If you’ve ever had the experience of nearly throwing away a seemingly useless item but being thankful years later that you held on to it, you know that experience can reinforce the decision to keep things.
Keeping something that turns out to be useless doesn’t really make as much of an impression. Doing it enough times will prolong the inevitable garage purge, but that only comes around every few years. So unless you’ve been featured on one of those reality TV shows about hoarders, the decision normally comes down in favor of holding on to things when in doubt.
Unfortunately, when it comes to business data, the equation is different. Each piece of information your company retains increases its risk.
Some of that risk is unavoidable. Every company needs certain employee data on hand to run payroll, every company needs customer data on hand to take payment. And all businesses need at least one backup of their essential data stored outside of their building and outside of their network. The risk of duplicated data is far lower than the risk of losing everything. Finally, for professional services companies, data is both a raw material and the finished product – there’s no revenue without it.
How Can Old Data Hurt a Company?
But there’s also plenty of data risk that’s not worth carrying. Consider former customers’ expired credit card numbers: you’ll never charge that card again, but if it’s left unsecured and leaked or stolen, it can expose you to lawsuits. If that expired number is successfully used to steal current financial information, it can also ruin a pretty good month (or year) for a former customer. They won’t be happy with you.
Getting rid of old data is important, but most companies don’t set aside “free time” to have a biannual server purge. Unless someone takes the time to organize and purge it, old data is simply copied from one drive to the next over decades without anyone realizing it’s even there.
Unlike taking the time to delete it, retaining old data doesn’t have an immediately obvious cost, in part because the actual cost of storing text and images is now so low. But it does have costs. Here are three of them.
It makes it harder to find useful data
It’s harder to find useful data on a network full of useless data. When employees aren’t sure exactly where something is and need to go searching for it, the haystack will be larger, and the needle will seem smaller.
It increases the likelihood of uncontrolled data sprawl
Old data sprawls over computers and networks and accounts over time. This makes it more difficult to maintain access restrictions on all of it, and eventually, you’ll end up accepting the fact that private data is probably floating around on personal file storage or email accounts that you don’t control.
It makes you a much broader target for cyber attackers
The biggest risk of old and unmanaged data happens when your business network is breached due to a stolen or hacked password. For your most sensitive data, access privilege restrictions may serve as a second line of defense, preventing hackers from stealing it. But folders that nobody has accessed in years are less likely to have strict restrictions on who can access them, in part because best practices on data security have increased substantially since the turn of the millennium.
In this case, your long-lost customers and employees may have their data stolen, adding legal and reputational risks on top of the other costs of a breach. A small disaster can become a big one, and a big disaster can become one that ends a company.
Three Ways to Protect Yourself from Data Overload
#1 Identify PII
Personally Identifiable Information, or PII, is among the most legally protected data in the United States. This includes names, addresses and official identification numbers on driver’s licenses, passports, credit cards and social security cards. These are what hackers use to steal identities, and they’re the most likely culprits in any fine or lawsuit you face in a breach.
Identify any PII on your network, and build a process around determining what data is kept, how long it is kept, and when it is destroyed. A strong process will remove unneeded PII on your network and also prevent it from being retained unnecessarily going forward.
#2 Identify and Control Financial Information
It’s a good idea to follow the same retention process listed above for business financial information, including bank account information, credit card numbers and Tax IDs. Some business equivalents of PII (like addresses) are public information, but most financial information is not. And just because there’s no regulation with a listed fine for accidentally leaking a business’s banking account information, you aren’t likely to come out on the winning side of a civil suit if you’re found to have been negligent in protecting that information.
And while you’re identifying other businesses’ financial information on your network – don’t forget to look for the private financial information of your own company!
#3 Data Minimization
One of the principles in the EU’s consumer privacy laws is data minimization. This principle states that companies should collect data on customers only if they have a known, legitimate use for it. While it’s the law for consumer-facing companies in the EU, it’s a useful principle when considering what data to retain and what should go.
Categorize legacy and archived data to determine which divisions might have a legitimate use for it going forward. Then ask those division leaders if they can think of a good reason to keep it.
If nobody can think of an example of how data would likely be used going forward, it’s probably a good sign that it can be deleted. That’s especially true for data about other companies, or data about people who aren’t current employees or customers.
To learn how WingSwept’s enhanced cybersecurity services can help your company manage new and emerging risks, call us at 919-779-0954 or email us at Team_WingSwept@WingSwept.com.