While organisations rightly focus on the security of their corporate data, there is also an issue around at what stage it’s preferable to delete any given item of data. And, if they delete it, what about “zombie” copies that may have been pasted into productivity software on company laptops and file shares? Christopher Surdak spotlights the issues.
In October 2022, a series of regulatory and legal decisions came to light which seemed to signal a substantial change in how privacy and cybersecurity risks were going to be dealt with in the United States. The Federal Trade Commission (FTC), the primary US agency protecting consumers and fair trade, has recently embraced an aggressive stance towards the protection of consumer privacy. This strong stance has been long anticipated by many in the corporate governance arena, and has also been long overdue. But, while trying to turn the RMS Titanic with a soup spoon may take a while, once the turn begins, it continues to grow and is very difficult to reverse.
On 24 October 2022, the FTC announced that it was taking action against online alcohol marketplace Drizly for failure to properly protect the personal data of 2.5 million of its customers. For Europeans familiar with the European Union’s General Data Protection Regulation (GDPR), such regulatory action has become somewhat normalised, if not pedestrian. What is substantially different in the FTC’s latest action is that now they are getting personal. In an unprecedented move, this action against Drizly included specific orders attached to the company’s CEO, James Rellas.
For the next decade of his career, Rellas must personally ensure that ANY company in which he holds an executive role and which has over 25,000 customers implement:
- an information security programme (ISP)
- guarantees of executive involvement in the ISP
- an information security team
- annual security assessments
- regular security testing and audits
- vendor oversight
- annual updates to the ISP
In effect, Rellas now carries with him a cyber-scarlet-letter. For the next decade of his career, any future organisation that hires Rellas must adopt these conditions, potentially adding tens of millions of euros to the cost of engaging him, and the risks associated with increased oversight.
One week later, on 31 October 2022, the FTC announced similar findings and penalties against Chegg, Inc., an online education company, who suffered a similar data breach involving information on over 40 million customers. The language used in this complaint strongly mirrored that from the Drizly complaint, indicating that the personal sanctions against Rellas may be a new normal, rather than an exception.
Of particular note in the FTC’s new regulatory mindset is their expectation that “companies destroy unnecessary data, (and) restricts the data that the company can collect and retain”. This language is the exact opposite of the guidance given by the US federal government, and represents a dramatic change to how companies will be expected to govern themselves for the foreseeable future.
To Keep or Not to Keep? That Is the Question!
In Shakespeare’s play “Hamlet”, the protagonist agonises over whether “to be, or not to be”. Hamlet wonders if struggling with the troubles of his current life may be better or worse than dealing with the troubles that might come to him in death, or “the undiscovered country”. Twenty years ago, American courts struggled with a similar question: is it better to keep all records so that they might be discoverable, or is it better to keep only those business records that are “living”, or of a useful activity and age?
Historically, organisations have followed a “keep everything, forever” approach to managing their data. This erring on the side of caution is not accidental. However, as recently as late 2022, the balance of the risk-reward equation of data retention has taken a dramatic swing towards “delete as much as you can”, forcing business executives to change their companies’ policies and procedures, lest they suffer significant personal loss. This radical change in data governance will lead executives into their own “undiscovered country”, where the previous false sense of security in keeping everything forever must be replaced with a far more complicated approach of balancing data risks and rewards.
How Three Letters Change the World
From 2013 to 2015, I was an active member of The Sedona Conference, a non-profit organisation of legal, business, technology, and regulatory professionals working on advancing the law as it pertains to society. Collectively, we worked to implement a range of changes to the United States government’s Federal Rules of Civil Procedure (FRCP), which are the rules that govern the federal courts in America.
Our team was tasked with making recommendations for changes to the FRCP, specifically the rules that dictate how organisations were required to retain electronic records for use in litigation. These rules, last modified in 2006, stated that if an organisation deleted historic data either wilfully OR maliciously, they could and would be penalised by the court. This change, made with the intent of protecting evidence (or preventing “spoliation”) effectively led to the “keep everything, forever” policies that most organisations continue to follow to this day.
Despite the good intentions of this change, it quickly became obvious that, as data volumes exploded between 2006 and 2015, this “keep everything” approach was not only unsustainable, it was self-defeating. Not only did this rule create impossibly large data archives that grew ever more unsustainable; those archives also represented enormous treasure troves for hackers and cyber-criminals to pursue.
Our Sedona Conference team suggested that the word “or” in that regulation be changed to “and”. This one change would fundamentally change how organisations could and should manage their information. If a company created and properly followed a reasonable policy of data deletion, they would no longer be held liable for inappropriate destruction of data. Whereas the word “or” made such deletion a violation of law, the word “and” meant that having and following a deletion protocol was legally protected.
A Global Trend of Delete to Defend
While the FRCP is specific to America, most of its underlying principles hold in most jurisdictions around the world. Europe’s GDPR, in force since May 2018, forced organisations collecting data on European residents to accurately track what data they had, on whom, where it was being held, who was using it, and for what purpose. More tellingly, GDPR also gave Europeans the “right of erasure”. Upon request by any person, these organisations had to delete all data that they maintained on the requester and be able to certify that all such data had been eliminated. Non-compliance brought steep penalties, up to and including fines equal to four per cent of the organisation’s total global revenues the previous year, per occurrence.
Between July 2018 and November 2022, there were over 1,300 reported GDPR violations, with a total of over €2.1 billion in fines collected. It is important to note that both the occurrence of fines and the value of each fine have been rising steadily since 2018, indicating an ever-increasing risk to any organisation that does not effectively govern its information assets. And perhaps the most important element of such a governance plan is the effective deletion of out-of-date information.
According to the Oxford Dictionary, the word “feral” is defined as: in a wild state, especially after escape from captivity or domestication.
“Feral” is also an excellent description of the vast majority of information being held within organisations today.
While many organisations maintain highly secure, rigorously managed information systems, such as enterprise resource planning (ERP) or customer relationship management (CRM) systems, still more information is kept outside of these controlled systems. Indeed, an entire industry known as “intelligent automation” has been created to facilitate the movement of information into and out of such controlled environments.
What many in the intelligent-automation industry don’t recognise is that by creating automation services that more readily move information in and out of these controlled environments, organisations are facilitating and even automating organisational policy violations. These are violations of the sort that regulations such as GDPR exist to prevent and occasionally punish.
Microsoft Office: The Undiscovered Country
Throughout my career, I have been a user of Microsoft’s Office productivity tools: Word, PowerPoint, Outlook, and Excel. While the word “productivity” may be arguable, it remains true in the 2020s that the vast majority of the world’s economic activity lives in Microsoft Office. This has certainly been a mixed blessing, as the present world of apps, smartphones, and social media operates very differently from the world that first spawned Microsoft Office – a 1990s world of client-server, flip phones, and email.
Vast amounts of corporate data are copy-pasted out of corporate systems and into Microsoft Office files. This is indeed the sort of thing that most intelligent-automation systems are designed to do. Most of this data is ungoverned, if not ungovernable, and represents an enormous risk to organisations that do not keep track of such data. Even if a company has and maintains a data deletion policy, rarely do those policies and processes deal with these feral files, spread hither and yon across an organisation’s laptops and file shares. These undiscovered files, often referred to as “dead data”, are typically only found in response to something bad happening, such as a lawsuit or regulatory action. When enforcement occurs, that dead data can come back to life, like a digital zombie apocalypse. And now that regulators are starting to apply penalties directly to individual business leaders, the stakes have never been higher.
All regulatory trends are pointing to the same conclusion: organisations must adopt the principle of defensible deletion of data. Here, all data is tracked throughout its lifecycle and, once the required retention period has been reached, it is deleted in an automated fashion, according to policy. This notion has existed for two decades and has been technically feasible over this time frame. Despite this, few organisations have enacted defensible delete, either because they were unwilling to do so, or weren’t motivated to do so. Now that regulatory penalties are getting personal, expect to see a substantially greater interest in such governance tools and techniques, whereby dead data will be eliminated forever, pushing it into an undiscoverable country, rather than policy purgatory, where it will be a liability rather than an asset.
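The lifecycle described above, as an added illustration that is not a tool from the article or its author: a small Python policy engine that evaluates an inventory of files against a hypothetical retention schedule, honours legal holds, leaves unclassified data alone rather than guessing, and records every decision in an audit log, which is what makes a deletion defensible rather than merely convenient. The file paths, categories and retention periods are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: record category -> retention period in days.
RETENTION_DAYS = {"contract": 7 * 365, "marketing": 365, "scratch": 90}

@dataclass
class FileRecord:
    path: str
    category: str
    last_modified: date
    legal_hold: bool = False  # a hold suspends the schedule; never auto-delete

def disposition(rec, today):
    """Return (action, reason); action is 'retain', 'delete' or 'hold'."""
    if rec.legal_hold:
        return "hold", "legal hold in place; schedule suspended"
    days = RETENTION_DAYS.get(rec.category)
    if days is None:  # unclassified data is kept until someone classifies it
        return "retain", f"no schedule for category {rec.category!r}"
    expiry = rec.last_modified + timedelta(days=days)
    if today >= expiry:
        return "delete", f"{days}-day retention expired {expiry.isoformat()}"
    return "retain", f"retention expires {expiry.isoformat()}"

def plan_deletions(records, today, policy_version="retention-v1"):
    """Evaluate every record and return an audit log, one entry per file.
    The log shows each action followed a written schedule, not an ad hoc choice."""
    log = []
    for rec in records:
        action, reason = disposition(rec, today)
        log.append({"path": rec.path, "category": rec.category, "action": action,
                    "reason": reason, "policy": policy_version,
                    "evaluated": today.isoformat()})
    return log

# Constructed inventory of "feral" Office files on a file share (made-up paths).
SAMPLE = [
    FileRecord("//share/finance/Q1_forecast.xlsx", "scratch", date(2022, 6, 1)),
    FileRecord("//share/sales/customer_export.xlsx", "marketing", date(2021, 5, 1)),
    FileRecord("//share/legal/MSA_draft.docx", "contract", date(2021, 5, 1)),
    FileRecord("//share/legal/vendor_dispute.docx", "scratch", date(2020, 1, 1), legal_hold=True),
    FileRecord("//share/hr/notes.docx", "unknown", date(2015, 1, 1)),
]

def run_sample():
    return plan_deletions(SAMPLE, date(2022, 11, 1))  # evaluate as of 1 Nov 2022

if __name__ == "__main__":
    for e in run_sample():
        print(f"{e['action']:7} {e['path']}  ({e['reason']})")
```

Wire the "delete" entries to the actual removal step only after the log has been written somewhere the deleting account cannot alter.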
Note: This is a topic which I have studied, contributed to, and written about for well over a decade, with varying degrees of accuracy and efficacy. My record here stands on its own merits, with fans and detractors often in equal measure.
About the Author
Christopher Surdak is an award-winning, internationally recognised author and an expert in leading technologies such as blockchain, artificial intelligence, cloud computing, cybersecurity, and social media. He has guided organisations around the world in their digital transformation journeys, and as a Juris Doctor has contributed to regulatory and legislative efforts to keep up with our changing society.