Friday, July 29, 2016

Do your data retention policies match reality?

In a 2009-2010 drug trafficking case, Yahoo was able to produce email that their retention policy stated should not be available. The culprits were convicted in part through email they had written and subsequently deleted. Naturally they would like to know how they surfaced. A US court has now ordered that Yahoo explain how they recovered the email.


Why does that matter to me?


From an information security perspective, data in our possession is both an asset and a liability. An asset in that is can support business operations and enable servicing our customers; a liability in that data that has value to us, may also have value to a third party (whether a public official or someone with criminal intent).

Retention policies serve to manage risk by defining how long an organization believes the value (or regulatory obligations) of data outweighs the risk of that data being compromised. If data remains recoverable beyond the retention policy, it represents an unmanaged and perhaps unrecognized risk.

As an extreme example I once came across a database of customer names, addresses, and credit cards, left exposed on a web server. Incredibly, the database belonged to a company that had stopped using that web hosting business years earlier. There was simply no reason for that database to still exist on those servers. Had the company deleted the no-longer-needed information, there would never have been a breach.

Define retention policies - and then ensure those policies are carried out.


So what? I'm not an information security person


The same principal holds true for personal life. Clean up your data every once in a while.

Pictures may have a lifetime of value. Tax records should be kept for several years (for US readers, the IRS has some guidelines). Credit card records generally can be disposed of once you get your monthly statement (though I personally keep receipts for high-value items until the warranty expires). To grossly paraphrase a quote by Albert Einstein, keep information for as long as it is useful, but no longer.