“Companies continue to allow the information haystack to grow and grow and grow,” said Bruce Radke, chair of the data privacy group at law firm Vedder Price. The first step in any company’s assessment of its data should be “really looking at the information you need and getting rid of everything else,” he said…

Radke foresees a time when breached companies will be sued for keeping too much data, with the allegation that poor data management led to more data being lost or compromised than would have been the case had the company adhered to stricter policies.

He said data related to legal requirements or to litigation should be kept, along with anything related to specific business needs, with the rest destroyed. After that exercise, what’s left should be categorized by its riskiness. He echoed a standard recommendation among data-security experts that companies should have a breach response plan on what steps to take should a breach occur, rather than figuring it out on the fly.

Taken from “Cyber Compliance: Data Excess Magnifies Risk” in The Wall Street Journal Online