How important is it for organizations to keep track of their data footprint? The Federal Trade Commission (FTC) thinks this is crucial. On Jan. 9, 2023, the FTC finalized a consent order following a breach. The order was pending since last October. While there were several components, the part involving data minimization is compelling.

Every organization subject to FTC jurisdiction should take note of how the requirements influence information governance and data security practices going forward. Compliance is an ever-growing space and more regulators are emphasizing appropriate security priorities in the digital ago, so failure to get on board can result in investigations and liabilities.

The Details

In 2020, the online alcohol marketplace Drizly underwent a large data breach that put the personal information of roughly 2.5 million consumers at risk. The cause was due to security failures that the organization was made aware of two years before the breach when a prior incident occurred. While Drizly declared to have sufficient security measures, investigation showed that this was untrue. Violations included absence of basic safeguards, use of unsecure platforms, and insufficient threat monitoring. A hacker was able to access an employee account and company database and steal corporate logins and personal customer data.

The FTC took action against Drizly and its CEO for this breach and entered a consent order. During the public comment period, there were no substantive changes proposed and the order passed with a unanimous vote. Many of the requirements focus on data minimization practices to limit the potential of a future breach resulting from improper data hygiene:

• Stop collecting or storing personal information unnecessary for business needs.
• Destroy any unnecessary data previously collected and send report documenting this to the FTC.
• Publish a retention schedule on their website that details why the company is collecting certain personal information, retention periods, and related business need for retention.

Other requirements under the order include having a comprehensive security program with numerous safeguards including multi-factor authentication and technology that helps accomplish data deletion; having third parties perform security assessments biennially for 20 years; and, the CEO personally having to implement a comprehensive security program at future companies if certain conditions are met relating to job title and consumer data collection.

The Significance

This enforcement action is significant because it spotlights the importance of implementing preventive security measures to limit breach potential. The interplay between strong information governance practices and safeguarding data is continuing to deepen. Organizations should make data governance a continuous effort to effectively protect sensitive data.

While data collection and storage are absolutely necessary for business purposes, it can be a slippery slope. Data continues to generate at an alarming rate and there is no slowdown in sight. The more data an organization keeps, the more data there is to fall victim to a potential compromise. The type of personal information out there also makes a breach even more serious, as it is no longer just someone’s name and birthday. Now, many businesses collect highly sensitive identifiers. Think facial scans, fingerprints, geolocations, user credentials, and more. Hackers are waiting in the wings to get this information and perpetrate fraud or other harmful activities. The FTC recognizes this and expects the trend of requiring data minimization in matters like this will not die down.

The Solution

Data minimization requires ongoing effort and should be a staple in information governance programs. The first step is to ensure that information security and data privacy obligations are intertwined with these efforts. To have appropriate security policies and procedures requires a well-crafted data governance framework to properly manage valuable information and minimize risk. When organizations have a deep understanding of their data footprint, it becomes easier to understand what needs to stay and what can go. Then, they can implement the correct policies and solutions to achieve goals such as minimization and retention management.

This can be a daunting task to take on alone due to time management and compliance concerns. Look for a provider partner that offers a range of technology-enabled and consulting services for planning, executing, and managing data minimization. The right partner will not only have the tech, but also the people who understand the regulatory and reputational aspects that feed into good data hygiene. Tapping into such expertise will help teams understand their internal and external risk exposures and what steps to take to maintain good data hygiene and actively monitor their data footprint.