Home Blog DevOps How to Stay Ahead of Data Retention Requirements Part 1 Record keeping tasks such as data retention and disposal are an essential part of business management and regulatory compliance.
More on the subject:
AWS Security, SIEM, the ELK Stack and Everything In Between How to Build a SIEM Dashboard for AWS Using the ELK Stack Using the ELK Stack for SIEMAt its core, data retention is about data control―meaning that an organization has taken steps to identify data throughout its organization, and then assess its importance, determine how long it will keep it, and then dispose of it. This topic also forces a discussion about how to access data, and how to protect data, but it is important to clarify that “data retention” from a compliance or regulatory perspective, is mostly about data governance and does not necessarily specify tools or data management tools.
Why retain data?In today’s world of highly sensitive data categories (e.g. privacy, health, cardholder, financial, tax, etc.) and increasing regulations, organizations are being forced to clarify data management practices and make certain they take retention rules into consideration.
Regardless of whether a business is required to have extensive retention rules, they may find that their customers, vendors, or partners have requirements and include downflow requirements in contracts and agreements that affect your business practices.
Before an audit or an external assessment occurs, it would be prudent to consider best practices and strategies that are most likely to impact your business.
In this series, we will review data retention requirements and challenges as well as some best practices to overcome them.
Regulatory requirementsRegulations and compliance programs across the business spectrum address data management and data retention. If you are not already facing specific regulatory requirements, then you should consider those regulations that impact your clients and partners.
You won’t have to look far.
For example, in the United States, securities broker-dealers must retain customer account records for at least six years after the account is closed. Financial institutions, casinos and other businesses must retain records required by the Bank Secrecy Act for a period of five years. Additionally, bank records that are not authorized for destruction after a specific period of time must be retained permanently.
Companies outside the financial services industry have similar obligations. Employers subject to the Fair Labor Standards Act must retain payroll records for at least three years, and the Equal Employment Opportunity Commission requires private employers to retain personnel records for one year after the employment ends.
The following table outlines some common regulatory / compliance sources by business category and includes a snippet of retention language from rules or standards.
Regulation-Compliance program
Impact
Businesses
Retention language samples
Impacts any business that works with credit cards, or credit card processing, to protect cardholder data.
Banks, retail, anyone accepting payment via credit cards, financial transaction processors.
PCI DSS 3.1 limit protected cardholder data storage to limits specified in company policy, and in alignment with legal or regulatory constraint.
Banks and financial institutions must meet minimum standards for data processing security to protect privacy, confidentiality, and availability of information.
Banks, financial institutions, insurance, lenders.
FFIEC II.C.22 Policies should define retention periods for security and operational logs. Institutions maintain event logs to understand an incident or cyber event after it occurs.
Impacts any business in the healthcare industry to protect the confidentiality of healthcare data.
Hospitals, doctor’s offices, medical services, healthcare billing, health research, Insurance.
§ 164.105 A covered entity must retain the documentation as required for 6 years from the date of its creation or the date when it last was in effect, whichever is later. § 164.512 An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law.
FISMA/NIST 800-171
Addresses security of all IT systems storing or processing government data.
Federal agencies, state organizations, any contractors to federal government organizations that process / store government data.
NIST 800-53, SI-11 the organization handles information within the information system; handles output from the information system, retains information within the information system; and retains output from the information system.
State/Government laws on Privacy
Impacts any business that has information that includes personally identifying information.
Any business with data related to the jurisdiction.
Rhode Island IDENTITY THEFT PROTECTION law (2015)
There is some commonality to all the programs listed above.
First, all these regulations presume that data management is performed as a core function of the organization. Second, compliance with these rules address IT governance and controls towards protecting and maintaining data and processing systems.
A compliance approach for data retentionApplying security controls prescribed by regulations and compliance programs can be challenging.
For instance, failure to retain sensitive data or recall subject data on demand can result in significant fines [vi] and certainly harsh assessment actions. As such, it is important for organizations to create a comprehensive data retention plan.
Identify your dataData must be identified within systems. For instance: regulated privacy information, or cardholder data, is associated with systems and networks. Assessment of data should be specific enough to determine when/where the data enters the systems, if it is transformed and possibly captured in logs and databases, and where it is physically and logically located.
The assessment process might generate artifacts such as a Privacy Impact Assessment (PIA) or data flow diagrams that illustrate where/when data is moved or stored. Assessment should include addressing any specific requirements from regulation or contracts for retention periods.
Secure your dataThose systems with identified data should have strong security (addressing Confidentiality, Availability, and Integrity) to provide assurance that data is protected and accessible to appropriate parties.
For sensitive data, such as privacy information or customer data, this might imply strong access controls, logging of access and important transactions, a
