This article makes two compelling points. First, the “punishment” for losing personal data isn’t much of an incentive for any business to radically re-think their business practices. Invest in better security, hire experts, and such? Sure, but radically re-think what they do with data? Not worth it.
The other is best described with this example:
“To offer an example, let’s say I order a pizza from Domino’s. I’m going to hand over my address because I want the pizza delivered, and my credit card number if I don’t want to pay in cash. I’m also going to tell Domino’s what kind of pizza I want. All of this makes sense for Domino’s to have — in the moment. They don’t need a permanent record of where I live or what my credit card number is or whether I want pepperoni or sausage on my pizza. They also don’t really need me to create an account to order the pizza, which their website nudges me to do.
In a better and perhaps less risky world, companies like Domino’s would undertake an effort at data minimization, Schwartz said, meaning the business only collects from the consumer the specific information they need for the task at hand. Might it make ordering a pizza from Domino’s slightly less frictionless next time around when I have to input my information again? Sure. But maybe it’s worth it — just ask the hundreds of thousands of Domino’s customers in India whose credit card and order information was exposed in 2021.”
This is the crux of the problem. Personal information is going to be breached, eventually. There is no 100% secure data. None. No business, government entity, non-profit, or any other place that collects and stores data is completely secure. The only true security for personal information is to not have it. To have not collected it or delete it once it’s no longer needed.
That is the radical re-think that is necessary. It’s also the complete opposite of everything these organizations have been taught and incentivized to do. If we are going to pass federal privacy laws, this should be the central theme.