Data center management staff, privacy staff and security staff are responsible for protecting data in an organization. Surprisingly, many, if not most, organizations do not know where their sensitive data is located and stored, much less have a plan for protecting their old sensitive data.
Legacy and migrated data represent the core types of sensitive data in any organization. Organizations that use mainframe systems, in particular, will have an extensive database of legacy data that includes sensitive information. This may include production data, non-production data, old development test data sets, and other accumulated data.
While security staff members are most concerned about cyber-criminals accessing the data, other potential sources of breach include application vulnerabilities or accidental disclosures, public interest groups, service providers, and even auditors and authorized users. Studies have found that insiders are actually a key cause of data breaches.
The starting point for data protection [1] is for data security staff to know all the data sets that need to be protected. This means looking back at accumulated data, so the security staff can set out new procedures and protection tools for new and accumulated data.
[1] https://enterprisesystemsmedia.com/article/sensitive-data-knowing-what-to-protect-and-how-best-to-protect-it/