There is a lot of technology for sale to help CISOs and privacy officers mitigate the risk of data breach. But one of the easiest and cheapest is the Delete key.
In other words, keep only the data the organization needs.
“The biggest risk for keeping information too long is simply a [data] breach,” Cameron Fraser, access to information and privacy co-ordinator at the office of the Auditor General of Canada, told a privacy conference Wednesday in Toronto.
“You don’t want to be in the position where four years down the road [from the creation of an email or document] where for whatever reason you’re breached — someone has their briefcase stolen or loses a USB that isn’t encrypted or you’re hacked — and you’re asked, ‘Why did you have this information? It’s useless.’ And the head of the organization says ‘Well, uh, I don’t know’ …
The answer, he said, is to create a data retention and destruction policy, with a data retention officer to monitor compliance.
“Someone has to do this. Not only is it responsible but it can significantly decrease the institutional risk.”
Fraser was speaking at the Canadian Institute’s annual Privacy and Data Security Compliance Forum.
An ideal repository for documents and email is a central database where everyone in the organization can send their data, he said – and can access everything if a person is out of town. The database could be partitioned if groups don’t want their data shared.
The solution doesn’t have to be fancy, he added, although there should be a management front end with the capability to record when data was put in and to signal when, according to agreed-upon corporate policy, it should be archived or deleted.
There’s no rule on how the database should be organized, but it should be approved by a data retention committee.
Data has to have a lifecycle, Fraser argued: it is created or obtained, kept for a defined period because it has business value, and then destroyed.
Generally, Fraser said, it’s accepted that most information can be destroyed after two years unless the organization has to keep it longer for legal or regulatory reasons.
If the organization doesn’t have a data retention team for creating a policy already, it needs to create one. The team should have representation from all business units because they have the expertise on what’s important. The organization should also appoint a data retention officer, which may or may not be a full-time job, who has the responsibility of ensuring the policy is carried out.
“There has to be lots of monitoring,” Fraser stressed.
The data retention policy can have certain rules to help make the job easier – for example, email inboxes are restricted to X megabytes. “People still have 4,000 emails,” said Fraser, “but there are no attachments.”
It will also help if staff are told there’s no reason to keep early drafts of a document; the final version will do.
“We took a day to make a flow chart on how to think of things when you’re saving records or filing papers,” Fraser said. “And it just says, ‘You have an email. Is it important to you personally or to the office? If it’s important to the business you can’t just keep it in the Inbox. Someone else might need that information. Then in which folder do you save it? How long do you keep it?”
Staff in sensitive departments or organizations shouldn’t mistake data classification for a reason for data retention, he added. Just because a document is a classified secret doesn’t necessarily mean it has to be kept longer than others.
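As an added illustration (not from the article or from Fraser’s office), here is the kind of check the management front end he describes could run over the central repository: it applies the two-year default, lets a legal or regulatory hold extend retention, marks drafts for deletion once the final version is stored, and deliberately ignores classification. The record fields, sample records, dates and action names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Default period, following the "two years unless legal or regulatory reasons
# require longer" rule of thumb quoted in the article.
DEFAULT_RETENTION_DAYS = 2 * 365


@dataclass
class Record:
    record_id: str
    ingested: date                        # when the item entered the central repository
    is_draft: bool = False                # early draft of a document
    final_of: Optional[str] = None        # for drafts: record_id of the final version
    classification: str = "unclassified"  # recorded, but does NOT extend retention
    legal_hold_until: Optional[date] = None  # legal/regulatory reason to keep it longer


def retention_action(rec: Record, today: date, finals: Set[str]) -> str:
    """Return 'delete' (draft superseded by a stored final), 'keep' (inside its
    period or under legal hold) or 'expired' (past the period: the retention
    officer decides archive vs destroy, so nothing with business value is lost)."""
    if rec.is_draft and rec.final_of in finals:
        return "delete"
    if rec.legal_hold_until is not None and today < rec.legal_hold_until:
        return "keep"
    expiry = rec.ingested + timedelta(days=DEFAULT_RETENTION_DAYS)
    return "keep" if today < expiry else "expired"


def sweep(records: List[Record], today: date) -> Dict[str, str]:
    """Run the check over every record; a front end would turn the result into
    its archive/delete signals to the retention officer."""
    finals = {r.record_id for r in records if not r.is_draft}
    return {r.record_id: retention_action(r, today, finals) for r in records}


# Constructed sample data (hypothetical records and dates, not from the article).
TODAY = date(2016, 6, 1)
SAMPLE_RECORDS = [
    Record("memo-final", date(2013, 1, 15)),
    Record("memo-draft-v1", date(2013, 1, 10), is_draft=True, final_of="memo-final"),
    Record("contract-2014", date(2014, 3, 1), legal_hold_until=date(2021, 3, 1)),
    Record("secret-report", date(2013, 11, 1), classification="secret"),
    Record("recent-email", date(2016, 1, 20)),
    Record("orphan-draft", date(2016, 2, 1), is_draft=True, final_of="missing-final"),
]
```

Note that a draft whose final version is not in the repository is not deleted, and that past-period items are only flagged, leaving the destroy decision to a person.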
Don’t be afraid to ask other companies what they do, or talk to a friend in another firm, for inspiration, Fraser said. “There’s no shame in building on someone else’s data retention policy.”
Paper documents should be handled the same way, although they have to be physically destroyed. Make a fun day out of it, he recommended.
He emphasized that monitoring staff for compliance is vital. “If you leave it to individuals it will never be done.” Have regular reminders sent to staff about cleaning their email inboxes.
“There’s no perfect solution,” he stressed. “It still boils down to one major factor: Each individual still has to do it. No one’s going to do it for you … It’s work, it’s responsible … but if this happens I guarantee it will make your job easier, because finding information becomes so easy because it’s all in one spot.”
However, in an interview Fraser cautioned against staff getting too enthusiastic about reducing data. “Going too far and destroying things that may have business value” is the biggest mistake organizations make, he said.