Not entirely. The companies that must collect presumably have better security safeguards than those just wanting it because it's easy or customary.
I have a client that must collect and store driver's license copies for 2 years by state law. The system encrypts with GnuPG, such that only an offline private key stored on a crypto smart card can decrypt, and the encrypted image goes into a cloud storage bucket with an expiration date. Unless they get a spoliation order because the police come knocking, no one ever sees the data. After 2 years, the file auto-deletes and a record is left indicating that the record was "deleted in the ordinary course of business." The company does not really want to do all of this, but it's required by law and good infosec practices.
Handling data breach material is expensive.