed the entire business environment. These days, just about everyone--regulators, suppliers, partners, customers--expects companies to effectively manage valuable, confidential and sensitive information. Those demands apply to every business: public and private, large and small, and in every industry, regardless of whether and how they're regulated.

New standards: In addition, when private companies go public, they are, of course, bound by the same stringent requirements as other corporations, including those governing data protection and retention. If you're planning to file an initial public offering of stock someday, it can't hurt to work toward meeting those standards now.

New headaches: Then there's the other "L" word: litigation. Companies of all sizes are ever more vulnerable to lawsuits that can require them to produce astonishing amounts of information, from sales records to electronic timesheets to accounting spreadsheets to e-mail correspondence. In at least a few cases, companies responding to lawsuits have spent weeks or months and thousands of dollars trying--sometimes successfully, sometimes not--to retrieve all the required data.

That's led to a tendency to save everything, forcing information-saturated companies to consider Steven Wright's question: Where do we put it?

For all those reasons, many growing companies are embracing a storage trend called information lifecycle management, or ILM. The underlying concept is being able to track information from its creation to its final resting place, whether it's been archived on in-house systems, stored offsite on tapes or disks, sent over the Internet to a service provider, or (intentionally or accidentally) destroyed. Companies with effective ILM strategies can pinpoint any information's location and, usually, retrieve it quickly.

ILM is really a business strategy rather than a technological one, according to Nancy Marrone-Hurley, a Portland, Ore.-based senior analyst with the Enterprise Storage Group of Milford, Mass.: "ILM is a process. You cannot buy an ILM product."

That process starts with a strategy, which, in turn, starts with setting priorities. "You have to put values on your data according to the value of the data to the business," Marrone-Hurley says. Those values, of course, vary from company to company and industry to industry.

For instance, a medical practice typically wants to secure personal records for years or decades, both for ongoing patient treatment and to comply with federal regulations. A retailer may be far more concerned with information from last month or last quarter or the last couple of holiday seasons. At the same time, the medical practice may need to access patient information instantly in an emergency, while the retailer could, if necessary, wait hours or days to get historical sales data.

So in setting those priorities, it's important consider, for each type of information:

  • Who needs access to it?
  • How often do they need to access it?
  • How quickly do they need to access it?
  • How valuable is this particular information to your business survival? What's the potential impact on your company if you can't access it?
  • Will its value change over time? Will you change how it's stored as a result?
  • How securely must it be protected--now and in the future? E-mail, for instance, probably doesn't need as much security as financial data.
  • What regulations, if any, govern its retention?
  • How likely is it to be required in a lawsuit or other legal case? If that happens, how easily can you find it?
  • How long must or should you keep the information? When should it go from short-term to long-term storage?
  • Can it be destroyed to free up space? If so, when?

Finally, communicate those priorities to everyone in the company, with instructions for storing and accessing each type of information. If possible, have your IT staff automate access and storage processes, so that, for instance, employees can't delete or misplace data that you're required to keep for a certain time.

In the end, even the most effective ILM strategy may not let you have everything--but it can go a long way toward making sure you've got everything you need, when you need it.