"In this age of ever-plummeting storage costs, some businesses are electing to 'store it all' when it comes to consumer data. That is, businesses are storing data regardless of whether there is an actual need with the assumption that it might be of value in the future. This approach, however, can lead to liability from several sources.
First, cardholder information arising from credit card transactions is strictly controlled by the PCI Data Security Standards, as well as the card association rules. Storing and retaining more data than absolutely required by the transaction may run afoul of these requirements. Second, with the growing number of complex and conflicting state and federal (as well as international) laws and regulations governing personally identifiable data, businesses should be inclined to limit the data they collect to that which is required for the transaction, as opposed to retaining excess data that is not required. Possession of that data may, in and of itself, violate applicable law or simply increase the potential for liability because of the increased volume of data that must be secured."