Discovery is not the only reason for retaining data, of course; data has business uses that often live on after any immediate business relationship with a person has ceased. Consequently, the number of organizations that retain data that needs to be protected, and that retain more data over time, continues to grow.
Of course, holding on to data that is confidential puts a burden on the organization: the burden of compliance. Participants in Nemertes security research tell us that the most burdensome regulations – in terms of cost to comply – are the privacy-related regulations: the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA) and even the Communications Assistance for Law Enforcement Act (CALEA) act.

Coupled with these acts requiring data protection are a newer crop of disclosure laws. Before 2003 no one knew the extent of organizational data breaches — generally, there was no obligation to report the loss or theft of data or the compromise of systems. This led to the passing of CA SB1386, the seminal data breach disclosure law. Since SB1386, there have been tectonic shifts in the breach disclosure landscape. Today, 43 states plus the District of Columbia have breach disclosure laws. The good news is that now we have a much better idea of how secure our data is in all the various hands holding it, and companies are getting even more careful in data handling; the bad news is, compliance with disclosure laws can be very expensive. For example, one of our clients spent over $150,000 just notifying people whose data was breached!
With the amount of data resident in data centers increasing, and with protected voice and video conversations joining the party through the spread of UC, organizations have to take more holistic and layered approaches to preventing leaks.




