The Danger of Retaining Data

A March 25 front-page article in the Minneapolis / St. Paul Business Journal revealed that sensitive records from a long-defunct tech company, including employee Social Security Numbers, payroll information, and medical records, were inadvertently auctioned off along with the filing cabinets they were stored in. In this instance, the story ends happily: the founder and former CEO of the company was able to buy the records back from the buyer and secure them. However, it is not hard to see how this could have turned out far worse.

So what should have been done? In this case, the CEO had been advised by his lawyers to retain certain files, and so he simply held on to all of them. In all likelihood he did not know exactly which records needed to be kept, so he kept everything. While that may have seemed like a safe choice at the time, failing to destroy everything but the key documents came back to bite the CEO a full decade after the company shut its doors. Because the data was outside the CEO's control for a number of weeks, certain state breach-notification laws require him to notify the affected individuals that the security of their personal data has been compromised.

It may seem unnecessary on the surface, especially in this age of ever-cheaper digital storage, but a sound data classification, retention, and destruction policy is of paramount importance to every organization. Your organization hopefully will not go out of business any time soon, but such a policy also helps secure sensitive information during the course of regular business operations. The cost of a data breach keeps rising, both in reputation and in dollars, and no organization profits from losing sensitive personal data about its customers or employees. By properly classifying your sensitive data, you can apply controls more appropriately and efficiently, since the strongest (and most expensive) controls go where the most sensitive data lives. And always remember the rule of thumb for storing sensitive data: if you no longer need it, get rid of it. Data you have securely destroyed cannot be breached.
