
Treat ALL data — not just PII — as if it’s regulated

Poor, poor Boston Globe. 

As if news outlets aren’t already sucking wind, my hometown newspaper has settled a class action lawsuit claiming that it disclosed subscribers’ personally identifiable information (PII) without consent to Facebook via the Facebook Tracking Pixel. (A tracking pixel that the Austrian Data Protection Authority [DSB] recently decided directly violates the EU’s General Data Protection Regulation [GDPR], mind you.)

As a subscriber, I may be entitled to a payment, says the teensy type on a notification from the settlement administration. Geez, I don’t know, though. Do I really want to jump on a money-grubbing, journalistic profit-sapping pigpile? 

Sure, go for it, grab your $3.18, Contrast Security Chief Information Security Officer David Lindner tells me. Insurance will pay the $4 million settlement, and the Globe’s bottom line won’t be affected. 

I’m not surprised at the CISO’s advice. After all, one of Lindner’s recent CISO Insights is to start treating all data — not just PII — as if it’s regulated: 

“Collect only the data required to provide the service or software features to your customers. Do not collect data ‘just in case,’ or blindly in some cases. Know what you are collecting, the criticality/classification of that data, how that data is stored, and how long you are storing that data. Treat all data as if it is regulated, not just ‘PII.’”
—David Lindner, Contrast Security CISO

Did the Globe treat my data as if it's regulated? The Globe denies violating any laws, saying that it’s agreed to the settlement only because litigation is uncertain and pricey, but my gut says it’s doubtful that my data (about specific video materials or services I may have requested or received) was treated as carefully as, say, my Social Security taxpayer number (SSN) or my healthcare data. 

Your doctor doesn’t need your SSN

Not that everybody treats our precious taxpayer IDs with the regulated-up-the-wazoo respect that they deserve, mind you. Have you ever been asked for your SSN at the doctor’s office? Lindner has, much to his bewilderment. 

“I pay attention to these things when I'm out in the world,” he says. “I'll go to the doctor, and they're like, ‘Hey, fill out these forms,’ and I'm like, ‘Why the hell do you need my Social Security number?’

“They never answer that. And I don't fill it in. There's no point in that. A Social Security number is not used for your medical records and never should be.” 

He’s seen it time and time again: There will be a discussion about a new rule and all the types of data that the company needs to collect. There’s a splatter of ideas: “Hey, we should do this!” or “We could do that!” 

Lindner: “I'm like, ‘No.’”

If you don’t collect it, you can’t lose it in a breach

What companies really need to think about is the minimum amount of data needed to achieve the stated purpose, he says. Any extra data is just more stuff you can lose in a breach. 

“I don't want the other stuff,” Lindner says. “I don't want the possibility of collecting all this other data, having it, and then the breach turns out to be so much more terrible if and when it happens.”

Take that doctor’s office that expected you to fill in your SSN on its form, for example: Many such places simply don’t have an answer as to why they need such data in the first place. “If you don't have an answer, then don't collect it,” Lindner stresses. 

This is hard, he admits. Some departments, such as marketing or public relations, want all the data for all the analytics to do all the things. But you’ve got to stop and ask: Do they really need all the information to do what they want to do?

And while you’re at it, are you making your customers aware of every little thing that you’re collecting? 

Companies like Contrast have no choice, Lindner points out: “When we're going through contracts and agreements with prospects and customers, it's amazing how detailed customers are: They want to know about the data that we collect, how it's handled, where it's stored, how long it's there, etc.,” he says. “And it's not just focused on PII. It's anything that would be considered confidential to them, which, for the most part, anything we collect on a customer is highly confidential.”

You really don’t want to be a data controller

Many current data privacy laws focus on confidential data that pertains to a given person, but confidential data goes beyond that when it comes to the type of work that Contrast or other software-as-a-service providers carry out, Lindner points out. Contrast technology involves agents, for example, that have access to customers’ code and their entire environment. Such agents could, in theory, pull a mother lode of information about where they’re running, such as internal IP addresses. 

That information isn’t PII, per se, but it’s system information that could harm the business were it to be leaked. 

That’s why Contrast doesn’t collect such things, the CISO says. “We don't collect those things because we don't need them,” Lindner emphasizes. “We don't need such data to provide our services to those customers. That would be terrible, because then we’d have to protect it. Collecting data turns you into a data controller. And I don't want to be the data controller for things that I don't even need to collect.”
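What "if you don't collect it, you can't lose it" looks like at the code level is an allowlist enforced at the collection boundary: every field an agent may report is declared up front with its classification and retention period, anything not declared is dropped before it leaves the host, and a scrub pass redacts internal IP addresses or SSN-shaped tokens that slip into an allowed field. The example below is added here to illustrate that pattern; it is not Contrast's agent code, and the field names, policies and sample environment are all constructed for the illustration.

```python
"""
Data minimization at the collection boundary (added example, not Contrast's code).

A per-field allowlist decides what an agent is permitted to report; the
declared policy for each field records its classification and how long the
stored value may be kept. A final scrub pass redacts private/loopback IPv4
addresses and SSN-shaped tokens so they are never collected by accident.
"""
from dataclasses import dataclass
from datetime import timedelta
import ipaddress
import re
from typing import Any


@dataclass(frozen=True)
class FieldPolicy:
    classification: str   # label driving storage and handling decisions
    retention: timedelta  # maximum time the stored value may be kept


# The ONLY fields a hypothetical agent may report. Names and policies are
# constructed for this example; anything not listed is never sent.
COLLECTION_SCHEMA: dict[str, FieldPolicy] = {
    "agent_version": FieldPolicy("internal", timedelta(days=365)),
    "language_runtime": FieldPolicy("internal", timedelta(days=365)),
    "finding_evidence": FieldPolicy("confidential", timedelta(days=90)),
}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _scrub(value: Any) -> Any:
    """Redact private/loopback IPv4 addresses and SSN-shaped tokens in strings."""
    if not isinstance(value, str):
        return value

    def ip_sub(match: re.Match) -> str:
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:          # e.g. 999.1.1.1 is not a real address
            return match.group(0)
        if addr.is_private or addr.is_loopback:
            return "[redacted:internal-ip]"
        return match.group(0)       # public addresses are left as they are

    value = _IPV4.sub(ip_sub, value)
    return _SSN.sub("[redacted:ssn]", value)


def minimize(raw: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (payload allowed to leave the host, sorted names of dropped fields)."""
    payload: dict[str, Any] = {}
    dropped: list[str] = []
    for name, value in raw.items():
        if name in COLLECTION_SCHEMA:
            payload[name] = _scrub(value)
        else:
            dropped.append(name)    # never collected, so it cannot be breached
    return payload, sorted(dropped)


def retention_manifest(payload: dict[str, Any]) -> dict[str, tuple[str, int]]:
    """Per-field (classification, retention in days) for whatever was kept."""
    return {
        name: (COLLECTION_SCHEMA[name].classification,
               COLLECTION_SCHEMA[name].retention.days)
        for name in payload
    }


# Constructed sample of what an over-eager collector might gather from a host.
SAMPLE_ENVIRONMENT: dict[str, Any] = {
    "agent_version": "3.2.1",
    "language_runtime": "java 17",
    "finding_evidence": "param id=123-45-6789 seen from 10.0.4.12 and 8.8.8.8",
    "host_ip": "10.0.4.12",
    "env_vars": {"DB_PASSWORD": "hunter2"},
}

if __name__ == "__main__":
    kept, gone = minimize(SAMPLE_ENVIRONMENT)
    print("sent:", kept)
    print("dropped at source:", gone)
    print("retention:", retention_manifest(kept))
```

Running it on the constructed sample drops `host_ip` and `env_vars` outright and redacts the SSN and the private address inside `finding_evidence` while leaving the public `8.8.8.8` untouched. The manifest is the part that answers the CISO's other questions (what is it, how long do we keep it) before the data is ever stored.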

He heard the admonishment to treat all data as if it’s regulated at a recent data privacy confab, and it stuck with him. It sounds like a good idea because at some point, all data probably will be regulated, he predicts. “I mean, there's what, 30 or so state privacy laws that are working their way through the legislative process right now? And, frankly, they're all moving toward the GDPR standard — if not more stringent.” 

How and why to say no

You can check out a U.S. state privacy legislation tracker here.

You can click here to check out the 47 or so proposed class actions against Meta Platforms’ Pixel tracking tool claiming privacy violations that were filed from February to October 2022. 

And when somebody hands you a form that asks for your SSN and can’t tell you why it’s needed, you can click here for 10 ways to politely say “No.” 

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.