The document discusses how companies need to implement strong data retention policies and procedures to comply with increasing data privacy regulations, properly classify and manage data through its lifecycle, and ensure all data is securely erased at end-of-life through an information lifecycle management approach involving key stakeholders like IT, legal, and data owners. It highlights how simply deleting or formatting data is not enough and certified data erasure tools and processes are needed to prevent data breaches and regulatory fines from non-compliant data disposal.
Data Retention Is a Team Sport: How to Get It Right
1. Data Retention Is a Team Sport: How
to Get It Right
Richard Stiennon
Chief Strategy Officer, Blancco Technology Group
2. 4,800-70,998
Number of Canadian
breached records per
incident*
Data Breaches Are Both
Dangerous and Costly
$6.03MM
Average cost of a data breach
in Canada*
2
5 months
Time to detect a data
security incident*
*Source: The Ponemon Institute, June 2016
25%
Data breaches caused by
human error*
3. More Data Stored Means Increased
Responsibility to Protect and Prevent Data
Loss
2009 2010 2011 2012 2013 2014 2015 2016 2017
40,000
(Exabytes)
30,000
20,000
10,000
2018 2019 2020
Quantity of Data with Corporate Responsibility: https://www.emc.com/collateral/analyst-
reports/idc-the-digital-universe-in-2020.pdf
4. Medicentres Data Breach Exposes
Patient Data
4
Operates 27 clinics in 4 Canadian cities
IT consultant working for Medicentre Family
Healthcare Clinics in Edmonston stole
unencrypted laptop
Affected as many 620,000 patients
Patient data included: names, dates of birth
and health information numbers (but not full
medical records)
Waited 4 months to notify Ministry of Health
5. Common Data Security Methods Aren’t
Always Effective and Reliable
77%
Hit ‘delete’ button and/or drag
files to Recycle Bin on
computers/laptops from 6-10
times a day to once a week
51%
Believe files are permanently
gone once they’ve emptied the
Recycle Bin on their
computers/laptops
51%
Believe performing a quick
format or reformatting an
entire drive permanently erases
data so it can never be
recovered
Source: Blancco “Delete vs. Erase” Study
6. We purchased
200 used hard
disk drives and
SSDs from eBay
and Craigslist
Personal & Corporate Data Are
Easily Recovered from Used Drives
Source: Blancco “The Leftovers: A Data Recovery
Study”, June 2016
7. 111 Data Protection
Regulations…and Counting
7
48%
Concerned with protecting
reputation
40%
Concerned with avoiding
regulatory penalties
54%
Concerned with staying
compliant
8. 2017
Digital Privacy Act (Bill S4)
Notify individuals in cases of breaches
Report data breaches to Office of the Privacy Commissioner of Canada
(OPC) if it is “reasonable in the circumstances to believe that the
breach creates a real risk of significant harm to an individual”
Notify third parties of data breaches where those 3rd parties could assist
in the mitigation of harm
Keep and maintain records of every breach involving personal
information under their control (must be provided to Privacy
Commissioner upon request)
Canada’s Stance on Data Protection
9. 1
111
2017
2017
Number of
data
protection
laws
EU General Data Protection Regulation: Right to
be Forgotten
27,000 new Data Protection Officers needed
FINES - Non-Compliance could result in up to 4% of
turnover OR €20 MM (whichever is GREATER)
ANY EU citizen can demand their records be expunged
– and the company must provide proof of erasure
UK will adopt GDPR by May 2018, even post Brexit
EU GDPR Is a Game-Changer
1998
10. 13%
Companies don’t erase
digital files/folders when
they are no longer needed*
Reasons to Implement &
Enforce Data Retention
Policies
10
22%
Companies don’t have written
data disposal/destruction
policies to handle data that’s
no longer needed*
*Source: Blancco, “Data Governance Inside the Enterprise” Study, April 2017
Comply with government regulations and industry
standards
Reduce storage costs
Support defensible data erasure
Reduce risks associated with keeping everything
forever
22%
Companies keep data
forever*
11. What Is A Data
Retention
Policy?
Classifies data by type,
business value, criticality,
and regulatory requirements
such as Personal Data
Protection regulations
Retention periods defined
based on classification
Should define proper
procedures for certifiably
destroying data at end-of-
life
12. How Can You Get Data Retention Right?
12
BUILD THE
TEAM
CONDUCT A
DATA
ASSESSMENT
IMPLEMENT
& ENFORCE
POLICIES
WITH ILM
13. Who Should Be on Your Data Retention
Team?
13
Data
Owners
Information
Governance
IT
14. It’s Data
Assessment Time:
Questions to Ask
Yourself
Do you have an up-to-date record retention
policy and schedule?
Is your record retention policy enforced and
audited for compliance?
Can you implement a litigation hold and cost-
effectively sustain it for a period of time?
How about multiple, overlapping holds?
Can you easily discover email, files and
other electronic documents across the
organization, including laptops and remote
offices?
Can you complete your discovery within
days or weeks?
Can you be certain that you have found
everything during your discovery?
Can you provide all electronic documents in
their original format if required?
Can you (and your legal counsel) easily and
effectively review all discovered documents
to produce a smaller set suitable for review
by outside counsel?
16. Active
Take an Information Lifecycle
Management Approach
• Classify
• Assign Rights
• Activity Monitoring &
Enforcement
• Rights Management
• Logical Controls
• Application Security
• Access Controls
• Encryption
• Rights Management
• Content Discovery
• CMP (DLP)
• Encryption
• Logical Controls
• Application Security
• Encryption
• Asset Management
• Crypto-Shredding
• Secure Deletion
• Content Discovery
17. The Dangers of Keeping Data Forever
17
A single unnecessary
document or email (that
wasn’t erased) could contain:
Data that hackers can use
to attack your organization
or customers
Dormant malware, waiting
to be triggered as part of
an advanced attack
A “smoking gun” that
could be used against you
in court
19. Customer Demand
The Right to be Forgotten allows EU citizens to
request removal of their data from your
system.
Employee Onboarding &
Departures
Protect against data breaches at transition
points in your hardware’s chain of custody
and use.
Tech refresh and asset
decommissioning
When a server, storage, device or other IT
asset is ready to be reused, resold or
discarded – any data must be erased.
Data Migration
When data is moved from one location to
another, from an old server to a new one, or
virtual machine to another – the original data
location must be erased.
Disaster Recovery Exercises
Following the successful restoration of
production systems, any data left on the
recovery disks should be erased.
Data End-of-Life
When data is no longer needed on any storage
device, policies can enforce the erasure of virtual
machines, files and folders with automated
routines within your existing systems. Should be
added to data retention policy and process.
Key Scenarios When Data Erasure
Is Needed
Cloud Exit
When you are exiting a cloud service or a
managed services provider is handling
your data, data erasure policies must still
be enforced to keep control over the data.
20. 8 Ways You Can Strengthen Your Data
Governance & Regulatory Compliance
20
What is the tagline?
Matt Anderson
Joe Mount
Sia Jihadi
Miguel (Mexico team)
Russ
And overcoming these challenges is extremely important for your organization- because the consequences are steep.
Global security regulations and standards which are increasingly demanded for and adhered by Cloud providers and their end-customers.
Add a reference to the 3.8M –
Average number of records for about a millions records
Average cost per record is $4 – 50% of that data should have been erased anyway, you can save yourself millions.
And there are several challenges that you have to overcome to ensure a more secure environment. Especially since we know that the amount of data that you will be responsible to protect will only continue to rise. In fact, over 40K exabytes of data will be produced by 2020 (according to IDC’s Digital Universe Study).
Data classification becomes extremely important – you don’t need to secure 100% - just the most IP related (source code, legal contracts) – public company – accounting information.
Source of Stats: Blancco “Data Governance Inside the Enterprise” Study, April 2017
**Japan’s Act on the Protection of Personal Information – right to erasure
Global standards – like PCI – both remove any stored data with polices and procedures
Security frameworks & regulations – NIST: SP 800-88r1 – sanitization in US
ISO 27001 – requires any sensitive data be securely overwritten prior to disposal or re-use
And overcoming these challenges is extremely important for your organization- because the consequences are steep.
Global security regulations and standards which are increasingly demanded for and adhered by Cloud providers and their end-customers.
Add a reference to the 3.8M –
Average number of records for about a millions records
Average cost per record is $4 – 50% of that data should have been erased anyway, you can save yourself millions.
Key roles to include from Data Owners:
Marketing
Finance
HR
Operations
DBAs
Key roles to include from Information Governance:
Chief Information Governance Officer (CIGO)
Chief Privacy Officer
Data Protection Officer (EU)
Chief Counsel
Key roles to include from IT:
Infrastructure
Cloud
Architecture
Security
Include data end-of-life (erasure) with auditable reporting into your cloud security eco system.
As we transition to Cloud Computing, our traditional methods of securing data are challenged by cloud-based architectures. Elasticity, multi-tenancy, new physical and logical architectures, and abstracted controls require new data security strategies. With many cloud deployments we are also transferring data to external — or even public — environments, in ways that would have been unthinkable only a few years ago.
The Data Security Lifecycle is different from Information Lifecycle Management, reflecting the different needs of the security audience. The Data Security Lifecycle consists of these six phases