What’s a data retention policy?

A data retention policy dictates how long and under what circumstances you either keep or delete data.  While you can have reasons for wanting to save in perpetuity every record you file, this makes you a tempting target for malicious actors on the prowl for valuable data. In addition, saving data beyond its intended lifespan can come with legal and contractual ramifications.

Why less records can mean more security

Many organizations have years or decades of historical data saved on backup tapes or stored online. Sometimes you truly need to save data, such as historical employment records necessary to calculate and verify pensions. But more often, records are retained because no one’s taken the time to delete them.

Stolen historical data can be pricey to fix. Some industries have data records that, if stolen, cost more to remediate than data elsewhere.  For example, a stolen record from the health industry costs $408 on average to remediate while an education industry record costs $166 on average to remediate.

The costs can be even higher if you’re retaining more records than you need. Suppose you’re a school system with student records dating back 30 years. If you welcome approximately 1,000 new students each year, that means you have about 30,000 unique student records which, if stolen, will cost you an average of $4.98M to remediate. But according to your data retention policy, you really only need to save 16 years of student records.  If you’d followed your policy and deleted the older 14 years of records, your average liability for the remaining records drops to $2.656M, or a $2.324M reduction in out of pocket cost.

Considering it should cost significantly less than $2.324M to dispose of the older records, why would anyone not make deleting old data a priority?  It may not seem worth the effort. But that old data represents a clear business issue when put into a dollars and cents perspective.

What’s covered by a data retention policy

So what kinds of data should be covered in a data retention policy? The answer is anything that could be used by a hacker to exploit a victim. This includes paper records, emails, personal health information (PHI), personally identifiable information (PII), financial records, corporate letters or correspondence containing any information your organization would not want released to the general public and other items.

If you don’t currently have strongly enforced data retention policies in place, we strongly recommend you address the situation as soon as possible. Save yourself the risk, and considerable headaches, by deleting that old data now!