If You Don’t Need Data, Don’t Keep It
I was one of millions of people recently informed that my personal information was stolen from telecom giant T-Mobile. While many articles have focused on what consumers should do if they were a victim of the breach (e.g., enroll in credit monitoring, credit freeze, use 2FA, change passwords), infosec people typically have different questions. How did it happen? When did it happen? What kind of security did the telecom have on their data and networks? How will hackers use the data?
But there’s a more basic question. Why in God’s name did a phone company have my Social Security number? I wasn’t applying for disability benefits with Sprint! I wasn’t establishing a banking relationship with the phone company! Sure, there was the possibility that I might default on my obligation to pay my monthly bill—but that’s true of any contractual relationship. They weren’t extending me credit. While they might be interested in knowing if I have good credit, that doesn’t explain why in God’s name the phone company knew my Social Security number. And it certainly does not explain why they kept my Social Security number. And why they kept it in a database that was accessible. And why they kept it in a database that was not encrypted. And why they kept it in a database that was not secure/secured. Was my SSN something that Sprint/T-Mobile was looking up all the time? Were they providing it to others? Were they selling it?
Why in God’s name did T-Mobile have my freakin’ Social Security number?
We collect more information than we need, use it for longer than we need and keep it longer than we need. There are many reasons for this phenomenon. Lawyers and business people are afraid of deleting data that they might later need. Data storage is cheaper than the time, money and energy it will take to meaningfully go through data and decide what to keep and what to retain (my mailbox has over 18,000 messages—much of it spam). There are no good automated processes for aging out data based on its content. Data is located in multiple places—on hard drives, portable devices, in email, on cloud devices, in backups, archives and with whomever we have shared the data. It is difficult to define data deletion policies within an organization since, for example, an email referencing a sale that has tax consequences might be considered an email (retain for 90 days), a transactional record (retain for three years), or a tax record (retain for seven years). So it’s easier to just decide to keep it forever. Finally, organizationally, it’s not clear who owns data retention/deletion. Often, this task is assigned to the CIO, or possibly the CISO. But the CIO’s job traditionally has been to ensure data accuracy, integrity and confidentiality, not its deletion. Data deletion is more a business function (I know many will disagree) while the CISO is responsible for determining the best technology to accomplish this business task.
But why did T-Mobile have my Social Security number?
A 2013 Forbes article explained why the company demanded SSNs from its customers, noting that “For any service that requires T-Mobile to extend credit, we require some personal information so we can confirm your identity, run credit reports and ensure we send bills to the right address,” said Glenn Zaccara, a T-Mobile spokesman, in the article. “This includes name and address, as well as your Social Security number, which are required by credit agencies to run a credit report. For prepaid accounts, neither name/address nor SSN is required.”
OK, so, after they ran a credit report, which they presumably did years ago when I signed up, why did T-Mobile need to keep my Social Security number?
Not only is this inconsistent with basic privacy law regarding data collection and use, but privacy laws also require entities to retain data only for the minimum period necessary to accomplish the task for which the data has been collected. If T-Mobile needed my SSN to verify my name and address, then once this was done, the data should have been deleted.
Many companies treat data as an asset—and in many cases, it’s the company’s most important and valuable asset. But unneeded data—particularly personal data—is a liability and a disaster waiting to happen. As Marie Kondo reminds us, keep only that which “sparks joy.” And which you are legally allowed to keep.
