Earlier this month, a Missouri state senator led a filibuster to block the vote on the creation of a new prescription-tracking database within the state -- on the grounds that should a breach occur to expose this database, it would expose embarrassing information about citizens. Though extreme, the event offers good evidence that awareness is growing both in the public and private sector that one of the best ways to protect sensitive and personally identifiable information (PII) from a breach is to eliminate its existence.

"Rule No. 1 in data-breach prevention is that they can't steal it if you don't have it," says Alan Brill, senior managing director of Kroll Advisory Solutions. "It would be a lot better if people remembered that one."

Obviously, protected identifiable information and other sensitive information fuels enterprise business today. And then there are certain classes of data that are required to be kept because of litigation or to maintain a legal hold for discovery issues, Brill explains. But beyond that, he believes organizations need to do a better job probing the necessity of retaining data -- particularly PII -- and making every effort to limit its stay on company databases.

"You have to start asking, 'What's the value of the data? What am I doing with it? Does it represent positive value? And who wants me to keep it?'" Brill says.

[ No matter how long you keep PII, it is key to keep it safe within the database. See Three Security Snags That Expose The Database to find out what you might be doing to jeopardize sensitive data. ]

As Dean Gonsowski, senior eDiscovery counsel for Symantec, explains, there's a yin and yang of retaining lots of data.

"Yeah, that information may be useful, but there's also a latent information risk associated with having it," says Gonsowski, explaining that the three biggest risks include risk of data breaches, risk of compliance issues if the data isn't kept according to regulatory demands, and risk of added litigation cost when it comes time to sift through data to find specific information a judge may ask for. All of those risks increase as the volume of retained data within an organization mounts.

Unfortunately, with the cheap cost of storage these days, all too many organizations are allowing that volume of data to grow unchecked without enough consideration of how much data they should keep and how long they should keep it.

"I liken it to a garage that you've got. When your garage is big enough, you feel like it is just OK to open the door and throw everything in it. But no matter how big your garage is, you can't do that perpetually because the day will come when you need to find the fire extinguisher, and you're not going to be able to do it," he says.

On top of that, when valuable things are thrown in there with trash, it is hard to tell whether someone has taken the important stuff out of the garage while the back door was left open.

"Fundamental to this discussion is the fact that when you talk to organizations, they say, 'I know about 10 to 15 percent of what I have is valuable. I just don't know how to distinguish it from the other 85 percent," Gonsowski says. "That's a problem."

According to a poll conducted by consulting firm Protiviti earlier this year, the majority of organizations -- 81 percent -- do have some sort of record retention/destruction policy. The problem is that these policies may not be written with enough specificity to make a difference in reducing the volume of PII kept by the organization. And more importantly, organizations may not yet have the maturity in IT practices to support the policies.

Protiviti found that only 50 percent of organizations actually have a plan in place to perform data categorization. So even if an organization has a policy to get rid of certain categories of risky information in a given time frame, without any means to classify data and find the data within a given bucket, that policy is moot.

According to Cal Slemp, managing director and head of Protiviti's IT security and privacy practice, that understanding of what makes data sensitive is a crucial part of managing information throughout the life cycle, particularly when it comes to destruction of data.

"Without this foundation, companies open themselves to needless costs and legal, regulatory, and reputation risks," Slemp says. "It is our view that data with different sensitivity needs to be treated differently from an information security perspective. In addition, knowing what to keep and what to purge also helps organizations avoid falling into a default process of saving 'everything forever,' which comes with its own costs and risks."

As organizations begin to think more critically about PII, they need to find ways to better categorize data and tie it to specific deletion policies. And they need to look to stop the problem from getting bigger by addressing policies to new forms of data being collected at the outset.

"I would say when you start to capture a new type of information, you want to make sure you've got the security around it, you want to make sure you've got the access controls, that you're anonymizing it, and things like that," Gonsowski says. "But once you've done all that and it's safe, you want to make sure that you don't keep it forever. If you only need it for 30 days, then you keep it for 30 days and have an automatic system that once it is categorized and labeled, it just gets deleted after 30 days."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.