March 26th, 2005 by Chandler Howell

The academic computer break-ins continue apace, this time at Northwestern University’s Kellogg School of Management right here in Chicago.

Northwestern University said Friday that hackers attacked the computer systems of the Kellogg School of Management, one of the nation’s pre-eminent graduate business schools, and may have gained access to personal information of more than 21,000 students, faculty and alumni.

At Kellogg, there’s no indication that personal data–names, addresses and Social Security numbers–were stolen, but an internal investigation continues, Northwestern spokesman Charles Loebbaka said.

I have to give these attackers credit. If I wanted to get some top-notch identities, Kellogg would definitely be a good place to find them. If I were responsible for a database of Personal Identity Information (PII) these days, I’d be thinking long and hard about how much of that data I really needed.

Now, even though Kellogg doesn’t know whether the attackers got the Crown Jewels–SSNs, etc.–or not, they have to take the drubbing in the press as if the attackers got away with everything. Just having PII on servers is becoming increasingly risky. Maybe it’s time to reconsider the risks of keeping the stuff around.

This is one of the nasty facts about data–once people get it, they never seem to get rid of it. It doesn’t take up any space, really–a few hundred megabytes on a 250GB hard drive isn’t worth the effort to find and remove. Traditionally, document retention laws have largely mandated the minimum amount of time that information must be stored. People get in trouble for destroying data–look at Enron. The “cut off their air supply” email from the Microsoft Anti-Trust case is a notable exception and has driven a dramatic change in email (but not other data) retention policies in the past couple of years.

So how are the Risk Assessment variables in play at the moment? First, people’s estimation of the odds of an Incident occurring seems to be going way up. While major incidents like ChoicePoint have been getting lots of press here of late, major PII incidents leading to Identity Theft Fraud By Impersonation have been a problem for years.

Next, the expected Average Incident Response Cost is rising, starting with California SB1386 (the now-mainstream-famous incident disclosure law). If an Incident requires personal notification, that’s going to get expensive in a hurry. Incident Response costs are already high–servers have to be taken down and rebuilt, hitting the business with downtime. There may be Sarbanes-Oxley issues depending on the system involved (e.g. a payroll server) and the incident’s timing. Tack on some Crisis Communications (several thousand dollars if you want it done right) and the cost of stuffing and sending a few thousand first class letters, and pretty soon you’re talking serious amounts of Green Money (as opposed to Cost Center/Monopoly Money).

These costs are already the law if the incident involves Californians. Now, it looks like Federal Legislation is right around the corner, too. I don’t know if customers are voting with their feet yet when they believe that a company is not handling their data responsibly, but I think that it will happen sooner rather than later, adding Reputational Damage to the cost of an incident.

Right now, people should be asking, “Do we have data we don’t need?” If PII can be purged entirely, then the smart move is to do so. If there is no data to lose, then the risk of an incident goes to zero.

If the data can’t be purged, then it’s probably time to take a fresh look at options for protecting that data. Can the data be converted into a translucent database or otherwise encrypted? Is access to the information being adequately managed? The ChoicePoint Incident was a breakdown of the access management function, not the Network Security function.
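As an added illustration of the translucent-database idea mentioned above (example code written for this post, not the author’s or any vendor’s): the table stores only a keyed one-way token of each SSN, so a copied table yields no numbers, while the application can still look a record up when someone presents their SSN. Names, class years, the `TranslucentDirectory` class and the sample rows are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Added example: a "translucent" alumni directory. The table keeps a keyed
# one-way token for each SSN instead of the SSN itself, so a copied table
# yields no numbers, yet a caller who knows an SSN can still find its record.


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed one-way transform of a 9-digit SSN.

    Only 10**9 SSNs exist, so an unkeyed hash could be inverted by simply
    enumerating them. The HMAC key lives outside the database (app-server
    config or an HSM) and is what makes a stored token useless on its own.
    """
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


class TranslucentDirectory:
    """Rows hold non-sensitive fields keyed by SSN token; the SSN is never stored."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._rows: Dict[str, dict] = {}

    def add(self, ssn: str, name: str, class_year: int) -> str:
        token = ssn_token(ssn, self._key)
        self._rows[token] = {"name": name, "class_year": class_year}
        return token

    def lookup(self, ssn: str) -> Optional[dict]:
        """Find a record by SSN; an unknown SSN or the wrong key yields None."""
        return self._rows.get(ssn_token(ssn, self._key))

    def dump(self) -> List[str]:
        """What someone who copied the table would see: tokens only."""
        return sorted(self._rows)


def build_sample(key: bytes) -> TranslucentDirectory:
    """Constructed sample rows (not real people)."""
    d = TranslucentDirectory(key)
    d.add("123-45-6789", "A. Alum", 1998)
    d.add("987-65-4321", "B. Grad", 2003)
    return d
```

This only protects the SSN column; the remaining fields are still PII and still need the access-management review the paragraph calls for, and the HMAC key needs the same care as any encryption key.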

Finally, if there isn’t an Incident Response Plan specifically addressing a PII Incident, then one needs to be created–and that’s not free either. One of the main reasons that ChoicePoint, a company that most people had never heard of two months ago, has become a household name is how badly they mismanaged their response to this incident. While the Incident Response Plan shouldn’t have to contain reminders like, “Don’t lie to the press, not even once,” it should spell out how specific legislative and crisis communications issues will be handled. Now that PII Incidents have become a Mainstream Media item, they need to be dealt with appropriately lest the share price, customer base, or future deals take a pounding.

The costs relating to keeping Personal Data are rising fast. People have traditionally considered the cost of keeping data as limited to disks and servers. Keep that in mind when evaluating whether or not you really need to hold onto that Personal Identifying Information next time.

- Posted in Security and Risk Management, Risk Management, Privacy

Kellogg can try, but on this one they fell a bit short. At Berkeley, they really know how to get things done.

http://www.berkeley.edu/news/media/releases/2005/03/28_security.shtml

Executive summary: 3 decades’ worth of IDs saved on a laptop by the grad division, including SSNs in many cases. Laptop left on desk. Laptop stolen.

- March 29th, 2005 at 1:43 pm