Less Is More: The Cyber Case for Data Minimization

During the heyday of big data, many organizations eagerly collected more and more data with the assumption that massive volumes of stored information would one day yield a treasure trove of business insight. But as we move deeper into the digital era, it has become clear that not all of this data actually has long-term business value. In fact, in many cases, holding on to too much data can actually lead to greater business risk, particularly cyber risk. Data minimization can help organizations reduce this threat.

Corporate data continues to proliferate at a rapid rate. Over the next five years, IDC Global DataSphere forecasts that the total amount of data created will grow at a compound annual growth rate of 21.2% annually and reach more than 221,000 exabytes (or 221 billion terabytes) by 2026.[1] Nearly three-quarters of C-level executives surveyed last year said they expect the volume of data their organization manages to grow very fast over the next five years, according to a report commissioned by data analytics solution provider Ocient.[2] Put simply, that’s a lot of data not only to manage, but also to protect. And it’s not just large enterprises facing this challenge. A 2023 survey of U.S. middle market businesses by professional services company RSM found that 77% now have a function dedicated to data security and privacy, up from 60% who said so the previous year.[3]

Enterprise data protection has never been more important, and it remains at the core of all Mimecast software and services. However, there are also opportunities for organizations to limit the data that they hold on to — an approach that not only decreases cybersecurity risk, but also can bring down operational costs. Such data minimization can also help organizations comply with existing and emerging consumer data privacy regulations as well. 

As the CIO of a global law firm recently explained, a clear shift is occurring in the way businesses must think of data — from “data as the new oil” to “data as a weapon” that can be used against an organization. While it’s important to leverage data that creates business value, it’s just as important to get rid of data that an organization no longer needs. Balancing tradeoffs between data risk and opportunity requires a change not only in approach, but also in mindset and technology, and cyber leaders can play a central role in making the case for data minimization.

Data Minimization 101

Data minimization is straightforward in theory. It’s the practice of limiting the collection, storage, and processing of data to only what a company actually needs for business operations, regulatory requirements, and legal proceedings. 

Limiting the amount of personal data an organization collects, stores, and processes is the bedrock of many data privacy regulations around the globe aimed at protecting consumer data. The EU’s General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) have data minimization requirements, as do an increasing number of data privacy laws in the U.S., including statues in California, Virginia, Colorado, Utah, and Connecticut, which go into effect this year.[4][5]

More Data, More Problems: Reforming Data Hoarders

While the proper care and disposal of personally identifiable information is critical, it’s not the only type of data governance that companies should consider in their data minimization efforts. As one information governance and compliance expert recently wrote, “the accumulation of unmanaged corporate data has reached an inflection point for data security and information management professionals.”[6] The solution? “If you don’t need it – delete it,” he says. 

While easier said than done, that is the goal for the global law firm CIO who discussed his data governance efforts. The law firm was retaining data on cases that went back decades. “The firm’s position had been to keep all the data that we can,” the CIO explained. But the more data the firm accumulates, the more data there is for cybercriminals to weaponize against the firm or its clients. The CIO’s aim is to get rid of data that the firm no longer actively uses. “There will continue to be cases where partners or clients want us to go back to cases from 20 years ago,” he said. “So, we’re having those conversations about the tradeoffs involved.” It’s a considerable shift in the status quo, so the data minimization effort requires the CIO to work closely with the firm’s leadership and board throughout the process to ensure they understand how this will reduce risk for the organization. 

Balancing Risk and Opportunity 

Significant risks are associated with the unnecessary retention of data. It can expand the blast radius of a cyberattack — increasing the volume of data involved in a breach as well as the number of individuals impacted by it. It can also drive up the cost and complexity of a data breach response and increase the risk of non-compliance with privacy laws and enforcement actions. In addition to these multiplier effects, there’s the increased cost involved in retaining more data in terms of data storage, governance, and backups.

Ultimately, effective data minimization comes down to weighing the business value of data against the risk of its collection or retention. It’s not simply a matter of putting a cap on data volumes but of understanding which data matters and purging the rest. That’s where the art of data minimization comes in. Experts in the practice of data minimization offer these steps for how to begin:

• Establish a strategy of active data management. The powers that be must make clear that all corporate data, including employee-controlled data, must be actively governed.
• Make the case for data minimization. Work closely with the executive team, board of directors, legal and finance leaders, and other key stakeholders to educate them on the risk mitigation benefits and get their buy in.
• Create data management policies. Guidelines should clarify the organization’s policies regarding records management, data privacy regulations, and data disposal.
• Enforce and automate data governance policies. Policy enforcement and automation of key processes — such as data capture, retention, and disposition — can streamline data minimization and governance efforts, helping to ensure the retention or disposal of data as necessary.

The Bottom Line 

There’s no question that data is one of the most valuable assets of any business in the digital age. But not all data has business value. Data minimization can have a positive impact on cybersecurity efficacy, regulatory compliance, and operational costs. Creating policies and procedures to securely dispose of unnecessary or extraneous data can help focus efforts to protect high-value data. Read more about the importance of securing data from unauthorized access, use, or disclosure in protecting your organization against cyber threats.

[1] “High Data Growth and Modern Applications Drive New Storage Requirements in Digitally Transformed Enterprises,” IDC whitepaper, sponsored by Dell Technologies and NVIDIA

[2] “The World Is Moving Beyond Big Data, According to Ocient Survey of 500 Data and Technology Leaders,” Ocient

[3] “2023 RSM US Middle Market Business Index Cybersecurity Special Report,” RSM

[4] “Data Minimization Policies: A Key Requirement for Effective Cybersecurity,” Archive360

[5] “U.S. data privacy laws to enter new era in 2023,” Reuters

[6]  “Data Minimization Policies: A Key Requirement for Effective Cybersecurity,” Archive360