Having too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses. Keeping data without a legal or business reason also exacerbates data security exposures. To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.
Surprisingly few U.S. data security laws and standards expressly require that protected data be compliantly disposed of once legal and business-driven retention periods expire. PCI DSS v3.2.1, Requirement 3.1, provides “[k]eep cardholder data storage to a minimum by implementing data retention and disposal policies ….” HIPAA regulations mandate that business associate agreements require service providers, upon contract termination, to return or destroy all PHI received or created on the covered entity’s behalf, if feasible. Alabama and Colorado require that records containing state-level PII be disposed of when such records are no longer needed. And biometric data privacy laws in Illinois, Texas, and Washington generally require that biometric data be disposed of once it has served its authorized purpose.
Instead, most such laws and standards focus on securely sanitizing or destroying storage media. For example, the NIST Cybersecurity Framework v. 1.1 includes as a security control (PR.IP-6) that “[d]ata is destroyed according to policy,” and ISO 27002 (§ 8.3.2) provides that “[m]edia should be disposed of securely when no longer required, using formal procedures.”
But data security is not achieved by simply running through a checklist of explicit compliance requirements – it instead requires assessing risks and establishing effective security controls. And one of the most powerful security controls is to not keep too much data, for too long.
A breach cannot compromise the security of information that no longer exists, because it was disposed of once its legally required retention period and business value expired.
That’s why the FTC has long counseled organizations to compliantly dispose of information once it’s no longer required for legal or business needs. In the FTC’s Protecting Personal Information: A Guide for Business, this is the “Scale Down” principle: “If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. … If you have a legitimate need for the information, keep it only as long as it’s necessary.”
That’s also why the FTC has pursued enforcement actions against numerous companies for failing to timely dispose of protected information, such as BJ’s Wholesale Club; Cbr Systems, Inc.; Ceridian Corporation; DSW Inc.; and Life is good, Inc.
Hacked company systems frequently contain two, three, or even four times more data than was needed for retention compliance or any valid business purpose. The unnecessary data retention is a simple multiplier for the problem, in that breach notifications will be required for two, three, or four times the number of affected individuals. But the unnecessarily retained data may also have exponential impact, for the larger numbers of affected individuals may push the breach beyond notification thresholds for regulators, may tilt economics in favor of a viable lawsuit against the company, and may pass a tipping point on lasting reputational damage.
Sure, excessive data storage is “cheap,” if you ignore the risks. When you tally up the true cost of keeping data beyond any legal or business purpose, don’t forget to add a line item for data security exposure. Because not if, but when, your systems are breached, the data security cost of unnecessary data retention is no longer a risk – it’s a reality.