Archived Insight | February 9, 2021

Data Retention Policy: Follow Through to Stay Secure

Data is the heart of many businesses — and the same commodity sought by cybersecurity hackers.  And the more data they steal, the greater your liability becomes. That’s one reason why you need to create and follow a data retention policy.

Data Retention Policy Follow Through to Stay Secure

What’s a data retention policy?

A data retention policy dictates how long and under what circumstances you either keep or delete data.  While you can have reasons for wanting to save in perpetuity every record you file, this makes you a tempting target for malicious actors on the prowl for valuable data. In addition, saving data beyond its intended lifespan can come with legal and contractual ramifications.

Why less records can mean more security

Many organizations have years or decades of historical data saved on backup tapes or stored online. Sometimes you truly need to save data, such as historical employment records necessary to calculate and verify pensions. But more often, records are retained because no one’s taken the time to delete them.

Stolen historical data can be pricey to fix. Some industries have data records that, if stolen, cost more to remediate than data elsewhere.  For example, a stolen record from the health industry costs $408 on average to remediate while an education industry record costs $166 on average to remediate.

The costs can be even higher if you’re retaining more records than you need. Suppose you’re a school system with student records dating back 30 years. If you welcome approximately 1,000 new students each year, that means you have about 30,000 unique student records which, if stolen, will cost you an average of $4.98M to remediate. But according to your data retention policy, you really only need to save 16 years of student records.  If you’d followed your policy and deleted the older 14 years of records, your average liability for the remaining records drops to $2.656M, or a $2.324M reduction in out of pocket cost.

Considering it should cost significantly less than $2.324M to dispose of the older records, why would anyone not make deleting old data a priority?  It may not seem worth the effort. But that old data represents a clear business issue when put into a dollars and cents perspective.

What’s covered by a data retention policy

So what kinds of data should be covered in a data retention policy? The answer is anything that could be used by a hacker to exploit a victim. This includes paper records, emails, personal health information (PHI), personally identifiable information (PII), financial records, corporate letters or correspondence containing any information your organization would not want released to the general public and other items.

If you don’t currently have strongly enforced data retention policies in place, we strongly recommend you address the situation as soon as possible. Save yourself the risk, and considerable headaches, by deleting that old data now!

Have questions? We have answers.

See how we can help. 

Speak With Us

See more insights

Diverse business colleagues have a meeting

Reporting and Disclosure Guide for Benefit Plans 2025

Segal’s comprehensive Reporting and Disclosure Guide for Benefit Plans is the go-to guide for navigating compliance requirements.
Happy Mature Couple Looking Outside The Window

Multiemployer Pension Plan News for Q4 2024

Multiemployer retirement plan sponsors: Get caught up on 5 hot topics in our recap of fourth quarter news impacting multiemployer pension plans.
Business Team Discussing New Ideas At The Office

Most SECURE 2.0 Plan Design Options Fully Available for 2025

The Treasury and the IRS have issued guidance for recordkeepers to administer the plan design options SECURE 2.0 made available to DC plan sponsors.

This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.