Decide What Data to Keep


In this section, we will discuss emails. Despite the imagery portrayed of emails being like a sealed envelope, unencrypted emails are often sent through multiple servers in plain text on their way to their destination. Once they get there, a pile of 10s of 1000s of emails can be a treasure trove of personal information to hackers.

In this section, we explore some of the security practices around securing the data we keep in email and the cloud. Most of the security practices mentioned in the above sections are focused on preventing security breaches of your data. When it comes to email and cloud, these practices are especially important. If you haven't already, make sure that you've hardened the logins for all your email and cloud file storage systems using the steps in the Password Section above.

It's not enough to assume that we'll be perfect when it comes to preventing security breaches. The next level of security considers how to minimize the amount of data that would be compromised if your data were to be breached. This is where a "Data Retention Policy" comes in. The main idea in a data retention policy is to switch from a mindset of "do I need to keep this?" to a mindset of "why am I not destroying this?"

The risk: Nearly any piece of personal data accessed by an attacker in a breach can be used to access other areas of your personal life, be used to gain access to other accounts, or be used in a social engineering attack. It can contribute to identity theft, be used to damage your reputation, be used as blackmail material, be released to the public directly, or be sold to third parties.

This way, if your data is ever breached, the amount of data that is compromised will be much less than if you had emails going back several years.

Overview of Data Retention Policy Example

  • Only keep emails in your main email accounts for a period of 1 year.
  • Emails older than this will be deleted.
  • Emails in any accounts that you no longer actively use will be deleted entirely.
  • Any email you deem important for more than 1 year will get stored outside email for a particular reason. This includes Legal contracts, documents, regulatory things (taxes, employee filings, etc), Software License Keys, and a few others.
  • Actively delete any sensitive information you send or receive (SSN, credit card numbers, passwords, etc).

Important: People working in certain industries may be prohibited from doing this for legal compliance reasons. You may want to check with an attorney if you're doing this for other than personal email.

How to Do This in GSuite (Google's Paid Email Solution)

How to Do This in Gmail

Apply the Same Concept to Other Cloud Data

Once implementing a data retention policy for the data kept in email, apply the same idea to all the places your data is stored in the cloud.

  • Consider other Google Services, like Google Drive, Calendar, Contacts.
  • Consider cloud files storage platforms like Dropbox, Box, OneDrive, and others.

Backup & On-Disk Data Retention

It's a good practice to make sure that you would easily survive any of your devices being stolen or lost - not just things in the cloud. This entails two major areas:

  • Make sure your devices are backed up, such that they could be stolen at any time and you wouldn't lose any data.
  • Assume that, once stolen, attackers would be able to access any data on your device. Is all the data you keep necessary?

Browsing History

The browsing history and cookies in your browser can sometimes be a security risk. It's a good practice to clean these regularly. To do this:

  • In Chrome: History,  Clear Browsing Data
  • In Safari Mobile: Settings, Safari, Clear History and Website Data

Old Accounts

  • Go into any old accounts you used to have and do your best to remove your data from their servers.
  • Watch out for trash: Deleted items can end up here and are still stored until permanently removed from the trash bin.