Articles | February 9, 2021

Data Retention Policy: Follow Through to Stay Secure

Data is the heart of many businesses — and the same commodity sought by cybersecurity hackers.  And the more data they steal, the greater your liability becomes. That’s one reason why you need to create and follow a data retention policy.

Female IT Engineer In Data Center

What’s a data retention policy?

A data retention policy dictates how long and under what circumstances you either keep or delete data.  While you can have reasons for wanting to save in perpetuity every record you file, this makes you a tempting target for malicious actors on the prowl for valuable data. In addition, saving data beyond its intended lifespan can come with legal and contractual ramifications.

Why less records can mean more security

Many organizations have years or decades of historical data saved on backup tapes or stored online. Sometimes you truly need to save data, such as historical employment records necessary to calculate and verify pensions. But more often, records are retained because no one’s taken the time to delete them.

Stolen historical data can be pricey to fix. Some industries have data records that, if stolen, cost more to remediate than data elsewhere.  For example, a stolen record from the health industry costs $408 on average to remediate while an education industry record costs $166 on average to remediate.

The costs can be even higher if you’re retaining more records than you need. Suppose you’re a school system with student records dating back 30 years. If you welcome approximately 1,000 new students each year, that means you have about 30,000 unique student records which, if stolen, will cost you an average of $4.98M to remediate. But according to your data retention policy, you really only need to save 16 years of student records.  If you’d followed your policy and deleted the older 14 years of records, your average liability for the remaining records drops to $2.656M, or a $2.324M reduction in out of pocket cost.

Considering it should cost significantly less than $2.324M to dispose of the older records, why would anyone not make deleting old data a priority?  It may not seem worth the effort. But that old data represents a clear business issue when put into a dollars and cents perspective.

What’s covered by a data retention policy

So what kinds of data should be covered in a data retention policy? The answer is anything that could be used by a hacker to exploit a victim. This includes paper records, emails, personal health information (PHI), personally identifiable information (PII), financial records, corporate letters or correspondence containing any information your organization would not want released to the general public and other items.

If you don’t currently have strongly enforced data retention policies in place, we strongly recommend you address the situation as soon as possible. Save yourself the risk, and considerable headaches, by deleting that old data now!

Have questions? We have answers.

See how we can help. 

Speak With Us

See more insights

Senior Female Doctor At Hospital Using Protective Mask

The American Rescue Plan Act of 2021 and Plan Sponsors

This upcoming webinar will discuss what the American Rescue Plan Act of 2021 means for plan sponsors.
Female Manager And Engineer Using Technologies In Automobile Industry

Legacy System Modernization: Make it Better Than New

Upgrading your current pension and benefit administration system can help you cost-effectively increase efficiency and users’ satisfaction.
Doctor Giving A Senior Woman A Vaccination

Additional Federal COVID-19 Guidance on Testing and Vaccines

Review the coverage of diagnostic testing and vaccines to ensure your benefits are being provided consistent with this federal guidance

This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.

Don't miss out. Join 16,000 others who already get the latest insights from Segal.