In today’s information age, data is the lifeblood of many businesses. From customer demographics to supplier pricing, from health records to financial account transaction logs, few businesses of any substantial size are not highly dependent on information. In fact, the ability to better leverage data is often what separates successful businesses and political endeavors from those that fail. Yet, the collection of data creates a conundrum — while data is needed to flourish, it also creates tremendous risks. It is difficult to protect large amounts of information, and, an organization that loses its information to criminals can be sued, fined by regulators, or even collapse as a result of bad press.
Sadly, most businesses are far better at collecting information than they are at adequately protecting it. We have all read and seen numerous media reports of breaches at major corporations and governmental organizations — even, potentially, at the NSA; tales of hacking and its effects seem to be never-ending. Exacerbating matters is the fact that smaller businesses — which are now often the primary targets of criminals — are typically in far worse shape than their larger counterparts; many lack information-security staff, and do not budget sufficient funds in order to adequately outsource security operations. Many smaller online retailers, for example, have done little or nothing to prepare for the imminent arrival of the General Data Protection Regulation (GDPR) compliance date two months from now; once this new European privacy standard (that impacts business all over the world) goes into effect, such firms could potentially face devastating fines for not properly protecting their customers’ private information.
Complicating the matter — and increasing the odds of a firm facing adverse consequences — is the fact that many online businesses offer no simple way for their customers to remove private information from supplier databases. Even deleting an account does not ensure that the associated records are truly eliminated from backend databases; we have seen multiple examples in recent years in which information in “deleted accounts” leaked from enterprises as the result of hacker breaches that occurred well after the data was supposed to have been eliminated from the hacked parties systems. Additionally, it is often complicated for customers to remove specific data elements; some online retailers, for example, do not let someone save an address record that lacks a phone number — what can someone do if he or she decides that he or she wants to prevent the vendor from having future access to that specific element of data?
In short, while data is extremely valuable to businesses, and data collection a necessary ingredient of most firms’ operations, caution must be exercised in terms of what data is collected, and how it is stored. Information security is not a simple matter. Also, in most cases, the parties to whom the data truly belongs should also be offered the ability to remove all or some of the data if they so desire.