Data minimization is coming to the United States.
The Federal Trade Commission cited failure to delete information which is no longer needed as a failure to implement reasonable protection.
In its complaint, the FTC alleges that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. This includes failing to inventory and delete personal information it no longer needed.
As part of the proposed settlement with the FTC, InfoTrax is prohibited from collecting, selling, sharing or storing personal information unless it implements an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.