Want to avoid a costly breach? Get rid of old data

In a new feature, attorneys S. Gregory Boyd and Gary Kibel outline one easy way to reduce your company's liability in the event of a PlayStation Network-style breach: delete data you don't need anymore. "Think about what data the company can do without. A company cannot lose data it doesn't have," the pair write. "Reevaluate the company policies and consider not storing and collecting data in each instance. Only collect the data really needed -- and that means data tied directly to business goals." This sounds a bit funny, but it's true: "Consider that data loss was not a substantial problem in the 1990s because companies did not have the data to lose." So how do you avoid having too much data hanging around? "Match the data to the goals of your business. Collectively, we need a better reason than 'marketing purposes' to collect data. There is a 21st century problem across many technically-sophisticated industries: substituting data collection and analysis for good judgment." "Data should only be collected if it is part of a focused, clear strategy for adding value to the game company and preferably that collection should improve the entertainment products and experiences offered to consumers. Stated another way, data should only be collected if it is going to be used and the benefits of using it outweigh the costs of collecting, safely storing, and disposing of the data." By getting rid of data on old games, old demographic information that's already been analyzed, and more, you can substantially lower your risk, since each compromised account can cost "several dollars to several hundred dollars per affected record", according to the attorneys, in the event of a breach. The full feature, which outlines six more important steps to protecting yourself from a security failure resulting in the loss of user data, is live now on Gamasutra.