The Data Purge: An Era Of Defensible Retention And Data Minimization



While many executives exclaim that data is their most valuable asset, most organizations do not treat it like one. Managing data as an actual asset involves not only collecting, organizing and storing it, but also knowing when to retain or dispose of it.

Corporate data seems to be perceived as an intangible blob that is overwhelming to control and impossible to reliably manage. That said, it’s no secret that the challenges of managing data in today's business world can be daunting, as most organizations are still struggling to keep their data under control. However, to devise an appropriate solution, we must understand where the problem is coming from.

 

1. Lack of visibility: When organizations cannot see their data or understand how it is being used, it is difficult to make informed decisions about how to manage and protect it. This can result in valuable data (such as privacy information, trade secrets, or sensitive financial information) being mismanaged, leading to significant data risks or compliance concerns.

 

2. Data silos: With data scattered across different systems and departments, many organizations struggle to manage and secure it effectively. This can result in duplicate data, inconsistent data quality, and difficulties in accessing data when it is needed.

 

3. Lack of governance: Without a practical data governance framework supported by policies and procedures, it is impossible for organizations to manage data in a consistent and transparent manner. This can lead to confusion around who owns and is responsible for data, as well as how it should be managed and secured. As a result, organizations may find themselves unable to make informed decisions about their data or identify and mitigate risks before they become problems.

Defensible Disposal Creates Corporate Data Hoarding

All that said, the over-retention of data is a growing concern impacting businesses and organizations globally. While retaining data for longer periods may seem like a good idea, it eventually results in data hoarding, which in turn creates significant risks and compliance concerns. Managing legacy data has always been a daunting task for companies, but with the exponential growth in data consumption (doubling every two years), the problem has become increasingly challenging to handle. The longer companies delay addressing data risks, the worse the situation becomes. Kicking the can down the road is no longer an option, as the can is now kicking back.

 

Federal, state, and local regulations mandating the retention of specific business records for various periods can be complex, confusing, and even contradictory. Failing to comply with these regulations can result in substantial fines, legal action, and reputational harm. Historically, organizations have adopted the concept of defensible disposal with the intent of avoiding the premature destruction of critical business records.

Defensible disposal was originally designed to ensure that any data targeted for destruction underwent a rigorous review process that included legal, records, and business considerations before approval was granted. However, the time and resources required for this process, coupled with the perception that storage costs were low, led many companies to take the path of least resistance and simply buy more storage to retain data rather than going through the rigorous disposal approval process. The result has been that companies in almost every industry across the world have become data hoarders, retaining vast amounts of data that no longer holds business value yet creates significant risks and compliance concerns.

Keeping data well beyond its retention period was viewed as a business benefit, in the hope that bigger and richer data sets would yield greater value in the future. However, the reward expected in return for the risk never really materialized. The excess data from data hoarding has resulted in:

 

  • Impairing business operational efficiencies
  • Expanding the amount of data and systems that need to meet various compliance mandates
  • Creating greater attack surfaces that lead to increased probabilities of a breach
  • Incurring greater than expected costs for data storage, backups, monitoring, data protections, and data discovery and investigations

Regulators Are Now Enforcing Violations of Over-Retention

Over the past few years, regulators have shifted to treating the over-retention of privacy data as a major privacy failure. This shift has been driven largely by the EU's General Data Protection Regulation (GDPR), which introduced the “right to be forgotten” and paved the way for a new generation of privacy rights. As a result, many states have followed suit, adopting laws that are derived from the GDPR, and regulatory bodies such as the FTC, SEC, and state attorneys general have issued new guidance on data retention. The game has changed, and the previous practice of “keeping everything forever, just in case…” is no longer acceptable.

Last year, a major health insurance company faced significant penalties due to a large data breach that involved retaining large volumes of health records for patients that had been inactive for years and had no business requirement for keeping the expired data. The insurer was fined $500,000 by New York's Attorney General and then again by the New York Department of Financial Services (NYDFS) for $4.5 million, for a total of $5.1 million. Moreover, the insurer’s notice of privacy practices stated that it would dispose of patient health information once it was no longer needed for business purposes.

The recent Norton Rose Fulbright Data Protection Report, “Forever and Forever, Farewell”: FTC Prohibits Indefinite Retention of PHI in Consent Order, highlighted the FTC’s mandate that GoodRx must implement a data retention schedule that does not permit “indefinite retention of any covered information.” Additionally, NYDFS investigations into recent corporate data breaches also revealed over-retention violations, wherein impacted companies were found to be retaining data on expired customers or patients despite no longer having a legitimate business purpose to do so. NYDFS also uncovered a disturbing trend where several Chief Information Security Officers (CISOs) from major financial and health insurance companies were found to have “falsely certified compliance” by failing to implement essential controls, including the mandate to “implement policies and processes to safely dispose of sensitive information when there is no longer a legitimate business purpose or legal requirement to keep it.”

Defensible Retention is the Modern Approach to Data Minimization

Whether driven by new regulatory concerns or by recent business realizations, retaining large volumes of data indefinitely creates unacceptable business risks. Minimizing the data you keep clearly makes good business sense. Glen Day, the CEO and founder of NVISIONx, a data risk intelligence company, has introduced the concept of “defensible retention.” He emphasizes that defensible retention provides a proactive strategy for effectively managing, safeguarding, and governing data as an asset or a liability throughout its lifetime. Although implementing this approach may present certain complexities, the recent progress in data governance solutions has made enterprise data governance both feasible and enduring.

While there are a broad number of data governance technologies, many products do not provide a true enterprise approach to data governance. Here are some key capabilities you need to have to ensure the solution you choose will meet your data risk and compliance objectives:

 

  1. Complete Data Inventories: As opposed to data discovery tools that search and find whatever data you’re looking for, tools that conduct complete data inventories, which also inform you of data that you did not know existed, are crucial for establishing an enterprise data catalog. The ideal solution would accommodate any data, regardless of where it is stored or how large your data estate may be.
  2. Contextual Classifications: Once the data has been accounted for, each file and each database table must then be classified to identify their data sensitivity levels based on your corporate data classification policy. However, to be effective, the classifications should include sufficient business context so that it is clear not only how sensitive the data may be but also why it is sensitive in business terms. In a business context, the generic classification label “confidential” will not be very useful or actionable.
  3. Directory Services Integrations: Trying to identify and assign data ownership or accountability using interviews or surveys will be ineffective. The right data governance solution would enable the integration of any of your various directory services to automate the identification of which business unit owns what data. Every file and database should have a clear owner.
  4. Record Retention Systems Integrations: Many record retention systems have few mature capabilities, primarily due to a lack of historical oversight. However, once these systems have reliable retention schedules enabled, the data governance solution should be able to integrate and leverage the retention periods for each data set.
  5. Legal Hold System Integrations: As a critical review function, before any data is proposed for deletion, it should be queried against any active legal holds to ensure that no controlled data is inadvertently destroyed.
  6. Workflow Automation: Managing large and varied data disposal requests can be challenging and time-consuming, so workflow automation capabilities to enable process efficiencies and close collaborations across several business stakeholders are crucial.

Hoarding and over-retaining data pose significant risks to businesses, especially when it comes to the privacy of customers, patients, and employees. As regulators and litigators increasingly focus on companies’ defensible retention practices, it is becoming clear that disposing of expired data is now a critical risk function. Defensible retention represents a significant departure from the traditional way that companies have handled data. By utilizing cutting-edge data governance solutions that leverage your existing technical investments and automate your administrative policies, gaining control of valuable data while disposing of expired data is no longer a daunting task. By recognizing data as an asset and adopting a defensible retention strategy, organizations can better manage their data assets, reduce the risk of data breaches and compliance violations, and better support their business objectives.

 

 

 

 
