
Privacy compliance and security: Are you collecting too much data?

November 22, 2022, by Drew Robb

Enterprises today must cope with a jumbled mess of data collection and privacy legislation. Most data security policies were written in response to two problems: the risks that come with collecting personally identifiable information (PII), and the need to secure online payments.

But as online fraud has escalated, hackers and social engineers have been increasingly able to access consumer data, which has led to understandable consumer skepticism in e-commerce.

Something had to change. The Payment Card Industry Data Security Standard (PCI DSS) and other standards emerged to require identity verification, data access controls, encryption and other safeguards. This paved the way for broader standards and rules around data privacy. However, these regulations are being enforced against a longstanding enterprise mindset geared toward storing all data collected.

Once organizations realized that storage was very affordable, they decided to keep everything they possibly could, hoping that, in the future, they would have the AI or analytics capabilities to mine it for valuable insights to better serve their consumers.

“There’s been no real mandate for IT to do anything other than keep data for a rainy day,” said Steven Cavey, Co-Founder and Chief Evangelist of Ground Labs, on a recent Cyber Work Podcast.


Wait, what data are we storing?


The people who had begun managing and storing data over the years have since moved on or retired. That’s one of the reasons why companies often don’t realize how much data they have stored or the breadth of personal or sensitive data.

Based on surveys and interviews done by Ground Labs, it became clear that many organizations were unaware of the data privacy obligations that applied to them. They were surprised to realize that they had never tracked where the data they retained was located or how much of it there was. In addition, IT security teams did not have an accurate picture of the many data-handling processes running across the enterprise.

“It often takes an event like a data breach for organizations to learn what they were really storing,” said Cavey. “Such events force them to reassess the situation and look at every bit of data across the entire organization. Only by doing so is it possible to put the right security controls in place.”


Minimizing data breach damage with privacy compliance


Cybercriminals have gotten so adept at penetrating security defenses or phishing users that data breaches are inevitable. So, how do you minimize the damage that could come from an event like that?

Get in front of the problem by enacting a company data collection and retention policy. Then get to work hunting down any PII, credit card numbers or other sensitive information that may be stored within the enterprise, and secure it or dispose of it as the applicable data privacy laws require, before attackers can expose it.

That will help reduce the risk of hefty fines, penalties and PR nightmares if a breach should occur.
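The "hunt down" step above is a data discovery scan: find candidate card numbers and other identifiers wherever they sit, throw out the false positives, and record what was found without creating yet another copy of the sensitive values. The script below is an added illustration written for this article, not a Ground Labs product or anything the interview describes. It scans a constructed sample text, validates candidate payment card numbers with the Luhn mod-10 check (which is why a run of digits in an order ID is not reported), reports findings in masked form, and shows a redaction pass that replaces only the Luhn-valid numbers. The sample lines, the regular expressions and the masking convention (last four digits only) are assumptions for the example; the card number 4111 1111 1111 1111 is a well-known test value, not real cardholder data.

```python
"""Minimal sensitive-data discovery pass (illustrative example).

Finds candidate payment card numbers (PANs) and e-mail addresses in text,
Luhn-checks the PANs to drop false positives, and reports them masked so the
scan report is not itself a new copy of cardholder data.
"""
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not glued to other digits on either side. (Assumed pattern.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; the rest are replaced with '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    kind: str       # "pan" or "email"
    line_no: int    # 1-based line in the scanned text
    masked: str     # masked value, safe to put in a report


def scan_text(text: str) -> List[Finding]:
    """Return masked findings for every Luhn-valid PAN and every e-mail."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):   # drops order IDs, ticket refs, etc.
                findings.append(Finding("pan", line_no, mask_pan(digits)))
        for m in EMAIL.finditer(line):
            local, _, domain = m.group().partition("@")
            findings.append(Finding("email", line_no, local[0] + "***@" + domain))
    return findings


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form, leaving other digit runs intact."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample input: one real-looking test card, two digit runs that are
# not card numbers, and two e-mail addresses.
SAMPLE = """\
order_id=1000000000000001 customer=jane.doe@example.com
card=4111 1111 1111 1111 exp=12/26
ticket ref 1234567890123 (not a card number)
phone 555-0100 note: contact bob@example.org
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print("--- redacted ---")
    print(redact_pans(SAMPLE))
```

In a real inventory the text source would be files, database exports and mailbox archives rather than a string, and the report would carry the location of each finding so the owner can decide whether to delete, tokenize or keep it under a documented retention period. The Luhn filter is what keeps such a scan usable: without it, every 16-digit order number and ticket reference is a false alarm.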



PCI standards and privacy rules


Cavey believes the PCI DSS requirements were written so that financial institutions and commercial businesses clearly understand what they need to do with payment information to achieve compliance. The card brands and banks police these rules.

Any e-commerce website processing credit cards must show evidence of the implementation of good security practices and the ability to safeguard payment details from exposure.

But now that government policymakers are getting involved, the situation is becoming less well-defined. The EU, as well as national and state bodies, are passing sweeping data privacy regulations.

They are good at laying out many rules but weaker at educating companies on the steps required to achieve compliance. And because there is such a patchwork of regulations, it can be difficult for businesses to work out precisely which privacy rules apply to them.

For example, a California business might focus on compliance with the California Consumer Privacy Act (CCPA) but unintentionally miss out-of-state or international privacy standards that must be considered, such as the EU’s General Data Protection Regulation (GDPR).

“If you are selling to customers in Europe and have an e-commerce website or are collecting data from customers in Europe, you need to also be concerned about Europe’s data security laws, which are far harsher [than those in the U.S.],” said Cavey. “The GDPR is one of the toughest data security laws in the world.”


Key privacy questions your organization should consider


Cavey advised organizations to search and find the answers to these data privacy questions:

  • Are you collecting data with people’s permission?
  • Do you have a data protection officer in place?
  • Are you putting the proper security controls around your collected data?
  • Are you getting rid of data when it is no longer needed, or when you no longer have a legitimate purpose for holding it?
  • Do you have the internal resources to adequately cover the locating and securing of sensitive information?


Cavey also called for a change of mindset around collecting data.

“Everyone’s been talking about how data is the new oil. That’s how chief marketing officers and CEOs have considered the data they gather,” he said. “But when you consider the many data privacy laws, all that sensitive data might be better regarded as uranium. It is more like a toxic substance that needs to be treated and handled with the utmost care.”

Drew Robb

Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.