Incident Preparation: Data Retention

Part of your planning and preparation for a security incident should be a review of your company’s data retention practices. What you retain, for how long, who has access to it, and how and where it is stored can make a dramatic difference in the size and scope of a security incident, especially one where accessing and exfiltrating sensitive data is the attacker’s objective.

Many factors go into developing a good data retention policy, including client and regulatory requirements, operational needs, and delivering the services your clients expect. Don't forget to also factor in the risks of retaining too much data and the need to minimize what you keep; if these considerations are ignored, your exposure grows with every record stored.

Maybe just a tad too many records in storage

Retention

A good data retention strategy should be designed to make sure that it meets your business risk objectives, while also fulfilling your obligations to your clients and to any applicable regulatory agencies. Consider the following when reviewing your own data retention policy.

  • Classification of data should be done across the board so that you clearly identify and communicate the sensitivity of each type of data within your policies, procedures, guidelines, and handbooks. This is essential to ensuring that controls are properly designed and implemented to protect the confidentiality and privacy of the data.
  • Map your record types to internal, contractual, and regulatory requirements so that you understand dependencies and risks related to operations, contracts, and data legislation. This step helps set retention policies for your records.
  • In the absence of a formal records retention policy, your IT staff who are responsible for backing up and recovering data will most likely err on the side of backing up everything, and retaining it for as long as possible. This is probably not a good thing. Be specific and ask for their participation as you develop your policy.
  • Look for ways to protect your data from unauthorized access and disclosure, and to detect indicators of attack, configuration issues that leave you exposed, and incidents involving misuse. Here we are talking about the use of encryption, compartmentalization, access controls, and multi-factor authentication, combined with solutions such as DLP and SIEM to give you visibility into potential threats across your on-premises data, as well as data which is stored and accessed via cloud and business platforms like AWS, Azure, G Suite, Office 365, and Salesforce.

Ultimately, the goal is to intentionally manage your data and records so that risks are reduced to an acceptable level, and have the process and executive buy-in needed to back those decisions up.

A data breach of 20M records accumulated over the past 10 years is going to be a lot more damaging than a data breach of 2M records; the difference in size and scope comes down to having a proper records retention strategy.

Records retention requirements can be daunting to nail down. This is due to variances in regulations (HIPAA, for example, sets no specific retention term, while state laws do), the complexities of your own environment, and the applicable agreements with your clients and business partners.

In Florida, physicians must maintain medical records for five years after the last patient contact, whereas hospitals must maintain them for seven years.
In Nevada, healthcare providers are required to maintain medical records for a minimum of five years, or – in the case of a minor – until the patient is twenty-three years of age.
In North Carolina, hospitals must maintain patients' records for eleven years from the date of discharge, and records relating to minors must be retained until the patient is thirty.

HIPAA Journal – https://www.hipaajournal.com/hipaa-retention-requirements/

We advise our clients to form a committee that is responsible for researching and documenting all requirements, and providing policy and oversight to ensure compliance. This committee usually includes members from the executive team, business and/or data owners, legal counsel, IT, and Compliance so that all bases are covered in this highly critical part of your overall cybersecurity and risk management program.

Minimization

If your company or agency stores, processes, or transmits highly sensitive data such as SSNs, payment card data, PHI, and other PII, you should consider how minimizing those types of data can positively affect your level of risk, and the potential impact to your clients should a data breach occur.

Minimizing your data can mean retaining it only for the length of time absolutely necessary, but here we are talking about collecting only the data which is essential to your business and services, and scrubbing out data you don't have to store. If your business has to collect SSNs, for example, then you should determine whether it's possible to store only the last four digits. The same holds true for any highly sensitive data type. If you don't need the full value, store only what you need, and retain that only for as long as absolutely necessary. If you don't need to collect a consumer's mailing address, then don't, or at least retain it only long enough to meet a minimalist set of requirements.
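The following is an added example, not code from the original post, showing how the retention rules quoted above (the Florida, Nevada and North Carolina examples) and the minimization advice in this section can be encoded so that a purge job and an intake pipeline enforce them mechanically. The schedule is constructed from only those three quoted examples; "minor" is assumed to mean under 18 at the last contact or discharge date, and where a rule gives two terms the later date is used.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Constructed retention schedule built from the three state examples quoted
# above (FL, NV, NC). A real deployment encodes its own jurisdictions,
# contract terms and the legal team's reading of each statute.
ADULT_AGE = 18   # assumption: a patient under 18 at last_event is a minor

@dataclass(frozen=True)
class Record:
    jurisdiction: str          # "FL", "NV" or "NC"
    provider_type: str         # "physician" or "hospital"
    patient_dob: date
    last_event: date           # last patient contact (FL, NV) or discharge (NC)
    ssn: Optional[str] = None
    mailing_address: Optional[str] = None

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:         # 29 Feb landing on a non-leap year
        return d.replace(year=d.year + years, day=28)

def was_minor(rec: Record) -> bool:
    return rec.last_event < add_years(rec.patient_dob, ADULT_AGE)

def retention_end(rec: Record) -> date:
    """Earliest date on which the record may be purged under the schedule."""
    if rec.jurisdiction == "FL":
        years = 7 if rec.provider_type == "hospital" else 5
        return add_years(rec.last_event, years)
    if rec.jurisdiction == "NV":
        end = add_years(rec.last_event, 5)
        return max(end, add_years(rec.patient_dob, 23)) if was_minor(rec) else end
    if rec.jurisdiction == "NC":
        end = add_years(rec.last_event, 11)
        return max(end, add_years(rec.patient_dob, 30)) if was_minor(rec) else end
    # Refuse to decide rather than silently defaulting to "purge" or "keep".
    raise ValueError(f"no retention rule for jurisdiction {rec.jurisdiction!r}")

def is_purgeable(rec: Record, today: date) -> bool:
    return today >= retention_end(rec)

def minimize(rec: Record, need_address: bool = False) -> Record:
    """Keep only the last 4 of the SSN and drop the address unless required."""
    return replace(rec,
                   ssn=rec.ssn[-4:] if rec.ssn else None,
                   mailing_address=rec.mailing_address if need_address else None)
```

Run minimize() at intake so the full SSN and address never reach storage, and is_purgeable() from a scheduled job so records do not outlive their retention term.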

If your firm does business in the European Union, or serves EU citizens, the concept of data minimization is especially important.

The European Union has recently included this in new laws of the Data Protection Act that will come into effect soon. The act says, "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."

Forbes – https://www.forbes.com/sites/bernardmarr/2016/03/16/why-data-minimization-is-an-important-concept-in-the-age-of-big-data/#1e81f2cb1da4

Wrap Up

Your records retention and minimization strategy could be the difference between compliance and non-compliance, and in some cases, between closing your doors after a data breach or surviving. There are some excellent resources available to help you get this done right, and frameworks such as the NIST CSF are invaluable guides in this regard, and for your cybersecurity, risk, and compliance program as a whole.

You can get in touch with us about this and other security and privacy needs here.