Your data is valuable — in the wrong hands it exposes you to identity theft, fraud and privacy violations. If a business collects your data, it is expected to prevent that data from being lost, stolen or wrongfully accessed. We call this legal requirement “reasonable data security.”
This might all seem obvious, but we must remind ourselves of first principles as we worry about data breaches, vendors that sell insecure software, and vendors that are entrusted with sensitive employee, customer or student data. It can be easy to get lost in the weeds, but the ultimate goal of the regulators is not to police data security — it is to protect consumers.
Ryan Kriger is an Assistant Attorney General for the State of Vermont. He writes on privacy and data security and teaches about privacy, consumer protection and policy at the University of Vermont.