October 19, 2022

 Megan Silverman

data hygiene cyber security compliance legal liability

Nowadays, climate change and cyberattacks rank among the most urgent concerns of many. They may seem unrelated — yet one approach can address both of them: going on a “data diet.”

The idea of a diet to help the planet is nothing new. With the growing awareness of the carbon footprint of various foods, people are increasingly choosing what to eat as a way to reduce the carbon they generate – yay for Meatless Mondays, home gardens, and more plant-based menu items! With physical waste, it is even easier to grasp the impact of our choices – every time we take out the trash or recyclable materials, we see our contribution to landfills and recycling centres.[1]

It is much more difficult to perceive the tremendous environmental impact of our digital activity. However, cyberspace has a physical existence—one that is not green. Whenever we send or receive an email, post on LinkedIn, or save a copy of a document, we create pollution. The digital cloud requires vast data centres in giant buildings packed floor to ceiling with computers that consume massive amounts of energy—and generate tons of carbon emissions.

Our approach to digital material makes things substantially worse. Because storing data costs little and is much easier than going through files, photos, emails, and everything else to decide what to delete, we keep vast quantities of digital material we do not need and will never use again. According to Gerry McGovern in his book World Wide Waste, up to 90% of digital data is not used. Tech Target estimates that three months after storage, nearly 90% of data is never accessed again. And the Active Archive Alliance found that in 2018 80% of all stored digital material was never accessed, let alone used.

The environmental costs are tremendous. In his analysis of digital waste, McGovern calculates how many newly-planted trees are necessary to offset a particular unnecessary digital activity. Counteracting the pollution generated by spam email would require planting 1.6 billion trees – a feat that, planting a tree every second of every day, would take 50 years to complete!

There is another high and oft-ignored price to holding on to unnecessary digital material: legal liability. Any data you retain, especially potentially sensitive data, incurs legal risk. Lowering that risk requires reducing the data you have as much as possible.

When it comes to data, the mindset of “more is better” is exactly wrong. In reality, more is worse. The more data you hold on to, the greater the risk. More data means more information for cyber attackers to exploit. The more digital material you retain, the more likely it includes sensitive data – i.e., information that malicious actors can monetise, whose unauthorised release is forbidden under data protection laws and regulations, or whose use is restricted by non-disclosure agreements and other contracts.

Possessing sensitive digital material exposes you to potentially severe legal (and, almost always, business) consequences. Meanwhile, the number and frequency of cyberattacks and data breaches continue to skyrocket – up 15% last year compared to the previous one – as does their cost. Earlier this year, UpGuard estimated that the average cost of a data breach is $4.35 million due to the expense of detection efforts, post-breach response, notification of impacted parties, and lost business.

The figure does not include the damages from legal liability. That makes it even more critical to reduce the risk of cyberattack liability. A crucial part of doing so is reducing the amount of your digital material by going on a “data diet.”

Here are five tips for getting started:

Implement 30-day automatic deletion of unused customer data. Inform customers in advance that their data will not be stored for more than 30-days when not in use and that their data will need to be re-shared if required after the 30-day timeline.

Have your IT and InfoSec teams regularly meet with each department. Using an initial cadence of once a month, have appropriate individuals from IT and InfoSec meet with each department to take stock of their data, where it is stored, and what could be deleted. InfoSec should note any types of sensitive data stored by each department and educate the department on proper storage techniques for sensitive data (e.g., implementing password protection and encryption). It is also crucial to determine if sensitive data should be collected or stored in the first place. Once IT and InfoSec feel confident that a department is storing and deleting their data properly, meetings can become less frequent.

For sensitive customer data, think “cold and local.” If you must store sensitive data due to customer requirements, use password-protected “cold storage” on a hard drive instead of in the cloud. Not only is storing in the cloud much riskier from a cyber threat perspective, but it is also 200 times more energy intensive than storing on a hard drive.

Promote data hygiene throughout your organisation. Encourage employees at all levels to limit their data storage to only what is necessary. If an employee is storing customer data because they want to reuse the work product or formatting, advise them to create a generic template instead and delete any copies with customer information.

“When in doubt, throw it out” – with one crucial caveat. Do not continue to store old organisational data “just in case” or “because that is how it has always been done.” In addition to the cyberattack liability risk and the environmental impact, remember that if unnecessary material you retain becomes relevant to subsequent litigation, it will drastically increase the cost and scope of your organisation’s eDiscovery activity and document review. Always abide by legal hold requirements where litigation is reasonably anticipated. However, when legal holds are not in place, it is legally defensible to automatically destroy data and documents at the end of their information lifecycle. Note that legal holds are an exception to normal document retention/destruction policies.

A “data diet” pays double dividends: it can help an organisation reduce its liability risks due to a cyberattack while lessening the environmental impact of the organisation’s operations. Always remember that storing data has real and substantial physical, ecological, and financial costs. To lower that cost, stop storing digital material for longer than you need, especially sensitive data that exposes you to heightened risk in a cyberattack. Be certain to implement processes for everyone that keep unused or old data to a minimum to minimise the physical and financial cost of storing data and benefit the environment and your organisation’s bottom line.

Questions? Please contact Megan Silverman, Megan.Silverman@elevate.law, for your incident response, eDiscovery, and managed review needs.

[1] Do not get too impressed by recyclable product marketing, as studies show that the US is recycling just 5% of its place waste. See, https://www.theguardian.com/us-news/2022/may/04/us-recycling-plastic-waste.