Data minimization as a cybersecurity strategy

Is collecting, storing and securing vast troves of data still the prudent move as cyberthreats abound, or is ‘overcollecting’ resulting in overexposure?


You don’t have to protect what you don’t have.

It’s a fairly obvious idea, though it’s a somewhat opposite perspective to most of the cybersecurity recommendations espoused here in the U.S. But as it becomes more and more challenging for IT teams to ensure that their organizations’ data remains safe from cybercriminals, perhaps it’s time for U.S. companies to give the European practice of data minimization another look.

What exactly is data minimization?

Data minimization is a common principle of European privacy law that has not, until now, been part of the American approach. It is a practice that puts the focus on data governance — being intentional about what data you want to collect so that your organization is not “overcollecting.” Determine what data you must have to run your business, data minimization experts advise, and simply don’t collect or keep anything else.

In contrast, the American mindset has always been that data is valuable and organizations should collect all the data that they can get. But as anyone who has been the victim of double or triple extortion is sure to tell you, having all that data (particularly when it’s stored in the cloud) doesn’t always serve organizations well. Rather than focusing only on retention and protection policies to determine how long to keep data and how to store it safely, it’s time for companies to consider whether they really need to be collecting that data in the first place.

Here’s the good news: This is not a control that you need to pay to put in place. Data minimization is just a matter of self-discipline on the organization’s part when it comes to collecting only what is needed. It can be reflected in your internal policies and project design principles, and will by definition minimize the amount of data that a hacker might be able to seize from your company and use against you.

What policies govern data minimization?

Though the U.S. has historically never embraced the concept of data minimization, it is now a timely topic due to the enactment of U.S. data privacy legislation at the state level, including the California Consumer Privacy Act (CCPA), the CCPA’s enhancement via the California Privacy Rights Act (CPRA) and numerous other state-level privacy statutes, which are all designed to improve the data privacy of the residents of those respective states. The CPRA specifically gives California residents the right to know when and how their information is being collected and sold, as well as the ability to opt out. The CPRA also endorses the concept of data minimization by requiring businesses to “not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose” as well as mandating that “a business shall not retain a consumer’s personal information … longer than is reasonably necessary.”

In Europe, the data minimization principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725. According to these provisions, organizations must ensure the personal data that they are processing is adequate to properly fulfil the stated purpose; relevant, with a rational link to that purpose; and limited to what is necessary, with no organization holding more than it needs for that purpose.

How do you determine what is adequate, relevant and necessary?

EU data protection authorities (DPAs) do not formally define terms like adequate, relevant and necessary, but they do provide guidance and checklists to enable organizations to consider these principles. The common theme in all related guidance is that regulators do not approve of organizations collecting data on the off chance that it might be needed at a later date.

Companies operating in the EU and/or holding data belonging to EU data subjects are also well advised to remember that data subjects have the right to have their data erased in the EU, and failure to do this when asked could result in an investigation leading to a fine or an enforcement notice. These requirements are in place to protect EU citizens, and as such, do not apply only to EU organizations; regardless of location, any organization that hosts personal data that is related to EU citizens must abide by these requirements because GDPR has extra-territorial effect.

The CPRA takes a slightly firmer approach to data minimization. The regulations specify that a business can only collect the minimum personal information necessary to achieve the identified purpose and that possible negative effects of collecting too much data need to be factored in. As with the GDPR, key terms such as “minimum personal information necessary” and “longer than reasonably necessary” are left undefined.

Is data minimization a practice your company should employ?


Companies looking to adopt data minimization best practices should begin by asking themselves why they need the data they have collected. As appropriate, policies should be redesigned to ensure the collection and retention of only the minimum amount of information. A periodic review of organizational processes should then be conducted to ensure that the personal data they hold is still relevant and adequate for their purposes — and anything that is no longer needed should promptly be deleted.

In and of itself, data minimization is not a comprehensive cybersecurity strategy. It can, however, be an effective piece of a layered security strategy for companies that don’t want to bear the responsibility for storing and securing more data than is strictly necessary.

Opinions expressed here are the author’s own. 

Bala Larson is head of client experience at Beazley, which she joined in 2007 as a middle-market specialty lines underwriter. She currently manages the company’s Northwest region while also underwriting strategic large accounts for the region’s top broker partners. Bala is based in San Francisco. 
