Collecting Data? Start with 'Why?'
If your company's software stores any customer data, the last few weeks of business news should give you pause. Among compounding woes, ride-sharing app Uber faced removal from the iTunes store after violating the privacy of iPhone users. Likewise, the Slice Analytics-owned Unroll.me is experiencing a very public backlash after revelations that it sold personal data gleaned from user inboxes. Nor should we forget last year's Pokemon Go, which faced deep criticism for its far-reaching access to user devices. Add to these examples the costly data breaches at companies such as Yahoo and Target, which failed to protect sensitive customer information. The list gets longer still, establishing that it is not a matter of if but when a company's data will be compromised.
If software is core to your business, can you answer the following about what you are storing?
- What data is collected?
- What is done with the data once it is collected?
- How is the data being transported?
- Who owns the data?
- Do customers understand how the data is collected and used?
- What are the consequences if the data was lost or stolen?
Thinking through these basic questions, it becomes clear that protecting data at rest, in motion, and in use is no simple task. One approach to mitigating that risk is embodied in the German word Datensparsamkeit, or 'data economy', as described by Martin Fowler:
Datensparsamkeit is a German word that's difficult to translate properly into English. It's an attitude to how we capture and store data, saying that we should only handle data that we really need.
— Fowler, Martin. "Datensparsamkeit" MartinFowler.com, https://martinfowler.com/bliki/Datensparsamkeit.html. Accessed 27 April 2017.
This idea of data economy adds a powerful concept to our software toolbox. Framing the problem this way means beginning with why we need the data. Successfully defining the objectives from the why will then guide the how and the what of the data collection effort. Take a few example questions for consideration.
- Is the data required to deliver your product?
- Does use of the data subject you to stringent compliance and regulatory requirements (e.g. HIPAA, PCI, SOX)?
- How will the data be transported from the customer to your server, and how will it be stored?
- How will customers perceive the collection of the data?
Questions such as these may reveal that the collection of a few extra data elements is not worth the risk. The collection of additional customer data can be delayed as a future enhancement as business objectives expand or change. Before your next software project, start with why you are collecting the data, and make sure you do not take on more risk than you are willing to accept.
A big shout-out to our awesome clients, who continually provoke thoughtful conversations regarding their mobile and web applications! Also, to our friends over at the CyberDef Dojo who meet regularly in San Antonio and help make sense of the Information Security landscape.