It is somehow already the first week of May, and summer is just around the corner. Hopefully your summer plans consist of a lighter workload, time spent in the water (or near the water, if that is what you prefer), a little bit of a tan (with SPF, of course), and some more free time to review the data you have been slowly accumulating over the course of your career at UMD. We can’t imagine how else you would want to spend a little bit of your free time! Seriously though, not everything needs to linger around forever. Consider using some of your time this summer to go through all of the files you have downloaded to your local storage on your computer, Google Drive, Box, and OneDrive and get rid of things that are simply taking up space. The longer you hold onto files you don’t need, the more risk is involved if you are impacted by a breach.
What Kind of Data Should I Look For?
Hopefully, the majority of the data lurking in your file storage systems pertains to you, but if you work in a role that processes or manages other individuals’ data, then you should be cognizant of what you have and whether it is adequately protected, and you should minimize the amount of time you keep it. If you only have data about yourself, you do still need to pay attention to it, ensure it is properly secured, and minimize instances of unnecessary storage. Here are some common data types to look for:
- “Personal data”: this ranges from less sensitive types such as name, email, UID number, residential address, and birth date to more sensitive types such as Social Security Number, passport number, driver’s license number, taxpayer ID number, credit card number, bank account routing number, insurance number, etc.
- Employee or student records: think about professional development reviews, student transcripts, student resumes.
- Old emails, backups, Zoom recordings. Again, not everything needs to be stored forever!
How More Data = More Risk
In the unlikely and unfortunate event of a data breach, if you have files that are inadequately stored or if you have dozens of old files lingering around that contain personal information, you become a hacker’s paradise! The more information that a hacker has access to, the more information they have to leverage against you. With the right combination of personally identifiable information, hackers can increase the damage they can do. For example, if hackers find enough little crumbs of personal information, they can use them to craft more realistic phishing attacks.
Why Can’t I Keep Everything Forever?
We suggest that you do not retain everything forever for personal security purposes, but there are also instances where you can’t retain everything forever for contractual purposes. UMD has a records retention schedule that you can refer to if you are wondering about how long you should hold onto certain files. At UMD, the most common and important place to pay close attention to retention is within the research space. If you are collecting data from another organization, you likely have to complete a data use agreement, which will specifically outline how long you are permitted to store that data upon project completion. These agreements aren’t just something to sign and forget about; they hold us accountable and are in place to ensure we are appropriately handling the data.
It is also important to note that there are instances where we must retain records for a certain period of time, or there are consequences involved. With financial records, if you don’t have these records retained and ready to provide in the case of an audit, you are subjecting UMD to additional financial costs as a result of an extended audit scope that requires unanticipated time and effort. Similarly, in the privacy/security space, we must maintain a record of activities completed within NIST 800-171 designated timeframes if we want to maintain compliance with that standard.
UMD Resources/Tips
Visit the UMD Records Retention Schedule to view retention requirements over various subject areas, from Administrative Records to Facilities Management Records. If you have specific records-retention-related questions, send an email to Kim Watson (watsonk@umd.edu).
If you want to avoid having to participate in a large cleanup effort of files on your university device, then consider following some of these tips:
- Label, label, label! Gmail allows you to create labels, which act as folders to store emails in. If you have repetitive tasks, or certain subject areas that you receive frequent emails for, make a label and store them there once you no longer need them in your primary inbox. Google Drive, Box, and OneDrive also allow you to create folders where you can (and should) organize your documents. This allows cleanup efforts to be easier to conduct, as your data storage systems will have organization!
- Be aware of any work you do that has retention requirements attached. If something needs to be deleted once you are done with it OR held onto until a designated time, store it appropriately.
- Set aside time on a regular basis to review your files and clean them up as necessary. Even if this is only done on an annual basis, it will take you far!
- Pay attention to where you are downloading files. Sometimes things automatically download to your device after opening them. Check your download settings and consider updating them to only download files if you request to download them.
- Know where your data lives. What systems do you use to store information? Are there any you may have used and forgotten about?
- Limit who you share files with, and update sharing permissions as needed.
Records retention can be an intimidating thing to face, but with regular reviews and implementing some organizational practices it will become easier to manage going forward. It is important to not keep everything forever, both for personal protection and for legal protection of UMD. With summer creeping up on us, consider using some of the additional free time to clean up your file storage systems!