On the TV show Hoarders, the subjects of the program often explain that they allow apparently useless items to pile up around their houses because they might need them someday. Regardless of its implications for household décor, this is a poor model for data management, but we see some organizations follow it nonetheless.
In some cases I’ve seen, organizations store more and more data, even though they have no plans to use it. Often, they justify this practice with the hope that “someday,” they might find a way to monetize the data. The fact that cloud providers have made storage and retrieval of data both cheaper and easier is sometimes a further justification.
But organizations that hoard data unnecessarily expose themselves to risks they might not fully realize. Understanding these risks is essential for IT leaders to determine whether the potential use of the data they’re storing is worth it.
Regulatory Risks and Increased Exposure
The first risk arises due to requirements of data privacy mandates such as the European Union’s General Data Protection Regulation or the California Consumer Privacy Act. These regulations provide the subjects of data records with the right to inspect their records and request correction of their personal information. As the amount of data (and the number of places it may be stored) increases, so does the risk to organizations required to handle data subject access requests, or DSARs. Tracking down all that data can be a challenge. The situation is made even more pressing by the potential for many data subjects to file DSARs simultaneously, especially with organizations having only 30 days to comply.
Perhaps an even more serious risk is simply the increased exposure that data hoarding creates. The more data an organization stores, the more that can be lost in a breach. In some cases the data no longer serves any purpose, yet its loss is just as damaging. For example, a major breach in recent years involving a financial services provider included data that was as much as 10 years old. The company wasn’t using it for any specific purpose, but its loss represented a serious exposure of customers’ private financial information.
In this case, the company should have been more strategic in its data storage. First, it should have asked if the data was even useful anymore — and if it was, it probably could have been stored offline, preventing cybercriminals from accessing it through an online intrusion.
Manage Your Data to Reduce Risk
This is where a good data management policy can help. Organizations should use this policy to establish a common practice for how data is handled. The first step is to ask a couple of essential questions:
- What is your core business?
- Does a given set of data apply to your core business, or will it be useful to the business in the future?
If data falls outside your core business and you don’t have a detailed plan for using it to generate revenue in the future, you should get rid of it. Other important questions your data management policy should consider are:
- How and where should data be stored (on-premises, in the cloud or offline)?
- What data should be encrypted?
- How can you ensure that lines of business aren’t storing data unnecessarily?
- How long must some data be stored for regulatory purposes before you can get rid of it?
For organizations that don’t have a data management policy, some remedial steps may be necessary. These organizations should conduct an assessment to determine what data they have stored and what they can get rid of.
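The assessment described above, and the policy questions before it (where data lives, whether it is encrypted, whether it serves the core business, how long regulation requires it to be kept), can be driven from a simple data inventory. The script below is an added example and not code from the original post: it evaluates each entry in a constructed inventory against those questions and recommends delete, archive offline, keep, or retain for regulatory reasons, flags unencrypted personal data, and lists the datasets that would be in scope for a DSAR. The field names, the 365-day inactivity threshold and the sample datasets are assumptions made for the example.

```python
"""Data retention review over a constructed data inventory (example code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Dataset:
    # Hypothetical inventory record; field names are assumptions for this example.
    name: str
    location: str                          # "onprem", "cloud" or "offline"
    contains_pii: bool                     # personal data that falls under GDPR/CCPA
    encrypted: bool
    core_business: bool                    # does it serve the core business today?
    planned_use: bool                      # is there a concrete plan to use it?
    last_used: date
    retention_until: Optional[date] = None # regulatory minimum retention, if any


def evaluate(ds: Dataset, today: date, inactive_days: int = 365) -> Tuple[str, List[str]]:
    """Apply the policy questions to one dataset; return (action, findings)."""
    findings: List[str] = []
    # "What data should be encrypted?": personal data at rest without encryption is a finding.
    if ds.contains_pii and not ds.encrypted:
        findings.append("unencrypted-pii")
    # "How long must some data be stored for regulatory purposes?": a live
    # retention obligation overrides every other rule.
    if ds.retention_until is not None and today < ds.retention_until:
        return "retain-regulatory", findings
    # "Does it apply to your core business, or will it be useful in the future?"
    if not ds.core_business and not ds.planned_use:
        return "delete", findings
    # "How and where should data be stored?": data nobody has touched for a long
    # time does not need to sit on an online system.
    days_idle = (today - ds.last_used).days
    if days_idle > inactive_days and ds.location != "offline":
        return "archive-offline", findings
    return "keep", findings


def review(inventory: List[Dataset], today: date,
           inactive_days: int = 365) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Group dataset names by recommended action and collect per-dataset findings."""
    actions: Dict[str, List[str]] = {}
    findings: Dict[str, List[str]] = {}
    for ds in inventory:
        action, notes = evaluate(ds, today, inactive_days)
        actions.setdefault(action, []).append(ds.name)
        if notes:
            findings[ds.name] = notes
    return actions, findings


def dsar_scope(inventory: List[Dataset]) -> List[str]:
    """Every store holding personal data must be searched to answer a DSAR."""
    return [ds.name for ds in inventory if ds.contains_pii]


# Constructed sample inventory; none of these datasets are real.
TODAY = date(2024, 1, 15)
INVENTORY = [
    Dataset("customer-statements-2013", "cloud", True, False, False, False,
            date(2014, 3, 1), retention_until=date(2020, 12, 31)),
    Dataset("active-accounts", "onprem", True, True, True, True, date(2024, 1, 10)),
    Dataset("marketing-clickstream-2019", "cloud", True, True, False, True,
            date(2020, 6, 1)),
    Dataset("payroll-archive", "offline", True, True, True, False,
            date(2018, 4, 30), retention_until=date(2025, 12, 31)),
]

if __name__ == "__main__":
    actions, findings = review(INVENTORY, TODAY)
    for action, names in sorted(actions.items()):
        print(f"{action:18} {', '.join(names)}")
    print("findings:", findings)
    print("DSAR scope:", dsar_scope(INVENTORY))
```

Run as-is, the script recommends deleting the decade-old statements (their retention period has lapsed, they serve no current or planned purpose, and they hold unencrypted personal data), keeping the active account data, moving the idle but still planned-for clickstream data offline, and retaining the payroll archive until its regulatory date. The DSAR scope lists all four datasets, which is the point of the inventory: without it, the stores holding a data subject's records cannot be enumerated within the response deadline.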