Friday, June 13, 2014
A newspaper comment that makes sense: Why do companies retain sensitive data in the first place?
by Larry Geller
A Suggestion for Hawaii Lawmakers
As long as I’m still obsessed with why a company can get off scot-free while its customers, whose personal data has been stolen, are left to take precautions and worry that their lives may be impacted by ID theft, I found a strangely relevant comment attached to this USA Today story. It suggests exploring a possible new law to regulate the retention of this data.
I seldom read comments on newspaper websites, but the gods of credit protection directed me to this one.
Here’s a snip from the story:
P.F. Chang's confirms breach in credit card data: Customers should be vigilant about checking their credit card and bank statements.
P.F. Chang's China Bistro said Friday morning that there has been a breach involving data from customers' credit and debit cards used at its restaurants, confirming a report out earlier this week.
[USA Today, P.F. Chang's confirms breach in credit card data, 6/13/2014]
Notice how, as usual in these situations, it falls on innocent customers to take action (which ultimately protects not only themselves but the issuer of their credit cards, often large banks).
Here’s the comment:
The commenter questions why P.F. Chang’s had to store its customers’ personal information in the first place:
Jäsøn Chåpmän · Top Commenter
My question is, why is a company like this storing their customers' personal information? For a business like a restaurant, they should not retain credit card information any longer than they have to (until the transaction has cleared payment). There is no reason for them to be storing this information, and this is a perfect example of the risk in doing so.
So let’s segue back to the Star-Advertiser’s reported retention of a banker’s box, or boxes, of data that ultimately led to the arrest of two people allegedly caught using some of it.
To paraphrase Mr. Chåpmän: why is a company like the Star-Advertiser storing its customers' personal information? For a business like a newspaper, they should not retain credit card information any longer than they have to (until the transaction has cleared payment). There is no reason for them to be storing this information, and this is a perfect example of the risk in doing so.
For some types of business it might be necessary, and I can see it would interfere with (for example) Amazon.com’s modus operandi—they want you to be able to order on one click from a credit card on file.
There need be no contradiction, however: if you’ve given a company explicit permission to store your data, you are also explicitly sharing at least some of the risk that it might be stolen if there is a flaw in their security. If you just buy something, or pay for a meal (or a newspaper subscription), your data can, and arguably should, be deleted when the transaction is complete.
There oughta be a law. Maybe it’s possible.