Data Breaches, Part 3 – Hackers Can’t Steal What You Don’t Have

Does your company collect and keep only the information that is essential for your business? If not, your company is exposing itself to unnecessary risk in the event of a data breach. Data breaches often cause unnecessary liability because companies did not carefully consider what information they actually needed.

Many past data breaches had two consistent themes: 1) companies collected data that was unnecessary for their business; and 2) companies kept sensitive data longer than necessary.

Over-Collecting Data

In the early days of e-commerce (and perhaps even more recently), many companies collected as much customer information as possible. Why not? The marketing department was thrilled at the prospect of collecting that much demographic information about your customers. All of this data created unprecedented targeted-marketing opportunities. And, in the event you had to chase a delinquent customer, your collections department knew everything about them since they were in first grade.

Unfortunately, criminals quickly recognized this treasure trove of data. Today, nearly every business connected to the internet is the target of hackers trying to steal information.

Regulators also took note of this over-collection of data. For example, in 2012, the FTC filed a complaint against Rockyou, Inc., alleging that the company violated numerous statutes by collecting users’ email addresses and passwords and storing them in clear text. According to the FTC, Rockyou had no legitimate business need for that information. Rockyou settled the case with a lengthy consent decree, instituting a detailed compliance and monitoring program. Rockyou also agreed to pay a $250,000 fine. All of this was in addition to the legal and investigative costs to respond to the breach.

Unnecessarily Keeping Data

Liability doesn’t just arise from collecting unnecessary data. Your company also faces liability if it keeps customer data longer than necessary. In 2005, the FTC filed a complaint against BJ’s Wholesale Club, alleging that BJ’s created an unnecessary risk by storing customers’ credit card information for up to thirty days when it no longer had a business need to do so. BJ’s resolved the case with a consent order with the FTC.

Lessons Learned from Past Data Breaches

There are a number of lessons learned from data breach cases brought by the FTC:

  1. Only collect customer information that is essential for the transaction.
  2. Keep customer information for no longer than necessary for the transaction.
  3. Do not collect sensitive information, such as Social Security numbers, unless you have a legitimate business need for the information. If collected, encrypt this sensitive data and purge it as soon as possible after the transaction concludes.
  4. If your company uses a mobile app, ensure that the app only accesses the data and functionality that it needs.
  5. Do not keep customers’ credit card numbers or expiration dates longer than necessary. Also, encrypt this data so that only employees with a critical need can access it.
  6. Limit access to data. Employees should have access to the least amount of data necessary to do their jobs.
  7. Don’t use real customer information in training sessions or for development of new applications. Instead, use fictitious information.
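Lessons 1, 2 and 5 can be enforced in code rather than left to policy documents. The following is an added illustration, not code from the original post: a submitted checkout record is stripped down to an allow-list of fields before anything is stored, and stored fields are purged once their retention window elapses. The field names and retention periods are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Fields the checkout transaction actually needs (constructed allow-list; an assumption).
# Anything not listed here, such as an SSN or date of birth, is never written to storage.
REQUIRED_FIELDS = {"order_id", "email", "shipping_address", "card_token", "card_expiry"}

# Retention window per field, measured from when the transaction completed (assumed values).
# A zero window means the field is dropped as soon as the transaction is done.
# Fields with no entry (order_id) are kept as the business record of the sale.
RETENTION = {
    "card_token": timedelta(days=0),
    "card_expiry": timedelta(days=0),
    "shipping_address": timedelta(days=90),
    "email": timedelta(days=365),
}


def minimize_record(submitted: dict) -> dict:
    """Return only the allow-listed fields; over-collected data is discarded at intake."""
    return {k: v for k, v in submitted.items() if k in REQUIRED_FIELDS}


def rejected_fields(submitted: dict) -> set:
    """Names of fields that were submitted but not needed, for an audit log (values not logged)."""
    return set(submitted) - REQUIRED_FIELDS


def purge_expired(record: dict, completed_at: datetime, now: datetime) -> dict:
    """Drop every field whose retention window has elapsed since the transaction completed."""
    age = now - completed_at
    kept = {}
    for field, value in record.items():
        window = RETENTION.get(field)
        if window is None or age < window:
            kept[field] = value
    return kept


if __name__ == "__main__":
    # Constructed sample submission with two fields the business does not need.
    submitted = {"order_id": "A1", "email": "c@example.com", "ssn": "000-00-0000",
                 "dob": "1990-01-01", "card_token": "tok_1", "card_expiry": "12/30",
                 "shipping_address": "1 Main St"}
    stored = minimize_record(submitted)
    done = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("rejected at intake:", sorted(rejected_fields(submitted)))
    print("stored right after settlement:", purge_expired(stored, done, done))
    print("stored after 90 days:", purge_expired(stored, done, done + timedelta(days=90)))
```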

Prevention is far cheaper than a regulatory complaint or a class action lawsuit. As such, your business units should seek legal department approval for the types of information that they want to collect from customers. Legal should also review and approve policies for storing and purging customer data. These two changes will go a long way toward reducing your liability in the event of a breach.

Photo courtesy of Blue Coat Photos on Flickr.