Cyber Security Nordic: Have data? Use it, delete it

Data hoarded without any immediate use also could turn toxic for organisations, warn cyber-security experts

Toxic data, in industry parlance, usually means information obtained from users without their consent, which carries the risk of penalties under data protection regulations. However, data hoarded without any immediate use could also turn toxic for organisations, warn cyber-security experts.

The simple process of hoarding makes any data "radioactive", said Diana Kelley, cyber-security field CTO for Microsoft.

"The longer you keep it around, it could potentially be a risk to you," she said, speaking at Cyber Security Nordic in Helsinki, Finland. 

She rebuffed the thought that data is valuable and must be maintained, arguing that at least some of the stash can be deleted without review. She cited the experience at one of her previous employers, where they retained the information mandated by regulators and deleted random business information and email every 90 days.

"They deleted it because they saw the information in those emails as potentially riskier to the organisation," she said.

Regulation helps in addressing the issue of data hoarding and data toxicity, said Rick Ferguson, cyber-security expert and Trend Micro’s security research vice-president. 

"GDPR has set global regulations and expectations around how long can you retain data and how to erase data securely, legally," he told SC Media UK.

"If you just keep collecting data and never clean it, never get rid of it, you end up with a toxic liability within your systems that is simply waiting to be a disaster," he said.

Calls for restricting the flow of data and for hoarding it geographically have been rising these days.

Indian billionaire and Reliance Industries chairman Mukesh Ambani has been lobbying for restrictions on cross-border user data movements for some time. He owns telecommunications services company Reliance Jio Infocomm Limited, whose customer base has burgeoned to 339.74 million since its launch in September 2016.

Facebook vice-president Nick Clegg countered Ambani’s demand during his visit to India in September. Countries like India should allow the free flow of data instead of attempting to hoard it as a finite commodity within national boundaries, he said then.

Data compliance is fast becoming a challenge for even the biggest of organisations. A recent survey among marketers saw 71 percent of them agreeing that a lack of compliance could be detrimental to their companies’ ability to conduct cross-border business.

Publishers experience an additional degree of complexity due to the quantity of subscriber data that they hold.

The best thing an organisation can do is to make sure that the data is aged out effectively, and collect only the data it needs, Ferguson explained. 

"Use it for the purposes that you have stated. And you get rid of it as soon as you're finished with it."

It's very tempting to hoard data for as long as possible, but GDPR has made it tough to retain information about European citizens. "And it's certainly not wise," Ferguson added.

"Don't keep data that you don't have to after its shelf life. It costs you money. And if it gets uncovered by an adversary, it could potentially be a risk to the organisation overall," said Kelley.
