A common data breach is not carried out by hackers and is not targeted at big businesses. It happens when a small to medium-sized business, government agency, or school loses a laptop through theft or carelessness. What is remarkable is the amount of data that these small entities keep. Take a recent claim involving a governmental entity that stored employee data dating back to 1982 on microfilm. The entity sent the microfilm by mail to be imaged so the data could be downloaded. Sure enough, the box with the microfilm fell apart in transit, and the microfilm with 30 years of employee data was either lost or stolen.
What’s the take-home lesson here? Destroying all data is not an option. So sit down with the risk manager and lawyers to (1) find out if any regulations tell your business how long to store data, and (2) think about what data you really need and how many years of data you should retain. Develop a written policy about how long to store data and what format to keep it in. With modern technology, it does not cost as much to store or destroy data as it did when data was kept on paper in boxes in warehouses. Think about what data you need and how long you need it for, because the next time you lose a laptop or a box of microfilm, you may save yourself a lot of exposure by having limited the amount of data you hold.