Data Minimization Policies: A Key Requirement for Effective Cybersecurity
- Bill Tolson |
- December 28, 2022 |
- minute read
The accumulation of unmanaged corporate data has reached an inflection point for data security and information management professionals. It is estimated that by 2025, 463 exabytes of data will be created daily, and by 2025, the "cloud" will house 200 zettabytes, up from 4.4 ZB in 2019 and 44 ZB by 2020. The bottom line is, in general, data is multiplying, and corporate data is accumulating at an unprecedented rate. Add to that challenge that the majority of organizations continue to adopt the cloud, and you can see why the cloud will store 200 ZB by 2025.
These global statistics tend to be mind-numbing and difficult to comprehend individually. Just think about the number of emails and chat messages you create, send, and receive daily. For most corporate employees, that number is probably in the hundreds. How many of those emails and Teams chat messages include an attachment?
Companies almost universally rely on individual employees to actively manage their own data. The long-standing individual employee challenge is that they don't have the time, training or inclination to act as full-time information managers, so many simply move on as soon as they send the email or finish the chat, leaving it unmanaged in the application.
For example, how many of you have thousands of emails in your corporate mailbox? If you do, you have surely received a message from your Exchange Admin stating that your mailbox is reaching its storage limit and you must delete emails so that your email box continues to work. Many employees will simply delete the oldest 1000 emails to free up space or, worse, create a PST and move it into their desktop or file share.
Data Minimization Policies: If you don't need it – delete it
What is data minimization? Data minimization is defined as the practice of limiting the collection, storage, and processing of data to only what is strictly necessary for business operations, regulatory requirements, and legal proceedings. While organizations should implement policies regarding management of data for individual employees, management of customer data is more complex. Multiple regulatory laws, including the GDPR Article 5, as well as California, Virginia, Colorado, Utah, and Connecticut data privacy laws, have mandated organizations (via new privacy laws) to practice data minimization as a best practice to ensure compliance with all data privacy law requirements as well as to meet best business practices. These new data privacy laws stipulate that collected PII can only be kept and used for the specific purpose for which consent was granted.
For example, New York's SHIELD Act specifies that companies that own or license private information of New York residents must comply with the SHIELD Act's requirement to "implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data." Organizations can comply with the SHIELD ACT requirement by ensuring the organization disposes of PII within a reasonable time or after it is no longer needed for ongoing business.
Additionally, the Federal Trade Commission recently updated its Safeguards Rule for Financial Organizations. The update requires financial institutions to adopt procedures for "the secure disposal of customer information" within two years of that information being last used unless keeping it longer is necessary for a legitimate business or legal purpose.
The over-retention of data leads to increased risk
The Lifecycle of Information Chart below shows how individual employee data accumulation can quickly get out of hand. The right side of the chart shows the possibility of reference or reuse over time. As you can see, the possibility of ever viewing that data again drops below 1% after 30 days. At that point, the data's value (potential of reference or reuse) to the business drops to, but never quite reaches zero.
The point of the above chart is to show that approximately 60 to 70% of all data created, sent, and received by individual employees becomes valueless quickly and should be deleted as soon as possible.
The risks organizations face in respect of data retention can be compounded from:
- Keeping data for too long (high-watermark retention policies) or forever
- Not being able to respond in a timely fashion or accurately to Data Subject Access Requests (DSARs) or Freedom of Information ACT (FOIA) requests due to unconsolidated and unmanageable volumes of data
- Exposure of poor data retention practices in response to DSARs or regulatory investigations due to reliance on employees as information managers
- Data that is "managed" by individual employees on laptops/desktops – not indexed or searchable by authorized IT or other employees
- Multiplier effects in the event of a data breach
- Unnecessary costs of retention - management, backup, storage
- Additional and unnecessary costs of search and discovery because of the volume of data
- Increased eDiscovery cost due to potentially a much larger data corpus, including expired data and a more significant number of false positives
The current data privacy laws around the globe, including the EU's GDPR and Canada's PIPEDA, all point to a data minimization requirement. New privacy laws emerging in the individual U.S. States, the US federal American Data Privacy and Protection Act (ADPPA), and Canada's C-27 bill in the Parliament show a clear path to requiring data minimization of PII.
Data minimization, effective cybersecurity, and emerging legal precedent
The information security risks of data over-retention are numerous. The impact of a corporate data breach will be magnified with ongoing data over-retention. For example:
- The volume of records involved in the breach may be more extensive and could affect many more individuals causing data breach response requirements to be more complex and costly due in part to sensitive data held and managed by employees on local devices and not visible by central IT management. Specifically, the breach response team could be required to inventory all employee-managed data to determine what data was accessed – even on employee laptops/desktops.
- If a regulator investigates and discovers specific data involved in the breach has been kept for longer than necessary or violated the consent justification, the risk of enforcement action could be raised and potentially more severe
- Damage to the organization's reputation, brand, and existing customer satisfaction could be much greater
A PII breach inexorably creates inquiries and potential class action lawsuits on behalf of individuals who have been affected. It can also raise hard-to-answer questions from individuals asking why their data has been kept so long.
Data minimization is increasingly becoming an express requirement in resolving data privacy and security cases. In March of 2022, in an action against CafePress, where the defendant failed to secure consumers' sensitive personal data and covered up a major breach, the FTC ordered the e-commerce platform to bolster data security by requiring that the defendant must:
- "Minimize the amount of data they collect and retain."
- Not" misrepresent [its] information deletion and retention practices."
- Establish and implement "policies and procedures to minimize data collection, storage, and retention, including data deletion or retention."
In another case example from October of 2022, the New York Department of Financial Services found that EyeMed, a licensed life, accident, and health insurer, had committed seven violations of the NYDFS Cybersecurity Regulation. These included failure to have an appropriate annual risk assessment, failure to implement multifactor authentication (MFA), and failure to implement policies and procedures for the secure disposal of personal information. This last violation is tied directly to data minimization requirements. NYDFS commented:
"In this matter, NYDFS found that "because EyeMed failed to implement a sufficient data minimization strategy and disposal process for the Mailbox, the compromised shared Mailbox contained old data that was accessible to the threat actor. Proper disposal processes minimize the amount of NPI accessible to an unauthorized third party during a Cyber Event." Settlement."
The settlement included a $4.5 million fine and an agreement to address the seven provisions they were not compliant.
Data minimization policies in 2022 and beyond
Disposing of valueless and expired data is becoming a corporate imperative in today's environment of data overload. Because of regulatory requirements, legal precedent, and rising corporate data retention costs, managing all data within an organization with more defined and stringent data minimization processes has become a cost and risk mitigation necessity.
Five key steps for data minimization
For organizations that are yet to implement data minimization policies or uncertain whether their existing policies are sufficiently robust, the following are five critical steps that I recommend:
- Realize that all corporate data must be managed, including all employee-controlled data
- Convince the legal department to allow regular data disposal
- Map all individual data privacy law retention disposition requirements so that PII can be disposed of when required by each data privacy law
- Audit and enforce data capture/syncing
- Automate the indexing, categorization, and retention/disposition processes to ensure data is available when needed and disposed of when required
As companies progress in this effort, new information management solutions must be adopted to accurately consolidate, capture, index, categorize, and apply retention/disposition policies to a much larger data environment. The goal of only retaining valuable business data, regulated information, and information involved in litigation should be the end goal.
Archive360 offers a Zero Trust cloud-based intelligent information management and archiving platform installed in the customer's own cloud tenancy, providing complete control and ownership of their data.
The Archive360 Open Archiving and information management platform provides complete records management, information management, and case management/eDiscovery capabilities with auto-categorization and retention/disposition for ongoing data minimization.
To learn more about Archive360's data minimization solutions, please visit our corporate web page at www.archive360.com and our resources page, which includes many podcasts, webinars, and blogs on data minimization.
Additionally, we have just recorded two webinars for MER on data minimization with two information management experts:
Leigh Issacs from DLA Piper Click Here to listen to the replay
Jay Cohen from Compliance Systems Legal Group Click Here to listen to the replay
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.