Data Security Begins with Content Minimization: A 3-Step Approach
Only three of the ten worst data breaches of all time happened in 2019, but it was still not a good year for data security. According to CNET, the primary culprit was the “unsecured database.” One significant contributing factor in many of them, however, was that organizations had collected and retained data they did not need, or had kept it far longer than they needed to.
The key consideration here is that you don’t have to worry about data being breached if you don’t have it in the first place. Of course, you have to collect some information in order to do the work of the organization. But most organizations collect far more information than they need and keep it for far too long, which creates a number of challenges in addition to data security issues.
In other words, data security begins with content minimization. Effective content minimization requires addressing it at three different points in the information lifecycle: collection, usage, and disposition.
Step 1: Pre-Collection
Do you need to collect that information in the first place? In the age of big data, the tendency is to collect everything available and worry about monetizing it later through some judicious application of artificial intelligence. But Article 5 of the European Union General Data Protection Regulation (GDPR) states that “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).” Article 25 of the GDPR goes further and requires “data protection by design and by default,” often called Privacy by Design, under which new systems and processes take privacy into account during development rather than after the fact. That certainly includes deciding, before a single field is added to a form or a database schema, what information needs to be collected for a stated purpose and how it will be managed.
Step 2: Operational Usage
How do you minimize the proliferation of information? Most organizations have one or more “digital landfills” filled with copies, drafts, prior versions, documents that have been superseded, etc. This information has no business value because it is redundant, outdated, trivial, or wholly unrelated to the business of the business. The Compliance, Governance, and Oversight Council recently updated its Information Governance Benchmark Report and, while progress has been made, fully 60% of the average organization’s information has no business, legal or regulatory value. In other words, even if the original collection is warranted, copies only serve to exacerbate findability, manageability, and data security concerns.
Once information is collected, the single best way to minimize its proliferation is to capture it in a repository where it can be managed effectively. A repository supports the findability of enterprise information: internal staff can locate what they need on demand rather than saving copies to unauthorized or local locations. Putting information into a modern repository also significantly improves security through access controls and audit trails. Most repositories today also encrypt content at rest, which protects against theft of the underlying storage media or raw database files; it does nothing against a compromised account or an over-privileged integration, so the access controls and audit trails still carry most of the load.
Finally, staff can send links back and forth in support of collaboration rather than downloading and emailing a particular document or version. Those links can require the recipient to authenticate and be authorized before the document opens, and access can be revoked later, whereas an emailed copy can be forwarded anywhere and never recalled. The caveat is that a “link” which embeds a secret token and opens without a login is just as forwardable as an attachment; the benefit comes from the access check behind the link, not from the link itself. Sending links in place of copies should also cut down on the proliferation described above.
Step 3: Post-Collection
The information that you have collected should not be kept forever. In this step, it's important to ask, "How soon can I get rid of this information?"
Recital 39 of the GDPR states that: “the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records (referred to as erasure in the GDPR) or for a periodic review.” But it’s not just because GDPR requires it. In our training, we often note that records management is the art of getting rid of information – once it no longer holds business value to the organization, and with appropriate safeguards. Destruction of information is a legitimate and even necessary part of the information lifecycle. Again, it’s impossible to have a data breach of information that no longer exists - a topic the global law firm Norton Rose Fulbright recently explored.
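As an added example (not code from the original article), the Python sketch below enforces the two ends of the lifecycle described in Steps 1 and 3: at intake it keeps only the fields declared for a given processing purpose, and on a schedule it decides which records are past their retention limit, which are due for the periodic review that Recital 39 offers as the alternative to a fixed deletion date, and which are frozen by a legal hold. The purposes, field names, retention periods and sample records are all hypothetical; a real schedule comes from your records-retention policy and legal counsel.

```python
"""Added example, not code from the original article: a minimal content-minimization
policy covering Step 1 (collect only declared fields) and Step 3 (retention time
limits or periodic review). Purposes, field names, retention periods and sample
records are hypothetical."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Step 1: fields each declared processing purpose may collect. Anything else is
# dropped at intake, so it never reaches storage. (Hypothetical purposes.)
ALLOWED_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"name", "shipping_address", "email"},
    "newsletter": {"email"},
}

# Step 3: retention limit per purpose in days from collection. None means no
# fixed limit, so the record is scheduled for periodic review instead.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "order_fulfilment": 365 * 7,  # hypothetical: mirrors a bookkeeping obligation
    "newsletter": None,
}
REVIEW_INTERVAL_DAYS = 365


@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    data: Dict[str, str]
    legal_hold: bool = False            # a hold suspends automatic deletion
    last_reviewed: Optional[date] = None


def minimize_intake(purpose: str, submitted: Dict[str, str]) -> Tuple[Dict[str, str], Set[str]]:
    """Keep only the fields declared for `purpose`; return (kept, names of dropped fields)."""
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(f"undeclared purpose: {purpose!r}")
    allowed = ALLOWED_FIELDS[purpose]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    dropped = set(submitted) - allowed
    return kept, dropped


def disposition(record: Record, today: date) -> str:
    """Decide what the schedule requires today: 'delete', 'review', 'hold' or 'retain'."""
    if record.legal_hold:
        return "hold"  # checked first: a hold overrides every retention limit
    limit = RETENTION_DAYS.get(record.purpose)
    if limit is not None:
        return "delete" if today >= record.collected + timedelta(days=limit) else "retain"
    last = record.last_reviewed or record.collected
    return "review" if today >= last + timedelta(days=REVIEW_INTERVAL_DAYS) else "retain"


def run_schedule(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by the action due on `today`."""
    actions: Dict[str, List[str]] = {"delete": [], "review": [], "hold": [], "retain": []}
    for r in records:
        actions[disposition(r, today)].append(r.record_id)
    return actions


# Constructed sample records and a fixed "today" so the run is reproducible.
SAMPLE_TODAY = date(2020, 1, 15)
SAMPLE_RECORDS = [
    Record("ord-1", "order_fulfilment", date(2012, 1, 10), {"email": "a@example.com"}),
    Record("ord-2", "order_fulfilment", date(2018, 6, 1), {"email": "b@example.com"}),
    Record("ord-3", "order_fulfilment", date(2011, 3, 1), {"email": "c@example.com"}, legal_hold=True),
    Record("nl-1", "newsletter", date(2018, 5, 1), {"email": "d@example.com"}),
    Record("nl-2", "newsletter", date(2017, 1, 1), {"email": "e@example.com"}, last_reviewed=date(2019, 9, 1)),
]

if __name__ == "__main__":
    kept, dropped = minimize_intake("newsletter", {"email": "x@example.com", "name": "X", "phone": "555-0100"})
    print("stored:", kept, "| refused at intake:", sorted(dropped))
    for action, ids in run_schedule(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{action:>7}: {ids}")
```

The legal-hold check comes before the retention check on purpose: a disposition schedule that does not honour holds destroys evidence, which is the one thing a destruction process must never do. Note also that an undeclared purpose is rejected outright rather than given a default field list; a purpose that nobody has written down is exactly the collection Article 5 is meant to stop.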
Reduce Content, Reduce Risk
In an ideal world, organizations would secure their information such that data breaches were not an issue. However, most information security professionals agree that data breaches are not so much a question of “if,” but “when.” Good information security practices can definitely help, but organizations that minimize how much information they collect and retain will enjoy significantly less exposure and risk.