CommBank: could your organisation also be vulnerable to a breach of old data?

It has been reported this week that Australia’s Commonwealth Bank lost track of two magnetic tapes containing historical information on almost 20 million customer accounts from 2000 to 2016. While much of the fallout has focused on whether or not customers should have been informed when this was discovered in 2016, the question also has to be asked: given its age, should this data have been retained for so long in the first place?

With Australia’s Notifiable Data Breaches (NDB) legislation having come into effect in February this year, it’s great to see a focus on data security and privacy. However, attention must also be given to appropriate encryption and data deletion policies to manage the growing risks around breaches. Frankly, keeping old data for no reason leaves you more exposed to an attack and, ultimately, to customer backlash should a data breach occur.

Most organisations have an enormous amount of sensitive data across a plethora of media: paper, magnetic tapes, removable hard drives, USB, scanned documents, and obviously servers, storage arrays and cloud storage solutions. For established businesses with a couple of decades under their belts, much of this data existed before encryption was even available, and certainly before it was widely used.

The solution? We recommend that, as step one of the data management journey, organisations discover where all their data is stored and who can access it (including paper and other legacy media). They should then systematically work through each area, analysing and classifying each document or file to align with the organisation’s information governance policy, and determining if, where and how that information is deleted, archived or protected. Protection then includes access controls, alerts, audit and reporting, to ensure compliance and regulatory requirements are met.

As we have seen this week, hanging on to large amounts of historical sensitive data is a significant risk that can have damaging consequences for your business and potentially your customers.

Read more about Covata’s Data Discovery and Classification solution here and contact us for a trial.