“If you can’t protect it, don’t collect it”

The theft of the personal data of 4.5 million patients of a US hospital chain prompted Bloomberg to look at the Top 10 Data Breaches of all time. In their story, they wrote:

The recent attack has gained notoriety for its methods, rather than its size — the hacking group has been prolific in attacking U.S. medical-device companies and drug makers. The chart below shows how the Chinese breach compares with others.

The ranking provides little solace if you’re one of the people whose personal information was stolen and used for identity theft. Yet, with security-software maker Symantec calling this the era of the “mega-breach” and some attacks hitting the nine digits, it’s worth remembering that hackers have many, many other ways to obtain personal information.

Bloomberg included an interactive graphic showing the top 10 data breaches and who did the breaching, which is worth a look. The top three offenders are Malicious Outsider, Accidental Data Loss, and Physical Loss.

Daniel Solove, Professor of Law at George Washington University Law School and founder of TeachPrivacy, pulled together a few takeaways from the story including:

  • The leading causes of data breaches often involve workforce mistakes
  • Malicious outsiders often get in because they trick people through phishing and social engineering
  • Organizations are collecting and using data faster than they are able to keep it secure
  • Educate the workforce! Train them once, train them twice, train them thrice. Repeat, repeat, repeat

You can read the rest of Daniel Solove’s comments here. The point that most struck home for me was this one:

If you can’t protect it, don’t collect it.

Here in New Zealand, the Office of the Privacy Commissioner has released a guide for app developers designed to help developers think about what personal details they really need to capture from their users.

The office says:

When apps don’t convey basic information about what the business is collecting personal information for, it’s hard for people to feel confident that their information is being looked after. But when an app developer finds a way to be clear about what is happening, people notice. It’s a way to convey to users that you’re trustworthy, that you know the value of their information and you’ll treat it with respect.

There’s a downloadable PDF of the NEED TO KNOW OR NICE TO HAVE guide, or you can get the gist from the topic page on privacy.org.nz.