Schneier blames the “hype cycle of big data” for the risks that have been created…

Companies and governments are still punch-drunk on data, and have believed the wildest of promises on how valuable that data is.

The research showing that more data isn’t necessarily better, and that there are serious diminishing returns when adding additional data to processes like personalized advertising, is just starting to come out.

He also points out that many companies underestimate the risks and impacts of data breaches and overestimate their ability to mitigate them.

And in some cases, Schneier believes, companies choose to take unreasonable risks with data because they’re encouraged to.

“The culture of venture-capital-funded startup companies is one of extreme risk taking,” he argues.

[These companies] are so far from profitability that their only hope for surviving is to get even more money, which means they need to demonstrate rapid growth or increasing value.

This motivates those companies to take risks that larger, more established companies would never take. They might take extreme chances with our data, even flout regulations, because they literally have nothing to lose.

Realistic versus unrealistic solutions

Not surprisingly, as a security expert and privacy advocate, Schneier wants greater regulation of data “collection, storage, use, resale and disposal” and even suggests that certain business practices that involve “surveilling people” be made illegal.

Ostensibly, this includes many of the activities associated with digital advertising.

While greater regulation around data is indeed likely given the growing number of costly breaches, it’s highly unlikely that large swaths of the big data economy will be rendered illegal.

Even so, companies shouldn’t ignore Schneier’s arguments.

Data is digital black gold, and it behaves much like the black gold that comes out of the ground. That black gold, when controlled, fuels the industrial economy, but when spilled, it is the source of environmental disaster.

Likewise, digital black gold fuels the internet economy, but can also be the source of disaster when it leaks.

What companies should do

So what should companies do to avoid disaster? Here are several suggestions.

1. Develop a data strategy

In most cases, companies aren’t collecting more and more data because storing it is so cheap. Many are storing all the data they can get their hands on because they don’t have a data strategy.

Without a strategy, decision makers will favor storing any and all data in the hope that they might develop a use for it later on.

In reality, “we don’t know if we’ll need it, therefore we’ll keep it” is typically a poor excuse for data collection and retention, the result of laziness rather than a true lack of knowledge.

2. Develop data acquisition and retention policies

With a data strategy in place, companies can create sensible data acquisition and retention policies.

Such policies can ensure that they have the data they need to meet business goals while reducing the risk that they’re storing data that they don’t need, or storing data in ways that are unnecessarily risky.

3. Treat data differently

Sensible data acquisition and retention policies will inherently reflect the fact that data differs in nature.

For example, data that contains personally identifiable information (PII) isn’t the same as data that doesn’t contain PII, and it should be handled and stored differently as a result.

4. Embrace compliance and risk management

Certain types of data are already subject to regulation.

For instance, in the US, some health information is protected by the Health Insurance Portability and Accountability Act (HIPAA) rules.

Companies subject to these rules should see compliance as an opportunity to ensure that they’re taking all the steps they can to secure their data.

Even companies that aren’t subject to government regulation have the opportunity to embrace data security through risk management.

It’s now possible to acquire data breach insurance, and companies that opt to do so can use the process as a means to implement data security best practices.