Confidential data: Delete it or eat it, say security experts
Hoarding sensitive information is easy and inexpensive, but as the collected information grows, so do the risks
Wisniewski said every enterprise will have different priorities. "It depends on what you consider valuable. From my perspective, I say keep nothing. But if you're going to keep stuff -- information on customers and marketing that include some [Personally Identifiable Information] and if you can't sort between what is sensitive and what's not, at least protect all of it with encryption."
Kevin McAleavey, cofounder and chief architect of the KNOS Project, said it should take only moderate effort to program a database to purge data that is no longer needed, and it is well worth it.
"All it takes to ruin any company's reputation is one single breach," he said. "The cost of such an incident far exceeds the cost of properly husbanding sensitive data, but sadly too many operations only realize those cost justifications after it's too late."
McAleavey said that when he and his wife started their business, "We designed technical diagnostics in the product so that absolutely zero PII is gathered, only technical data." And even that data "should be archived and moved offline as quickly as is possible."
Wisniewski says every enterprise, in both the public and private sector, should set up a system of classifying data. "Companies used to think they were inside a wall. Now with mobile, there isn't an inside and outside," he says. "Data is being accessed all over the globe by your own people and by the bad guys. So we are seeing some of them classify the data better. Almost like the military. Class A is always encrypted, so if it ends up on a data stick that gets lost or stolen, it's still protected."
Still, he says, "We keep seeing breaches, because things like this just aren't on their [company CEOs'] radar." He recalls the Sony breach from three years ago, in which the company forgot about a server with credit card data, and the much more recent breach of medical records at the Utah Department of Health, where data was not being erased daily, as its own security protocols required.
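The two practices the article describes, a database that purges data once it is no longer needed (McAleavey) and retention tied to a data classification scheme (Wisniewski, and the Utah case where daily erasure was required but not done), can be combined into one scheduled job. The following is an added illustration written for this page, not code from the article, the KNOS Project or any of the people quoted. The class labels, retention periods, table layout and sample rows are all hypothetical, and the point it makes beyond the text is that the job should also report rows carrying a class it has no policy for, since unclassified data is exactly what ends up forgotten on a server.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical retention policy: data class -> days to keep.
# Anything older than its class's window is purged on every run.
RETENTION_DAYS = {
    "PII": 1,          # identifiers erased daily, as the Utah protocol required
    "DIAGNOSTIC": 90,  # technical-only data, no PII
}

# Fixed "now" so the sample run below is reproducible (constructed value).
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE records (
    id         INTEGER PRIMARY KEY,
    data_class TEXT NOT NULL,
    created_at TEXT NOT NULL,   -- ISO 8601, UTC, so string comparison orders by time
    payload    TEXT NOT NULL
);
CREATE TABLE purge_log (
    run_at     TEXT NOT NULL,
    data_class TEXT NOT NULL,
    deleted    INTEGER NOT NULL
);
"""


def open_db():
    """In-memory SQLite database with the hypothetical schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed(conn, now):
    """Insert constructed sample rows: some inside their retention window, some past it,
    and one row whose class has no retention policy at all."""
    rows = [
        ("PII", now - timedelta(hours=2), "email=alice@example.com"),
        ("PII", now - timedelta(days=3), "email=bob@example.com"),
        ("DIAGNOSTIC", now - timedelta(days=10), "crash_sig=0xd00d"),
        ("DIAGNOSTIC", now - timedelta(days=120), "crash_sig=0xf00d"),
        ("UNCLASSIFIED", now - timedelta(days=400), "export.csv"),
    ]
    conn.executemany(
        "INSERT INTO records (data_class, created_at, payload) VALUES (?, ?, ?)",
        [(c, t.isoformat(), p) for c, t, p in rows],
    )
    conn.commit()


def purge_expired(conn, now, dry_run=False):
    """Delete rows older than their class's retention window.
    Returns {data_class: rows_affected}; with dry_run=True nothing is deleted,
    so the job can be reviewed before it is scheduled."""
    result = {}
    for data_class, days in RETENTION_DAYS.items():
        cutoff = (now - timedelta(days=days)).isoformat()
        n = conn.execute(
            "SELECT COUNT(*) FROM records WHERE data_class = ? AND created_at < ?",
            (data_class, cutoff),
        ).fetchone()[0]
        if n and not dry_run:
            conn.execute(
                "DELETE FROM records WHERE data_class = ? AND created_at < ?",
                (data_class, cutoff),
            )
            # Audit trail: proves the purge ran, which is what the Utah protocol lacked.
            conn.execute(
                "INSERT INTO purge_log VALUES (?, ?, ?)", (now.isoformat(), data_class, n)
            )
        result[data_class] = n
    conn.commit()
    return result


def unclassified(conn):
    """Rows whose class has no retention policy. These are never silently kept:
    they are surfaced so someone classifies them or deletes them."""
    known = list(RETENTION_DAYS)
    placeholders = ",".join("?" * len(known))
    return conn.execute(
        f"SELECT data_class, COUNT(*) FROM records "
        f"WHERE data_class NOT IN ({placeholders}) GROUP BY data_class",
        known,
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    seed(db, SAMPLE_NOW)
    print("would purge:", purge_expired(db, SAMPLE_NOW, dry_run=True))
    print("purged:", purge_expired(db, SAMPLE_NOW))
    print("needs classification:", unclassified(db))
```

Run as a daily job, the dry-run result and the `purge_log` table together give an auditor the two things the quoted experts ask for: evidence that sensitive data is actually being erased on schedule, and a list of data nobody has classified yet.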
He suggests that companies too small to have a skilled security team should "outsource to a company that knows how to do it. If you are not prepared to invest in taking these steps, you shouldn't collect the data to begin with."
Other stories by Taylor Armerding