Current worldwide data center storage capacity is estimated to be 770 exabytes – and forecasters expect it to increase to nearly 2,000 exabytes by 2020. Having an abundance of the right data at your fingertips can create enormous benefits, such as increased productivity and personalization. But its storage also carries responsibility and even liability. This might sound dramatic, but when you think about how much personal and sensitive data this includes, the need to be vigilant is even greater.
Each time an organization fails to permanently erase the data they are holding when the time calls for it (i.e. customers request it, the data is no longer needed or IT equipment reaches its end of life), they are putting themselves and their customers’ data privacy at risk. As of May 25, 2018, they will also be at risk of failing to comply with the EU General Data Protection Regulation (EU GDPR).
Organizations need to have a much better idea of what data is stored and where all that data resides, as well as what processes they have in place to permanently erase it when required. Furthermore, due to the new regulations, customers will be taking a greater interest in the contract terms around data erasure, many of which are currently not fit for purpose.
The right to be forgotten
EU GDPR will both strengthen and unify data protection for individuals by requiring organizations to align their data management policies and practices with its stringent rules. Under an important part of the incoming legislation, anyone will have the right to request the erasure of their personal data “without undue delay” under a number of circumstances, such as by withdrawing their consent for its processing.
In order to be compliant, organizations need to be able to remove each and every record relating to that particular person as soon as they make the request. The regulation also introduces huge fines for companies that fail to protect the data they collect from consumers. However, it would seem that not all businesses understand the steps they need to take in order to ensure a user’s data is erased securely and verifiably.
Data Sanitization – what it really means
There tends to be a lot of confusion about the definition of data sanitization and the varying methods for achieving it. For example, many businesses mistakenly implement certain data removal methods, such as a factory reset, reformatting, data wiping and data clearing, because they believe these methods are capable of achieving data sanitization, when in fact they are not. As a result, the vast majority of organizations today aren’t undertaking the necessary steps to implement a data sanitization process and are leaving themselves vulnerable to a potential data breach.
If security processes are not up to scratch, an organization cannot guarantee that it is able to adequately protect customers’ sensitive information. If it is asked to erase a particular person’s personal data but uses an incorrect method of data removal, it will not be doing so adequately.
It’s clear that confusion around the difference between data deletion and data erasure isn’t confined to everyday users alone. The legal contracts used by SaaS vendors and cloud infrastructure providers don’t always include the terminology needed to specify if and when data is permanently erased when customers end their services or relationship with the providers. And when they do, they often use incorrect terminology, such as ‘data deletion’ or ‘data wiping’, to indicate that a customer’s records are being removed when services are terminated. But as we know, data deletion and data wiping do not meet the criteria for data sanitization and can therefore leave data accessible or exposed.
Here are some examples of contract language that could put the companies in legal trouble.
Salesforce: “After such 30-day period, we will have no obligation to maintain or provide any copies of your data, and as provided in the documentation we will thereafter delete or destroy all copies of your data in our systems or otherwise in our possession or control, unless legally prohibited.”
Microsoft Azure: “If you do not fully address the reasons for the suspension within 60 days after we suspend, we may terminate your Subscription and delete your customer Data without any retention period.”
Dropbox: “After a commercially reasonable period of time, Dropbox may delete any Stored Data relating to Customer’s account.”
Proper education about the correct definitions and terminology must be provided, otherwise organizations could find themselves facing both legal and financial issues. What’s more, a company should provide assurances and proof that, when a request for data removal has been made, the data has been permanently erased so that it can never be recovered, and should provide a certificate of proof for audit trail and compliance purposes.
Sanitize your data
Data protection audits can help organizations identify existing gaps and problems within their IT infrastructure and security posture. This will allow them both to correct such problems and to implement the necessary corrective actions so they can be in regulatory compliance in the future. The more often audits take place, the more equipped organizations are to know how much data they are responsible for.
If you’re unsure of the types of data you hold, you have a lower chance of being able to understand how to properly prioritize actions to protect that data and prevent it from being accessed or exposed to a data breach. Without a comprehensive picture of your data landscape, it would become all but impossible to fully comprehend the scale of a data security breach and how many people it may have affected.
The threat to our data privacy is increasing, with data continuously being stored and security breaches continuing to dominate headlines around the world. However, organizations are still not changing how they handle things. With so much important data running through any corporation, it’s hard to believe that security risks such as these, for which there are such simple preventative measures, continue to be overlooked.
Richard Stiennon is Chief Strategy Officer of data erasure specialist Blancco Technology Group and director of the IDSC.