
PCI DSS 4.0 Released with Big Changes
Released March 31, 2022, PCI DSS v4.0 contains significant changes including increased focus on risk analysis, which may open organizations up to legal risks.
Remember when data management meant determining what documents to keep, what documents to toss, and what documents to shred? Most of the time we could get by making different piles and then filing some documents, throwing away some, and destroying some in the shredder.
While we still have to deal with paper documents, most of the information we’re concerned about managing these days is in digital format. There’s also a lot more of it and seemingly many more regulations affecting how we deal with it.
That’s why determining what to hang on to and what to let go of — your data retention policy — is still an important part of data management.
The general thinking is to keep as much data as possible. You never know what will be needed and when. However, storing data isn’t free. And storing more data than is necessary isn’t good business.
The solution: assess and prioritize your data to determine what to keep, how long to keep it, and what to delete.
There are no standard rules for this, as it will vary based on your specific company, industry, and numerous other factors. However, sorting your data into the following categories will get you started in developing a data retention strategy.
The first category covers any data that must be retained due to compliance, legal, or regulatory requirements, and there are many of them.
The Fair Labor Standards Act, the Bank Secrecy Act, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA), among others, all specify data retention requirements.
Make sure you also understand all compliance, legal, and regulatory requirements pertaining to data deletion or data destruction. Under certain mandates, such as the General Data Protection Regulation (GDPR), when a person's right to erasure applies, every piece of information relating to that person must be removed from every place it lives, including every file, register, database, mailing list, and backup server, and it must be removed in a way that leaves it unrecoverable.
Failure to comply with data retention and data destruction requirements can result in costly penalties and a host of other negative results.
Depending on your industry, there may also be requirements — or at least best practices — for retaining certain kinds of data.
For example, while many companies will create data retention policies of five to ten years, architecture firms often retain certain files much longer — even indefinitely. They may need to hold on to them for liability reasons, future renovations, or possibly the historical significance of a project.
Heavily regulated industries are subject to numerous data retention requirements. In addition to adhering to those specified by HIPAA, the healthcare industry is subject to data retention requirements noted by the Centers for Medicare & Medicaid Services (CMS) and individual state laws. The American Health Information Management Association also provides recommendations for data retention.
In the insurance industry, regulations published in the Federal Register require retaining appraisals, safety records, inspection reports, and receivership records for six years, and expired policies and insurance claims for 10 years after the termination date.
For human resources, the Occupational Safety and Health Administration (OSHA) created strict rules for data retention that include keeping personnel records for seven years after termination, medical exposure records for 30 years, and drug test records for one year.
The second category is business-critical data. Think of this as the data required to keep you in business: it is critical to your day-to-day operations and requires the highest level of protection.
If a man-made or natural disaster took out your data center, this is the data you would need recovered first so you can resume operations, so it should sit at the top of your backup and disaster recovery priorities.
The third category is data you might not need for day-to-day operations but that plays a key role in keeping your company competitive.
For example, do you have data that is critical for improving decision-making? Is some of your data essential for creating or optimizing your processes? Do you need the data for audience targeting or discovering customer buying patterns? That’s data you need to keep.
The fourth category is data you think you need but that may be outdated or inaccurate. It can include data from any of the categories above.
Data quality matters, so assess your data carefully. Purge stale, inaccurate, and corrupted data to keep it from negatively impacting your analytics and other processes within your sales and marketing departments.
Ensure the data is checked and cleaned before it is used in any analytics or reporting, to improve the accuracy of all metrics pulled from that data.
The fifth category is data you really need, just not very often. In fact, it may be years before you need it again. This is the kind of data that is ideal for cost-effective object storage. Keep in mind that moving data to a cheaper tier does not change its classification: regulated or sensitive data in archival storage still needs the same access controls, encryption, and retention and deletion rules as it had in primary storage.
Once you know what data you have and have categorized it, you can start establishing policies for how long to retain it — and where.
In the meantime, if you’re interested in learning about options for protecting and storing your data, let us know. Contact us today to get started.