Information storage has become a double-edged sword for many organizations that must balance the value of data with potential liability. While many have called data a form of digital gold, two recent cases show how improper information storage and poor enterprise data erasure practices led to an expensive lawsuit and a substantial fine.

David Stegon David is a technology-focused writer with more than 20 years of professional experience. A former reporter, David has written on a wide range of topics. As senior content writer at Blancco, he supports the company’s thought leadership, content marketing, and social media efforts.

Breach exposes PII for New Zealand association’s customer base

This March, a travel association based in New Zealand announced it suffered a major data breach in August of 2021. That breach exposed the personally identifiable information (PII) of hundreds of thousands of customers collected over 15 years. 

The stolen information included names, addresses, contact information, and expired credit card numbers from a division of the association that ceased operations in 2018.

Instead of deleting the no longer needed data, the association kept customer information on connected servers. If the company had followed data sanitization methods and permanently removed unnecessary information, it would have avoided this situation. Company executives acknowledged this and New Zealand Acting Privacy Commissioner Liz Macpherson agreed.

“Companies need a review policy in place to determine if the data stored was necessary,” she said, adding businesses must minimize data collection.

Collecting too much data—and not properly erasing it—provides bad actors with the opportunity to manufacture an identity.

GDPR violation brings hefty fine for Denmark financial institution

A Denmark bank was fined $1.5 million (€ 1.3 million) in the second case for failing to comply with the European Union’s GDPR “right to erasure” guidelines.

GDPR requires personal data be erased by service providers when services end or legal agreements expire. Yet key findings by the Danish Supervisory Authority showed that the bank “has not been able to document whether rules have been laid down for deletion and storage of personal data, or whether manual deletion of personal data has been carried out.”

While there was no breach, the bank held onto customer data longer than regulations allowed. The bank faced a challenge that many organizations encounter: A distributed network of technology systems that made it difficult to build the right functionality. The organization found itself incapable of keeping up with data destruction demands in its more than 400 individual banks. These banks process the personal data of millions of people.

Why organizations keep data

Companies hold on to sensitive data for too long for many reasons. They may want to keep the data for future use, even if they remain unsure how that would look. Some firms lack data erasure software or are unfamiliar with the appropriate processes to erase data properly. Others believe the data will remain secure.

But keeping unnecessary data has consequences. 

Holding on to older data creates unnecessary risks not worth taking. IBM’s Annual Cost of a Data Breach Report shows that the average breach cost $4.35 million in 2022, up 2.6 percent from 2021 and 12.7 percent from 2020. Any unnecessary data not correctly eliminated from storage or live networks remains subject to breach. Even data stored on disconnected data center servers and decommissioned mobile devices can get accessed under certain circumstances. 

In addition to breaches, GDPR infringements of certain types could result in fines. These fines can be up to €20 million, or 4 percent of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. 

Instead of taking these risks, organizations need a proactive, verifiable, and certified process to permanently destroy unnecessary data. Doing so can ensure this data is rendered inaccessible, reducing risk, maintaining customer trust, avoiding potential fines, and limiting breach exposure. Such data erasure also ensures that an organization complies with all national, regional, and market-specific regulations.

Enterprise data erasure best practices

The growth of data privacy laws will provide a framework for many organizations to manage outstanding data. GDPR has become perhaps the most well-known, but more than 100 countries have specific laws that organizations should follow.

Following the spirit of regulations like GDPR can serve as a solid guide. They can strengthen how enterprises protect sensitive business and consumer data. This is especially true for organizations that do not have industry-specific regulations such as PCI DSS, HIPAA, and NCSC, among many others.

Outside of these regulations, take a regular audit of data to determine what no longer holds value. Duplicative data, outdated customer information, information past its mandated retention date, or information related to a defunct business venture should be top contenders for data erasure. One landmark study shows that 85 percent of data could be obsolete.

Leverage scalable, certified data erasure methods to guarantee its permanent destruction, even across complex networks, once you determine what data is no longer needed. Failing to do so can bring additional liability, risk, and stress without proper value in return.

You may be interested in:

What is Data Erasure?

Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace

Why are Data Erasure Certifications & Third-Party Validations So Important?

How Does Blancco Help Organizations Comply with the EU General Data Protection Regulation?