Companies across all industries process incredible amounts of information. In any given month, emails will be sent and received, blog posts will be written and more formal reports generated. Whether it is an internal document like a corporate profit overview or an external-facing white paper, organizations create new confidential data every day. Due to the ever-changing nature of industry, they must.
Take a corporate payroll for instance – the vast majority of companies use spreadsheets or online services to track this data. However, it is changing all the time. Older employees leave and newer ones join the company. At the start of a new year, a new sheet may be created to remove the excess baggage and focus only on relevant employees.
But what happens to the old document?
Sometimes it is deleted. Other times, that information may become relevant again, so it is best to store it in a digital archive. After all, digital archives are not bound by physical space restrictions: They can be enormous without any seeming drawback. Another apparent advantage of digital archives is that they can be accessed more easily than physical copies. Remote workers can pull older reports to use as the basis of newer products. A new HR rep can quickly scan former policy documents to be brought up to speed on corporate structure.
Data storage naturally happens and it is often a positive that it does. Workers quick to delete emails after reading oftentimes have to request a resend or contact IT for support when valuable information is prematurely lost. Deleting older data spreadsheets too soon may handicap current and future reports.
However, there is a dark side to data preservation. When equipment is decommissioned, it can still contain countless corporate secrets. Stolen smartphones and laptops also become that much more of a problem, as they can have access to that near-infinite digital record. A data breach of this kind can compromise the security of an entire network. Passwords must be changed, permissions altered and government agencies contacted to help restrict the fallout.
Given how vital data is to a company, it is bizarre to think that many do not hire an individual to maintain and safeguard it. Data retention officers can police internal policy, helping companies determine which data needs to be kept and which should be destroyed. In this sense, these employees realistically have two primary duties: data retention and data destruction.
Establishing the role of a data retention officer
According to IT World Canada, data retention officers are now being actively promoted by the office of the Auditor General of Canada. According to Cameron Fraser, information and privacy coordinator for the agency, cybersecurity is a big driver in this promotion.
Too often stories hit the news of corporate information leaks. Many of these result from stolen equipment. Technology has become more portable and thieves do not need to break into a physical location to loot heavy PC towers and server farms. Instead, smaller mobile devices like laptops, smartphones and USB keys are usually the targets.
A 2016 Kensington survey found that nearly 25 percent of organizations had experienced an IT theft in the office. Another quarter had mobile devices stolen from within cars, while an additional 15 percent reported thefts onboard airplanes. Despite this, over a third of respondents had no plan in place to physically protect these devices or the data that they contain.
The role of a data retention and destruction officer is to keep physical tabs on these devices: to know where they are at all times and, if one is stolen, to act immediately to isolate it from the network. When hardware reaches the natural end of its life cycle, the data retention and destruction officer should also be the one to ensure that no information or network connections remain on the exiting device.
Setting up a data retention and destruction policy
Part of a data retention and destruction officer’s role will be enforcing the corporate standards on the issue. To accomplish this effectively, the organization must have clearly outlined standards regarding stolen or decommissioned equipment, as well as flexible rules on the data itself.
For instance, a uniform data regulation might sound like a good idea: Data is only retained for five years. However, this policy may still delete some relevant data from internal files. Regardless of what regulation is enacted, the data officer needs to have complete knowledge of what corporate information is on every device.
When a physician’s laptop was stolen from the University of Oklahoma in late 2015, the university was slow to react. Part of the problem, according to Healthcare Informatics, was that no one in the administration was sure exactly what information was on the hardware. They had to spend valuable time formulating best-guess scenarios and acting on general assumptions.
A data retention and destruction officer could have kept a record of that laptop’s information, allowing the university to respond with confidence and greater speed. Every time confidential information is copied, the data retention and destruction officer should be made aware of it. This is especially true when classified material is copied onto a mobile device, as these are more frequently stolen.
Removing or regulating the BYOD policy
A significant complication for data retention and destruction officers, and for companies in general, is the ‘bring your own device’ policy. Bring your own device allows employees to supplement their provided work equipment with personal devices from home. This hardware is almost always mobile – typically in the form of a smartphone or laptop. While this can lead to increased productivity, it poses significant challenges in terms of data security.
For starters, the number of devices that can be stolen increases. Secondly, unlike with corporate-provided hardware, organizations cannot fully control what employees do with the data on personal devices.
However, the costs of removing BYOD, which typically entail providing smartphones and other devices for employees, can be prohibitive. Digital Guardian polled IT experts on regulating BYOD policy, should a company choose to keep it. One of the main priorities was encryption. Corporate data must always be locked behind at least one authentication process.
Another step, one that would fall under the data retention and destruction officer’s jurisdiction, is a device registry. If employees want to use personal devices to augment job performance, then the data officer must be made aware of it. It should also be policy to check in on these devices periodically to ensure that they have not been misplaced or given away. Whenever an employee is thinking of replacing a BYOD device, the outgoing device should be handled under the same corporate data destruction policy.
Tracking employee-owned devices and their corporate data will help alleviate some of the risk. However, the most secure option is still to remove BYOD from corporate policy.
Giving retention officers the appropriate tools for data destruction
When data does need to be destroyed, data retention and destruction officers will need the appropriate hardware. Simply deleting a file does not safely remove the information. In fact, file deletion by itself rarely removes the data in question. More often it simply removes the stored path used to find that information, so the system no longer shows or opens the file. It will also label the space the data occupies as rewritable, meaning that the data will eventually be replaced with newer information.
However, this method is far from perfect as even rewritten data can occasionally be recovered. Purchasing a multimedia shredder, preferably one that meets NIST, HIPAA and PCI standards, is a much more secure way to ensure that data from devices like smartphones and USB keys is destroyed.
For laptops and PCs with hard disk drive storage, an HDD degausser is the only surefire method to completely remove all information. Degaussers alter the magnetic properties through which hard drives operate, meaning that the files can never be accessed again. Once the magnetism is shifted, it cannot be returned to its original state.
While outside operators provide data sanitization services, they are fundamentally not as secure as developing an in-house solution. A data retention and destruction officer should be given the hardware needed to fully and securely destroy obsolete data, before it can resurface at a later time and cause profit loss and possible legal ramifications.
Data is the lifeblood of most organizations. In a world where cybersecurity is seeing increased importance and responsibility, a data retention and destruction officer is a needed addition to the corporate landscape.