Corporations are not only amassing huge amounts of personal data on their customers as never before but also trading that data, frequently without the customer’s knowledge. As yet, the general public is largely unaware of the uses to which their personal information is being put or whose hands it ends up in. At the same time, companies holding the data must tread an increasingly complex regulatory minefield.
According to Chris Diebler, Security VP at cybersecurity company DataGrail: “Companies are all terrified of not having enough data as data is the new currency. However, companies need to think seriously about reducing these vast mountains of data. The value of data must be balanced against the cost and security risk of maintaining it.”
Companies that fail to secure personal data effectively or trade customer data with third parties face considerable potential brand damage when the details are obtained by bad actors and they suffer identity theft or financial fraud as a consequence.
In early 2024, for example, National Public Data, an online background check and fraud prevention service, experienced a massive data breach that allegedly exposed up to 2.9 billion records with highly sensitive personal data of up to 170M people in the US, UK, and Canada.
M. Nash, CEO and co-founder of software developer Integry says: “Our policy is to treat data as a “toxic asset.” This is a helpful concept to keep in mind when dealing with data. Just as we would with a toxic substance, we aim to minimize the handling of data, limit the number of people who come into contact with it, decrease the amount of time we retain it, and reduce exposure.”
SMEs are particularly vulnerable
Small-to-medium-sized enterprises (SMEs) are particularly vulnerable to data theft as they frequently do not fully grasp the pitfalls of becoming the custodians of ever-increasing volumes of data.
“Smaller organizations may not be aware of the potential vulnerability of the data they possess. They tend to put the decision of how to secure data on the back burner, rather than assess the full security risk and the full cost of doing the right thing…You can do the right thing, but bad actors will still have their say,” warns Diebler.
The first step organizations facing a data deluge should take is to carry out a full assessment of the value of the data they hold. They should not hang onto large caches of data for their own sake but should differentiate it according to the value it represents.
Kathleen Hurley, the founder of Sage Inc., which offers SME infrastructure solutions, says: “To minimize the amount of data you hold, identify where critical and sensitive information is stored. A data map showing storage locations and security patterns helps determine what to retain and manage on a retention plan.”
Smaller organizations must also now navigate an increasingly complex maze of regulations coming from the US and elsewhere.
“Complying with a growing body of international regulations regarding data privacy such as the EU’s GDPR is also a daunting task for many organizations, and the GDPR is just one set – there could be no less than 50 sets of US State regulations that apply directly to data privacy if we don’t take a similarly national route,” says Diebler.
