• dylanmorgan@slrpnk.net (21 upvotes, 2 days ago)

    The EU GDPR doesn’t go nearly far enough.

    If I order online, my data only needs to be retained until I get my item. An electronic receipt can be sent via email.

    Social networks should have human moderation, and not insist on retaining real-world data about users.

    These things could be accomplished through regulation, and if enough countries (or US states) put those regulations in place it will eventually be more cost-effective for companies to implement the changes globally.

    • wampus@lemmy.ca (2 upvotes, 16 hours ago)

      Tax records are required to be kept for 7 years in North America (generally, as far as I know - def in Canada). So you order something online from a business, they have a business need to keep your data on hand for 7 years in case an auditor / tax person comes asking about it. Be that someone auditing the business, or someone auditing a customer. That’s a requirement from the government.

      I’ve seen customers ask for tax stuff going back up to 20 years from a business. In those cases, if there’s demand for data going back that far for whatever reason, the business can internally say “We have a business reason to retain data longer” because people ask for it – there’s demand. So they can justify to auditors/legal sorts retaining that information indefinitely, based on user demands/requests.

      In some cases when I’ve seen those ancient requests, it’s also tied to legal disputes from customers – e.g. trying to prove in a divorce that such and such was bought by party A in 2005 for X amount. In some cases, there’re class actions that go outside the 7 year window, and require data from further back to sort out – for example there’s a case in Canada currently where a financial lender is paying back ~$2000 per person that took a loan from them from 2016-2021 (so ~10 years of personal data needs to’ve been kept, to verify early claimants). Part of needing to keep data so long is that the court cases are often so drawn out that the 7 year window would make some crime/wrong-doing much more difficult to prosecute due to a lack of evidence. I know of one class action lawsuit in the Financial Industry that’s been ongoing since the 90s, and still isn’t fully resolved – most of the potential class action recipients are deceased at this point, and the only people profiting are lawyers, but still. Lawyers are a part of the problem, and a reason why data is often being held longer and longer. Honestly, Lawyers are also terrible at securing their data – they tend to rely on paper-controls to prevent their unsecured data from getting used, rather than actual hardening. Like there was a guy who spent a few years in Colombia or something, his personal laptop being used for all sorts of nefarious stuff, and when he came back to Canada and the border people took his laptop, it was totally unencrypted/unsecured. The guy just argued it was his “legal work” laptop and everything on it is confidential and can’t be used in court.

      Idk. I think your approach is overly simplistic for the issue. There’s a lot of “stuff” related to corporate data retention policies and methods, and I don’t really see much nuance in what you’re proposing. Hell, if they only kept your data till you got your item, you’d NEVER be allowed to get a refund, cause they’d have no record of you purchasing the item.

      • dylanmorgan@slrpnk.net (1 upvote, 10 hours ago)

        Tax records don’t have to include the customer if it’s retail. If that was a requirement cash businesses would have massive problems, and the rule of keeping those records for seven years significantly predates our current model of credit for everything.

        Beyond that, if I go to a restaurant they don’t have my name and address or any other information. Businesses need to keep records like “we bought x from y for $z,” and “we sold x to a for $b.”

        And even further, the government could clarify (if in some countries customer data was part of tax data) that the law was now to protect customer privacy and data.

        • wampus@lemmy.ca (1 upvote, 9 hours ago)

          KYC is typically a due diligence process tied to regulated financial industry participants – the restaurant example has a much different function. Banks and FIs have much broader retention (and disclosure) obligations.

          Here, let’s put it slightly differently. I’ll reference Canadian regulations/processes more, as those are the ones I’m most familiar with. If you’re a bank, you’re required to flag suspicious transactions related to the customer – and in order to know when those transactions are suspicious, you need some way of reviewing it within the context of the customer. You may even have an obligation to second guess / question / try and advise the customer ‘not’ to make a transaction, based on knowing your customer.

          The most basic example of that is where Credit Cards will decline payments / request a call if you try and make a purchase in a totally abnormal location – like you “know your customer” lives in Toronto, but suddenly see them spending money in Mexico? Or if they called you before they took a trip to Mexico, that’d also go into a KYC type file to let people know to expect those sorts of charges and let em get processed. That’s tied to KYC.

          The media will often run stories about seniors getting scammed, with the general message being “WHY DIDN’T BANKS DO MORE TO PROTECT?”. Well, that’s KYC too. You gotta ‘know’ your senior members, and their spending habits to some extent, to find those outliers. You also need to be familiar with them enough to know whether it’s “normal” for them to come by and take out cash, and in what quantities and for what purpose, cause seniors will sometimes ‘show up’ with a person pressuring them to take out cash to ‘pay a bill’ (scams galore!). All part of KYC due diligence.

          Or the somewhat obvious elephant in the room – if you have a “personal” account member who keeps receiving e-transfers to his “jeevacation@gmail.com” account for some reason, you gotta look into it a bit and sort out what all those payments are related to, cause it isn’t a business account. And if you see anything suspicious, it gets reported to the authorities, where, most likely, Trump shits himself and Americans ignore the crimes.

          • dylanmorgan@slrpnk.net (1 upvote, 9 hours ago)

            Notably there have been almost zero data breaches of large banks, because their requirements for security are significantly higher than most other companies. My original comment was not about banks, they obviously need to retain a lot of customer data, and most of that is not exposed to the internet at all. I was talking about things like a pizza shop or an online retailer. There’s no need for Burger King or a webcomic artist I’m buying a print from to have a login or my email address for longer than it takes me to get my items.

            • wampus@lemmy.ca (1 upvote, 8 hours ago)

              Yeah, but this breach is specifically about KYC, about financial industry stuff. The company that got porked was the company the banks used for their KYC stuff.