Continued from Part 1
Case: Identity theft
I first became aware of identity theft in 1996 when my credit card number was stolen. I had rented a car, and my application had every piece of information that they could dig out of me, including a copy of the front and back of my credit card and my driver’s license. I can picture the rental agent leaving my file on the desk in her cubicle while she went to the car lot to check out a car for her next clients, who were sitting at her desk. While she was gone, they copied my information. At the time, I lived only a couple of hours away from the Canadian border. When the credit card company called to alert me because the card usage was not in line with my card profile, they told me somebody in Canada used my card to buy “services” over the phone. The charge was only $75, but it took forever to get it off my bill: paperwork, registered letters, phone calls, time, and frustration.
Of course, the car rental company (a nationwide chain) denied everything, but it was the only place I had used my card where the information was out of my sight, and the thieves had details such as my address.
Outcome: I persisted and eventually the charge was removed from my statement.
Case: Confidential information sent in email
We used the same accountant for years. One year after we completed the intake for our taxes, I asked him when we could stop back to pick up the completed forms. He said that he would email them to us. I asked if they would be encrypted and he said yes. I nodded and we left. Three days later, I received an email with our taxes attached as a PDF.
I was livid. I called his office, and asked why he had sent our taxes in an unencrypted PDF through email. He told me they were encrypted.
What he meant was that he filed taxes with the IRS using SSL encryption. He said that his IT staff told him they could not encrypt email attachments.
Email is not a secure method of communication. While it may be transmitted using TLS encryption (Transport Layer Security protocol provides encryption for transmission between servers), when receiving email servers do not accept encrypted transfers, your email is sent in unencrypted plain text.
I tried to explain to him that he could even use a compression program like WinZip (which I knew he had) with a shared password. Nope. He would not listen. I sent him a letter where I carefully explained cryptography and options for using it that were inexpensive and not difficult to implement. Then I explained that because he would not consider them, I was ending our business relationship. That was very difficult because our families had been friends for years.
Outcome: I changed our tax accountant.
Case: My financial institution leaked my information when they changed the monthly statement format.
I use online bill payment to pay most of my bills. I always reconcile my paper statement against my checkbook register. A couple of years ago when I glanced through my statement, I saw to my horror that both my social security number and my credit card number were printed in the transaction section of the statement. I realized that one of my Sallie Mae loans was using my social security number as the account number when they returned payment information.
I called the bank immediately.
The customer service representative did not understand my concerns. When I hung up, I wrote a letter to each board member at my financial institution and sent copies to Sallie Mae and my credit card company. The credit card company did not understand either, but Sallie Mae stopped using my social security number as my account number (which they should not have been doing anyway, it’s against the law).
Think about how many people this could have affected! If a breach of the banking website occurred, if someone at the printer looked through the statements, if the statements got lost in transit, if someone had stolen mail from a mailbox … there are a number of scenarios where statements could have been used by the nefarious.
Outcome: Sallie Mae changed my account number, and on the very next statement, only the last four numbers of my credit card number printed on my statement.
Case: Doctor’s office wants to submit my information to a research project.
I made an appointment with a new physician. Part of the paperwork was a permission form to submit my information to a research project. There was no ending date for permission to stop, no information about the research project, and no information about how they de-identified data. I asked the receptionist to clarify some of these details for me, so she called the nurse in charge of the research project. The nurse said de-identified data means that you cannot be identified. I asked her what specific identifying information they used in the study. Instead of answering me (I am pretty sure she did not know), she told me not to sign the form as the study was not being conducted any more anyway. Which brought up another question in my mind: If they were not using my information for a study, why were they asking me if they could use it?
Unfortunately, it takes very little data to identify someone by comparing identity information to public records such as voter registration. One such study conducted at Harvard University by Professor Latanya Sweeney showed that 87% of the population can be uniquely identified through three variables—a patient’s birth date, zip code, and gender.
Outcome: My information is not being used in a research project.
Case: My employer changed insurance companies
For the last 2 years, I have worked as a contractor. My employer decided to switch health insurance carriers. The experience was very disorganized from several standpoints, but from an information privacy perspective, it was a nightmare. The insurance company they chose (not Anthem)—very large and very old—combines a social security number with a three-digit employer code into an account number used for signing up. I called and asked if there was an alternative method of signing up. No.
Against my better judgment—since I needed medical insurance—I decided to sign up. The sign-up website is hosted by a benefits administrator subcontractor. Their privacy policies were a mess, mixing up personal pronouns with collective nouns in several places. A company that is careless about privacy policies often has gaps in other parts of their infrastructure.
Curious about how they treated passwords, I tried using a four-character password. It worked! Of course I changed it to something more secure immediately.
I wrote my employer and the insurance company’s senior management about my concerns, and sent copies to the US Department of Labor. The insurance company response explained that they and their benefit administrator used industry-standard security measures.
Two weeks later, the Anthem breach happened. So much for industry standards.
Outcome: I discontinued insurance coverage.
Case: Conference attendee information thrown in a wastebasket
I volunteer at events a couple of times a year. I like to work the registration desk because I meet a wide variety of people. As we were packing up the registration desk, I saw a listing of conference attendees—name, email, employer, and phone number—in the trash. I plucked it out, and said to the registration coordinator that the list should not be in the trash.
She said she did not have a shredder. I took the list home and shredded it myself.
The next day, I discussed it with the conference coordinator.
Outcome: New procedures to shred confidential information were implemented
Ask questions. Speak up. Nobody cares more about your data than you do! If you see private information leaking, it is very important to point it out. If you do not want to take the time to do it for yourself, do it for your children and your grandchildren. Do it for your older family members. Do it for people who do not understand how important privacy is. Do it to protect your job.
The fallout from a breach affects customers (identity theft and raised prices), employees (lost jobs and closed stores), and stockholders.
Be the change you want to see!