As a PCI compliant company I already treat data as a liability. So much data collection is unnecessary, or the the result of defaults, like logs left on that nobody ever looks at.