Oct 23, 2024
COLUMBUS, Ohio (WCMH) -- City documents obtained by NBC4 Investigates show the ransomware attack against Columbus could have impacted fewer people if the city had more rules about how long to hold on to records.
NBC4 Investigates first broke the extent of this hack, when the team saw our own employees' driver's licenses, including Colleen Marshall's, were part of the breach. The data was collected when people visited city hall; some of those visits were more than 20 years ago.
NBC4 Investigates has spent weeks working to get information showing just how long the city should be keeping data. How long a record is kept differs by each department in the city. Each one has a separate form that outlines what data is kept by that department and for how long.
We looked into how this works and if the data we saw on the dark web should have been kept at all, according to these forms. The forms are called RC-2 forms: they are a records retention schedule.
“It dictates how long a specific record can be kept so, for example, something like maybe something related to your driver's license or your driving history, maybe that can be kept for six years, ten years,” Office of the CTO and Security Architect Manager at Check Point Software Technologies Aaron Rose said.
Columbus has a different form for each city department. For example, the form for the mayor’s office, last updated in February, shows personnel files are to be kept for five years after an employee is terminated.
“It is going to vary, often that's going to vary because of the type of data a specific department's going to be holding so, you know, maybe a department of transportation, they have very specific types of records that are going to have very specific retention schedules,” Rose said. “Anything to do with health or human services, that's going to be obviously very highly guarded data.”
Data NBC4 Investigates saw on the dark web included 20 years of city hall visitor logs, including photocopies of driver’s licenses. In the hands of a threat actor, this can do some damage. We wondered why they were kept for so long. Is that city policy?
“There can be legal consequences. You know, it depends on a specific locality and the state government, etc., so some might actually carry a fine. Some of them could have some other type of penalty. So it depends on the regulatory body,” Rose said.
According to the mayor’s office, visitor data from the city hall security desk is held by the Department of Finance and Management. This form was last updated in May of this year, just over two months before the city knew about the attack. However, it has no mention of visitor data.
Other forms, such as for the Department of Technology, and Columbus Public Health, both updated in 2022, do list policies for visitor data. Both are supposed to keep these logs for three years. NBC4 Investigates has asked repeatedly but still has not been given an answer as to why city hall visitor data was kept going back at least 20 years.
“When you're keeping data longer than you need it, you're essentially expanding or creating a bigger, you know, kind of threat landscape or threat vector that can be, you know, lead to additional exposure for the organization,” Rose said.
The mayor’s office sent a statement saying: “Mayor Ginther is committed to continuous improvement. The city’s incident response to the cybersecurity attack will certainly identify opportunities to revise existing protocols to further protect the city’s data and IT infrastructure.”
For months we have been trying to get an interview with the city's Department of Technology, but each time we are told the director does not have time.
No one from the city would agree to an interview on this topic: the city attorney’s office told us this matter may touch on or overlap with litigation questions in the pending class action lawsuits.
We were able to catch up with Mayor Andrew Ginther on Wednesday. We asked about the breach report and when we could expect to see it. This is the report that will outline what was accessed, along with other aspects of how this breach happened. Here is his full answer:
“Well, you know, this investigation takes a great deal of time. And we've got cyber experts that are helping to investigate what happened and what took place. And I think most importantly, what we can be doing in the future to try to minimize the risk and protect the people of Columbus, our employees, our residents. So we've always been wanting to get as much information as quickly as possible, but want to try to make sure that it is as accurate and complete as possible. So we're going to make sure that we're taking our time to get it right. And as we restore more and more systems, we're back at, you know, 74% of the systems being restored. As you know, we've talked several months ago about the most critical ones police, fire, public utilities and so forth have been back up and running for some time. So we're still working on the additional systems and getting those restored. We want to get that done as quickly, but as safely as possible because we don't want to restore those systems unless we know that they're safe. Because the last thing we want to do is, you know, have any issues with data or information getting out there. So we're continuing to work on this, this is a top priority. As you know, when you look at other cities and both public and private entities, this takes a significant amount of time and we're going to continue on with this work.”