Think Carefully Before Collecting Data
In this age of ever-plummeting storage costs, some businesses are electing to "store it all" when it comes to consumer data. That is, businesses are storing data regardless of whether there is an actual need, on the assumption that it might be of value in the future. This approach, however, can lead to liability from several sources. First, cardholder information arising from credit card transactions is strictly controlled by the PCI Data Security Standards, as well as the card association rules. Storing and retaining more data than absolutely required by the transaction may run afoul of these requirements. Second, with the growing number of complex and conflicting state and federal (as well as international) laws and regulations governing personally identifiable data, businesses should be inclined to limit the data they collect to that which is required for the transaction, as opposed to retaining excess data that is not required. Possession of that data may, in and of itself, violate applicable law or simply increase the potential for liability because of the increased volume of data that must be secured.
For example, a business decided to collect GPS data from its customers' use of its mobile app. In the context of this engagement, the data was not necessary to consummate the relevant transactions, nor was it even useful for demographic purposes. Yet the business insisted on collecting the data because it might have relevance in the future. The problem is that collection of consumer location data is starting to be scrutinized by lawmakers for possible legislation. In the future, a law could be passed that would impact this business's retention of location data. The question is "why run the risk?" If the data isn't needed (i.e., there is no business reason to retain it), why do so? Why create potential liability?
Just because it is possible and relatively inexpensive to collect and retain data does not mean a business should do so. Risk and reward need to be balanced. In general, however, given the sensitivity of consumer data, businesses should think long and hard about collecting data in the absence of a compelling business reason.