Ignoring Orphaned Data Is Risky Business

A version of this post appeared on CMSWire.


One of the most pressing problems facing Information Management professionals at organizations is orphaned data—data that has no owner.

Without an owner, organizations will experience difficulties managing orphaned data throughout its lifecycle. Organizations need someone to authorize classification by record type or security level, or to pull the trigger on disposition—either to long-term write-once, read-many (WORM) archive or for defensible deletion.

And for most organizations, spoliation isn’t the problem; it’s over-retention. They keep everything forever: from critical business data to junk files—and they incur high levels of risk and cost by doing so.

For all these reasons, handling orphaned data is a mission-critical problem for most organizations. Without the appropriate policy infrastructure and technology capabilities in place, they can’t begin to address ownerless data, and thereby carry the undue risk and cost associated with it.

Let’s take a look at how organizations can get a handle on orphaned data and chip away at those associated costs and risks.

Create a Policy

Start by creating a policy that defines how you'll manage orphaned data. And while the specifics of every organization’s policy will vary, the core of it will typically read something like the following:

Any documents that haven’t been accessed in X years will be considered “orphaned data” (i.e. having no business owner). The Information Management team will take ownership of all orphaned data and will be responsible for managing it throughout its remaining lifecycle, including disposition (deletion or permanent archival).

Once the Information Management team takes over orphaned data, they will determine whether it’s on legal hold.

  • If it's on legal hold, it gets handled according to Legal’s requirements.
  • If it’s not, the Information Management team determines whether corporate records policy requires retention.
  • If it does, the team ensures retention for the required period and then disposes of it.
  • If the orphaned data is neither on legal hold nor required by corporate policy to be retained, the team deletes it—full stop.

You can make this approach more granular by including different time periods for different functions (e.g. Real Estate vs. Billing) or by adding additional compliance decision points (e.g. EPA, NERC-CIP). But by finalizing a basic, tailored approach for your organization, you remove the need to ask whether you can delete orphaned data: You simply follow your organization's policy.

Choose Your Technology

With policy infrastructure in place, decide what technology you need to support your efforts. Even small organizations will have far more documents to assess than they could reasonably do manually.

At the very least, you’ll need a tool to scan your unstructured repositories to determine the last time someone accessed the documents, and a tool to act on the scan’s results, moving orphaned documents to a new location where Information Management can manage them according to policy.

At that point, you have the option to get more sophisticated about analysis: for example, searching inside documents for sensitive data, such as personally identifiable information (PII) or protected health information (PHI), or identifying exact duplicates of other documents.

Moving the documents can also get more sophisticated—for example, leaving a stub that links to the file’s new location so an end user can find it if they need it. Even more sophisticated are pop-ups that tell users to request access from Information Management when they click on the stub.

Finally, deploy the technology that allows you to enforce your policy.
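
As an added illustration (not code from the original post or any particular product), here is a minimal dry-run sketch of the scan-and-decide step: it walks a file tree, flags documents not touched in X years, and applies the policy's decision points in order. The function names, the legal-hold list given as folder prefixes, the retention schedule keyed by top-level folder, retention measured from the last-touched time, and X = 3 are all assumptions made for the example.

```python
import os
import tempfile
import time
from pathlib import Path

YEAR = 365 * 24 * 3600  # seconds; leap days ignored

def last_touched(path: Path) -> float:
    # atime alone is unreliable on noatime/relatime mounts: use newer of atime/mtime
    st = path.stat()
    return max(st.st_atime, st.st_mtime)

def decide(rel, age_years, orphan_years, legal_holds, retention):
    """Apply the policy's decision points, in order, to one document."""
    if age_years < orphan_years:
        return "active"                       # not orphaned yet
    if any(rel.is_relative_to(h) for h in legal_holds):
        return "legal_hold"                   # handled per Legal's requirements
    required = retention.get(rel.parts[0])    # hypothetical schedule, by top folder
    if required is not None and age_years < required:
        return "retain"                       # keep until the period ends
    return "delete"                           # not held, nothing left to retain

def plan(root, orphan_years, legal_holds=(), retention=None, now=None):
    """Dry run: map each file to a decision; nothing is moved or deleted."""
    root, now, retention = Path(root), now or time.time(), retention or {}
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root)
            age = (now - last_touched(p)) / YEAR
            out[rel.as_posix()] = decide(rel, age, orphan_years, legal_holds, retention)
    return out

def demo():
    """Constructed sample tree: relative path -> years since last touched."""
    now = time.time()
    sample = {"billing/inv.pdf": 4, "billing/old.pdf": 9, "hr/case.doc": 6,
              "misc/junk.tmp": 5, "misc/new.txt": 0.5}
    with tempfile.TemporaryDirectory() as d:
        for name, years in sample.items():
            f = Path(d, name)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample")
            os.utime(f, (now - years * YEAR,) * 2)  # set atime and mtime
        return plan(d, orphan_years=3, legal_holds=["hr"],
                    retention={"billing": 7}, now=now)

if __name__ == "__main__":
    print("\n".join(f"{v:10} {k}" for k, v in demo().items()))
```

Because the output is only a plan, Information Management and Legal can review it before any move or deletion is carried out.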

Manage Organizational Change

The third piece of the puzzle is dealing with organizational change. You'll ruffle more than a few feathers managing orphaned data in the way I’ve described here. And while no easy answer exists on how to address this challenge, you can anticipate a few usual suspects to react for these reasons:

  • Legal may want to keep everything because 1) they think it will more often exonerate them than damn them and 2) they don’t understand how to create a defensible disposition protocol, so they fall back on over-retention.
  • Records Management often feels that only the business can decide what is a record and what kind of record it is, so the idea of anyone other than the business owning documents is anathema to them.
  • End users might be scared by a protocol that deletes documents without asking their approval every time. What if we delete something we need later?
  • Information Security may be more focused on protecting the walls than cleaning up what’s behind them and may hesitate to endorse efforts to purge documents.
  • IT is always excited to have less data on the systems it runs and maintains, but it may be uncomfortable taking such a confident stand about deleting data that “the business should own”.

The Time to Start is Now

Although a successful approach to managing orphaned data requires much more than I can cover in a blog post, hopefully you’re better aware of the risks, challenges, and opportunities orphaned data poses at your organization and have a basic understanding of what you need to do to begin addressing it.

And while I haven’t seen a vast multitude of organizations effectively addressing orphaned data, chime in and let us know where your organization is at with orphaned data. Let’s get the conversation started!

Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.