HIPAA Blog

[ Thursday, October 27, 2022 ]

 

Data minimization and the Drizly case.  News broke earlier this week of a proposed settlement between the Federal Trade Commission (FTC) and the Uber alcohol-delivery subsidiary Drizly.  The consent order is remarkable on its face because it applies to the CEO of the company both while at Drizly and at any other company where he takes a management role.  While that is very unusual, the FTC's focus on data minimization is probably of greater importance.

Drizly suffered a data breach when a hacker got the credentials of an employee and was able to log on and access a lot of information about Drizly's customers.  And Drizly collected a lot of customer and employee information -- much more information than Drizly needed to deliver drinks to thirsty customers.  The proposed consent order will require Drizly to limit the data it collects and keeps, and will require James Cory Rellas to implement similar restrictions at any future employer.

The FTC's goal is data minimization.  Often companies will collect more information than they need to do the job at hand, because it might otherwise be valuable at some point in the future for basic or new purposes.  This is particularly true at initial customer sign-in, or with start-up companies, since they don't know what data they might find useful in the future, and they might not be able to collect it later.

However, while that data may or may not be valuable to the company, there's a truism in data privacy that pushes in the opposite direction: you cannot lose what you don't have.  A data breach can only get the data that is in the database, so the less data you retain, the less you have to protect.

Expect to see not only the FTC, but other privacy enforcement agencies focus more often on data minimization as a breach mitigation strategy.


Jeff [2:01 PM]
