Data Hoarder Intervention

Ted DeZabala


March 1, 2010

If your company is like most, you have a data problem. Your digital file cabinets are overflowing with customer records, employee files, financial info, trade secrets, emails, regulatory paperwork, account numbers, passwords, health information, and probably a whole lot more. And it is stored everywhere from servers, laptops and mobile phones to spreadsheets, databases and websites.

You may not know exactly what you have or where it is, but one thing is certain: you spend huge sums compiling, updating, storing, backing up and protecting this data. In my experience, however, up to half the information that companies collect and maintain is neither needed nor used. And while you pay dearly to care for that unnecessary data from cradle to grave, that is not the half of it. It also carries immense potential legal liability costs. Hundreds of companies have hurt their bottom lines and sullied their reputations over the loss of data that they never had much use for in the first place.

Of course, much of the data that your company possesses does have value. The problem is that many companies cannot tell the difference between the good and the bad. And because so much data has accumulated so quickly and quietly, now is the time to clean house. It is time for a data intervention. The problem has become too unwieldy and too dangerous to ignore any longer.

Here are a few steps to consider:

Link Policies with Operations

Many companies have policies around privacy and security, but far fewer test or enforce them. If a policy or process is unworkable or ignored, it should be revised or discarded. Ground your policies and processes in the real world.

Don't Dump It All on IT

In a recent Deloitte survey of Fortune 1000 executives, 90% stated that data security and privacy is primarily an IT problem. But most data breaches involve more than IT and include human resources, corporate governance and risk management. Saddling IT with sole responsibility is not the solution.

Inventory Your Data

You cannot effectively manage the problem until you know its scope. You need a window on what you collect, where you keep it, who has access to it and why you need it. And make sure your inventory project includes any outsourced service organizations you engage.

Balance Your View

Data can simultaneously be the most overexposed liability and underexploited asset in the entire enterprise. The risk is not just that data will get into the wrong hands, but also that you will not extract the full value from the data assets that you possess.

Untangle the Regulatory Knot

If your company operates globally, you already know that the patchwork of regulatory requirements around data security can be maddeningly complex. Look at common requirements and then develop programs to take advantage of the similarities.

Get Destructive

The best way to prevent data from falling into the wrong hands is to never collect it in the first place. The second best way is to destroy, rather than store, the data once it is no longer of use to you. Just remember to consult corporate counsel before you start filling the virtual trash bins; some legal requirements may apply. (Remember, too, that the computer's delete key does not permanently delete files. Make sure you employ secure destruction techniques.)

Solve the People Puzzle

Many security breaches are perpetrated by insiders with nefarious intentions. But a large number can be more benignly attributed to fatigue, carelessness or inattentiveness. Combat this problem by adding security topics to training and establishing a corporate culture that makes data security and privacy everyone's business.

Ted DeZabala leads the security and privacy practice of Deloitte & Touche LLP.