This is the second of two articles on ROT. In part one, we showed how ROT quietly sabotages sustainability targets.
In part two, we focus on the compliance costs. Both articles are stepping stones toward our guide, From ROT to ROI, which reframes ROT not just as a liability, but as an opportunity for measurable business value.
In 2020, Morgan Stanley made headlines for all the wrong reasons. The bank had failed to properly wipe decades‑old customer data from decommissioned servers and storage devices.
After a data breach, regulators fined the company tens of millions of dollars, not counting the damage to the bank’s reputation. It wasn’t just the breach itself; it was the fact that much of the exposed data was obsolete, data that should have been deleted years earlier.
Redundant, obsolete, and trivial (ROT) data lingers in forgotten corners of systems until it becomes a liability. In the first article of this series, we explored how ROT undermines sustainability goals, driving up storage costs, energy use, and carbon footprints. But sustainability is only part of the story. This second piece looks at the compliance dimension, that is, how ROT can put you at what is now very serious risk of fines, lawsuits, and lasting harm to the reputation of your brand.
To help with this, we’ve written a comprehensive guide, From ROT to ROI: a practical roadmap for transforming data clutter into measurable savings.
What sort of ROT is especially dangerous?
From the above example, it might seem like every piece of data is a potential risk factor. Luckily, not all of it is equally dangerous. The most dangerous categories are:
- Personally identifiable information (PII)
  Probably the best known (and most dangerous). Old customer records in CRMs or elsewhere, addresses, phone numbers, and ID details. These often stick around long after they should have been deleted. It’s worth noting that PII is where regulations like GDPR carry the most severe penalties for breaches.
- Financial records
  This refers to things like outdated payment card details, bank account numbers, or transaction histories. These are easy to forget about or store past reasonable use. If exposed, they can lead to both regulatory breach cases and fraud.
- Health data
  Some of the most personal data, and the most likely to trigger popular anger and reputational damage. Patient files, diagnostic results, and insurance information are tightly regulated under laws like HIPAA. Retaining them beyond mandated retention periods is a direct compliance breach.
- Employment and HR files
  Old payroll records, disciplinary notes, or background checks often sit in forgotten folders. These contain sensitive personal data that must be destroyed once legal retention windows close.
- Email and messaging archives
  Large volumes of email are kept “just in case,” but they often include sensitive attachments, contracts, or personal data. Regulators increasingly view uncontrolled email archives as a risk.
- Legacy system backups
  Think physical media in this case: old server images, tape backups, or cloud snapshots frequently contain entire datasets that should no longer exist. They are easy to overlook but can be devastating if compromised.
Summarizing the takeaways
- Redundant, obsolete, and trivial data actively raise compliance risks in an increasingly severe regulatory environment.
- The most dangerous ROT is personal, financial, health, and employment data.
- ROT complicates audits, inflates the scale of breaches, and erodes trust. Sometimes the reputational damage is worse than the fine.
- Managing ROT is not just about being more efficient and saving money, but also about risk.
Even if your organisation hasn’t faced a breach, how much forgotten data is sitting in your systems right now, and what would it cost you if it were exposed tomorrow?
From ROT to ROI
Our full guide, From ROT to ROI, shows how to move beyond firefighting and turn data clutter into measurable savings. It is a roadmap for reducing risk, cutting costs, and strengthening compliance. Download it today.