By Staff Writer at LMG Security   /   Jan 22nd, 2026

Treat Data Like Hazardous Material: Risks of Over-Collection and Retention

When the Federal Trade Commission finalized an order against General Motors in January 2026, it wasn’t just another privacy headline—it was a warning shot for every organization that collects and retains personal data. 

GM had marketed its OnStar “Smart Driver” feature as a way to help drivers improve safety and driving habits. Behind the scenes, precise location and driving behavior data—collected as often as every three seconds—was sold into insurance ecosystems and used to influence pricing and coverage decisions. The FTC called it “an egregious betrayal of consumers’ trust.” 

For security leaders, the lesson isn’t about cars or telematics. It’s about something much broader and more uncomfortable: data collection itself has become a cybersecurity risk. The more data organizations stockpile, the more systemic risk they create—not just for individuals, but for every organization that relies on identity, authentication, and trust. 

As we discussed in a recent Cyberside Chats episode, “Data is hazardous material. It’s like nuclear material. And the more data you collect, the more powerful it is, but also the more damage can be caused if it’s leaked or if it’s misused.” – Sherri Davidoff 

Why the GM Case Matters to Every Organization 

The GM enforcement action matters because it reflects a regulatory and risk shift that CISOs can’t afford to ignore. Historically, cybersecurity programs focused on preventing breaches: stop attackers, secure systems, respond quickly. That mindset assumed data was neutral until it was stolen. 

That assumption no longer holds. 

In the GM case, there was no traditional breach. Instead, data was collected, copied, sold, and reused—and that reuse caused real harm. Insurance decisions, pricing models, and coverage determinations were influenced by behavioral data drivers didn’t fully understand they were sharing. 

This pattern is not unique to automakers. It exists anywhere data is treated as an asset without being treated as a liability. 

Data Brokers and the Rise of Systemic Risk 

California’s new data broker enforcement regime makes this risk impossible to ignore. Under the California Delete Act (SB 362), enforced by the California Privacy Protection Agency, data brokers must now comply with centralized deletion requests through the Delete Request and Opt-Out Platform (DROP). 

This matters because data brokers amplify risk. The same person’s data can exist across dozens or hundreds of brokers simultaneously. Once data leaves your organization, control drops—but liability doesn’t. 

This model echoes the EU’s Right to Be Forgotten, but with a uniquely operational twist: it exposes just how much personal data organizations never intended to manage long-term. 

Data Is Hazardous Material 

“Any organization that collects information should be aware that when you collect data, you are collecting risk. You’re basically stockpiling risk. And that means that systemically, we have accumulated a ton of risk.” – Sherri Davidoff 


One of the core themes of the podcast—and of LMG Security’s work—is simple but powerful: data is hazardous material. 

Like hazardous material, data becomes more dangerous the more you accumulate it, the longer you store it, and the farther it spreads. Once it escapes containment, it’s nearly impossible to control. 

From a security perspective, over-collection creates cascading risk: 

  • Breach impact increases 
  • Regulatory exposure expands 
  • Incident response becomes more complex 
  • Identity abuse becomes harder to contain 

The Five Data Breach Risk Factors 

In Data Breaches, Sherri Davidoff outlines five factors that consistently increase breach risk. These aren’t theoretical—they show up repeatedly in enforcement actions and real-world incidents: 

  1. Retention – Risk increases the more data is stored 
  2. Proliferation – Risk increases with the number of copies 
  3. Access – Risk increases with the number and ease of access paths 
  4. Liquidity – Risk increases with how easily data can be transferred or reused 
  5. Value – Risk increases with the value of the data 

Every data broker ecosystem, analytics platform, and identity system compounds these factors simultaneously. 

Why This Affects Identity and Authentication Everywhere 

One of the most important shifts to internalize is this: stolen personal data no longer stays confined to fraud. 

Today, compromised personal data is reused for: 

  • Identity theft and synthetic identity fraud 
  • Fake job applications and hiring pipeline abuse 
  • Authentication and account recovery bypass 
  • Deepfake campaigns and social engineering 

These threats affect organizations that never collected the original data. Once personal data escapes into brokered ecosystems or breach markets, it becomes shared risk across industries. 

This is why identity systems built on static personal data—SSNs, dates of birth, addresses—are increasingly fragile. Security leaders must assume personal data is compromised by default. 

What LMG Security Sees in vCISO Engagements 

In LMG Security’s vCISO and advisory engagements, a consistent pattern emerges: 

Organizations invest heavily in tools—EDR, SIEM, MFA, logging, response plans—without first understanding what data they’re protecting. 

Common gaps include: 

  • No formal data inventory 
  • Unclear data ownership and flows 
  • Undefined retention rules 
  • Incomplete regulatory mapping 

Without a data inventory, security programs are operating blind. Controls may exist, but they’re not aligned to actual risk. 

LMG has written previously about the importance of data-centric security and governance; see, for example:

Make 2026 The Year of Data Mapping and Reduction 

If 2025 made the risks impossible to ignore, 2026 is the year organizations act on them. 

That means: 

  • Mapping what data you collect 
  • Understanding where it flows 
  • Defining how long it should exist 
  • Actively deleting what you don’t need 

Data minimization is no longer just a privacy principle—it’s a core cybersecurity control. 

“If you don’t need the data, don’t keep it. Every dataset you retain has a cost.” – Matt Durrin 

Practical Steps for Security Leaders 

For security leaders, this doesn’t require boiling the ocean. Start with actions that reduce risk quickly: 

  • Conduct a defensible data inventory 
  • Implement and enforce a data classification policy 
  • Align retention with business and regulatory needs 
  • Design identity and recovery systems that don’t rely on static personal data 
  • Train teams on data handling, not just security tools 

These steps directly reduce breach impact, compliance exposure, and operational complexity. 
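Once a data inventory exists, the mapping, retention and deletion steps above (and the inventory gaps noted in the vCISO section) can be checked mechanically. The following is an added example, not LMG Security’s tooling; the record fields and the sample datasets are assumptions constructed for illustration:

```python
"""Retention and proliferation review over a data inventory.

Added example (not LMG Security's code). Each inventory record is assumed to
carry: name, owner, classification, retention_days (None = no rule defined),
last_needed (the last date the business needed it) and copies (how many
known stores hold it). All sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Dataset:
    name: str
    owner: Optional[str]
    classification: str          # e.g. "pii-sensitive", "pii", "internal"
    retention_days: Optional[int]
    last_needed: date
    copies: int

REVIEW_DATE = date(2026, 1, 22)  # constructed review date

INVENTORY = [  # constructed sample inventory
    Dataset("vehicle_trip_telemetry", "telematics", "pii-sensitive", 30, date(2025, 6, 1), 4),
    Dataset("hr_applicants", None, "pii", None, date(2024, 11, 15), 2),
    Dataset("web_logs", "secops", "internal", 90, date(2026, 1, 10), 1),
    Dataset("customer_ssn_export", "finance", "pii-sensitive", 365, date(2025, 12, 1), 6),
]

def findings(ds: Dataset, today: date) -> list:
    """Return the governance gaps found for one dataset, as short codes."""
    out = []
    if ds.owner is None:                       # unclear data ownership
        out.append("no-owner")
    if ds.retention_days is None:              # undefined retention rule
        out.append("no-retention-rule")
    elif (today - ds.last_needed).days > ds.retention_days:
        out.append("past-retention")           # kept longer than the rule allows
    if ds.copies > 1 and ds.classification.startswith("pii"):
        out.append("proliferated-pii")         # proliferation factor: extra copies
    return out

def review(inventory: list, today: date) -> dict:
    """Map dataset name -> findings, listing only datasets with at least one gap."""
    result = {}
    for ds in inventory:
        gaps = findings(ds, today)
        if gaps:
            result[ds.name] = gaps
    return result

def deletion_candidates(inventory: list, today: date) -> list:
    """Datasets whose retention window has lapsed: the 'actively delete' step."""
    return sorted(ds.name for ds in inventory if "past-retention" in findings(ds, today))

if __name__ == "__main__":
    for name, gaps in review(INVENTORY, REVIEW_DATE).items():
        print(f"{name}: {', '.join(gaps)}")
    print("delete:", deletion_candidates(INVENTORY, REVIEW_DATE))
```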

Conclusion: Turning Insight into Action 

The GM enforcement action wasn’t just about cars. It was about how modern organizations create risk by collecting and retaining data without fully accounting for the downstream consequences. 

At LMG Security, we help organizations move from tool-centric security to data-centric risk management through vCISO services, data inventories, and practical security strategy. If your security program has never started with a clear understanding of what data you have and why you keep it, now is the time. “The simplest way to reduce your risk is to reduce your data,” says our founder, Sherri Davidoff. Contact us today for expert guidance.