Em :official_verified:

Gentle Privacy and Security Reminder for Organizations 🔒🗑:

One of the easiest ways for your organization to not have data stolen in a data breach is simply to not have this data.

One of the easiest ways to save your organization future headaches and costs is to simply delete thoroughly the data you do not need anymore, as soon as you do not need it anymore.

Whenever possible, it's even better to not collect it at all in the first place.

You might need to retain some data of course, but when an incident occurs, you will greatly reduce the harm, damage, and cost if you keep only the minimum data required.

You cannot be held accountable for the data you simply do not have.

Keep this in mind! ✔️✨

#TinyPrivacyTip #Privacy #DataMinimization #DataDeletion

15 comments
loucovey

@Em0nM4stodon That kinda depends on the kind of business. The US Banking Secrecy Act requires all companies dealing with the transfer of money to keep PII for seven years. A similar law in the EU requires it be kept for 10 years, and Australia requires 99 years. In the US, PHI has to be kept for 6 years.

Em :official_verified:

@Loucovey

Indeed. This means that this data is still needed for 7 years. But it also means it can (and should) be deleted once it is no longer required to be retained.

For example, if the data is no longer needed, it should then be thoroughly deleted as soon as the legal retention period is over. Whether it is 7 years + 1 day, or 10 years + 1 day, or 99 years + 1 day.

Misuse Case

@Em0nM4stodon @Loucovey This is where security challenges and records management challenges overlap on the Venn diagram.

But data minimization is a good principle for addressing both.

gudenau

@Em0nM4stodon Yeah, but if you collect all of the data, breaches will be easier to detect from the larger transfers! /s

I wish people would get this through their heads: the less of anything you have, the fewer issues you'll have from having it.

BrianKrebs

@Em0nM4stodon Amen. Or as I like to say, you don't have to protect what you don't collect! :)

Mad Alex

@Em0nM4stodon In German the principle is called Datensparsamkeit, literally data frugality.

Simon Müller :ablobcatcoffee:

@madalex @Em0nM4stodon

Just because it fits, we call the exact opposite of that "Datenkraken", or Data Krakens in English.

Or well, we call the services that do the opposite Data Krakens, not the practice itself

JT the Artful :autism:

@Em0nM4stodon See also... customer credit card info. And names, birthdays, addresses, etc of people that AREN'T even buying services or goods from you!

Pisses me off that random websites want this info from people, and then proceed to have 'data breach accidents'. You deliberately collected this info that you didn't need from users. It WASN'T an accident.

(See also recipe websites, semi social websites, websites that force you to register just to see a free article...)
