What part of ‘get rid of my data’ don’t companies get?

 

By Rob Pegoraro

The letters I get from companies informing me of a data breach exposing my information vary in their apologetic language, with some groveling more than others for the carelessness. But I’ve yet to see one lead off with a commitment to keep less of my data.

That’s despite years of advice from privacy professionals about the importance of data-minimization practices—as in, minimizing the data you retain to limit  the potential damage from a data breach. 

“You collect this sensitive information; what do you do afterwards if you don’t need it for another purpose?” asks Jessica Rich, senior policy advisor for consumer protection at Kelley Drye & Warren and a former director of the Federal Trade Commission’s Bureau of Consumer Protection. “You delete it, because if it’s deleted it can’t be breached. 

And if you must keep sensitive data, store it encrypted until somebody actually needs to see it for a valid business purpose. Privacy professionals have been advocating that for years.

Such data practices are also a core part of the Biden administration’s cybersecurity guidelines and the Federal Trade Commission’s advice to businesses—which the FTC backed up in October with a new rule requiring financial institutions to disclose breaches that involve unencrypted data. 

Alas, businesses seem to keep missing all these memos.

For instance, when T-Mobile lost my data along with that of nearly 50 million other customers in 2021, some Social Security Numbers included, a subsequent apology from CEO Mike Sievert centered on the security consultants the carrier was hiring, not lessons learned about data minimization.

Sievert’s missive did not get into what the carrier thought it was doing holding on to full SSNs years after people had signed up for service—even after having seen this movie before, in the form of a 2015 data breach compromising some 15 million customer files.

Asked if T-Mobile had implemented any data-minimization practices since, company spokesperson Bennet Ladyman says its measures include “honoring consumers’ requests to review and delete their personal data, retaining data only for business, tax or legal reasons, and focusing on the deletion of data that is no longer needed,” pointing to a privacy policy that does not list any data-retention limits.

And when Corebridge Financial, parent firm of multiple financial-services companies, lost the data of my wife and I along with other customers because of its use—along with numerous other firms—of the vulnerable MOVEit file-transfer service—its apology did not mention data minimization either.

Corebridge declined to comment.

Rich, the Kelley Drye & Warren policy advisor, blames the lack of a federal data-security law that would clearly tell companies what to do.  

“More consistent uniform standards would absolutely increase compliance,” she says. “Consumers would understand what their rights are and what to expect.”

A federal law could also impose serious financial costs on firms that fall short, whereas today the FTC can’t fine companies until it finds they acted deceptively or unfairly and then catches them running afoul a second time.

“One of the things that new laws would do is provide for penalties and real consequences when data-minimization requirements aren’t adhered to,” Rich adds.

But while the California Consumer Privacy Act requires data-minimization measures, federal legislation to do the same—for instance, the American Data Privacy and Protection Act introduced last year—remains stalled in Congress.

 

It can be tempting to blame info hoarding on startups high on venture-capital funding and intent on building data-fueled business models, but experts say simple carelessness often explains things.

“You kept it in legacy databases, you forgot about it,” Rich says.

Shana Yates, deputy chief in the FCC Enforcement Bureau’s telecommunications consumers division, says that over her career she’s seen firms reporting breaches of data as old as 20 years, data squirreled away for no apparent reason. Her advice to companies mirrors Rich’s: Data “can’t be breached if you don’t hold on to it.”

Technical debt—that is, legacy systems that were built for historic needs, but fail to account for modern demands—can also factor into the data security problem.

“Deleting old, no-longer-needed data has a labor and time expense,” says Megan Gray, a tech-policy consultant and former chief counsel at DuckDuckGo. “Of course, there’s also the labor and time expense associated with the inevitable data breach.”

“Data minimization is really difficult right now, because whether we like it or not, in many companies we are still in the transition from paper to structured electronic data,” says Gerry Stegmaier, a lawyer and partner in Reed Smith’s tech and data group.

He puts some hope into digitization making data minimization easier: “Security by design and privacy by design might become industry standards instead of better practices.” 

Rich, meanwhile, pointed to an ongoing FTC rulemaking process that could lead to the agency extending its data-safeguards rule to nonfinancial firms: “It would very much increase the scope of data security requirements in this country.”

But at the same time, technology isn’t standing still, and a new survey from the International Association of Privacy Professionals suggested that the advent of a new shiny object is already leading companies to down-rank data minimization.

A privacy-governance report released in November found that even in banking and insurance, data minimization plummeted in priority from an already not-great eighth place in 2022, tumbling another 13 places.

Why? The report’s authors suggested that the problem here might be that AI is always hungry: “This may be due to the completion of data minimization projects, or it could reflect the tension between the data minimization principle and the significant data needs of AI-driven products and services.”

Justin Brookman, director of technology policy for Consumer Reports, says he’s seen this tension.

“While they’re being pressured to get rid of old data on the security side, a lot of companies are feeling pressured to retain data for the purpose of training AI,” he says. “Many of these companies probably don’t have a clear goal in mind, but they worry about being left behind by more sophisticated competitors.”

In other words: New hotness may once again be leaving old bugs back-burnered.

Fast Company

(18)