Best Tips for Secure Data Retention

shutterstock Maksim Kabakou

Corporate retailers including Home Depot, Target, Michaels, Dairy Queen, and Kmart have all been victims of security breaches, and are still feeling the aftereffects. In addition to the financial repercussions, even mainstream brands suffer from diminished trust when customer data is compromised. This trust can be difficult to rebuild, and the negative effects are often even more pronounced for small- or medium-sized businesses.


Privacy Policies

Being upfront with users about how long you plan to store their data, what type of data you’re storing, and how you plan to use it is a good step to take when it comes to establishing trust. Some companies take this a step further by letting users know when the privacy policy has changed, and by adding easy-to-read explanations in addition to the fine-print terms of service agreements.

Security Measures

Companies need to secure their information in a way that makes sense financially. “It doesn’t make a lot of sense to secure a million dollars’ worth of information with $10 million worth of security,” Trustwave Vice President of Product Management Josh Shaul said in an interview.

Common-sense security measures should be in place for all data, and this begins with a general risk assessment. “You’d be shocked to find out how many companies are storing data, but the compliance and the risk and the security people don’t even know that that data’s being stored,” Shaul added. After areas of weakness are discovered, businesses can adopt new practices and procedures to protect against potential threats, such as installing intrusion detection and prevention technologies, anti-malware controls, and Web-application firewalls, and modifying network access controls to prevent unnecessary access. Some businesses may choose to work with outside experts responsible for installing, monitoring and updating their technologies in response to new potential threats.


Financial information must be retained in order to comply with government regulations, and many businesses choose to store additional information, or save data for a longer period of time than required, if legally permitted.


Fresh data is more likely to be targeted than older data because it is more valuable to criminals—numbers for active cards sell better on the black market than older ones, for example—but social security numbers and birth dates do not change, so data stored for longer periods of time is also vulnerable. In addition to a transparent privacy policy, companies should take extra measures for securing data that’s been on their servers for a decade or longer.

Extra steps can be taken to secure data that’s currently dormant, but saved in case it’s useful in the future. “If nobody needs to access it, then there’s no reason not to encrypt the heck out of it and make sure that it’s really, really hard to get at,” Shaul said. Because the data is dormant, it can be protected in ways that would be inconvenient for information that needs to be accessed regularly: by encrypting it strongly and by locking away the encryption keys in a place that’s very hard to access.
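An added example (not from the original article) of the approach described above: each dormant record is encrypted under its own data key, and that data key is wrapped with a key-encryption key (KEK), so only the KEK has to be locked away. The function names, the record ID and the sample record are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// AES-256-GCM; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, data, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Throws if the key, the aad or any byte of the blob is wrong.
function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt a dormant record under a one-off data key (DEK), then wrap the DEK
// with the KEK. The record ID is bound to both ciphertexts as associated data,
// so an archive cannot be silently relabelled as another record.
function archiveRecord(kek, recordId, record) {
  const aad = Buffer.from(recordId);
  const dek = crypto.randomBytes(32);
  const out = { recordId, wrappedDek: seal(kek, dek, aad), blob: seal(dek, record, aad) };
  dek.fill(0); // drop the plaintext data key as soon as it is wrapped
  return out;
}

// Restoring requires fetching the KEK from wherever it is locked away.
function restoreRecord(kek, archived) {
  const aad = Buffer.from(archived.recordId);
  const dek = open(kek, archived.wrappedDek, aad);
  return open(dek, archived.blob, aad);
}

// Constructed sample data. A random in-memory KEK stands in for a key that
// would normally be held in an HSM or an offline vault.
const demoKek = crypto.randomBytes(32);
const demoRecord = Buffer.from('name=Jane Doe;dob=1970-01-01');
const demoArchive = archiveRecord(demoKek, 'cust-0001', demoRecord);
```

Everything in `demoArchive` can sit on ordinary storage; without the KEK, neither the wrapped data key nor the record can be decrypted.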


2 Responses to “Best Tips for Secure Data Retention”

  1. Fred Bosick

    Done in 3 steps.

    CIOs must be IT proficient. Target’s CIO was a marketing manager.

    No Cloud, at all! Always control your own computation and storage. Who cares more about your data than you do? It’s easy to open a cage and “borrow” a drive from a mirrored set.

    No offshored or H-1B staff. Choose your poison: offshore churn, or H-1B incompetence? Regarding incompetence: IT shops try to stem it by excessive ticketing/metrics or other ITSM/ITIL3 malarkey to carefully control and limit any individual failing by barely trained and manual memorizing new staff. Say an SSL certificate expires and takes down a webserver. A flurry of tickets and random file copies follow in an attempt to get it going again.

    (Is that the right one? I don’t know. What about the load balancer? Copy it there too!)

    You’ve just lost control of the documents allegedly protected by the certificate!

    Where’s my consultant’s fee?

  2. I think that you can use the cloud, but work with reliable providers. You should have a reliable network or even IT infrastructure monitoring tool, e.g. Anturis or something else, but one which is able to see how the network works. As soon as something unusual happens the system alerts the admin and they are able to take the measures they think they are able to do. Such tools can see what is in the network and what is happening etc.
    I think they are the only way out at the moment.