
Data Storage and retention.

  • 02-03-2016 4:03pm
    #1
    Registered Users Posts: 1,456 ✭✭✭


    I appreciate the safe place thread has been closed as it was deteriorating into nonsense but...
    Most of us are in the business of collecting storing and using vast amounts of data. We all know that the storage is inherently insecure, despite having the data secured against all/most known threats. Whenever a new threat comes to light we apply the patch but know that it won’t be long before another hole is discovered.
    Therefore, should we be paying more attention to what we are gathering and storing? In the case of personally identifiable data, should we consider whether we really need to store it in the first place? If we do, after it has served its purpose, should it be deleted from the current copy and all backups?


Comments

  • Registered Users Posts: 1,456 ✭✭✭FSL


    Hi Anvilfive

    I was thinking more about the data we collect store and use in our day jobs.
    If we are competent we have secured it to the highest known standards but we know somewhere there is a hole which will eventually be exploited.

    Should we therefore, in the case of personally identifiable data, question the purpose/need for what we are storing and should we question the period of time for which it is stored.

    When I first started out, which was before some of your mothers were born, data storage was an expensive premium so you stored only the bare minimum. The largest direct access storage discs were 10MB.

    Now for the price of the 10MB then, if you were writing the number not using a power you would probably cover at least an A4 page in zeroes.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    FSL wrote: »
    Therefore, should we be paying more attention to what we are gathering and storing? In the case of personally identifiable data, should we consider whether we really need to store it in the first place? If we do, after it has served its purpose, should it be deleted from the current copy and all backups?
    The Data Protection Act already requires this to be the case; if you aren't doing this and the Data Protection Commissioner finds out, you're going to run into problems.


  • Registered Users Posts: 1,456 ✭✭✭FSL


    Whenever a significant hack occurs loads of personal data is often leaked to the internet. There have been several high volume/profile leaks in the recent past.

    What I was questioning was the need to collect or store the data in the first place not whether or not the storage/collection complied with the data protection act.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    FSL wrote: »
    What I was questioning was the need to collect or store the data in the first place not whether or not the storage/collection complied with the data protection act.
    Which is exactly what I meant. Collecting surplus data or keeping it longer than needed goes against the Data Protection Act, even if you never get breached.

    [edit] The Data Protection Commission even has case studies of both excessive information and retention issues on their site.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    I think the LoyaltyBuild data breach from a few years ago is a good example of what NOT to do with data : data that should not have been stored at all (CVVs), data that was retained far beyond the period of time it should have been (other Credit Card data plus personal data) and data not being kept safe and secure (entirely unencrypted).

    My wife's credit card details and personal details were part of the data taken. The credit card details were not that important as the card had well expired at that point. However, her name, address, email and phone don't expire! Who knows where they are now and to what use they may be put in the future.

    Huge FAIL on almost every level for LoyaltyBuild.


  • Banned (with Prison Access) Posts: 16 drcortex1124


    Blowfish wrote: »
    Which is exactly what I meant. Collecting surplus data or keeping it longer than needed goes against the Data Protection Act, even if you never get breached.

    I suppose, Blowfish, there might be a difference between what's legal and what companies can get away with.


  • Registered Users Posts: 1,667 ✭✭✭Impetus


    Blowfish wrote: »
    Which is exactly what I meant. Collecting surplus data or keeping it longer than needed goes against the Data Protection Act, even if you never get breached.

    [edit] The Data Protection Commission even has case studies of both excessive information and retention issues on their site.

    Who are the biggest long term retainers of personal and traffic data? The phone companies. Depending on the type of data, Germany either bans it completely or limits the retention period to six months. I suspect Eir/Eircom/Telecom Eireann has stuff going back for a decade or more. To be sure, to be sure. Just in case etc. Other big offenders include the payment card companies. I suspect the NSA has Visa and MC transaction data going back since at least 9/11. Because of Visa and MasterCard's international monopoly, this data covers the entire planet. Back in the day Europe had its own Eurocard - which has been allowed to be sold to MasterCard. So Europe has no payment mechanism of its own to defend its citizens against state hackers of all colours.

    Payment card transaction data typically includes which airlines you use, which flight numbers, dates, and locator codes, who was travelling with you, etc as well as car rental car agreement data.

    The French have a 'fiche des louers' which is a real-time database of car rentals - with drivers' license numbers, dates of birth, name, etc. How often is that data systematically destroyed? If ever.

    I know the eircode/fake 'postcode' is being abused in Ireland by certain data hoarders postcoding old forms drawn up 30+ years ago, so they can link them to where people lived back in the day. No doubt there are address management services who provide postcoding services capable of going through old customer databases and assigning postcodes to them.


  • Banned (with Prison Access) Posts: 20 Refor1981


    Think you guys would enjoy reading Bruce Schneier's essay: Data is a Toxic Asset. Have posted about it in another thread.


  • Registered Users Posts: 1,667 ✭✭✭Impetus


    Refor1981 wrote: »
    Think you guys would enjoy reading Bruce Schneier's essay: Data is a Toxic Asset. Have posted about it in another thread.

    I presume you mean this?

    https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html

    It seems to me that perhaps there should be a data retention tax on personal data held for over six months, applying to private entities as well as governments. If your organization wishes to hold personal data for statistical purposes - fine - de-personalise it by removing transaction, account and other ID info that connect the record held with the identity of the person. Many toxic assets are recycled and cleaned and given a new life, if the waste disposal chain is properly managed to segregate in the flows.

    Schneier also has a security podcast, monthly at
    http://crypto-gram.libsyn.com/
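The two practical points raised in this thread, liamo's (never store fields like CVVs at all) and Impetus's (de-personalise records held past six months by stripping transaction, account and identity fields), can both be enforced in code. The following is an added example written for this page, not code from any poster or from boards.ie; the field names, the 182-day retention window and the sample records are all constructed for illustration.

```python
from datetime import date, timedelta

# Hypothetical policy values. The six-month window follows the suggestion above;
# the field lists are constructed for this example.
ALLOWED_FIELDS = {"record_id", "name", "email", "phone", "amount_eur", "created"}
NEVER_STORE = {"cvv", "card_number"}            # must never be written to storage
IDENTIFYING_FIELDS = {"record_id", "name", "email", "phone"}
RETENTION = timedelta(days=182)


class MinimisationError(ValueError):
    """Raised when input carries a field the policy forbids storing."""


def minimise_on_ingest(raw: dict) -> dict:
    """Collection-time check: refuse forbidden fields, drop anything not allow-listed."""
    forbidden = NEVER_STORE & raw.keys()
    if forbidden:
        raise MinimisationError(f"refusing to store {sorted(forbidden)}")
    return {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}


def depersonalise(record: dict) -> dict:
    """Keep only the statistical fields and coarsen the date to year-month."""
    kept = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    kept["created"] = record["created"].strftime("%Y-%m")
    return kept


def apply_retention(records: list[dict], today: date) -> tuple[list[dict], list[dict]]:
    """Split stored records: recent ones stay identified, older ones are de-personalised."""
    cutoff = today - RETENTION
    identified, statistical = [], []
    for rec in records:
        if rec["created"] < cutoff:
            statistical.append(depersonalise(rec))
        else:
            identified.append(rec)
    return identified, statistical


# Constructed sample input; addresses use the reserved .invalid domain.
SAMPLE_INPUT = [
    {"record_id": 1, "name": "A. Example", "email": "a@example.invalid", "phone": "000",
     "amount_eur": 42.0, "created": date(2015, 6, 1), "loyalty_tier": "gold"},
    {"record_id": 2, "name": "B. Example", "email": "b@example.invalid", "phone": "001",
     "amount_eur": 17.5, "created": date(2016, 2, 20)},
]
# A record that arrives carrying a CVV; the ingest check must refuse it outright.
REJECTED_INPUT = {"record_id": 3, "name": "C. Example", "amount_eur": 9.0,
                  "created": date(2016, 3, 1), "cvv": "123"}


def run_demo(today: date = date(2016, 3, 2)) -> tuple[list[dict], list[dict]]:
    """Ingest the sample records through the allow-list, then apply the retention split."""
    stored = [minimise_on_ingest(r) for r in SAMPLE_INPUT]
    return apply_retention(stored, today)


if __name__ == "__main__":
    identified, statistical = run_demo()
    print("still identified:", identified)
    print("de-personalised:", statistical)
    try:
        minimise_on_ingest(REJECTED_INPUT)
    except MinimisationError as err:
        print("rejected at ingest:", err)
```

Two caveats a practitioner would add: the retention job has to run against backups as well as the live store, or the original question about backup copies is left unanswered; and removing identifiers is not the same as anonymisation, since a precise amount and date can still single a person out, which is why the date is coarsened here and why aggregating before long-term storage is safer still.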

