Failed unsubscribes could be a clue your data's out of control

Credit to Author: eschuman@thecontentfirm.com| Date: Mon, 15 Jan 2024 03:00:00 -0800

Anyone who’s eveer tried to unsubscribe to an email list knows that “unsubscribe” button never seems to work — except to verify your email account is working. But what if that failure arises from something more problematic than an unethical person ignoring the request?

What if it is the latest symptom of the overly distributed data problem?

That’s the same issue that undermines compliance and legal discovery rules such as GDPR’s Right To Be Forgotten rule. It’s also the same problem that makes it all-but-impossible for enterprises to have current and comprehensive datamaps. 

Richard Bird, the chief security officer at Traceable, recently did a noteworthy test where he tried unsubscribing to a variety of emails — and then tracked whether they were actually unsubscribed. 

“Many companies are simply lying about you being removed from their email list,” Bird said. “I expect this is because my email address has been shared across so many campaigns and departments within a company it has basically become embedded code.”

Bird is correct. Data today is replicated and distributed extensively. On the network, it can be copied and used by a massive number of people and business units. And that’s just the start. How many cloud accounts have copies of it? What about mobile devices? Home laptops? 

If we’re talking about a phone, that’s another cloud where the phone is backed up. Then beyond backups, what about disaster recovery systems? 

The ability to truly comply with email unsubscribe requests is just a relatively minor symptom of a much larger IT problem. If an enterprise is sued and the legal folks need  to comply with discovery requests and deliver all communications involving XYZ, IT can certainly deliver everything about XYZ it finds within its servers. But it simply can’t find every instance everywhere.

Murphy’s law is fully in effect, which means that the most damning reference that IT cannot track down will absolutely be discovered months later by a plaintiff’s attorney. Good luck explaining that to an angry judge.

What about your internal people? Let’s say that certain files are destroyed in accordance with GDPR, or perhaps because of a mandated retention rule (where certain files are supposed to be routinely deleted after a set number of months). Users might suddenly need that information. And while many copies still exist in various nooks and crannies of enterprise systems, no one in IT knows precisely where they exist or how to access them.

Welcome to knowledge management in 2024.

“Data duplication has gotten to a ridiculous level,” said Brian Levine, the managing director for cybersecurity and data privacy at Ernst & Young, which now prefers to be called EY. “Companies are having data breaches and what is being stolen are items that they didn’t need to have and that they didn’t even know they had.”

This is why enterprise IT today needs to be doing regular and routine datamapping. For some data, Levine said, “there are a thousand places it could potentially be. Lawyers are all scared that they will make a representation about some piece of data and then it doesn’t turn up.”

If in 2024, enterprise IT management doesn’t know what data they have and don’t have, a few unfulfilled unsubscribes will be the least of their worries. 

http://www.computerworld.com/category/security/index.rss