The Purge: The New Era of Defensible Retention and Data Minimization
An interesting and very relevant article by Douglas Laney, "Unlock Tangible Benefits By Valuing Intangible Data Assets," sheds light on the fact that many Fortune 1000 companies still do not recognize data as a valuable asset. Instead, they seem to view corporate data as an intangible blob that is overwhelming to control and impossible to reliably manage. That said, it’s no secret that the challenges of managing data in today's business world can be daunting, as most organizations are still struggling to keep their data under control. However, to devise an appropriate solution, we must understand where the problem is coming from:
- Lack of visibility: When organizations cannot see their data or understand how it is being used, it is difficult to make informed decisions about how to manage and protect it. This can result in valuable data (such as privacy information, trade secrets, or sensitive financial information) being mismanaged and leading to significant data risks or compliance concerns.
- Data silos: With data scattered across different systems and departments, many organizations struggle to manage and secure it effectively. This can result in duplicate data, inconsistent data quality, and difficulties in accessing data when it is needed.
- Lack of governance: Without a practical data governance framework supported by policies and procedures, it is impossible for organizations to manage data in a consistent and transparent manner. This can lead to confusion around who owns and is responsible for data, as well as how it should be managed and secured. As a result, organizations may find themselves unable to make informed decisions about their data or identify and mitigate risks before they become problems.
Defensible Disposal Creates Corporate Data Hoarding
The over-retention of data is a growing concern impacting businesses and organizations globally. While retaining data for longer periods may seem like a good idea, it eventually results in data hoarding that in turn creates significant risks and compliance concerns. Managing legacy data has always been a daunting task for companies, but with the exponential growth in data consumption, which is doubling every two years, the problem has become increasingly challenging to handle. The longer companies delay in addressing data risks, the worse the situation becomes. Kicking the can down the road is no longer an option as the can is now kicking back.
Federal, state, and local regulations mandating the retention of specific business records for various periods can be complex, confusing, and even contradictory. Failing to comply with these regulations can result in substantial fines, legal action, and reputational harm. Historically, organizations have adopted the concept of defensible disposal with the intent of avoiding the premature destruction of critical business records.
Defensible disposal was originally designed to ensure that any data targeted for destruction underwent a rigorous review process that included legal, records, and business considerations before approval was granted. However, the time and resources required for this process, coupled with the perception that storage costs were low, led many companies to take the path of least resistance and simply buy more storage to retain data rather than going through the rigorous disposal approval process. The result has been that companies in almost every industry across the world have become data hoarders, retaining vast amounts of data that no longer holds business value yet creates significant risks and compliance concerns.
Keeping data well beyond its retention period was viewed as a business benefit, in the hope that bigger and richer data sets would yield greater value in the future. However, the risk-to-reward realization never really materialized. The excess data from data hoarding has resulted in:
- Impairing business operational efficiencies
- Expanding the amount of data and systems that need to meet various compliance mandates
- Creating greater attack surfaces that lead to an increased probability of a breach
- Incurring greater than expected costs for:
  - Enterprise storage
  - Storage management and backup operations
  - Data governance monitoring and data protections
  - eDiscovery and investigations
Regulators Are Now Demanding Defensible Retention
Over the past few years, there has been a major shift, with regulators now treating the over-retention of privacy data as a major privacy failure. This shift has been largely driven by the EU's General Data Protection Regulation (GDPR), which introduced the "right to be forgotten" and paved the way for a new generation of privacy rights. As a result, many states have followed suit, adopting laws that are derived from the GDPR, and regulatory bodies such as the FTC, SEC, and state attorneys general have issued new guidance on data retention. The game has changed, and the previous practice of “…keeping everything forever, just in case…,” is no longer acceptable.
Last year, a major health insurance company faced significant penalties due to a large data breach that involved retaining large volumes of health records for patients that were inactive for years and had no business requirement for keeping the expired data. The insurer was fined $500,000 by New York's Attorney General, and then again by the New York Department of Financial Services (NYDFS) for $4.5 million, for a total of $5.1 million. Moreover, the insurer’s notice of privacy practices stated that it would dispose of patient health information once it is no longer needed for business purposes.
The recent Norton Rose Fulbright Data Protection Report, “Forever and Forever, Farewell”: FTC Prohibits Indefinite Retention of PHI in Consent Order, highlighted the FTC’s mandate that GoodRx must implement a data retention schedule that does not permit “indefinite retention of any Covered Information.” Additionally, NYDFS investigations into recent corporate data breaches also revealed over-retention violations, wherein impacted companies were found to be retaining data of expired customers or patients despite no longer having a legitimate business purpose to do so. NYDFS also uncovered a disturbing trend where several Chief Information Security Officers (CISOs) from major financial and health insurance companies were found to have, “…falsely certified compliance” by failing to implement essential controls including the mandate to, “…implement policies and processes to safely dispose of sensitive information when there is no longer a legitimate business purpose or legal requirement to keep it.”
Defensible Retention is the Modern Approach to Data Minimization
Whether driven by new regulatory concerns or by recent business realizations, retaining large volumes of data indefinitely creates unacceptable business risks. Minimizing the data you keep clearly makes good business sense. Defensible retention offers a proactive approach to managing, protecting, and governing data as an asset over its lifetime. While it may not be as straightforward as it seems, with recent advancements in data governance solutions, enterprise data governance is now both practical and sustainable.
While there is a broad range of data governance technologies, many products do not provide a true enterprise approach to data governance. Here are some key capabilities you need to ensure the solution you choose will meet your data risk and compliance objectives:
- Complete Data Inventories: Unlike data discovery tools that search for and find whatever data you’re looking for, tools that conduct complete data inventories also inform you of data that you did not know existed, which is crucial for establishing an enterprise data catalog. The ideal solution would accommodate any data regardless of where it is stored and how large your data estate may be.
- Contextual Classifications: Once the data has been accounted for, each file and each database table must then be classified to identify its data sensitivity level based on your corporate data classification policy. However, to be effective, the classifications should include sufficient business context so that it is clear not only how sensitive the data may be, but also why it is sensitive in business terms. Without business context, the generic classification label of “Confidential” will not be very useful or actionable.
- Directory Services Integrations: Trying to identify and assign data ownership or accountability using interviews or surveys will be ineffective. The right data governance solution would enable the integration of any of your various directory services to automate the association of which business unit owns what data. Every file and database should have a clear owner.
- Record Retention Systems Integrations: Many record retention systems have limited, mature capabilities primarily due to the lack of historical oversight. However, once these systems have reliable retention schedules enabled, the data governance solution should be able to integrate and leverage the retention periods with each data set.
- Legal Hold System Integrations: As a critical review function, any data proposed for deletion should first be queried against all active legal holds to ensure that no controlled data is inadvertently destroyed.
- Workflow Automation: Managing disposal requests for large and varied data can be challenging and time consuming, so workflow automation capabilities that enable process efficiencies and close collaboration across several business stakeholders are crucial.
Hoarding and over-retaining data poses significant risks to businesses, especially when it comes to the privacy of customers, patients, and employees. As regulators and litigators increasingly focus on companies’ defensible retention practices, it is becoming clear that disposing of expired data is becoming a critical risk function. Defensible retention represents a significant departure from the traditional way that companies have handled data. By utilizing cutting-edge data governance solutions that leverage your existing technical investments and automate your administrative policies, gaining control of valuable data while disposing of expired data is no longer a daunting task. By recognizing data as an asset and adopting a defensible retention strategy, organizations can better manage their data assets, reduce the risk of data breaches and compliance violations, and better support their business objectives.
Sincere thanks to my co-author and colleague Gagan Sarawgi for his invaluable contributions!
I support new ventures
1 year ago: Great wisdom in your piece, Glen.
Your Digital Transformation Partner @Andersen Lab | Gartner Alumni
1 year ago: Great article Glen - funny, I just read through the Market Guide for IT Asset Disposition, Gartner also recommends that organizations focus on the rapidly growing management challenge of IT asset disposition to minimize data security and recycling risks. As a result, we're helping our IT end-users select vendors when they can't effectively 'build' this functionality within their data governance & risk programs. Would be happy to share some of these insights with you - feel free to DM me if you're interested in continuing the convo.
Intellectual Property Shareholder at Vedder Price
1 year ago: Great insights, Glen. I can’t think of an organization that wouldn’t benefit from a conversation with you and NVISIONx’s technology.