Over the course of the last 9 months my wife and I have been keeping some information to ourselves. We have only told close friends and family. If you haven’t guessed it yet, we are having a baby. Now, this seems like something you would share with everyone without being too concerned. It is great news and everyone should be incredibly excited to talk about it. Given who I work for, I had to look at this in a more privacy-minded way.
It has been said many ways and by many people that sometimes being silent is more important than speaking. My wife and I have seen our friends and family have children, some of which have added posts to Facebook announcing the child’s name and date of birth. If you are a privacy professional you probably just had a mental flash like, “Name and date of birth? PII alert.” That is what I thought as well. My wife and I decided that if anyone hears about our child, it will be a phone call or text, not through social media. I do not need a malicious actor stealing my child’s identity before they speak their first words.
Now how does this apply to a business? It applies through the idea that, if information does not need to be shared, don’t share it. If there is no need to share it, do not keep it on a system connected to the internet. If you do not need to collect a piece of information to facilitate business, do not collect it in the first place.
Helping one of our clients complete a few PCI SAQ forms highlighted this for me. Essentially, if you do not store credit card information, you are virtually compliant because there is no PCI-related information for you to protect. You cannot lose information if you do not have it.
This also applies to older information that is no longer relevant. Make sure information you retain has value to your business. Once the benefit from retaining the information is exceeded by the cost of retention and/or the risk of loss, it is time to destroy the data.
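The two rules above, collect only what the business needs and destroy it once retention costs more than it is worth, can be enforced in code at the point where data enters a system. The following is an added example, not code from the original post or from the author's company; the record store, field names, retention periods and sample values are all constructed for illustration. It drops every submitted field that is not on an allowlist, keeps only the last four digits of a card number instead of the PAN, and strips individual fields once their retention period has passed.

```python
"""Data minimization and field-level retention enforcement (added example).

Assumptions (constructed for this illustration): records are plain dicts,
the field names and retention periods below are hypothetical policy values,
and no real card data is ever present.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical policy: the only fields an order record may hold, and how long
# each may be retained after the record is created (None = life of the record).
# A field that is not listed here is never stored, so it can never be lost.
RETENTION_POLICY = {
    "order_id": None,
    "customer_email": None,
    "card_last4": None,                      # enough for a receipt, not to transact
    "shipping_address": timedelta(days=90),  # only needed until delivery is settled
    "support_notes": timedelta(days=365),
}

# Fields that must never be persisted no matter what the intake form submits.
FORBIDDEN_FIELDS = {"card_number", "card_cvv", "card_expiry", "date_of_birth"}


def minimize(submitted: dict) -> dict:
    """Keep only policy-listed fields; derive card_last4 rather than keeping the PAN."""
    record = {}
    for field, value in submitted.items():
        if field == "card_number":
            # Derive the display value and discard the full number immediately.
            digits = "".join(ch for ch in str(value) if ch.isdigit())
            record["card_last4"] = digits[-4:]
        elif field in RETENTION_POLICY:
            record[field] = value
        # Anything else, forbidden or merely unlisted, is dropped on the floor.
    if FORBIDDEN_FIELDS.intersection(record):
        raise ValueError("forbidden field survived minimization")
    return record


def apply_retention(record: dict, created_at: datetime, now: datetime) -> dict:
    """Return a copy of the record with every expired field removed."""
    age = now - created_at
    kept = {}
    for field, value in record.items():
        limit = RETENTION_POLICY.get(field)
        if limit is None or age <= limit:
            kept[field] = value
    return kept


if __name__ == "__main__":
    # Constructed sample submission containing far more than the business needs.
    submission = {
        "order_id": "A1",
        "customer_email": "buyer@example.com",
        "card_number": "4111 1111 1111 1111",   # test-style number, not a real card
        "card_cvv": "123",
        "shipping_address": "1 Main St",
        "date_of_birth": "1980-01-01",
        "marketing_flag": True,
    }
    stored = minimize(submission)
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("stored at intake:", stored)
    print("after 100 days:  ", apply_retention(stored, created, created + timedelta(days=100)))
```

The point of doing this at intake rather than in a later cleanup job is that the sensitive values never reach disk, a database backup or a log line in the first place, which is exactly the situation that keeps the PCI questionnaire short.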