Data Retention Policies Critical for Risk Mitigation: Baker Hostetler Lawyers
Retaining old data can greatly increase the cost and impact of a breach, two Baker Hostetler lawyers wrote in a blog post Friday. Accordingly, organizations should ensure their security programs address data retention practices, though the authors, attorneys Jon Knight and Eric Manski, acknowledge information governance is "challenging" for organizations of all ages and sizes.
"When old data is involved, so are your former employees and their dependents," they wrote. "Not only is your notice population exponentially larger, but it is also far more complicated to manage the messaging to these individuals," as you might need to "communicate with estates of individuals who are now deceased," talk to former employees who "were involuntarily separated from your organization" or "have minors involved as dependents." They added, "Each of these groups may need a different approach from a communication and notification perspective."
The authors offer recommendations for risk mitigation, including data mapping, which "can help your organization understand what data it maintains and how old such data is," as well as "where the data is stored and how it is protected."
Once organizations know that, they can establish policies "that detail the types of data to be retained, the retention periods and the procedures for securely disposing of the data," as well as review these policies and update them as needed, Knight and Manski said.
Though purging information that's no longer needed is the best practice, the bloggers said that, if needed, older data can be stored outside the network in a more secure location. Storing older data offline or encrypting it are possible approaches, the Baker Hostetler lawyers added.