Why data retention could be putting your business at risk of cyber attacks
In our data-driven world, we are often told that data is power: the more you have, the more you know. As an organisation, it’s likely you’re collecting and retaining significant amounts of data. However, not all data is necessary, or even useful, and data retention is in fact becoming a key issue in data security and cyber attacks.
Data retention is the practice of keeping data for a period of time, depending on its value, purpose or legal requirement. Many organisations have a system for collecting it - but not all have a policy in place for how long they hold onto it, and how and when it is disposed of.
With cyber crime continually on the rise, it is important for your business to implement effective strategies for managing and protecting the data you collect.
The risk of data retention
Data retention becomes a risk because every record you store is a record an attacker can steal: the more data you hold, and the longer you hold it, the larger the target and the greater the impact when a breach does happen. If it is not stored and managed securely, the personal information you hold about customers and stakeholders (names, addresses, credit card details and the like) can be stolen and used for fraud, such as identity theft.
Aotearoa has seen several data breaches in recent years that exposed weaknesses in how organisations retain data. Most recently, an attack on Latitude Financial exposed over one million past and present New Zealand drivers' licence records, some as old as 18 years. In another instance, a healthcare provider in New Zealand was fined $10,000 for failing to delete a patient's personal information after the patient had requested it. The patient's details were later accessed by unauthorised individuals, and the organisation was found to be in breach of privacy regulations.
What data should you be collecting?
It's important to be intentional about what data you are collecting in the first place. Organisations should not be collecting or retaining personal information unless it is necessary for a lawful purpose connected with their function or activity. The Privacy Act 2020 requires organisations to take reasonable steps to ensure that personal information is protected from unauthorised access, use, disclosure, modification, or destruction. Collection is only half of it: the Act also requires that an agency not keep personal information for longer than it is required for the purposes for which the information may lawfully be used, so a defined retention period is a legal obligation, not just good practice.
How to manage your business data:
Ensure that all sensitive data is encrypted and stored securely on servers that are regularly backed up. Remember that backups are copies too: a retention schedule that deletes a record from the live system but leaves it in years of backups has not really deleted it, so backups need their own retention period.
Only collect data that is necessary or beneficial for your business operations.
Regularly audit the access and use of data to ensure that it is only being accessed by authorised users for the right purpose.
Have a personal information retention policy that aligns with your business goals, needs and constraints that you review regularly. It should detail how long your organisation retains information, how data is created, stored and accessed, and how data is destroyed.
Continue to re-evaluate your data policy based on your own customer lifecycle, the value your data offers, industry regulations or best practices, and the risks that come with retention (e.g. data loss, corruption, breach, or misuse).
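As an added illustration of how a written retention policy turns into something that actually runs, the following script (not code from the original article) applies a retention schedule to a set of records and produces an audit log. The categories, retention periods, the legal-hold and deletion-request flags, and all sample records are constructed assumptions for the example, not legal advice; an organisation's own schedule has to come from its lawful purpose for each category and any statutory minimum holding periods.

```python
"""Retention-schedule enforcement: find and purge records past their retention period.

Added example, not the article's own code. Every category name, retention
period and record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: category -> days to keep after last use.
# A category with no entry means "no decision made yet": such records are
# reported for review rather than silently kept or silently deleted.
RETENTION_DAYS = {
    "drivers_licence_scan": 30,   # needed only to verify identity once
    "invoice": 7 * 365,           # assumed 7-year financial-record requirement
    "marketing_consent": 2 * 365,
}

@dataclass
class Record:
    record_id: str
    category: str
    last_used: date
    legal_hold: bool = False          # litigation hold: never purge automatically
    deletion_requested: bool = False  # the person asked for their data to be deleted

def classify(records, today):
    """Sort records into purge / keep / unclassified lists, each with a reason."""
    purge, keep, unclassified = [], [], []
    for r in records:
        if r.legal_hold:
            keep.append((r.record_id, "legal hold"))
            continue
        if r.deletion_requested:
            # A deletion request overrides the schedule (but not a legal hold).
            purge.append((r.record_id, "deletion requested"))
            continue
        days = RETENTION_DAYS.get(r.category)
        if days is None:
            unclassified.append((r.record_id, f"no retention period set for {r.category!r}"))
            continue
        expires = r.last_used + timedelta(days=days)
        if today >= expires:
            purge.append((r.record_id, f"expired {expires.isoformat()} ({days}-day retention)"))
        else:
            keep.append((r.record_id, f"retained until {expires.isoformat()}"))
    return purge, keep, unclassified

def enforce(records, today, dry_run=True):
    """Apply the schedule. Returns (purged_ids, audit_log). Dry run by default,
    so the log can be reviewed before anything is actually destroyed."""
    purge, keep, unclassified = classify(records, today)
    audit = [f"{today} KEEP {rid}: {why}" for rid, why in keep]
    audit += [f"{today} REVIEW {rid}: {why}" for rid, why in unclassified]
    purged = []
    for rid, why in purge:
        audit.append(f"{today} {'WOULD-PURGE' if dry_run else 'PURGE'} {rid}: {why}")
        if not dry_run:
            # In a real system: delete from the primary store, search indexes,
            # exports and any backup still inside its own retention window.
            purged.append(rid)
    return purged, audit

# Constructed sample data and evaluation date for the example.
TODAY = date(2023, 6, 1)
SAMPLE = [
    Record("R1", "drivers_licence_scan", date(2005, 3, 1)),      # 18-year-old ID scan
    Record("R2", "invoice", date(2020, 6, 15)),
    Record("R3", "marketing_consent", date(2019, 1, 10), legal_hold=True),
    Record("R4", "marketing_consent", date(2023, 2, 1), deletion_requested=True),
    Record("R5", "support_chat_transcript", date(2022, 9, 9)),    # no policy decision yet
]

if __name__ == "__main__":
    _, log = enforce(SAMPLE, TODAY, dry_run=True)
    print("\n".join(log))
```

Run as-is the script only reports what it would purge; set dry_run=False once the log has been reviewed. The REVIEW bucket is the useful part for most organisations: it surfaces the categories of data you are holding without ever having decided how long to keep them.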
There are other benefits to getting rid of unnecessary information: reduced storage space and costs, simpler compliance, and better relevancy and quality of the data you do keep.
Worried about your exposure to risk?
With cyber crime becoming increasingly sophisticated, organisations need to be vigilant and disciplined in their approach to collecting and managing data. Putting policy in place not only helps to safeguard your customers, but also your own reputation. If you’re wondering what more your business should be doing to protect the information your business holds, get in touch and we can talk more about your options.