Bad Tapes Part 1: Unwinding Data Immortality
Storage Costs, Difficulty of Data Retrieval and Threat of Regulatory Action Loom Over Companies Who Use Backup Tapes As Archives
March 28, 2024
This is part one of a five-part report that explores what led to data over-retention on backup tapes, defines the current situation and outlines how to remediate data holdings to reduce ongoing operational costs and regulatory risk. Find out more about this report by reading the introduction or downloading the full Bad Tapes report here.
Once Heralded As the New ‘Oil’ That Kept the Corporate Engine Running, the Glut of Data Is Now Creating Oil Spills.
For decades, corporates have been hoarding data.
- Business and strategic operations have long adopted the philosophy of “Don’t delete that! Let’s keep it… just in case.” This has led to many business units amassing massive data caches, without specific purpose and with little insight into what they hold. This often includes digital landmines, such as unneeded personal information or discoverable emails that legal teams would prefer were destroyed as soon as defensibly possible.
- The big data gold rush saw companies scraping their systems to fill data lakes and warehouses, with no clear idea of how to leverage it — leading to an uncontrolled environment with mountains of uncategorised data and hazy access controls, including messaging data, email archives and voice recordings.
- Cost and convenience, with historically low penalties for over-retention of data and low costs to keep it compared with the time and expense required to defensibly destroy it.1
Data Risk Has Increased Exponentially
Now, the needle has moved on data risk.
In Australia, penalties for breaches of the Privacy Act have dramatically increased — to a maximum of AUD$50 million or 30% of adjusted revenue in the period of non-compliance.1 The privacy regulator — the Office of the Australian Information Commissioner — has been newly empowered with increased staffing and funding.2 And in the wake of data breaches of increasing severity and scale, the regulator is looking to crack down on the over-retention of personal data.
It’s not just regulators. Class actions are on the rise — in response to data breaches, inadequate controls and loss of over-retained data, both customers and shareholders are looking for recompense and someone to blame.
And the regulatory burden is increasing — proposed amendments to the Privacy Act 1988 (Cth) promise new regulatory powers, more protections and personal rights, a direct right of action and a statutory tort of privacy to enable individuals to directly sue organisations for privacy infringements.
Penalties for Privacy Act Breaches1
- AUD$50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30% of a company’s adjusted turnover in the relevant period, i.e., the period of non-compliance.
Costs Are Skyrocketing
At the same time, corporates are feeling the pain of storing billions of unnecessary legacy files. Bloated storage mechanisms and countless stacks of magnetic data tapes abound, groaning with data that is misunderstood, unloved, and wholly unnecessary to the business.
Once touted as the pinnacle of long-term data storage, magnetic tapes have evolved into a data albatross around the necks of corporate Australia. Beyond the storage cost, accessing data via tape restoration is highly inefficient. Simply finding the right tape poses a challenge. Paying a vendor with an antiquated drive to read tapes can be expensive. Tapes go missing. And, as the life of tapes tops out at eight to twelve years, companies often discover the tape they want is corrupted. The loss of a tape — whether misplaced or corrupted — could constitute a reportable incident, bringing the baleful eye of the regulator down upon the organisation. And the watchdog’s gaze could uncover over-retention and other uncorralled data risks.
It’s Time To Bite the Bullet on Remediation
Keeping everything forever is not an option. To reduce data risk while ensuring regulatory compliance, corporates need to assess and remediate their data holdings urgently. The goal is to identify and transfer records of business required for regulatory requirements, legal hold data and data of high business utility to secure and accessible storage — and defensibly dispose of redundant, obsolete, trivial (“ROT”) or duplicative data.
This is easier said than done. Getting the balance right on over- or under-retention of data is a difficult juggling act, bounded by business needs, legal hold obligations and regulatory requirements. Companies need to show that they know what they have and why they have it. It’s a time-consuming, whole-of-enterprise activity involving multiple systems and stakeholders, including IT, legal, risk and compliance. However, the risk is too great to continue to ignore.
Despite the difficulty and complexity, corporates must begin remediation as soon as possible:
- Identify what is needed, and what isn’t
- Preserve what you must in secure and searchable storage to enable inspection and use
- Get rid of files and data that expose the organisation to risk and liability.
Ask Yourself These Questions:
- Do you have a data inventory?
- What is your most historic record?
- What is your most sensitive data?
Footnotes:
1: Tim de Sousa and Devina Potter. Australia Is Getting Serious About Penalties for Privacy Enforcement, FTI Consulting (31 October 2022).
2: Office of the Australian Information Commissioner, OAIC welcomes additional Budget funding, (9 May 2023).