Taking Out the Digital Trash

Does your organization keep old, stale and useless data? Most do. In our practice we find that about two-thirds of data on file shares has not been accessed in at least six months. While the lack of access does not necessarily identify data that has no business value, it’s a pretty good indicator.

This “stale data” problem is widespread. An Osterman white paper notes that only about 25% of data currently retained has actual business value. Another 5% of data is for regulatory retention and 1% for legal hold — leaving 69% of data ready for deletion “without legal, regulatory or business consequences.”

What Can We Delete?

As I have noted before, there is no one-size-fits-all answer for when data is ready for deletion. Data should be retained if it is needed for:

o   Regulatory or compliance retention requirements, including data identified in an organization’s records retention schedule;

o   Legal or investigative matters (“legal hold”); or

o   Ongoing operation of the business.

Otherwise, the data is “stale” and should usually be deleted.

What Happens If We Don’t Delete?

In the past, organized deletions of data were rare. “We might need it” or “keeping data doesn’t hurt anything” were effective arguments for retaining all kinds of data, whether it was 10-year-old emails from departed employees or data from decommissioned systems. Even today, some suggest that deleting data is a bad practice because “it might be subject to a legal hold.”

In reality, keeping stale data creates significant risks:

o   Litigation and investigative risk. Preserving, collecting and reviewing data for eDiscovery is expensive – and keeping stale data makes it more expensive. Over a decade ago, a famous DuPont study found that half of the documents it reviewed for a legal hold were stale and could have been deleted, saving $12 million. The volume and related costs are both higher now.

o   Operational risk. Most of the time, the IT department treats all data in a repository (e.g. file shares) equally because it has little insight into the use or value of that data. This comes at an operational cost based largely on the volume of data, plus the personnel time required to handle these tasks.

o   Security Risk. Organizations have a responsibility to protect certain data that they retain, particularly financial and healthcare information in the US. And these responsibilities are growing. Among other moves, the FTC is requiring organizations to protect data in compliance with the representations they make about their data security practices — which are usually very strong.

o   Compliance risk. There are many regulatory requirements that mandate or imply that stale data must be deleted. In Europe, the Data Privacy Directive requires that “personal data” (which is very broadly defined) can be held for no longer than the original purpose for which it was collected (Directive 95/46/EC Article 6(1)(e)). In the US, data privacy laws are very different. But the FTC has been taking a strong stance that data should only be kept as long as it serves a legitimate business need.

What You Can Do

More organizations than ever are interested in deleting stale data, whether it resides on file systems, old backup tapes, email servers or archives. The rewards of reducing a data footprint can be significant in operational cost and reduced risk, and the process of deleting the data is not overly complex. Here are some steps that you can take to get started:

Assemble A Cross-Functional Team

A sound “defensible deletion” project needs people and support from various organizations to be successful. Key players usually start with the IT department and Legal (or Compliance). If your organization has a Records Management group or function, they should also be involved. Executive support, as always, is critical.

Gather Some Data Intelligence

Most organizations know where the stale data resides – typically in an email server or archive, or on file shares or old backup systems. Find out just how much data is being stored, and the age of the data. With file shares, you may be able to gather additional information on how long it’s been since the data has been accessed or modified.
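One way to gather these numbers for a file share, as an added example that is not part of the original article: the script below walks a directory tree and totals file counts and bytes by time since last access and last modification. The function names, the bucket boundaries and the assumption that the share is mounted at a local path are illustrative; the 180-day boundary mirrors the six-month indicator mentioned at the top of the article.

```python
import os
import stat
import sys
import time

DAY = 86400
# Upper bounds in days (assumed buckets); 180 days mirrors the six-month indicator.
BUCKETS = [(180, "<6 months"), (365, "6-12 months"),
           (1095, "1-3 years"), (float("inf"), ">3 years")]

def bucket_for(age_days):
    """Return the label of the first bucket whose upper bound exceeds the age."""
    for limit, label in BUCKETS:
        if age_days < limit:
            return label

def survey(root, now=None):
    """Total [file count, bytes] per age bucket, by last access and last modification."""
    now = time.time() if now is None else now
    report = {kind: {label: [0, 0] for _, label in BUCKETS}
              for kind in ("accessed", "modified")}
    report["unreadable"] = 0  # directories or files that could not be inspected

    def on_error(_exc):
        report["unreadable"] += 1

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))  # do not follow symlinks
            except OSError:
                report["unreadable"] += 1
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # count regular files only
            for kind, ts in (("accessed", st.st_atime), ("modified", st.st_mtime)):
                slot = report[kind][bucket_for((now - ts) / DAY)]
                slot[0] += 1
                slot[1] += st.st_size
    return report

def stale_fraction(report, kind="accessed"):
    """Share of bytes that fall outside the newest bucket."""
    total = sum(size for _, size in report[kind].values())
    return (total - report[kind]["<6 months"][1]) / total if total else 0.0

if __name__ == "__main__":
    rep = survey(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind in ("accessed", "modified"):
        print(kind, rep[kind], f"stale bytes: {stale_fraction(rep, kind):.0%}")
    print("unreadable entries:", rep["unreadable"])
```

Last-access times are only as reliable as the file system's policy for updating them (for example `noatime` or `relatime` mounts on Linux, or last-access updates disabled on NTFS), so read the access figures alongside the modification figures.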

Create Your Case / ROI

Be specific about why deleting this data will matter. The easiest situation is when specific savings can be quantified. Can you free existing storage for other purposes, or postpone a new purchase? Are you licensing storage by the terabyte or paying for a cloud storage footprint that can be reduced? There are often soft cost savings, too. Perhaps having less data – or even retiring a repository – will free up a day or more for an IT resource each week.

And don’t skip the risk avoidance savings. While the likelihood of these savings can be difficult to quantify, the numbers can be significant. For example, a recent survey notes that a 3% reduction in the amount of time employees at large companies spent on litigation holds would save $1 million per company each year.

Conclusions

Just about every organization has data that is stale and can be deleted with little or no risk to the organization. Not only is there an upside to eliminating this data, but also there are growing risks if it’s not deleted. Survey your organization and see where you can save some costs and risk.

Jim Shook

About the Author: Jim Shook

Jim combines his computer science degree and technical experience with over a decade as a litigator and general counsel, helping customers to better understand cybersecurity best practices and related regulatory and legal concerns. Today he focuses on combating the impact of ransomware and destructive attacks with cyber resilience capabilities and technologies. Jim started and continues to lead Dell's relationship with Sheltered Harbor and serves on its Joint Steering Committee. He is also a member of the Joint Steering Committee for the Sedona Conference working group on cybersecurity and privacy.