These megabreaches are just emphasizing that security isn't enough; you need to be de-risking by driving data purges and asking critical questions of product teams. You need customer location, maybe, but you don't need to store a history of it.
@SwiftOnSecurity Most times the data you need is not the data you store. "Is this person over 18?" requires a boolean, not a birthday, at least once suitable proof is sighted. Similarly, "does this person have a driver's licence?" requires a boolean (and maybe an expiry date), not a copy of the licence. There is SO MUCH stuff stored for the wrong reasons or "just in case".
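The minimisation described in the post and the reply above, as an added Python example that is not from this thread: the stored record keeps only the answers (over 18, licensed, expiry) and the date the proof was sighted, never the birthday or the document scan, and location is overwritten rather than accumulated as a history. `RAW_PROOF`, `MinimalProfile` and the function names are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional

# Constructed sample: what an onboarding form or ID scan typically hands the backend.
RAW_PROOF = {
    "name": "A. Example",
    "date_of_birth": "1990-05-14",
    "licence_number": "X1234567",
    "licence_expiry": "2027-05-14",
    "document_image": b"<constructed placeholder for a licence scan>",
}

@dataclass(frozen=True)
class MinimalProfile:
    """What the product actually needs: answers, not the evidence behind them."""
    over_18: bool
    has_licence: bool
    licence_expiry: Optional[str]  # kept so has_licence can be re-evaluated later
    verified_on: str               # when the proof was sighted, not what it contained

def eighteenth_birthday(dob: date) -> date:
    """Handle the 29 February edge case: roll over to 1 March in non-leap years."""
    try:
        return dob.replace(year=dob.year + 18)
    except ValueError:
        return date(dob.year + 18, 3, 1)

def minimise_proof(raw: dict, today_iso: str) -> MinimalProfile:
    """Derive the booleans at verification time; the raw proof is not retained."""
    today = date.fromisoformat(today_iso)
    dob = date.fromisoformat(raw["date_of_birth"])
    expiry = raw.get("licence_expiry")
    licensed = (bool(raw.get("licence_number")) and expiry is not None
                and date.fromisoformat(expiry) >= today)
    return MinimalProfile(
        over_18=eighteenth_birthday(dob) <= today,
        has_licence=licensed,
        licence_expiry=expiry if licensed else None,
        verified_on=today.isoformat(),
    )

def record_location(store: dict, user_id: str, lat: float, lon: float, seen_iso: str) -> dict:
    """Keep the current position only: overwrite, never append a history."""
    store[user_id] = {"lat": lat, "lon": lon, "seen": seen_iso}
    return store[user_id]

if __name__ == "__main__":
    # Nothing from the scan or the birthday survives into the stored record.
    print(asdict(minimise_proof(RAW_PROOF, "2024-01-01")))
```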
@SwiftOnSecurity
> These megabreaches are just emphasizing security isn’t enough you need to be de-risking by driving data purges and asking critical questions of product teams. You need customer location maybe but you don’t need to store a history of it
This reminds me of a rideshare service owned by a major car company, which I refused to sign up for because they wanted to permanently store a photo of my driver's license and they wouldn't answer even basic questions about their data security.
@SwiftOnSecurity Agree! A long time ago I heard that customer data should be thought of as radioactive. A small amount is necessary but a data lake is just a superfund site.
@SwiftOnSecurity I feel the core issue is that corporations get to record PII/"data" they've accumulated as an asset rather than a liability in their financial reports. It's like "I've stored all this radioactive waste in barrels; those materials are technically valuable, so I'm reporting the barrels of waste as an asset."
If companies started thinking of PII as toxic/nuclear waste, rather than a potential revenue source (and ignoring all the risks), we'd be much better off.
@SwiftOnSecurity and yet, somehow, the only way this ever happens is if someone in the room says "but what about GDPR?" and there's nobody to say "lol yurup."