Hoarding Data Wastes MoneyBy Anne Kershaw | Posted 2012-04-16 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Eighty percent of ostensibly “active” files and folders have not been accessed for three to five years, resulting in unnecessary IT expenditures. Yet, most of the costs associated with unnecessary data hoarding are hidden.
By Anne Kershaw
Virtually everyone is hoarding data they no longer need, and it’s costing employers significant sums of money and draining scarce resources to maintain and expand electronic data storage. Yet, when hard drives and file shares are analyzed, we find that 80 percent of these ostensibly “active” files and folders have not been accessed for three to five years. This results in unnecessary IT expenditures for infrastructure, disaster recovery, and data migration as old servers and systems are retired.
Some organizations also have tens of thousands of backup tapes in storage, all of which are essentially useless, yet they are generating storage fees and excess costs if included in discovery for litigation.
Most of the costs associated with unnecessary data hoarding are hidden, out of sight and out of mind. One example of such hidden costs is lost productivity when employees have to wade through unused and unwanted information to find what they need. Another example occurs when employees forgo the potential informational value of content management systems because there is too much clutter to wade through.
While specific operational costs are appreciable, the most visible costs can be legal expenses. Even if a company had not been obligated to keep unused data, if it still has that data when a legal matter arises and a legal hold is issued, there is an obligation to preserve and produce relevant or potentially relevant information during discovery in that litigation. In essence, the legal hold trumps the company’s right to dispose of information not needed for specific operational or regulatory requirements.
This can be extraordinarily expensive: The discovery process often involves having rooms full of attorneys examining records to determine their responsiveness to discovery requests or subpoenas and whether the records are confidential or privileged. Billing rates for all this work range from $60 per hour for contract attorneys to between $300 and $400 per hour for associates. Such legal review bills are often the largest single expense in litigation and can quickly mount to hundreds of thousands of dollars.
Average costs for collecting, processing and reviewing electronic data for legal matters can exceed $10,000 to $20,000 per gigabyte, depending on a number of factors. If the data had been disposed of when eligible for disposition, before the legal matter arose, none of those costs would have been incurred.
In other words, managers can do more than complain about the hemorrhaging of corporate funds during litigation: They can proactively and appropriately dispose of unnecessarily hoarded data.
Companies are also increasingly feeling the sting of state privacy legislation that requires notification of state officials and implicated state citizens if private information such as Social Security numbers or credit card numbers is breached or disclosed.
Massachusetts is at the forefront of this movement. Belmont Bank in Massachusetts, for example, recently discovered that a backup tape had been left on a table and disposed of by the cleaning crew. It appears the tape had been incinerated and not actually disclosed to third parties, but the bank nonetheless had to pay a $7,500 civil penalty.
Damages in individual incidents involving the actual loss of credit card information have exceeded $100 million, such as in the TJX credit card breach and the Heartland payment systems breach. And the reputational injury to a company can be even more damaging than the direct dollar damages, as few customers, employees or suppliers want to be told their private information has been compromised.
To state the obvious, hackers and thieves can’t take what you don’t have. The best protection against a privacy breach is to dispose of data as soon as it is no longer needed for business purposes or legal matters.