Date: 27-Nov-2009   URL: www.sun.com/emrkt/innercircle/newsletter/1108/feature-bus.html

Do your assets look fat in your datacenter?

An effective data retention strategy requires an equally effective data destruction policy. Here's practical advice for merging the two — from Sun's Chief Data Strategy and Privacy Officer, Michelle Dennedy.

If you have a comprehensive data retention policy in place, you're likely feeling pretty comfortable, even safe, in terms of compliance. But are you aware that your robust retention policy might be exposing you to undue risk if that information is lost or compromised? If your business strategy mandates certain information retention policies, be sure that they're married to an equally robust data destruction policy.

Sun's Chief Data Strategy and Privacy Officer, Michelle Dennedy, shares with Inner Circle readers her perspective on marrying a data destruction policy to a data retention policy so that business needs are met, customer information is protected, corporate risk is reduced, and efforts can be focused on moving the business forward.

Inner Circle (IC): What risks are companies taking by holding on to information they no longer need?

Michelle Dennedy (MD): Sensitive information that no longer gives insight into customers or provides financial reward makes you vulnerable to huge loss. We've all seen the news stories about retailers, banks and government agencies that were stung by maintaining (and then losing) information they no longer needed. If you keep information you don't need, you create conditions that lead to undue risk and loss. Additionally, it becomes very difficult to access useful customer information because it's buried under heaps of excess data. When it comes to datacenters, most backends are just too fat.

IC: Where is the line between keeping information I need to be compliant and destroying information that puts me at risk?

MD: When and how you clear information should not be an exclusively legal determination. It should encompass business strategy as well. If you view information as an asset, you gain insight into how, when, and where that asset is best used and when it starts to become a drag on your people, technology, and time. The line between keeping useful information and destroying useless data is different for everyone. Depending on the way your IT or HR systems are set up, it may not be prudent to keep information for seven years and one day just because the legal limit for retaining information is seven years. You may have a good reason for keeping it longer. It's a matter of strategy and finding the right line for your company, the risk profile you have chosen, and the type of information that benefits your customers or employees.

IC: Is there a difference between data and information?

MD: There are PhD dissertations rising and falling on this question. As a non-PhD who thinks about this issue pragmatically, I consider information to be a subset of data. Discrete pieces of data, when added up, can create information that can be used to make decisions, build a plan, keep you compliant with legal requirements, or keep you informed.

Information in this context is a compilation of data points about people, places, things, points in time, processes, and other meaningful bits. Your systems are storing data and serving it up with the hope that either the applications, the people, or both can turn the data into information.

IC: Is there an upside to understanding what information I have?

MD: Most of us in business today have rallied around risk. We're all about compliance, risk, and fear — often of the unknown vulnerability or unforeseen regulation. We protect data because we know there will be fines and dissatisfaction if we lose it or use it unwisely.

But reward is the other side to this risk equation. The only reason you spend time or resources to protect something is because it has value. The upside of information is that it drives decisions that can be translated into currency — earned or saved.

At the beginning of the year I plan my budget and strategy to do X, Y, and Z. At the end of the year, I look back to see how much I spent and what results I achieved that align to my corporate goals. Information is one step more powerful. I think the day is coming where we'll account for information on our balance sheets. In the 1960s, Rear Admiral Grace Hopper theorized that information would one day end up as its own discrete entry on the corporate balance sheet.

Business intelligence is the upside of information. Likewise, profit is the upside of business intelligence used efficiently, legally and ethically.

IC: Are there times when my data is more at risk than other times?

MD: Absolutely. It's a matter of data type and timing. For a retailer, a sensitive time would be before the holiday rush. A breach between Thanksgiving and New Year's could be devastating. Separately, a breach of strategic plans or highly sensitive intellectual property could wipe out an entire industry. Consolidating banks may lose precious account data, which may cause them to lose the very customers who can help them recover and thrive. Timing is everything in currency and information.

The vast majority of U.S. states have breach notification laws, and it's a matter of hot debate in Europe and elsewhere. Data like credit card numbers and PINs or social security numbers can pose a very high risk. And there is a hard number attached to that risk. Think of the implications if you lose a laptop with that kind of data. Or say one of your datacenter disk arrays goes bad and you send it in for repair without protecting it. You can lose hundreds of thousands, or millions of accounts. For each one of those accounts, both due to legal obligations and cultural expectations, you may have to pay for credit protection for two years for each customer who has trusted his data to your care. At around $90 per customer it doesn't sound too bad until you multiply it by 100,000 customers. When you multiply it by a million customers it sounds horrible — and it's happening today. These costs don't include lawyers, auditors, consultants, press agents, and brand repair specialists that will occupy your time after you've suffered such a breach. If it's determined that there was negligence or malicious intent when data is lost, there can be jail time as well.

IC: Can an effective data destruction policy offer competitive advantage?

MD: I believe it can. If you have a retention policy and have determined what information you need to be successful and compliant, then having and adhering to a data destruction policy frees you to do the daily stuff and stop worrying about yesterday's inventory. That's a huge advantage. Most people agree that if they don't have to worry about last quarter, they can spend energy on customer relationships, employee retention, public policy, events, etc. Keeping too much "stuff" not only opens loopholes to vulnerability, but keeps you from focusing on the reason you're in business. Keeping things clean, efficient, and modern has to be a competitive advantage.

IC: What options do companies have to get rid of data?

MD: Data privacy is tied very closely with security, and customers have to decide what level of security is right for them. Sun's recently announced Data Protection Service, Data Erasure (SDPS-DE) is our newest offering. It provides on-site data erasure services that physically keep assets within your control. It's important in a global economy to have services delivered consistently by one provider, so all your locations can adhere to your policies. SDPS-DE meets the rigorous data destruction policies of internal security departments and the guidelines of regulatory agencies that audit those policies.

SDPS-DE also helps with asset management by destroying data instead of destroying the asset. You can redeploy existing assets, which also solves the environmental dilemma of destroying equipment. This is one more tool that can be an important part of your overall strategic plan to manage your data assets and enhance your information profile.

IC: How do I determine my cost/risk ratio so that I know what to spend in order to protect my customers, my organization and myself?

MD: I use a very unscientific formula. There is data value. There is data risk. Data value (DV) must be greater than data risk (DR) to equal success. Determining that DV is greater than DR depends on cumulative factors such as how much data there is, what the nature of that data is, the age of your company, how your IT infrastructure is set up, what time of the season it is, who the management team is, and whether or not you're global.

Questions you should ask yourself about the DV or DR decisions you've made should include: Are you containing risk without considering if the information is worthy of risk containment? Should you stop collecting X information and collect Y information that you know is valuable? Should you start storing data intentionally rather than "just in case"?

IC: How do data destruction requirements vary around the world?

MD: The problem with data destruction requirements is that we don't have them in many parts of the world. There are different standards for different countries on retention as well as validating that the data is gone. The European Union requires that data not be stored for any time period beyond the stated purpose of that data when it was collected. That sounds like a specific requirement. For example, in certain EU countries, there is a requirement of data destruction once data is no longer necessary. But the HR laws in these same countries say data about employees must be kept for an extremely long period of time. This directly conflicts with the requirement to delete data as quickly as possible. In other countries, data destruction laws are very rigorous and data is destroyed soon after it is collected. So the challenge for your systems and IT gear is to translate cultural and human-rights notions into a technical, binary system.

Similarly, various countries have differing standards on what it means to eradicate data to a government-approved standard. Sun's Data Erasure offering adheres to most of the major standards globally and has been certified by a number of agencies to validate that the data is no longer accessible. Using Sun's Data Erasure services wisely is one more way to think and act globally for both compliance and for assurance that your data assets are looking good so that you can sleep at night.

Copyright 2004-2009 Sun Microsystems, Inc.