The Dangers of Forgotten Data

Just about every business works with masses of data every day, much of which is used and then filed away and forgotten. Gartner calls this forgotten data “dark data,” and defines it as “information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes.”

Forgotten data poses a serious security risk. In fact, Verizon’s 2008 Data Breach Investigations Report found that 66 percent of breaches involved forgotten data—data that companies do not even know is in their system.

Forgotten data includes all sorts of information that hackers can potentially find on the deep web, including old reports and sales presentations, archived emails, outdated customer information, network log files, and metadata. Forgotten data also includes information that your company may store without realizing it, not only on PCs and thumb drives but also on devices such as:

  • Scanners
  • Printers
  • Photocopiers
  • Fax machines

Take the 2012 Affinity Health Plan breach, for instance, in which the hard drives on several leased photocopiers contained confidential health information for more than 344,000 patients.

Affinity failed to delete the forgotten data on the hard drives before returning the copiers to the leasing company. The result? Affinity was fined over $1.2 million by the U.S. Department of Health and Human Services (HHS).

Five Steps to Protect Your Business

What can companies do to protect themselves? Here are five steps you can get started on right now:

  1. Acknowledge the problem. Simply recognizing that forgotten data is out there and poses a potentially serious security risk is essential. Remember that acknowledgement is the first step towards recovery.
  2. Examine your data retention policies. Employees are typically data hoards and storage is inexpensive, which makes it tempting to hang onto massive amounts of data—until you consider what a breach of that data could cost you. Stored data could one day be the source of great insight or innovation, but ask yourself: Does the risk of storing the data outweigh the value of purging it? “Just in case” data could cost your organization tens of thousands of dollars (or more) in fines and lawsuits.
  3. Consider de-identifying or encrypting stored data. If the data must be retained, consider de-identifying or encrypting it. Encryption would make it more difficult for hackers to unlock the contents; and strong access controls and monitoring can limit any damage.
  4. Add forgotten data to your risk assessment process. As part of your risk assessment process, review your data storage policies and inventory the data you have gathered and continue to gather on legacy systems, email systems, backup tapes, content management systems, databases, and more.
  5. Examine your data disposal strategies. According to the 2015 Verizon Data Breach Investigation Report, nearly 12 percent of all miscellaneous errors that lead to a data breach are the result of insecure disposal of personal and medical data.
  6. If a data breach occurs, saying that your company did not know the data existed will not be an acceptable defense. That’s why it is critical to take those five steps now to find, protect, or dispose of all your data—including data that’s been long forgotten.

    Mahmood Sher-Jan is EVP and General Manager, RADAR Product Unit, at ID Experts. He brings over 25 years of experience in developing risk and fraud management, security, compliance, and data beach solutions.

    Originally posted on ID Experts blog. Reposted with permission.