Information Security News mailing list archives

Delete Data To Delete Risk


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 17 May 2012 03:04:38 -0500 (CDT)

http://www.darkreading.com/database-security/167901020/security/news/240000521/delete-data-to-delete-risk.html

By Ericka Chickowski
Contributing Writer
Dark Reading
May 16, 2012

Earlier this month, a Missouri state senator led a filibuster to block the vote on the creation of a new prescription-tracking database within the state -- on the grounds that, should a breach expose this database, it would reveal embarrassing information about citizens. Though extreme, the event offers good evidence that awareness is growing in both the public and private sectors that one of the best ways to protect sensitive and personally identifiable information (PII) from a breach is to eliminate its existence.

"Rule No. 1 in data-breach prevention is that they can't steal it if you don't have it," says Alan Brill, senior managing director of Kroll Advisory Solutions. "It would be a lot better if people remembered that one."

Obviously, protected identifiable information and other sensitive information fuels enterprise business today. And then there are certain classes of data that are required to be kept because of litigation or to maintain a legal hold for discovery issues, Brill explains. But beyond that, he believes organizations need to do a better job probing the necessity of retaining data -- particularly PII -- and making every effort to limit its stay on company databases.

"You have to start asking, 'What's the value of the data? What am I doing with it? Does it represent positive value? And who wants me to keep it?'" Brill says.

[...]

