The letters I get from companies informing me of a data breach exposing my information vary in their apologetic language, with some groveling more than others for the carelessness. But I’ve yet to see one lead off with a commitment to keep less of my data.
That’s despite years of advice from privacy professionals about the importance of data-minimization practices—as in, minimizing the data you retain to limit the potential damage from a data breach.
“You collect this sensitive information; what do you do afterwards if you don’t need it for another purpose?” asks Jessica Rich, senior policy advisor for consumer protection at Kelley Drye & Warren and a former director of the Federal Trade Commission’s Bureau of Consumer Protection. “You delete it, because if it’s deleted it can’t be breached.”
And if you must keep sensitive data, store it encrypted until somebody actually needs to see it for a valid business purpose. Privacy professionals have been advocating that for years.
And when Corebridge Financial, parent firm of multiple financial-services companies, lost the data of my wife and me along with other customers because of its use—along with numerous other firms—of the vulnerable MOVEit file-transfer service, its apology did not mention data minimization either.
Corebridge declined to comment.
Rich, the Kelley Drye & Warren policy advisor, blames the lack of a federal data-security law that would clearly tell companies what to do.
“More consistent uniform standards would absolutely increase compliance,” she says. “Consumers would understand what their rights are and what to expect.”
A federal law could also impose serious financial costs on firms that fall short, whereas today the FTC can’t fine companies until it finds they acted deceptively or unfairly and then catches them running afoul a second time.
“One of the things that new laws would do is provide for penalties and real consequences when data-minimization requirements aren’t adhered to,” Rich adds.
“You kept it in legacy databases, you forgot about it,” Rich says.
Shana Yates, deputy chief in the FCC Enforcement Bureau’s telecommunications consumers division, says that over her career she’s seen firms reporting breaches of data as old as 20 years, data squirreled away for no apparent reason. Her advice to companies mirrors Rich’s: Data “can’t be breached if you don’t hold on to it.”
Technical debt—that is, legacy systems that were built for historic needs, but fail to account for modern demands—can also factor into the data security problem.
“Deleting old, no-longer-needed data has a labor and time expense,” says Megan Gray, a tech-policy consultant and former chief counsel at DuckDuckGo. “Of course, there’s also the labor and time expense associated with the inevitable data breach.”
“Data minimization is really difficult right now, because whether we like it or not, in many companies we are still in the transition from paper to structured electronic data,” says Gerry Stegmaier, a lawyer and partner in Reed Smith’s tech and data group.
He puts some hope into digitization making data minimization easier: “Security by design and privacy by design might become industry standards instead of better practices.”
Rich, meanwhile, pointed to an ongoing FTC rulemaking process that could lead to the agency extending its data-safeguards rule to nonfinancial firms: “It would very much increase the scope of data security requirements in this country.”
But at the same time, technology isn’t standing still, and a new survey from the International Association of Privacy Professionals suggested that the advent of a new shiny object is already leading companies to down-rank data minimization.
A privacy-governance report released in November found that even in banking and insurance, data minimization plummeted in priority from an already not-great eighth place in 2022, tumbling another 13 places.
Why? The report’s authors suggested that the problem here might be that AI is always hungry: “This may be due to the completion of data minimization projects, or it could reflect the tension between the data minimization principle and the significant data needs of AI-driven products and services.”
Justin Brookman, director of technology policy for Consumer Reports, says he’s seen this tension.
“While they’re being pressured to get rid of old data on the security side, a lot of companies are feeling pressured to retain data for the purpose of training AI,” he says. “Many of these companies probably don’t have a clear goal in mind, but they worry about being left behind by more sophisticated competitors.”
In other words: New hotness may once again be leaving old bugs back-burnered.