Extract from Epiq’s article “Minimizing Data to Minimize Exposure: Information Governance and Data Security Overlap”
How important is it for organizations to keep track of their data footprint? The Federal Trade Commission (FTC) thinks this is crucial. On Jan. 9, 2023, the FTC finalized a consent order following a breach. The order had been pending since last October. While there were several components, the part involving data minimization is compelling.
Every organization subject to FTC jurisdiction should take note of how the requirements influence information governance and data security practices going forward. Compliance is an ever-growing space, and more regulators are emphasizing appropriate security priorities in the digital age, so failure to get on board can result in investigations and liabilities.
In 2020, the online alcohol marketplace Drizly underwent a large data breach that put the personal information of roughly 2.5 million consumers at risk. The breach was caused by security failures that the organization had been made aware of two years earlier, when a prior incident occurred. While Drizly claimed to have sufficient security measures, the investigation showed that this was untrue. Violations included the absence of basic safeguards, use of unsecure platforms, and insufficient threat monitoring. A hacker was able to access an employee account and company database and steal corporate logins and personal customer data.
The FTC took action against Drizly and its CEO for this breach and entered a consent order.