Bookmark and Share Email this page Email Print this page Print Pin It
Feed Feed

Aug 19, 201312:38 PMLegal Login

with Mindi Giftos

Data hoarding: How it harms your business and how a data-retention policy can help

(page 1 of 2)

Storage has become so cheap so fast that we think nothing of storing five slightly different, slightly blurry copies of the same photo on our phones, in hopes that one turns out well. We store old files and folders on our computers, thinking we might use them in the future, but up to 80% of our documents are not accessed for three to five years from the time they were saved. Companies store years’ worth of customer and employee data and internal communications, much of it sensitive and dangerous in the event of a data breach, system hack, or litigation.

These behaviors are ingrained in our technologically overwhelmed brains, but how do we stop the hoarding habit? The dangers are worse than we think:

  1. Storage is cheap, but it still costs money. Hoarding data increases company expenditures on infrastructure, including storage of old tapes, transitions from old servers and systems to newer ones, data migration, and possible disaster-recovery efforts.
  2. Declining employee productivity. More data typically means less organization and more unwanted records, so it is harder to find what is needed, especially in an emergency. When searching records gets difficult, employees may give up or miss relevant content because there is just too much unnecessary information clouding the search.
  3. Organizational breakdown. Who from your business is responsible for storing only relevant data for a relevant time period? Typically, it is not IT, records management, or a member of the C-suite. The quantity of retained information is doubling each year, but budgets are contracting, overseen by the officers of the business. If there aren’t enough internal policies or employees to address the limiting of data, it can lead to internal miscommunication, decreasing organization of records, a lack of focus on thinning unnecessary records, and continued bulking-up of data.
  4. Expenses involved in litigation. A company has the obligation to preserve and produce whatever relevant data a company has when a legal matter arises, including records, emails, and internal company documents. But in order to determine what is potentially relevant for discovery, attorneys must review any related records in what is often a long, expensive process, made longer and more expensive by more data.
  5. Hackers and lost data. Cyber-attacks are becoming an everyday reality for businesses of all kinds, and data-breach litigation has reached an all-time high. The more customer data your business keeps indefinitely, the more risk it takes on in the event of a hack or breach, and the more it will cost you long term, due to state requirements forcing disclosure of the breach to affected customers.


Old to new | New to old
Aug 22, 2013 02:19 pm
 Posted by  bdjohnson

I believe you are co-mingling unrelated issues here. The advice to develop a data retention policy makes sense and should only have positive outcomes. But the decision to permanently delete data to mitigate small risks seems short-sighted and overly simplistic. The technologies required to make sense of and leverage "big data" are only now coming to market. And they are very early stage. The most sought after technical hire these days is that of a data scientist. We are just entering the age of understanding and using big data, and it would be wise to carefully consider the potential value contained in any data before deleting it.

Search and discovery technologies have evolved massively in the last 36 months and are a strong offset to the organizational concerns you raise. In fact, e-discovery (applying machine learning to the costly legal discovery process in litigation) is one of the leading drivers text analytic technologies. Storage is already cheap, but it is also getting cheaper by an order of magnitude every year or 2. You can now buy a thumb drive that will store 1 TB of data. And while there is clearly an over growing threat of being hacked these days, the risk exposed by big data storage can be offset effectively by removing PII or generalizing data such that it provides business value without connecting individuals to their specific data.

Over the next decade plus, the business value of big data is going to be a huge driver in organizational efficiency, productivity gains, new product development, and price/profit dynamics. It will even play a pivotal role in profiling risk, itself. While common sense and smart policies should surely be applied, the opportunity risks of limiting data collection and storage may actually be larger than the risks described with keeping it.

Oct 25, 2013 07:09 am
 Posted by  astrombom

Bdjohnson, thanks for your comment. We agree that managing data is a key priority for businesses today. However, my post does not advocate deleting data to free up space or to “mitigate small risks.”

A data retention policy is about keeping data relevant or necessary to a business. Establishing a data retention policy is essential for a business interested in maintaining the safety of the information collected from its customers and the integrity of its systems. These policies address more than the data itself, often appointing someone responsible for data tracking, or serving to standardize functions of disparate units within the business.

We agree about removing personal data from transactions when possible.
You recommend that “removing [personally identifiable information] or generalizing data” to retain the business value of data without jeopardizing individuals’ information is one way to offset “the risk exposed by big data.” In my post, I also advise that a data retention policy contain a requirement to discard sensitive customer information once a transaction has concluded. However, when personal information is essential to the business’s purpose, as in health care, or when a key part of the business is to facilitate ongoing transactions that involve customers’ information, as in banking. In these situations, deleting information may make it more difficult for hackers to access the PII, but eliminating the data will also handicap the business in its key functions.

Few businesses have the capability or resources to stay on the cutting edge of data search and discovery. Though technologies to manage data are developing, it is advisable for a business to learn how to streamline the content in these systems to ensure compliance with legal and regulatory rules, as well as to establish uniformity throughout the organization.

The key to creating a data retention policy is to tailor it to the business’s needs. There is no one-size-fits-all document.

Add your comment:
Bookmark and Share Email this page Email Print this page Print Pin It
Feed Feed

About This Blog

Mindi Giftos and her colleagues in Husch Blackwell’s Technology Law group handle a wide variety of issues related to emerging and established technologies, including intellectual property, development and licensing, commercial contracting, and corporate transactions across a broad range of industries.

Recent Posts



Atom Feed Subscribe to the Legal Login Feed »

Edit Module