yes! yes! yes!

my vote is that if it is not being paid, it should not have to maintain the files; except, of course, unless it is an e-discovery issue. I admit that I am not read-up on all of this story, but nothing reported here or in the article linked, says that it is an e-discovery issue. If a governing body requires it (when it's not for e-discovery), that body should pay. If this was an e-discovery issue, the 3rd party could make a business-loss claim against its insurance company for payment, and that insurance company should have plans in place to mitigate against an extended period of time. . . . I admit that this is probably an issue for those whose data it is, and I think the network should now plan for such occurrences to happen again in the future (data-owners should have redundant systems for the same data, AND\OR The business owners [not the host] should have redundant systems and to auto-enable the data owners to remove their data; and to put clauses in their agreements to enable access-for-the-explicit-purpose-of-determining-contact-for-the-data-owners, in such a situation as this only, to enable a governing body to contact the data owners to notify that there is a small charge required to retrieve their data [for instance]. AND\OR The business owner [the host] should build-in an agreement with its customers for access only under supervision of a governing body [or something like that] to determine contact for the data owners.) For a business to be required by a law\court\rule to maintain the data in a situation that is not insurable, that is actually preventing the host from doing business. my .02

The issue is not going to go away, so, 'The role of IT' is not really the issue. The issue is really one about the culture of the business: IS business conducted in a manner with risks that could potentially cost, or is business conducted in a manner that deliberately minimizes those risks?

What I have seen is that either their lack of understanding of the need for security exists solely because they really have no idea (even that they have been operating under false assumptions that the 800 pound gorillas that they use in their daily work will some how 'save' them), or, it exists because they choose to ignore facts. -Some would say that ignoring facts could be thought of as a strategy for operations, but that's another conversation. When they have already chosen to ignore, logic is not going to convince them without a great big fight. So, in that scenario, as the first commenter here suggested: Walk away from the endeavor. But if it's that they really have no idea or are misinformed, in my experience, to be successful in getting buy-in for the need, I had to be ready to take the conversation through the entire scenario. --> Start by asking them how much they enjoy \ can afford risk. The answer is usually “not much.” This opens the path to a conversation about how much risk exists in \ for the organization, why and how\where it exists, and how risk can be mitigated by proper management of it, and the potential consequences of failure to do so. Of course, to have this conversation, you must be educated and convincing in your knowledge, and you must be able to point to relevant examples. --> identify a serious problem; demonstrate a 'fix'; and obtain buy-in to resolve it. --> THEN there are the initial costs to discuss concerning your proposals for the remedy \ mitigation efforts. Here, you must really be prepared AND understood by your audience, so your 'talk' has to be knowledgeable and practiced. You’ll most likely have to initialize a risk analysis for the organization, as well as a ROI analysis. You must also be able to convincingly convey the concept of 'increased risk with time', and speak to their desires for success and good reputation. If you want to be doing this; if you are passionate about the cause; if you are comfortable with 'the end justifies the means', then this is something you MAY be able to accomplish. But if you are not able to passionately talk about the issue and its causes and its costs and its fixes, you will be wasting your time, and, also, making it harder for the next person who attempts to get that buy-in.

Not everybody has the talent to be a good author (I don't fool myself). Some writings get muddled, and some responders simply interject confusions. The topic(s) of ‘data privacy rights’, why they are needed, and including who is subject to adhere to regulations concerning them, why they are subject, when they are subject, and the regulations themselves, all deserve to be logically discussed .. . .. .Because there ARE regulations. -Regulations concerning information that a person or other entity may hold [about] another person, or other entity, which, if obtained by an unauthorized 3rd party, could be used in an unauthorized manner. (If you legitimately [authorized] collect and save someone else's information, you have a responsibility to protect that information from unauthorized access, viewing, collection and\or use. And, generally, authorized for your use does not authorize you to authorize any other person or entity.) The Ops’ title is: - “Employee-Owned Devices Muddy Privacy Rights” - Business and Tech headlines lately are loaded with mentions about, and references to such things as, “Bring your own device to work(BYOD)”, “Commercialization of Corporate IT”, etc., etc., which talk about employees using their own devices to access work-related assets, for different reasons. As is pointed-out in various comments above, the persons or entities that are subject to the aforementioned regulations are required to take ‘reasonable steps' to comply with those regulations. It is NOT reasonable to ‘assume’ an employee’s personal device is and will remain to be ‘in compliance’ with the subject regulations, therefore, it is NOT a ‘reasonable step’ to openly allow employee-owned devices access to the internal information. The computer systems we saw on television, Star Trek and the like, will one day govern us; but not yet.

As it does become costlier to 'keep all data', regarding business data, when using a data or document 'classification' method which identifies data that poses greater risks for the organization, regulatory and\or legal, or in unnecessary costs, once the data can be moved from 'riskiest' to 'least risky', maybe then it becomes acceptable to introduce the 'unknown' of 'where' the data is located, (if you keep it, at all), but surely not while the data is classified as 'risky'.

Concerning stored data, one way or another, one or more of these requirements comes into play: "confidentiality, integrity, availability", or sometimes "authenticity" If you are seeking 'proof' of any one of these concepts regarding the data, at any of the varying stages of consideration, how can you, or your service provider, prove it if there is a question of "where" the data resides?

What about any differences in the students graduating from Trade Schools vs Traditional Colleges? Does focusing on a trade make any improvement here?

Where tiers are possible in service, service is tiered. This is not new. This is good business. For residential-class service they charge X and they block the port. For business-class service they charge X + and they unblock the port. there's nothing 'unfair' here, the contract defined the tiers. You do not 'own' the network, nor the access to it. You have a contract for access to use the network, and you agreed to fine print in the contract. The fine print states that if you want to run a web server, or email server, you must purchase business-class service. move along now. there is no story here. It has been this way

I am not necessarily pro-Dell, but I am for making money, so I learned 'contracts' -(IANAL) When you call a 'Hardware' company for tech support regarding 3rd party SOFTWARE that the hardware company did not install on the hardware you bought, and so therefore could not have had the opportunity to configure their hardware for that software, how would it be profitable for that company to support you? It could not be. MOSTLY because if they did that for you, they'd also have to do it for everyone else, but mainly because [you contracted with them to provide tech support based upon the hardware and software configuration that you purchased] YOU made the contract for their services. If they were expected to provide unlimited services to you, no matter what you did, then they would have been justified to charge you for that. It's common knowledge that Dell is a hardware company, not a software company. If they tried to charge you for support of software they did not 'build', you'd really get heated. -They would not be able to alter the software to your configurations, so what would you be paying for ? Also, 'increased service' above your warranty -just because its relatively soon after you made your purchase, is not kosher, either. There is no 'Service' without 'contract', and 'Contract' is two-way, never only one-way. On another note - I can say from experience that had you purchased your upgrade from Dell based upon the system as it was sold (you had that choice), they would have slip-streamed all necessary drivers into your installation CD and the entire upgrade process would have been pretty quick. Also, Dell does not abandon their hardware because you change the software. They would continue to provide hardware support as best they could based upon the contract. -Its just that when you change the operating system, sometimes the hardware then needs new drivers and setting configurations TO WORK. So if you expect them to work (provide service) on what you did not pay for, who would it be getting the short end of the interaction? any company's shareholders would have lots to say about that business model.