Chief Commercial Officer (CCO) An experienced senior executive with extensive experience gained supporting Boards and c-suite members on cybersecurity.

I recently read that 99% of all data stored has been accumulated in the last 10 years with companies collecting data, even if it does not support a business function using the justification that it might have some value in the future. Over the last 18 months there has been an increasing volume that data is the new oil, its often said data is worth more than oil and like oil, data has to be refined to increase its value. You only have to look at some of the companies with the highest market Cap’s who collect large amounts of data, Amazon, Facebook, Google and Apple to see there is a lot of truth to this.

Yes, raw data is potential power, refined data can influence presidential elections and change history you only have to look at what Cambridge Analytica did across the world.

If the big companies get hacked or caught out by regulators, they can cope. But what about smaller companies where a cyber breach or fine could put them out of business?

I remember asking a client about 5 years ago, “why do you keep so much data?” and their response was “because it is cheap to do so” and after being asked what they use it for, they said “some for business operations but a lot we just keep, we might need it someday!”.

My view is that up until a couple of years ago, there was business logic that supported the “keep it all” approach however, I have been starting to question whether there is a business case to retain all data and not just because it is cheap to do so, as it this is no longer the case.

New elements have entered the equation that need to be considered for company’s data retention policies, that have the potential to add significant cost and reputational damage to a company, namely cybersecurity breaches and regulatory fines.

When it comes to cybersecurity breaches, it is data that hackers want to steal, gain access to or control. If the company has a vulnerable data lump or is known to hold large amounts of data, it will naturally become of increased interest to hackers and regulators.

Data type v’s potential cost (Inclusive of Cybersecurity Event and Regulatory fine) = Justification to retain.

While a company might apply a tiered category to their data and a cost to maintain each category, regulatory authorities and hackers do not. Regulatory authorities take the view that if you do not take the right precautions to protect the data in your care, the company will be fined. A regulator will not take into consideration that the data on a Tier 3 platform that has been categorised low value to the company (typically the cheapest platform, with low cyber protection). Regulators will take the position that the company had in place low standards for the provision of cyber protection and fine them.

Dependent on the infringement of the EU GDPR this can result in administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. Suddenly, the value and cost of that data, changes considerably to that company as demonstrated by the fact that the FTC in the US is proposing to fine Facebook US$5 billion.

Hackers look for the easiest way to gain entry to a company’s data, and if it happens that the largest deposit of data is sitting on the lowest cost platform with the least amount of security, then all the better.

Companies need to review regularly and justify why they collect and keep data, and perhaps start to reduce their data lumps. They need to review how they categorise data, the platform and the facilities they use to store that data.  Executives and Board members need to understand that whilst it might be good practice to drive down operational costs, they are potentially exposing the company to more cost and increasing their own director risk with personal fines for themselves.

Executives need to be able to:

  • Justify the data they collect
  • State what the impact would be to business operations should any of the data be compromised
  • Articulate how the tiers of data collected are connected to a business needs
  • Define the potential cost following a cybersecurity breach

Boards and Executive committees need to understand how they categorise data and attach a value, especially data stored with the cheapest 3rd party vendor. While data is seen as the new oil, no one wants a Deepwater Horizon.