The Last Watchdog

on Internet security by Byron Acohido

Yahoo limits hold on sensitive data

Posted on December 18, 2008

Yahoo has taken a bold step by saying it will hold some Personally Identifiable Information (PII), which it gathers from folks using its search service, for no more than 90 days. Google reportedly keeps some PII for 9 months; Microsoft for 18 months.

“This is a good example of a company that’s being proactive in protecting sensitive customer data, rather than being reactive and in crisis mode, post-breach,” says Phil Neray, VP at database security company Guardium. “Industry best practices recommend that you shouldn’t store any sensitive data — such as name, address and social security numbers, as Yahoo has chosen to strip out from its logs — if you don’t have to. This protects against both rogue insiders and criminal threats from outside attackers.”

Neray contends major online sites should not only scrub personal data in a timely manner, but also be very proactive about controlling access to sensitive data while in their possession.

Says Neray: “Another thing that consumers want to know – for all organizations, but especially for major online sites, beyond just routinely scrubbing personal data, is what types of internal monitoring controls have been put in place to protect their sensitive data from unauthorized access by insiders such as administrators.”

–Byron Acohido
