BVS BlogNovember 15, 2019 Dirty (Dark) Data, Done Dirt Cheap:
Imagine the Fines and the Headlines
The rock group AC/DC didn't exactly sing about dirty data in their epic 1976 song, but no one would blink an eye if they did so today. Most organizations, regardless of industry, often share the same mentality when it comes to document, data, and records retention — disk is cheap, keep it forever in case we may need it. So like a bad episode of "Hoarders" we hang onto those old sales presentations, invoices, meeting minutes, e-mails, instant messages, log files etc... with little to no regard of the potential consequences.
The prevalence of this unstructured data — or "Dark Data" as Gartner has termed it, creates extraordinary risk for your organization if left unmanaged. Most institutions have great policies that cover compliance mandated retention requirements for loan servicing documents, credit card applications, and high visibility items that auditors/examiners may focus on — but how about that file the IT person generated from the CRM system to help sales create a custom report? Who knows about it and who now has access to the Personally Identifiable Information (PII) contained within? Could you now fully comply with GDPR, CCPA, or all of the other pending privacy legislation that is imminent? How about eDiscovery?
Chances are you have little to no idea how much of this data exists in your environment, all of the sources creating it, or how quickly it is multiplying to even begin categorizing the risk, let alone mitigating it.
Fret not! (much)
There is a structured approach to your data intervention!
- Curate your data. Find it, categorize it, and organize it. Ideally this will happen as part of your annual risk assessment. If you are truly overwhelmed, there are a number of tools which can automate most of this exercise. Typically, organizations find 80%+ will be Redundant, Obsolete, or Trivial — known affectionately as ROT.
- Classify it. Everyone in the organization should be familiar with the data handling and classification policies of your institution. Make sure every employee knows how to create/handle/destroy the different classifications of data — and formally revisits the rules at least annually.
- Track it. Once you have found it, you have to manage it. Appropriate data loss prevention strategies should be employed along with sufficient, auditable IT controls to safeguard truly sensitive information. Who accessed it? When did they access it? What did they do with it? — are all questions you should be able to answer with confidence.
- Destroy it. Make sure your retention policy clearly outlines when to remove data from your environment. Jobs can be automated to make this more efficient, but it begins with sound policy.
Data management can be overwhelming in today's world of cheap disk and verbose business systems/relationships. It takes a deep, comprehensive understanding of your business and the infrastructure supporting every aspect of that business. Internal systems, cloud services, third party relationships, employees and customers — each independently generate data to support you, yet must be viewed and managed holistically to protect customers and mitigate business risk to an acceptable level. Otherwise, dirty data, done dirt cheap might just become one of your most costly decisions.
"The price of freedom is eternal vigilance. Don’t store unnecessary data, keep an eye on what's happening, and don't take unnecessary risks."
- Chris Bell, former U.S. congressman