Tell the Cloud to Remember to Forget
This week's brouhaha concerning iPhones' stored location data appears to be an artifact of forgetting to forget. This won't be the last time that someone suffers from a relatively novel problem: storage has gotten so cheap that it's getting hard to justify the effort involved in throwing things away. Beware, however, the rising cost of keeping too much in a form that's too easy to find.
Where once we worried about reducing our cost per bit—go ahead, laugh at my forecast of storage technologies and costs made in eWEEK back in 2004—it now seems that remembering to forget has become the greater challenge. Don't minimize the problem: when people discover, as they always eventually do, that something has been captured without their knowledge or permission, and that it's been retained for no admitted reason, it's always bad for brand equity – and can be fiscally painful as well.
The cloud can play a powerful role in getting storage policies under control. This isn't about where things are kept, but what is being kept at all, and old IT models expect (indeed, demand) that data be copied to the edge of the network – where it becomes essentially impossible to know where copies persist or how they're being handled. Cloud-based applications make fewer copies of data and enable far more certain knowledge of who has seen what, when: further, the powerful platform services of Force.com (including, ahem, content management) make it far more likely that disciplined, auditable policies of selective data retention will be implemented and consistently followed.
Data retention used to be a question of labeling boxes of paper with a date for their allowable destruction, subject to a bewildering and ever-lengthening list of requirements to retain various kinds of information for varying periods of time. Employment records: 1 to 4 years. Tax-related records: 7 years. Hazardous material exposure records: 30 years.* Everyone was eager to find ways of getting stuff out of the records room as soon as lawfully permitted. Storage was conspicuous and costly.
As storage gets cheaper, retention rules proliferate, and people with skills in data protection and management become more scarce and expensive, the path of least resistance trends more toward "store everything securely" than toward "don't store it unless you need it." Again, beware: secure storage may look like a less expensive option than disciplined destruction, but the real costs may lie down the road. If you have it, you may someday be required to disclose it.
This is not a brand new problem: 41 years ago, the late Robert Townsend warned us that even in the era of paper file drawers and file cabinets, "the thing that will hang you (even if you're innocent) is your files." More lately, though, as I've previously noted, judicial mandates for prompt and comprehensive e-discovery are going to be ever more aggressive in their demands – and may multiply their costs enormously when something you didn't need to keep turns out to look, to a judge or a jury, like a smoking gun.
I'm not suggesting willful destruction of evidence. I'm talking about a consistently followed policy of retaining things selectively, either because they're useful or because you're required to do so, and letting algorithms—not people—get rid of everything else.
Navigating the maze of data retention rules is just one more of those tasks that add no value when done correctly, but have a major downside if done wrong – or if they seem to have been done without precision and prudent care. Increasingly, these and other aspects of IT will not only be less expensive, but will carry more credibility as to your due diligence in doing them right, if you have them done by an outside party with particular competence in that task.
Stop hiring expensive compliance experts to feed the Minotaur – and stop thinking that the purpose of the cloud is to do things the way you do them now, but for less money. The cloud is a service delivery model, not a technology model, and better data management is a service that most companies need more than they'd like to admit.
*You might want to take a look at your toxic substance exposure data management: as the Registry of Toxic Effects of Chemical Substances takes pains to point out, "The list of substances includes drugs, food additives, preservatives, ores, pesticides, dyes, detergents, lubricants, soaps, plastics, extracts from plant and animal sources, plants and animals which are toxic by contact or consumption, and industrial intermediates and waste products from production processes." We're not just talking about firefighters and crime scene investigators. Caveat præfector (let the boss beware): if you've read this far, ignorance is no longer an excuse.
Licensed under Creative Commons Attribution-No Derivative Works 3.0.