August 24, 2021

Last Updated on January 13, 2024

“Fear of hitting the delete button” has reached epidemic proportions within organizations of all sizes. Policy, process, ownership questions, and a patchwork legal landscape all play a part—as does a fundamental lack of information governance, in many cases.

So, how do we face our “deletion demons” and put them on the run?

David Gould, Chief Customer Officer at EncompaaS, shares his expert view on the vital importance of data deletion (aka “disposition”) and other core information governance questions on a recent episode of The Virtual CISO Podcast. Hosting the episode as usual is Pivot Point Security CISO and Managing Partner, John Verry.

3 top questions about information governance

David likes to ask customers three questions to get a feel for their information governance challenges:

  1. How do you identify content that has risky or high-value information today?
  2. What processes do you have in place to manage that sensitive information?
  3. What are your disposition policies for getting rid of information that you don’t need to keep?

According to David, that last question is the most important—and the most challenging: “That really is probably the biggest [information governance] problem organizations face today. It’s really, really hard to hit the delete button.”

Who moved my data?

Another challenge with deletion is finding the data you want to delete when it’s scattered far and wide.

“It leaks into personal devices, it can be found in database applications, and it can be found in data lakes,” says David. “It can be found in test data management kinds of applications, and in things like Slack and Teams and shared drives all over the enterprise. So, organizations really need a good understanding of what’s out there. And many times, they don’t have that answer.

And when they do have that answer, they say, ‘Okay, I know where my data is, and I know what’s valuable, what’s not, maybe what’s sensitive and what’s not… But now can you help me delete that data?’”

David continues: “We have a consulting arrangement with one of the world’s largest banks. We’ve been working with them for two years, and we’ve just been able to delete the first batches of data. And it was a major celebration, it really was. We had a party over being able to actually hit a delete button and watching the data disappear. Because all the processes that we helped this organization develop, all the attributes that we had to develop, all the policies that we helped them develop, finally came together in one quick push of a delete button. It was actually pretty cool.”

The legal U-turn on data deletion

In the US, the courts used to punish firms for deleting data and not having it available. But that paradigm has recently pivoted 180 degrees. Now firms are sanctioned for not deleting data.

“If you go to court and somebody says, ‘Our retention period on this piece of content is ten years,’ and you still have it in your enterprise, you might as well start writing the biggest check you possibly can, because you haven’t been able to demonstrate legally that you have policies in place and you’re actually following those policies to delete data,” David states.

Retention/deletion is a legal issue

“Are information security consulting firms like Pivot Point Security actually part of this problem?” John asks. “We do risk assessments every day, we’re helping organizations manage information related risk. And I don’t know that we do a good enough job of typically citing what I’ll call information governance risk, or information retention risk.”

“It’s only part of the problem if you haven’t invested in expertise around that element,” David clarifies. “Retention laws really relate to the Code of Federal Regulations (CFRs) that the government has in place to govern all sorts of activity. I think most consulting firms do a really good job at helping organizations build those walls internally to keep bad guys out, and in some cases to keep certain parts of the organization from accessing information that’s [controlled by] another part of the organization. Where most consulting firms don’t have really strong expertise, and it’s still dominated by law firms, is in the area of retention. Because retention relates to legal citation and legal citation spells this out.”

Knowing when to hit the delete button

To know for sure what data you must keep and what you must delete, you might need to sift through literally thousands of retention laws to determine which ones apply to data you have today.

There are applications that can tell you about retention laws. But, as David points out, “The last mile is how do you connect those laws to the actual data? And then how does that tag help organizations better manage the data through its lifecycle and make sure they are hitting delete on the day the delete button needs to be pushed.”
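The "last mile" described above, tagging each copy of the data with the retention rule that governs it, computing the day its delete button must be pushed, and keeping a record that shows the policy was actually followed, can be sketched in a few dozen lines. The following is an added example written for this page, not code from EncompaaS, Pivot Point Security or the podcast; the retention schedule, the citation strings (placeholders, not real CFR sections), the inventory of records and the evaluation date are all constructed for illustration. It also covers two situations the passage implies but does not spell out: an active legal hold that suspends disposition, and a copy that carries no classification tag at all and therefore cannot be matched to any rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule (assumption): maps a retention class to the
# number of days the data must be kept after its trigger event and to the rule
# that requires it. The citations are placeholders, not real CFR references.
RETENTION_SCHEDULE = {
    "customer-transaction": {"days": 7 * 365, "citation": "PLACEHOLDER-CFR-CITATION-A"},
    "employee-record": {"days": 3 * 365, "citation": "PLACEHOLDER-CFR-CITATION-B"},
    "marketing-draft": {"days": 90, "citation": "internal-policy"},
}


@dataclass
class Record:
    record_id: str
    location: str             # where this copy lives: database, share, data lake, chat export
    retention_class: str      # the tag that connects the copy to a retention rule ("" = untagged)
    trigger_date: date        # event that starts the clock, e.g. account closure
    legal_hold: bool = False  # an active hold suspends disposition until it is lifted


def disposition_date(record: Record) -> date:
    """Date on which the record becomes due for deletion under its rule."""
    rule = RETENTION_SCHEDULE[record.retention_class]
    return record.trigger_date + timedelta(days=rule["days"])


def evaluate(records, today: date):
    """Sort records into disposition buckets and build an audit trail per decision.

    Buckets:
      due          - retention period elapsed and no hold: delete now
      held         - period elapsed but a legal hold blocks deletion
      retained     - still inside the retention period
      unclassified - no usable tag, so no rule can be applied (a discovery problem)
    """
    buckets = {"due": [], "held": [], "retained": [], "unclassified": []}
    audit = []
    for rec in records:
        if rec.retention_class not in RETENTION_SCHEDULE:
            decision, due = "unclassified", None
        else:
            due = disposition_date(rec)
            if today < due:
                decision = "retained"
            elif rec.legal_hold:
                decision = "held"
            else:
                decision = "due"
        buckets[decision].append(rec.record_id)
        # The audit entry is what later demonstrates that a policy existed and was followed.
        audit.append({
            "record_id": rec.record_id,
            "location": rec.location,
            "class": rec.retention_class,
            "citation": RETENTION_SCHEDULE.get(rec.retention_class, {}).get("citation"),
            "disposition_date": due.isoformat() if due else None,
            "evaluated_on": today.isoformat(),
            "decision": decision,
        })
    return buckets, audit


# Constructed sample inventory (assumption): the same kinds of copies the text
# says leak into databases, shares, data lakes and collaboration tools.
SAMPLE_RECORDS = [
    Record("txn-001", "db:ledger", "customer-transaction", date(2016, 1, 1)),
    Record("hr-042", "share:hr-files", "employee-record", date(2022, 6, 1)),
    Record("mkt-007", "teams:marketing", "marketing-draft", date(2023, 9, 1), legal_hold=True),
    Record("blob-999", "lake:raw", "", date(2020, 1, 1)),
]


def run_sample(today: date = date(2024, 1, 13)):
    """Evaluate the constructed inventory as of a fixed date so results are reproducible."""
    return evaluate(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    buckets, audit = run_sample()
    for bucket, ids in buckets.items():
        print(f"{bucket:12s} {ids}")
    for entry in audit:
        print(entry)
```

The deletion itself is deliberately left out: in practice the "due" list feeds whatever destroys the copy in each system, and the audit entries are what survive. Keeping the "unclassified" bucket visible rather than silently skipping it is the point of the first of David's three questions, since an untagged copy is one you can neither justify keeping nor safely delete.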

If you have a privacy- or compliance-related role in your business, don’t pass up this podcast episode with information governance specialist David Gould.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.
