Much of the emphasis on effective data management focuses (and understandably so) on processes that control the creation, transmission, and storage of data. There is, however, the equally pressing concern of effective data destruction.

Records that no longer are useful, and that the organization isn't legally required to maintain, present risks. “If you leave data around, it can come back and bite you,” says Doug Miles, director of market intelligence with AIIM, an organization for information professionals.

Foremost, he says, data sitting on company servers might someday be used in future litigation. According to one recent AIIM survey, 46 percent of respondents said that failure to delete records had a financial effect on their organizations, due to fines, damages and other costs.

Another headache: Even if some piece of data is no longer useful, it might still be confidential—so keeping that piece of data around means risking that the information is breached.

Clearly, then, data destruction policies can reduce a company's risk of harm from data it no longer needs to possess. The need for effective destruction policies is growing more pronounced as more businesses use “the cloud” or other third parties to store their information off-site. When that relationship is ending, says David Navetta, a founding partner with Information Law Group, “you want to make sure the data is returned to you and deleted so it's no longer a risk.”

Steps to Take

First, Navetta says, recognize that a data destruction policy should be only one part of the company's larger approach to information management. “You can't just say one day, ‘We're going to delete data.' It's what data, when, where is it?”

That also means that the company must know what data it has, before it starts destroying any, says M.E. Kabay, professor of computer information systems at Norwich University in Vermont. “The process must use a careful mapping of all the places the data has been or is stored,” he says.

After the data mapping comes the data classification, Miles says, so you'll know which pieces of information are ready for the dustbin and which ones are not. He is emphatic on this point—“you won't have a strong retention and disposition policy unless you classify information properly”—since modern corporate data is likely to be diverse and have many different retention periods, some of them required by law. While classifying data remains a daunting undertaking, new systems are emerging that can crawl through content to tag files according to their content, he adds.

Every type of data needs a defined lifetime. “It's not acceptable to engage in data destruction on a whim,” Kabay says. Compliance professionals should be able to state why data is kept for the length of time it is.

Legal or regulatory requirements are the logical starting point for retention periods, but companies might have other needs that dictate other periods as well. Marketing or financial departments, for example, might have their own preferences to conduct thorough research on various projects. Whatever the reason, companies do want a consistent way of treating each type of data.

As Miles explains, if an organization is ever challenged about what appears to be a missing record, “it's much more convincing in court or at disclosure to say, ‘We did hold this data but we deleted it under our retention procedures on date X,' than to say, ‘We have no record of this; we presume it has been deleted'.”

Beyond the Delete Button

Once the data that's ready to be destroyed has been identified, compliance professionals can determine which destruction method to use. Punching the “delete” button merely removes markers on a computer pointing to some piece of data; in most cases, the data itself still sits on the hard drive and can be retrieved by experts.

Reformatting a disk doesn't necessarily erase data either, says Larry Ponemon, head of the Ponemon Institute, a research organization focused on data protection. “In reality, with most programs, data is still resident on the device,” he says.

A more effective tactic is “degaussing,” or using a large magnet to remove the data from a device. Do that sloppily, however, and some data will remain. “The bad guys know that and constantly hunt for refurbished computers,” Ponemon warns.

ABOUT THIS SERIES

Compliance Week's six-part series, “The Lifecycle of Information Governance,” sponsored by HP Autonomy, will examine all the elements of handling information properly—from creation to storage to destruction—and how compliance departments should address each element.

What's more, tools exist that can recover much of the degaussed data, Kabay says; the results may not be perfect, but “they're too good to ignore.” He therefore advises against degaussing as a method of data destruction.

Another option is to overwrite the existing data, making it difficult for anyone to get back to the original information. The key, according to Rebecca Herold, who runs her own security and compliance consulting business, is to keep writing over the data until thieves cannot possibly backtrack to the original data. How many times is that? The National Institute of Standards and Technology currently recommends overwriting a standard SCSI hard drive at least three times, in patterns specifically designed for maximum effectiveness.

Of course, there's always the good old-fashioned approach of physically destroying a device, too. NIST's advice from guidance it published in December: “Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator.”

And yes, once you do destroy your data, document that fact, as well as the policy under which the destruction was carried out, Miles adds. This creates an audit trail for the data.
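The overwrite and documentation steps above can be combined in one routine; the following is an added example, not code from the article or from NIST, and the function name, record fields, pass patterns and policy identifier are hypothetical. It assumes storage that rewrites blocks in place; flash wear-levelling, copy-on-write filesystems and snapshots can leave earlier copies that a file-level overwrite never touches.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

# Pass patterns are an assumption for illustration: zeros, ones, then random.
PASSES = (b"\x00", b"\xff", None)  # None = random bytes

def overwrite_and_delete(path, policy_id, chunk=1 << 16):
    """Overwrite a file in place, verify the fixed passes, delete it, and
    return a destruction record for the audit trail."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        before = hashlib.sha256(f.read()).hexdigest()
    with open(path, "r+b") as f:
        for pattern in PASSES:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next
            if pattern is not None:  # read back and verify deterministic passes
                f.seek(0)
                if f.read() != pattern * size:
                    raise IOError(f"verification failed on pass {pattern!r}")
    os.remove(path)
    return {
        "path": os.path.abspath(path),
        "bytes": size,
        "sha256_before": before,  # identifies what was destroyed, not its content
        "passes": len(PASSES),
        "policy": policy_id,      # the policy under which destruction was done
        "destroyed_at": datetime.now(timezone.utc).isoformat(),
    }

def demo():
    # Constructed sample file and hypothetical policy identifier.
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample record\n" * 100)
    record = overwrite_and_delete(path, policy_id="RET-EXAMPLE-7Y")
    return record, os.path.exists(path)

if __name__ == "__main__":
    rec, still_there = demo()
    print(json.dumps(rec, indent=2), "file still present:", still_there)
```

Appending each returned record to a write-once log gives the "deleted under our retention procedures on date X" evidence the article describes.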

Data Destruction Challenges

Clearly, effective data destruction policies aren't easy to achieve. Ensuring that all records slated for destruction actually are destroyed can be challenging, especially with electronic records. “The risk is missed data,” Navetta says. “There are so many places data can exist these days.” A spreadsheet, for instance, may be part of an organization's financial records, and also contained within multiple e-mail attachments. Even copiers, fax machines, and printers can store data, Herold points out.   

FINANCIAL EFFECTS

The charts below from the AIIM survey reveal how respondents would describe the financial effect (positive or negative) of fines, damages, or costs resulting from cases or potential cases which hinged around the validity, completeness, or retention of their electronic records.

When it comes to the financial impact of cases that hinge around the validity, completeness, or retention of records, there was a [strong] view that there is substantial (38 percent) or even dramatic (8 percent) financial impact, and in two-thirds of cases that impact would be negative.

Source: AIIM.

The human element matters, too. When destruction is supposed to occur manually, employees sometimes hesitate to follow through, Miles says. They may worry that the organization will need the information again at some point, and assume that hanging onto it is a prudent course of action. This can become even more pronounced when a software system asks, “Are you sure?” before allowing a deletion. “The person second-guesses themselves,” Miles says.

Clever employees can find ways around even the most carefully crafted data retention and destruction policy, Miles adds. For instance, if management states that all e-mails are to be deleted after a certain period, employees may send to themselves any e-mails they want to keep, effectively changing the e-mail's date of creation.

Winning support for comprehensive data destruction programs can be difficult, Navetta notes. Such projects are large and require the efforts of individuals in many areas, such as operations and finance. These individuals most likely already are trying to manage overflowing to-do lists and may have little time to tackle another initiative.

Proper training may help counter those tendencies, but a slim 16 percent of companies regularly train their staff in proper information governance, according to the AIIM survey. “Most [employees] need more training and guidance,” Miles says.

Finally, the continual onslaught of new data also complicates data destruction efforts. “It's a moving target,” Navetta says. 

Working through those challenges to develop an effective data destruction policy, however, is well worth the effort. As Ponemon observes: “Unless data is creating value, there's no reason to keep it around.”