Think Carefully Before Collecting Data

In this age of ever-plummeting storage costs, some businesses are electing to "store it all" when it comes to consumer data. That is, businesses are storing data regardless of whether there is an actual need, on the assumption that it might be of value in the future. This approach, however, can lead to liability from several sources. First, cardholder information arising from credit card transactions is strictly controlled by the PCI Data Security Standards, as well as the card association rules. Storing and retaining more data than absolutely required by the transaction may run afoul of these requirements. Second, with the growing number of complex and conflicting state and federal (as well as international) laws and regulations governing personally identifiable data, businesses should be inclined to limit the data they collect to that which is required for the transaction, rather than retaining excess data that is not required. Possession of that data may, in and of itself, violate applicable law, or it may simply increase the potential for liability because of the increased volume of data that must be secured.

As an example, a business decided to collect GPS data from its customers' use of its mobile app. In the context of this engagement, the data was not necessary to consummate the relevant transactions, nor was it even useful for demographic purposes. Yet the business insisted on collecting the data because it might have relevance in the future. The problem is that collection of consumer location data is starting to be scrutinized by lawmakers for possible legislation. In the future, a law could be passed that would impact this business's retention of location data. The question is "why run the risk?" If the data isn't needed (i.e., there is no business reason to retain it), why do so? Why create potential liability?

Just because it is possible and relatively inexpensive to collect and retain data does not mean a business should do so. Risk and reward need to be balanced. In general, however, given the sensitivity of consumer data, businesses should think long and hard about collecting data in the absence of a compelling business reason.
