
A government auditor’s plea to cut the PII hoarding habit
Let’s just say it: Government agencies need to stop collecting so much personally identifiable information (PII).
Why? Because most of you can’t protect it. And that’s not a personal attack, it’s just math.
Every byte of sensitive data you collect adds to your cybersecurity risk. When it inevitably gets breached (and yes, inevitably is fair), you don’t just face a PR nightmare, you put real people at risk. People who trusted you. People like me.
Let me tell you a little story.
Recently, to become a vendor with a certain state (no names, but let’s just say their motto is about liberty), I had to fill out a mountain of forms. And I mean mountain. What did they ask for? Everything but my blood type:
- Bank account number
- Routing number
- EIN
- Business address
- My personal email address
- A wet signature
- Copies of incorporation docs
- A letter from my bank with their wet signature on their letterhead
- My social security number
- My driver’s license number
- Possibly a DNA sample (I’m still not sure what that last upload was for)
Here’s the kicker
Not once did they explain why they needed each piece of information, nor did they say how it would be protected. Not once did they give me a way to redact or limit the information shared. They just…asked. And I, like most vendors, complied. I pushed back several times, but if I want the business, what choice do I have?
But here’s what I do know: All that data now lives on a server somewhere. Maybe it’s encrypted, maybe it’s not. Maybe it’s backed up on a flash drive in someone’s desk drawer next to an unopened bag of Skittles. Or maybe it’s in the cloud, floating among thousands of other vendors’ sensitive information, just one poorly configured permission setting away from being front-page news.
PII is a liability, not a flex
Let’s get something straight: collecting more PII doesn’t make your process more official, more secure, or more thorough. It makes it riskier. You’re creating a high-value target for hackers, insiders, disgruntled employees, and ransomware cartels who love nothing more than a juicy Excel file called 2025_Vendors_FINAL_FINAL2.xlsx.
What do you plan to do with all that data anyway?
Are you running a background check? Verifying eligibility? Direct-depositing funds? Great! Collect only the information specifically needed for that one function and nothing more.
Don’t:
- Collect a routing number to mail a paper check
- Require incorporation documents if you don’t check business status
- Ask for a signature if you don’t actually verify it
And, for the love of all that is secure, don’t store everything forever just in case you might need it.
When governments hoard, citizens pay
We live in a time where ransomware attacks on government entities have become so common they’re no longer shocking. They’re expected. Local governments, school districts, water utilities, state agencies… you name it. And every time it happens, citizens lose.
- Their Social Security numbers end up on the dark web
- Their bank accounts are drained
- Their identities are sold to the highest bidder
- Their trust in government erodes
This isn’t just theoretical. It’s happening all over the country. You don’t want to be the next headline, and we don’t want to be your collateral damage.
So here’s a wild idea: don’t collect what you don’t absolutely need.
Less is more: The principle of data minimization
Ever heard of the concept of data minimization? It’s one of the foundational principles of good data governance and a best practice baked into laws like GDPR (Article 5(1)(c) lists it by name) and, increasingly, U.S. state privacy laws.
Data minimization means you collect the minimum amount of information necessary to complete a function. No more. No less. It’s the Marie Kondo of cybersecurity: if it doesn’t serve a clear and immediate purpose, it doesn’t belong in your form, your inbox, or your server.
Some practical examples:
- If you don’t directly deposit funds, don’t collect bank account details
- If a W-9 form already includes the EIN, don’t require it again on another form
- If an email address is optional, treat it as such
- If you only verify business legitimacy, consider using public databases instead of asking for original articles of incorporation
In short: Collect only what you need to act. Not what you might want someday.
You are the custodian, not the owner
It’s easy to forget this, but as a government agency, you are not the ‘owner’ of PII. You are merely a custodian responsible for protecting it as if it were your own. (Spoiler alert: if your systems are breached, the liability for it becomes your own, legally speaking.)
So ask yourself this, before building another bloated PDF form: If this data got leaked tomorrow, would it hurt someone? Would it cause reputational damage? Would it erode public trust?
If the answer is “yes,” and you don’t need it for a legitimate, timely purpose? Don’t collect it.
Fixing the process: What you can do now
Want to be a hero in the story instead of the cautionary tale? Here are five steps to take today:
- Conduct a PII audit: Identify what you collect, why you collect it, where it’s stored, and for how long
- Scrub your forms: Revise applications and onboarding forms with a “need to know” mindset
- Build in expiration: Set timelines for secure deletion or redaction of sensitive documents
- Limit access: Only people who need the data should have access to the data. Period
- Train your team: Make data minimization and breach prevention part of your staff culture
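The first and third steps above have a mechanical core that is easy to get wrong by hand: a column labelled "notes" can hold a Social Security number, a column labelled "routing" can hold junk, and nobody notices which records have outlived their purpose. The script below is an added example, not code from the article or from any agency: it scans a constructed vendor export (the rows, column names, the expected-contents map and the three-year retention window are all assumptions) for the identifiers actually present in each column, validates routing numbers with the ABA checksum, and lists records older than the retention window.

```python
"""PII inventory and retention check over a constructed vendor export.

Added example. The sample rows, column names, EXPECTED map and the
retention period passed to expired() are assumptions for illustration.
"""
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample export standing in for the agency's vendor spreadsheet.
SAMPLE_CSV = """vendor_id,business_name,contact_email,tax_id,bank_acct,routing,notes,last_payment
1001,Acme Consulting,jane@example.com,12-3456789,000123456789,021000021,,2023-01-15
1002,Brown Audit LLC,bob@example.com,98-7654321,,121000248,SSN on file 123-45-6789,2025-06-30
1003,Delta Widgets,,,,123456789,Paper check only,2019-11-02
"""

# Assumption: what each column is supposed to hold. Anything else is a finding.
EXPECTED = {
    "contact_email": {"email"},
    "tax_id": {"ein"},
    "bank_acct": {"account"},
    "routing": {"routing"},
}

# SSA-format SSN with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
DIGIT_RUN_RE = re.compile(r"\b\d{8,17}\b")  # assumption: account/routing lengths


def valid_routing(number: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeated; sum mod 10 == 0."""
    if not re.fullmatch(r"\d{9}", number):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(number, weights)) % 10 == 0


def classify(value: str) -> set[str]:
    """Label every PII type found in one cell; a cell may carry several."""
    found = set()
    if SSN_RE.search(value):
        found.add("ssn")
    if EIN_RE.search(value):
        found.add("ein")
    if EMAIL_RE.search(value):
        found.add("email")
    for token in DIGIT_RUN_RE.findall(value):
        if len(token) == 9:
            # A 9-digit run is a routing number only if the checksum holds;
            # otherwise it is junk the agency is storing for no reason.
            found.add("routing" if valid_routing(token) else "routing_invalid")
        else:
            found.add("account")
    return found


def inventory(csv_text: str) -> dict[str, dict[str, int]]:
    """Per-column count of each PII type actually present in the data."""
    counts: dict[str, dict[str, int]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            for kind in classify(value or ""):
                col = counts.setdefault(column, {})
                col[kind] = col.get(kind, 0) + 1
    return counts


def unexpected_pii(counts: dict[str, dict[str, int]]) -> list[tuple[str, str]]:
    """(column, pii_type) pairs that the column was never meant to hold."""
    return sorted(
        (column, kind)
        for column, kinds in counts.items()
        for kind in kinds
        if kind not in EXPECTED.get(column, set())
    )


def expired(csv_text: str, as_of_iso: str, retention_days: int) -> list[str]:
    """Vendor IDs whose last payment is older than the retention window."""
    cutoff = date.fromisoformat(as_of_iso) - timedelta(days=retention_days)
    return [
        row["vendor_id"]
        for row in csv.DictReader(io.StringIO(csv_text))
        if date.fromisoformat(row["last_payment"]) < cutoff
    ]


if __name__ == "__main__":
    counts = inventory(SAMPLE_CSV)
    for column, kinds in counts.items():
        print(f"{column}: {kinds}")
    print("unexpected:", unexpected_pii(counts))
    # Assumption: a three-year retention policy, evaluated as of 2025-10-01.
    print("past retention:", expired(SAMPLE_CSV, "2025-10-01", 3 * 365))
```

Run against the constructed rows, the inventory shows the SSN sitting in the free-text notes column and a routing number that fails its checksum, neither of which a column-name review would catch, and lists vendor 1003 as past the assumed retention window. On a real export, point `inventory` at the actual spreadsheet and replace `EXPECTED` with the agency's own form definitions.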
Final PII thought: Be worthy of the public’s trust
Governments are entrusted with an enormous amount of personal information. It’s not just data… it’s someone’s livelihood, identity, and financial security. It deserves reverence and restraint.
If you can’t guarantee its safety, you shouldn’t be collecting it.
Looking for high-quality and convenient CPE?
We have you covered! Our live webinars are a great choice if you want the learning to come to you. Just log on at the scheduled time and enjoy wherever you are! Here are a few of our upcoming courses:
- Oct 9: Data Analytics Deep Dive for Dazzling Audits (4 CPE Hours)
- Oct 15: Excel Charts & Graphs (2 CPE Hours)
- Oct 16: Would You Recognize Fraud? Government Cases (2 CPE Hours)
- Oct 20-24: Leading an Audit Project (27 CPE hours = 22.5 live + 4.5 bonus self-study)
- Oct 28: Measuring Audit Value, Not Just Activity (2 CPE Hours)
Need to do things at your own speed, but still get all your credits? Plan your CPE around your life, not the other way around! Yellowbook-CPE.com has dozens of self-study e-book and video courses, including the Audit Reporting Bundle. Are your audit reports sexy? Do they comply with standards? Can you confidently identify the root cause of any reportable condition? This bundle ensures the only product your audit client likely reads is legible and interesting!
Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: