In a series on cyber compliance issues, the Wall Street Journal looks at how collecting enormous amounts of data, without securing the private or sensitive information within it, can turn a security breach into a much larger problem:
It’s well-known that many companies aren’t aware when they have had their security breached. Compounding that problem is the fact that it is hard to determine what might have been lost, because many companies have accumulated data over years in multiple forms.
Ignorance about stored data can magnify the costs of notifying customers and the risk of regulatory or legal repercussions, according to various experts.
“Companies continue to allow the information haystack to grow and grow and grow,” said Bruce Radke, chair of the data privacy group at law firm Vedder Price. The first step in any company’s assessment of its data should be “really looking at the information you need and getting rid of everything else,” he said. […]
Sloppy data management can mean that even small breaches have disproportionately large impacts on a company. In an example from earlier this year, a nonprofit health-care provider was fined $50,000 by the Department of Health & Human Services for losing a laptop carrying unencrypted data from 441 patients. […]
What data are lost also affects what notifications a company needs to make and, by extension, its legal risk. Larger data losses, for example, may require different notifications across multiple states with different laws, while the types of data breached will also affect the action the company has to take. For instance, loss of names without email addresses may require a different level of notification than if names and email addresses are lost together.
Radke foresees a time when breached companies will be sued for keeping too much data, with the allegation that poor data management led to more data being lost or compromised than would have been the case had the company adhered to stricter policies.