Should companies minimize their data intake?


How much personally identifiable information (PII) do companies actually need to store?

Organizations are collecting massive amounts of data from customers, mobile devices, and more. Not all of it is stored securely: a roundup from cybersecurity company Huntress, for example, showed that billions of records containing PII are exposed in large-scale data breaches.

How does this happen? Ken Braatz, CTO for SupportNinja, told IT Brew that PII is harvested from users across browsers, search activity, cookies, and more. Companies tap that information to build and sell products.

But more data means more IT infrastructure such as storage, which means a larger attack surface. This is especially true when companies choose to hold onto particularly valuable information such as payment data, Social Security numbers, and more.

“I think a lot of companies out there view customer data as the Holy Grail, and in that they want all of the data and they turn that data into a massive asset,” Braatz said. “I don’t believe that having confidential PII is necessary to deliver value to the customers.”

Risky business. Braatz said that storing PII creates an “enormous amount of risk” because data breaches can expose sensitive information.

SentinelOne recently shared that threat actors can potentially access a company’s PII through third-party vendors. Infrastructure shared with cloud providers, analytics platforms, consultants, and payment processors extends the attack surface.

“PII is like a hand grenade,” Braatz said. “You really need to treat it as such, because it is a risk, if there’s a breach of any type. It’s a risk to your business, it’s a risk to your customers. Nobody wins when that happens…so removing yourself from being a target is the easiest way to reduce that risk.” SupportNinja uses an AI model to scrub any PII from the recorded interactions, he added.


Braatz suggested IT professionals seeking to cut down on PII should establish why they want that data in the first place. He recommended asking the following questions:

  • Is it necessary to complete the transaction?
  • Is it delivering value back to the customer?

“If you’re not clear on why that information needs to be harvested, it probably doesn’t need to be harvested,” Braatz said. “You should be able to determine everything, every bit of information that you collect should have a purpose.”

Data collection in the age of automation and AI. If a company keeps sensitive information, it needs to have the necessary security measures in place, Braatz said.

Srinivasan Swaminatha, managing director for data and AI divisions at TEKsystems Global Services, encourages professionals to think about data governance and security guardrails that allow an enterprise to “still operate at the efficiency that autonomous systems can provide.”

Companies can choose to approach the data risks through a secure data platform construct.

“You’ve got to put real guardrails all across so that the data doesn’t get linked through a [model context protocol] that just is open to the public,” Swaminatha said. “It’s all bringing back that important aspect of what data are you collecting to make decisions for your specific business.”

Swaminatha said that with agentic AI systems coming into play, organizations have to put “real guardrails” across the enterprise to continue protecting platform ecosystems that “both humans and machines can actually reliably make decisions out of that data set.”
