Data Governance: Practical Considerations for a Reasonable Security Program

By Jon R. Knight and Eric M. Manski, of BakerHostetler

Imagine receiving an email from an unknown actor claiming to have taken approximately 2 terabytes of data from your organization’s network. The threat actor provides a file tree and sample files to substantiate its claim. The file tree appears to consist of your organization’s entire network file share. You quickly scan the file tree and find HR files dating back to … wait for it … 2005. Putting aside flashbacks to the days of flip phones and the iPod nano, your first thought likely is “Why do we still have these files?”

Effective information governance is challenging for organizations of all sizes and all maturities. To quote the 2025 Data Security Incident Response Report (DSIR):

Clients are often shocked to learn that files from 25+ years ago were stored on the File Share or that Jane in Accounting had been exporting and locally saving a monthly payroll report containing all current employees’ and dependents’ names and SSNs for the last several years.

Data retention may increase an organization’s legal and regulatory risk. For example, a data breach of old HR files for an organization of 1,000 employees could result in having to notify approximately 33,000 to 44,000 individuals. How so? Let’s do some math.

Data related to one employee may involve three or four Social Security numbers, when accounting for dependents. This means for a business of 1,000 employees, a data breach involving current HR files could result in notifying approximately 3,000 to 4,000 individuals. But when old data is involved, so are your former employees and their dependents. Let’s say that dating back to 2005, you have 10,000 former employees. This same data breach could result in notifying approximately 33,000 to 44,000 individuals – an elevenfold increase. Not only is your notice population far larger, but it is also far more complicated to manage the messaging to these individuals. In addition to communicating with current employees, you will be communicating with former employees, some of whom were involuntarily separated from your organization. You may need to communicate with estates of individuals who are now deceased. You may also have minors involved as dependents. Each of these groups may need a different approach from a communication and notification perspective.

Every organization should design a reasonable security program to fit its particular needs and risk tolerances. Organizations should develop effective information governance programs that include the following steps:

  1. Data Mapping: A data-mapping exercise can help your organization understand what data it maintains and how old such data is. Additionally, data mapping can tell your organization where the data is stored and how it is protected.
  2. Establish Data Retention Policies: Establish policies that detail the types of data to be retained, the retention periods and the procedures for securely disposing of the data. Regularly review and update these policies to reflect changes in regulatory requirements, business needs and emerging threats.
  3. If Needed, Securely Store Old Sensitive Data: If your organization needs to store old sensitive data, it should ensure that it is stored in a secured location – consider removing the data from the network entirely and storing it offline or encrypting it.
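As an added illustration of the first two steps (not code from the authors or from BakerHostetler), the script below walks a file share, compares each file's age against a retention period assigned to its top-level folder, and lists what has outlived retention so the data owner can review it. The folder-keyed retention schedule, the sample folder names and the use of last-modified time as the age measure are all assumptions made for this example.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# Hypothetical retention schedule in years, keyed by the top-level folder of the
# share. These values are constructed for the example, not a recommendation.
RETENTION_YEARS = {"HR": 7, "Finance": 7, "Marketing": 3}
DEFAULT_RETENTION_YEARS = 5


def audit_share(root, now=None):
    """Walk a file share and report files older than their folder's retention.

    Returns {top_level_folder: [(relative_path, age_in_years), ...]} holding
    only files past retention, oldest first, for the data owner to review."""
    root, now = Path(root), now or datetime.now()
    expired = defaultdict(list)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        top = rel.parts[0] if len(rel.parts) > 1 else "(root)"
        limit = RETENTION_YEARS.get(top, DEFAULT_RETENTION_YEARS)
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        age_years = (now - mtime).days / 365.25
        if age_years > limit:
            expired[top].append((rel.as_posix(), round(age_years, 1)))
    for files in expired.values():
        files.sort(key=lambda f: -f[1])
    return dict(expired)

def build_sample_share(base, now=None):
    """Create a tiny constructed share with backdated modification times."""
    now = now or datetime.now()
    sample = {"HR/payroll_2005.xlsx": 20, "HR/handbook.pdf": 1,
              "Finance/ledger_2010.csv": 15, "Marketing/logo.png": 2}
    for rel, years_old in sample.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content")
        ts = (now - timedelta(days=365.25 * years_old)).timestamp()
        os.utime(p, (ts, ts))  # backdate both atime and mtime

def run_demo():
    """Build the sample share in a temp dir and return the audit result."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_share(d)
        return audit_share(d)
```

Last-modified time is only a rough proxy for age, since a migration or bulk copy can reset it, so treat the report as a starting list for the owner's review rather than a deletion list.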

By implementing these steps, organizations can significantly mitigate risk posed by old data in the event of a data breach. Now to go find that old iPod ….