Here are some best practices for keeping your GTM container secure.
Don’t collect Personally Identifiable Information (PII)
GTM permits you to write code that "sees" everything that happens client-side on your website -- including data that a user enters into a form field. This could result in collecting names, addresses, and even Social Security numbers.
Furthermore, this kind of collection might happen by accident. Some web forms store PII in their markup -- in an input's value attribute, for example -- so a tag that reads field values wholesale might inadvertently collect PII. We recommend that anyone creating code to collect data work closely with site developers to avoid accidental PII collection pitfalls.
Don't expose PII in the dataLayer
Another way that user data might be exposed is if you push it to the dataLayer. The dataLayer is an ordinary global JavaScript array (window.dataLayer), so every script running on the page, including third-party tags and pixels, can read it; personal information you store there could be accessed by malicious third-party scripts.
In addition to all this, sending PII to Google Analytics is against Google's terms of service. Here's an article that further describes some of the PII issues that web analytics developers might run into.
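The two risks described above, a tag that copies form fields wholesale and a dataLayer push that any other script on the page can read, as an added example that is not part of the original page and not Google's or Mass Digital's code. It stands in for window.dataLayer with a plain array so it runs under Node without a browser; the field names, the allowlist (service, county, search_term), the sample form values and the "third-party pixel" reader are all assumptions constructed for the example.

```javascript
// Added example (not Mass Digital's or Google's code). GTM's dataLayer is just
// a global JavaScript array (window.dataLayer), so a plain array stands in for
// it here and the file runs under Node without a DOM. The form fields, field
// names and the "third-party pixel" reader are constructed for illustration.

// Values that look like PII. Names and street addresses have no reliable
// pattern, which is why the allowlist below, not this list, is the main control.
const PII_PATTERNS = [
  { kind: 'ssn',   re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { kind: 'email', re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { kind: 'phone', re: /\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/ },
];

// Returns the kind of PII a value resembles, or null.
function looksLikePII(value) {
  if (typeof value !== 'string') return null;
  const hit = PII_PATTERNS.find((p) => p.re.test(value));
  return hit ? hit.kind : null;
}

// Form fields a tag is allowed to report (assumed names for this example).
// Everything else is dropped without even looking at its value.
const ALLOWED_FIELDS = new Set(['service', 'county', 'search_term']);

// Constructed stand-in for the {name, value} pairs a tag would read from a
// real form's inputs. "notes" and "search_term" show users typing PII into
// fields where you did not expect it.
const SAMPLE_FIELDS = [
  { name: 'service',     value: 'renew-license' },
  { name: 'county',      value: 'Suffolk' },
  { name: 'full_name',   value: 'Jane Doe' },
  { name: 'email',       value: 'jane@example.com' },
  { name: 'ssn',         value: '123-45-6789' },
  { name: 'notes',       value: 'please call 617-555-0123' },
  { name: 'search_term', value: 'jane@example.com' },
];

// The accidental-collection pattern: copy every field verbatim into the event.
function naiveFormEvent(fields, formId) {
  const event = { event: 'form_submit', formId };
  for (const { name, value } of fields) event[name] = value;
  return event;
}

// Guarded version: allowlist field names first, then redact allowed values
// that still look like PII (a user typing an email into a search box).
function guardedFormEvent(fields, formId) {
  const event = { event: 'form_submit', formId };
  const dropped = [];
  for (const { name, value } of fields) {
    if (!ALLOWED_FIELDS.has(name)) { dropped.push(name); continue; }
    const kind = looksLikePII(value);
    event[name] = kind ? `[redacted:${kind}]` : value;
  }
  return { event, dropped };
}

// What any other script on the page can do: walk the global array and pull out
// every key whose value looks like PII. Nothing stops a vendor pixel doing this.
function piiVisibleToOtherScripts(dataLayer) {
  const keys = [];
  for (const entry of dataLayer) {
    for (const [key, value] of Object.entries(entry)) {
      if (looksLikePII(value)) keys.push(key);
    }
  }
  return keys;
}

function demo() {
  const dataLayer = [];                                   // stands in for window.dataLayer
  dataLayer.push(naiveFormEvent(SAMPLE_FIELDS, 'contact'));
  const leakedKeys = piiVisibleToOtherScripts(dataLayer); // ['email','ssn','notes','search_term']

  const safeLayer = [];
  const { event, dropped } = guardedFormEvent(SAMPLE_FIELDS, 'contact');
  safeLayer.push(event);
  const leakedAfter = piiVisibleToOtherScripts(safeLayer); // []
  return { leakedKeys, dropped, event, leakedAfter };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The naive push exposes the email, ssn, notes and search_term fields to every other script on the page, while the guarded event keeps only the three allowed fields and redacts the email the user typed into the search box. Note that "Jane Doe" matches no pattern, so a regex-only scrub would have let the name through; the field allowlist is the control that actually prevents collection, and the patterns are only a backstop.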
Updating passwords & managing permissions
You should keep track of and regularly audit the list of people who have access to your Tag Manager container(s). We require that, instead of using personal Google accounts to access GTM, you associate your state email address with a Google Account. This makes it easier to manage former employees' access to GTM.
If Mass Digital is managing your container, you should let us know whenever you need to remove a team member's access, e.g. if they move to another team that doesn't need access to your website's container, or another state organization.
Additionally, not everyone with access to GTM requires the same level of permissions. Limit the number of people who can publish tags to your live container, and ensure that you have a review process for any code that's deployed to your live site. This reduces the risk of malicious or broken code being added to the site.
Finally, you should make sure you require 2-factor authentication for anyone with access to your account. (You can do this under Admin -> Account settings.) Mass Digital has this setting turned on for all containers we manage.
Be cautious with third-party pixels
Another common practice is adding code to your site that gives some other organization, such as Facebook, access to your site's pages. This usually allows the third party to deliver additional analytics & marketing services.
It also could allow those third-party organizations to collect your visitors' data, as their pixels will have access to anything available on the client side of your website, including the dataLayer. We recommend a conservative stance with respect to adding third-party pixels, especially if you are unfamiliar with the organization that owns it.