In February of this year, the University of Maryland learned the hard way that keeping data can be more expensive than we think. When it was breached and 287,000 student records were stolen, the University set aside $5 million to pay for credit monitoring services for each victim. The worst part is that the school only needed 63,000 of those records. Afterwards it was able to purge 78% of what it had, but that didn’t help much: the University was still liable for allowing the data of all those individuals to fall into the wrong hands. So what can other organizations learn from this breach?
First of all, we have to reconsider the way we’ve been solving the data storage problem for the last ten years
For quite a while now, the cost of storing data has been low enough that we no longer had to make tough choices about what to delete. It has been preferable to keep any and all data that might possibly have value someday, and as marketing techniques have grown more sophisticated, more PII (Personally Identifiable Information) than ever before has been accumulated, and still is.
However, when the default decision is to keep data rather than delete it, the company probably isn’t factoring in all the costs of data security. While every IT person knows that cybersecurity is expensive, there aren’t enough conversations happening about the liability cost of losing PII. It’s unlikely that most marketing divisions – the ones primarily responsible for gathering the data – are considering such risk in their decision-making processes. The most probable reason the University of Maryland kept superfluous PII is that either someone decided there was no reason not to keep it or no one made any decision at all. The data accumulated over time, and the risk of holding it was never reassessed.
“It’s time to reconsider data storage and perhaps enforce a little cybersecurity education.” – @cjonsecurity
It’s time to reconsider our stance on data storage, and in the process, perhaps we can force a little cybersecurity education. One solution is to apply “The Three Ps” to every data storage decision a company makes (at least about PII or valuable secrets). The choices are:
- Purge it
- Push it off-line
- Protect it
Purging is the only option that costs nothing, so it should always be considered first. The next best solution is to consider whether the data can be stored off-line. As long as there is no active network or internet access to it, this can be an excellent solution for extremely sensitive information. When data owners insist that it stay online, they should at least acknowledge the risk. And when additional (expensive) security steps need to be taken to protect it, we can even consider charging those costs to the data owners’ budget.
Of course, this tougher approach may be difficult for sales and marketing groups to swallow (typically the groups that most aggressively accumulate PII). In order to educate them as swiftly as possible while provoking a speedy response, IT could send the following notice regarding valuable data that isn’t being actively used:
Data Purge Notice
If action is not taken within 30 days, the IT department will presume the data listed below is no longer necessary, and IT will delete the data. As you know, significant costs are incurred by the company to maintain such data. The costs of both data protection and the potential legal liability of keeping unnecessary data [which may be stolen] require the company to take a proactive approach to reducing costs by deleting all unnecessary data.
Then, depending upon the response, the “push it off-line” option could be offered. Even if the decision is to continue to protect the data in an accessible format, this whole conversation would be a step in the right direction: towards a world where non-IT departments begin taking more responsibility for the risk levels they blithely expose the company to on a daily basis, risk for which IT continues to be held fully responsible.
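The Three Ps and the 30-day purge notice above are a decision procedure, so here is an added example of applying them to a data-store inventory. This is illustrative code written for this post, not a tool the author or the University used; the inventory, owner names, access dates, the 90-day inactivity threshold and the 30-day threshold for "rarely used" are all constructed assumptions, and only the 30-day notice window comes from the post.

```python
"""Triage a PII inventory with the Three Ps (purge, push off-line, protect)
and draft the 30-day purge notice for stores that look unused.
Added example for this post; all stores, dates and thresholds are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

INACTIVE_DAYS = 90   # assumption: untouched for 90+ days -> purge candidate
RARE_DAYS = 30       # assumption: untouched for 30-89 days -> push off-line
NOTICE_DAYS = 30     # the post's 30-day response window for the purge notice


@dataclass
class DataStore:
    name: str
    owner: str
    contains_pii: bool
    last_accessed: date
    owner_insists_online: bool = False  # owner has explicitly accepted the risk


def recommend(store: DataStore, today: date) -> str:
    """Apply the Three Ps to one store. Non-PII data is outside the procedure."""
    if not store.contains_pii:
        return "keep"
    age_days = (today - store.last_accessed).days
    if store.owner_insists_online:
        # Owner keeps it online and accepts the cost: protect (and bill them).
        return "protect"
    if age_days >= INACTIVE_DAYS:
        return "purge"          # cheapest option; send the notice first
    if age_days >= RARE_DAYS:
        return "push-offline"   # still wanted occasionally, no need for network access
    return "protect"            # actively used PII stays online and gets protected


def triage(stores: list[DataStore], today: date) -> dict[str, str]:
    """Map each store name to its Three-Ps recommendation."""
    return {s.name: recommend(s, today) for s in stores}


def purge_notice(stores: list[DataStore], today: date) -> str:
    """Draft the purge notice for every store whose recommendation is 'purge'."""
    deadline = today + timedelta(days=NOTICE_DAYS)
    lines = [
        "Data Purge Notice",
        f"If action is not taken by {deadline.isoformat()}, IT will presume the",
        "data listed below is no longer necessary and will delete it:",
    ]
    for s in stores:
        if recommend(s, today) == "purge":
            idle = (today - s.last_accessed).days
            lines.append(f"  - {s.name} (owner: {s.owner}, idle {idle} days)")
    return "\n".join(lines)


# Constructed inventory; names, owners and dates are made up for illustration.
TODAY = date(2014, 6, 1)
INVENTORY = [
    DataStore("crm-leads", "marketing", True, date(2014, 5, 28)),
    DataStore("alumni-export-2009", "advancement", True, date(2013, 11, 1)),
    DataStore("event-registrations-2013", "events", True, date(2014, 4, 10)),
    DataStore("web-analytics", "marketing", False, date(2014, 5, 30)),
    DataStore("donor-history", "advancement", True, date(2013, 12, 1), True),
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY, TODAY).items():
        print(f"{name:28s} -> {action}")
    print()
    print(purge_notice(INVENTORY, TODAY))
```

The ordering matters: an owner who has explicitly accepted the risk short-circuits to "protect" regardless of age, which is where the post's suggestion of charging protection costs to the owner's budget would attach. Everything else falls through purge, then off-line, then protect, so the cheapest option is always considered first.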
Cynthia James, Global Director of Business Development, CISSP, spoke in April about the University of Maryland breach in her talk “Takeaways from Higher Education Breaches” at the ISOC Conference for University Systems of Georgia in Savannah.