The stories have been coming fast and furious over the past several weeks: Apparently many big Internet companies have been collecting more and more data to get to know customers or would-be customers better. All the usual suspects are involved, including Apple, Facebook, Google and Twitter.
Just in case that wasn't scary enough to contemplate, imagine what will happen if one of these companies suffers the sort of headline-making security breach suffered by Sony last year.
The tendency of businesses to collect ever more data about the markets and people they are targeting is at odds with the need for companies to build trust with consumers and, in the case of those who sell business-to-business, with other companies. The temptation for hackers and other malcontents to steal and tamper with that data is overwhelming, which is why it will continue to happen.
That's why the Online Trust Alliance uses its 2012 Data Protection & Breach Readiness Guide to make the case for what it calls "data minimization." The simple fact is that the more data your company is storing, the more damaging the consequences of a data breach, said Craig Spiezle, executive director and president of the Online Trust Alliance (OTA).
Consider this statistic: In 2011 alone, more than 588 incidents were reported. The cost to U.S. businesses was about $6.5 billion; the average cost per user record compromised is $318. That is more than $100 more than what the average per-user breach cost in 2009, according to OTA.
In the guide, OTA suggests that businesses can protect themselves by adopting three simple best practices, all with the aim of minimizing the amount of data organizations are collecting and keeping.
- Periodically revalidate what data your teams are collecting and why. Do you really need all the information that you are collecting about customers or business partners? Sure, the promise of data analytics applications makes it tempting to ask for more rather than less, but if you aren't using certain information, it is probably safer not to collect it or keep it.
- Purge the data that isn't useful. Have you sent a prospect five emails that have gone unanswered over the course of a year? I still receive paper mail solicitations from certain non-profit groups that I haven't donated to in more than 8 years. I know because they are using my pen name (aka my maiden name). Although your marketing team might freak out at the prospect, every business should spend time cleaning up its email databases regularly. Again, the data you don't even realize you still have could be the most dangerous data during a breach. Why are you keeping what isn't useful?
- Review your data archiving strategy. Spiezle suggests that some businesses are so afraid of the compliance police that they are keeping some data way past its expiration date, if you will. Your data management team should regularly determine when it is time to get rid of files. "Validate why you have it and validate why you keep it," Spiezle said.
One final suggestion from OTA: Write the email you would send to customers in the event of a data breach BEFORE one happens, make sure it carries the tone your company wants to convey, and document every step that your company would take to make amends. Your organization won't be clearheaded amid an actual data breach crisis, and miscommunications will make the situation far, far worse, Spiezle said.