Archived Insight | February 9, 2021

Data Retention Policy: Follow Through to Stay Secure

Data is the heart of many businesses, and it is the same commodity that hackers seek. The more data they steal, the greater your liability becomes. That’s one reason why you need to create and follow a data retention policy.


What’s a data retention policy?

A data retention policy dictates how long and under what circumstances you either keep or delete data.  While you can have reasons for wanting to save in perpetuity every record you file, this makes you a tempting target for malicious actors on the prowl for valuable data. In addition, saving data beyond its intended lifespan can come with legal and contractual ramifications.

Why fewer records can mean more security

Many organizations have years or decades of historical data saved on backup tapes or stored online. Sometimes you truly need to save data, such as historical employment records necessary to calculate and verify pensions. But more often, records are retained because no one’s taken the time to delete them.

Stolen historical data can be pricey to fix. Some industries have data records that, if stolen, cost more to remediate than data elsewhere.  For example, a stolen record from the health industry costs $408 on average to remediate while an education industry record costs $166 on average to remediate.

The costs can be even higher if you’re retaining more records than you need. Suppose you’re a school system with student records dating back 30 years. If you welcome approximately 1,000 new students each year, that means you have about 30,000 unique student records which, if stolen, will cost you an average of $4.98M to remediate. But according to your data retention policy, you really only need to save 16 years of student records. If you’d followed your policy and deleted the older 14 years of records, your average liability for the remaining records drops to $2.656M, a $2.324M reduction in out-of-pocket cost.

Considering it should cost significantly less than $2.324M to dispose of the older records, why would anyone not make deleting old data a priority? It may not seem worth the effort. But that old data represents a clear business issue when put into a dollars-and-cents perspective.

What’s covered by a data retention policy

So what kinds of data should be covered in a data retention policy? The answer is anything that could be used by a hacker to exploit a victim. This includes paper records, emails, personal health information (PHI), personally identifiable information (PII), financial records, corporate letters or correspondence containing any information your organization would not want released to the general public, and other items.

If you don’t currently have strongly enforced data retention policies in place, we recommend you address the situation as soon as possible. Save yourself the risk, and considerable headaches, by deleting that old data now!


This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.