
Data Retention: The One Big Thing

March 18, 2021

What is Data Retention?

Modern organizations have embraced the notion that data has value. Business leaders focus organizational time and attention on capturing this value. In addition, technological change enables the IT community to radically change the costs of keeping and processing information. This creates new opportunities to collect more detailed data and to predict the behavior of systems, machines, and people. But along with value and costs come risks. The risks associated with data depend entirely on what data you have and how much of it you have. Risk reduction consists of either not collecting data, or getting rid of data you do not need.

Data Retention Laws

However, data cannot be deleted at will. There are thousands of laws, regulations, and contractual agreements that require that data be kept for specific periods, or until specific conditions are met, as well as laws defining when data must be deleted. These laws are actually record-retention/deletion laws, in that they specify a type of record (for example, an invoice that includes payment status and sales tax collected, or a record of personal information for a consumer). Each of these record types has a set of rules about how long the organization must keep records. In some cases, there are so many rules that they conflict with one another. Often, there are industry-specific conventions about which rules to follow when faced with jurisdictional conflicts or other issues.

But the fact that these laws have existed does not mean that they were followed. Or rather, the rules telling people to retain information were often followed, while the rules telling them to delete it were not. The philosophy was “you had better keep it, just in case”. Deleting information was only done when the subject matter would reveal questionable judgment. This attitude has been remarkably persistent. (We will explore why in a future blog post.) However, this attitude has to change, as the risks of keeping records too long have dramatically increased.

Data Risks and Data Retention

Data risk was once thought of as a technical challenge. However, the onslaught of data breach and data privacy legislation, and the litigation that followed, have changed this outlook. While the technological challenges remain and have even increased, managing the compliance and legal risks associated with data has become paramount. These activities are driving new strategies and new operating practices within legal and compliance organizations, and the businesses that serve them.

Every one of the new privacy and data protection laws requires organizations to delete data when it is no longer needed. CPRA even requires that the user be informed of the retention policy before collection. And nearly every data breach lawsuit brought under CCPA has alleged negligence resulting from keeping data too long. These new rules have dramatically increased the risks associated with over-retention of data.

Data Retention Policies and Increasing Data Risks

Most organizations have a reasonable complement of data retention policies. But in practice, the policies are not put into effect. There are many reasons for this, and overcoming these behaviors is a significant part of implementing a data retention program. Data protection laws mandate that organizations remove data they no longer need, and this is a well-established best practice for security. Privacy laws also insist that personal information not be kept beyond its legitimate use or legal requirement, and newer ones are insisting that these retention periods be disclosed at collection time. Clearly, operational data retention is a necessary part of compliance with these regulations. It also helps reduce legal risk, as data that is defensibly deleted does not need to be produced by the organization in any subsequent discovery. And it helps with technological risk because it is impossible to lose what isn’t there. This combination of increased compliance, reduced risk, and reduced costs should be enough to convince any organization to move ahead with a data retention program.

Data Retention Program Urgency

Implementing a data retention program is not as simple as writing a few scripts. Mapping from record types to data is a complex process. Interpreting best practices for overlapping regulations is also complex. Building a data retention schedule from records retention policies and regulations is the first step in operationalizing data retention. Next, organizations must create execution methods for data actions. Data inventories must be kept up to date, and the IT organization should be responsible for managing the data within its purview. Managing data that is not within easy reach of the IT department, such as paper records or data on various endpoints (laptops, phones, etc.), is always a challenge. Having clear policy management and policy attestation systems will ensure that these largely manual tasks can be coordinated effectively.
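The steps just described (collapse overlapping record-retention rules into one schedule, map inventoried records to record types, then derive a data action for each record) can be sketched as code. The following is an added illustration, not code from the original post: the regulation names, record types, retention periods and records are all constructed, and the conflict-resolution rule (keep for the longest mandatory minimum, delete by the shortest mandated maximum, and send genuine conflicts, legal holds and unmapped data to human review) is one common convention, not the only one.

```python
"""Retention-schedule evaluation: a constructed example, not the blog's own tooling."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    record_type: str
    source: str                              # hypothetical law, regulation or contract
    keep_at_least_years: int                 # mandatory minimum retention
    delete_within_years: Optional[int] = None  # mandated maximum retention, if any


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    created: date
    legal_hold: bool = False                 # litigation hold suspends any deletion


# Constructed rule set: two regimes apply to invoices, two to consumer PII,
# and the payroll rules deliberately conflict (keep 3 years, delete within 2).
SAMPLE_RULES = [
    RetentionRule("invoice", "hypothetical tax code A", 7),
    RetentionRule("invoice", "hypothetical commercial code B", 5),
    RetentionRule("consumer_pii", "hypothetical privacy law C", 0, delete_within_years=2),
    RetentionRule("consumer_pii", "hypothetical service contract D", 1),
    RetentionRule("payroll", "hypothetical labor law E", 3, delete_within_years=2),
]

# Constructed inventory; the blog post's own date is used as the evaluation date.
AS_OF = date(2021, 3, 18)
SAMPLE_RECORDS = [
    Record("R1", "invoice", date(2015, 1, 1)),
    Record("R2", "invoice", date(2013, 1, 1)),
    Record("R3", "consumer_pii", date(2020, 6, 1)),
    Record("R4", "consumer_pii", date(2019, 12, 1)),
    Record("R5", "consumer_pii", date(2018, 1, 1)),
    Record("R6", "payroll", date(2019, 1, 1)),
    Record("R7", "invoice", date(2012, 1, 1), legal_hold=True),
    Record("R8", "marketing_export", date(2016, 1, 1)),  # no rule maps this type
]


def build_schedule(rules: List[RetentionRule]) -> Dict[str, Tuple[int, Optional[int]]]:
    """Collapse all rules for a record type into (floor, ceiling) in years.

    floor   = longest mandatory minimum across sources (keep at least this long)
    ceiling = shortest mandated maximum across sources (delete by this point), or None
    """
    schedule: Dict[str, Tuple[int, Optional[int]]] = {}
    for rule in rules:
        floor, ceiling = schedule.get(rule.record_type, (0, None))
        floor = max(floor, rule.keep_at_least_years)
        if rule.delete_within_years is not None:
            ceiling = (rule.delete_within_years if ceiling is None
                       else min(ceiling, rule.delete_within_years))
        schedule[rule.record_type] = (floor, ceiling)
    return schedule


def decide(record: Record, schedule: Dict[str, Tuple[int, Optional[int]]], today: date) -> str:
    """Map one record to a data action: hold, review, retain, delete or overdue."""
    if record.legal_hold:
        return "hold"                        # never delete under a legal hold
    if record.record_type not in schedule:
        return "review"                      # unmapped data cannot be defensibly handled
    floor, ceiling = schedule[record.record_type]
    if ceiling is not None and ceiling < floor:
        return "review"                      # conflicting obligations need a human decision
    age_years = (today - record.created).days / 365.25
    if age_years < floor:
        return "retain"                      # still inside a mandatory retention period
    if ceiling is not None and age_years >= ceiling:
        return "overdue"                     # past a mandated deletion point: compliance gap
    return "delete"                          # retention obligation met; no longer needed


def run_report(records: List[Record], rules: List[RetentionRule],
               today: date = AS_OF) -> Dict[str, List[str]]:
    """Group record ids by the action the schedule assigns them."""
    schedule = build_schedule(rules)
    report: Dict[str, List[str]] = {k: [] for k in ("hold", "review", "retain", "delete", "overdue")}
    for record in records:
        report[decide(record, schedule, today)].append(record.record_id)
    return report


if __name__ == "__main__":
    for action, ids in run_report(SAMPLE_RECORDS, SAMPLE_RULES).items():
        print(f"{action:8s} {', '.join(ids) or '-'}")
```

The "overdue" bucket is the one a risk owner cares about most: it lists data the organization is already obliged to have deleted, which is exactly the over-retention that the breach litigation discussed above turns on. The "review" bucket captures the two cases the text calls complex, conflicting rules and data that has not yet been mapped to a record type.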

Data Retention Benefits Everyone

Where data retention programs have been implemented, there have been dramatic improvements in performance and costs of systems, reduced risk exposure and potential attack surface, and increased regulatory compliance. Moving to this state requires automation because the volume of data and its variety make it impossible to manage this on spreadsheets.
