Data Breaches are Records Management Problems
As I’ve said here many times, records managers have always provided the same vital service: we manage recorded information – regardless of format or platform – through its entire lifecycle: creation, distribution, use, maintenance, and disposition. This has been true for hundreds of years and it will continue to be true long after all of us are gone.
In the classic movie The Matrix, incomprehensible digital characters scroll down monochrome computer screens like water over a cliff. The cascading characters mean nothing to the movie audience – and they aren’t supposed to. This is data. It takes the movie’s hero, Neo, to put the data into context, providing it with meaning. Neo interprets the scrolling characters to understand the bigger picture, The Matrix. That’s Neo’s superpower: turning meaningless data into vital information.
When the bad guys break into our computer networks – which they are doing with terrifying regularity – they are not doing it to steal billions and billions of meaningless digital characters. Data, by itself, is useless to them. They are breaking into our networks to steal data in context. They are stealing the owner’s most valuable asset: their information.
This distinction is subtle, but important. ‘Data breaches’ are not data breaches. They are thefts of information. More specifically, they are thefts of recorded information – or what we have always simply referred to as ‘records’.
This explains why you always see data breach reports refer to the number of records stolen, rather than how much data was taken.
In 2015, the US Office of Personnel Management suffered a horrific ‘data breach’ in which 21 million records were reportedly taken. The records stolen primarily consisted of background investigation material, including very detailed personally identifiable information, from anyone who had applied for a security clearance over the last several years. (As it happens, this included personal information about myself, my wife, my family and – to my great embarrassment – several of my close friends who I had used as references.)
As I understand it, many of the records stolen during OPM’s breach were from very old security clearance requests that were either denied, expired, or cancelled. How many of those records had long ago met their retention requirements and could have been defensibly destroyed? I have no inside information, so I can’t say. But knowing the current state of records management at every organization, public or private, I can virtually guarantee that some percentage of those records should have been destroyed long before someone broke into OPM’s network and stole them.
And even if none of the records taken from OPM were past due for destruction, effective records management still could have prevented a significant portion – and possibly all – of the information from being stolen. This is because the ‘maintenance’ phase of the information lifecycle has always included moving inactive (or ‘dormant’) records from their original place of creation to a location that provided more security at a lower cost.
Back when records were almost entirely maintained on paper, this often meant physically moving them from the office in which they were created (and typically stored in file cabinets) to much larger, more secure ‘records centers’, either onsite or at a remote location.
Over the last few decades, as records evolved from primarily physical to an overwhelmingly digital format, the ‘maintenance’ phase of the information lifecycle never changed, but the methodologies records managers used to implement it did. Where we were once moving dormant paper records from their physical location, we now digitally transfer records to offline (or near-line) storage, where it is much less expensive to maintain and nearly impossible to steal.
Had OPM been effectively managing the lifecycle of their security clearance records, there is no doubt that the results of their ‘data breach’ would have been far less damaging – and could possibly have even been prevented altogether.
So called ‘data breaches’ are thefts of information and, as such, they are first and foremost a traditional records management problem. Until organizations understand this and include records management as a critical component of their long term cybersecurity strategy, data breaches – and the disastrous consequences they bring – will continue unabated.