Intentional Privacy

Continued from Part 1

Case: Identity theft

I first became aware of identity theft in 1996 when my credit card number was stolen. I had rented a car, and my application had every piece of information that they could dig out of me, including a copy of the front and back of my credit card and my driver’s license. I can picture the rental agent leaving my file on the desk in her cubicle while she went to the car lot to check out a car for her next clients, who were sitting at her desk. While she was gone, they copied my information. At the time, I lived only a couple of hours away from the Canadian border. When the credit card company called to alert me because the card usage was not in line with my card profile, they told me somebody in Canada used my card to buy “services” over the phone. The charge was only $75, but it took forever to get it off my bill: paperwork, registered letters, phone calls, time, and frustration.

Of course, the car rental company (a nationwide chain) denied everything, but it was the only place I had used my card where the information was out of my sight, and the thieves had details such as my address.

Outcome: I persisted and eventually the charge was removed from my statement.

Case: Confidential information sent in email

We used the same accountant for years. One year after we completed the intake for our taxes, I asked him when we could stop back to pick up the completed forms. He said that he would email them to us. I asked if they would be encrypted and he said yes. I nodded and we left. Three days later, I received an email with our taxes attached as a PDF.

I was livid. I called his office, and asked why he had sent our taxes in an unencrypted PDF through email. He told me they were encrypted.

What he meant was that he filed taxes with the IRS using SSL encryption. He said that his IT staff told him they could not encrypt email attachments.

Email is not a secure method of communication. While it may be transmitted using TLS encryption (Transport Layer Security protocol provides encryption for transmission between servers), when receiving email servers do not accept encrypted transfers, your email is sent in unencrypted plain text.

I tried to explain to him that he could even use a compression program like WinZip (which I knew he had) with a shared password. Nope. He would not listen. I sent him a letter where I carefully explained cryptography and options for using it that were inexpensive and not difficult to implement. Then I explained that because he would not consider them, I was ending our business relationship. That was very difficult because our families had been friends for years.

Outcome: I changed our tax accountant.

Case: My financial institution leaked my information when they changed the monthly statement format.

I use online bill payment to pay most of my bills. I always reconcile my paper statement against my checkbook register. A couple of years ago when I glanced through my statement, I saw to my horror that both my social security number and my credit card number were printed in the transaction section of the statement. I realized that one of my Sallie Mae loans was using my social security number as the account number when they returned payment information.

I called the bank immediately.

The customer service representative did not understand my concerns. When I hung up, I wrote a letter to each board member at my financial institution and sent copies to Sallie Mae and my credit card company. The credit card company did not understand either, but Sallie Mae stopped using my social security number as my account number (which they should not have been doing anyway, it’s against the law).

Think about how many people this could have affected! If a breach of the banking website occurred, if someone at the printer looked through the statements, if the statements got lost in transit, if someone had stolen mail from a mailbox … there are a number of scenarios where statements could have been used by the nefarious.

Outcome: Sallie Mae changed my account number, and on the very next statement, only the last four numbers of my credit card number printed on my statement.

Case: Doctor’s office wants to submit my information to a research project.

I made an appointment with a new physician. Part of the paperwork was a permission form to submit my information to a research project. There was no ending date for permission to stop, no information about the research project, and no information about how they de-identified data. I asked the receptionist to clarify some of these details for me, so she called the nurse in charge of the research project. The nurse said de-identified data means that you cannot be identified. I asked her what specific identifying information they used in the study. Instead of answering me (I am pretty sure she did not know), she told me not to sign the form as the study was not being conducted any more anyway. Which brought up another question in my mind: If they were not using my information for a study, why were they asking me if they could use it?

Unfortunately, it takes very little data to identify someone by comparing identity information to public records such as voter registration. One such study conducted at Harvard University by Professor Latanya Sweeney showed that 87% of the population can be uniquely identified through three variables—a patient’s birth date, zip code, and gender.

Outcome: My information is not being used in a research project.

Case: My employer changed insurance companies

For the last 2 years, I have worked as a contractor. My employer decided to switch health insurance carriers. The experience was very disorganized from several standpoints, but from an information privacy perspective, it was a nightmare. The insurance company they chose (not Anthem)—very large and very old—combines a social security number with a three-digit employer code into an account number used for signing up. I called and asked if there was an alternative method of signing up. No.

Against my better judgment—since I needed medical insurance—I decided to sign up. The sign-up website is hosted by a benefits administrator subcontractor. Their privacy policies were a mess, mixing up personal pronouns with collective nouns in several places. A company that is careless about privacy policies often has gaps in other parts of their infrastructure.

Curious about how they treated passwords, I tried using a four-character password. It worked! Of course I changed it to something more secure immediately.

I wrote my employer and the insurance company’s senior management about my concerns, and sent copies to the US Department of Labor. The insurance company response explained that they and their benefit administrator used industry-standard security measures.

Two weeks later, the Anthem breach happened. So much for industry standards.

Outcome: I discontinued insurance coverage.

Case: Conference attendee information thrown in a wastebasket

I volunteer at events a couple of times a year. I like to work the registration desk because I meet a wide variety of people. As we were packing up the registration desk, I saw a listing of conference attendees—name, email, employer, and phone number—in the trash. I plucked it out, and said to the registration coordinator that the list should not be in the trash.

She said she did not have a shredder. I took the list home and shredded it myself.

The next day, I discussed it with the conference coordinator.

Outcome: New procedures to shred confidential information were implemented

Ask questions. Speak up. Nobody cares more about your data than you do! If you see private information leaking, it is very important to point it out. If you do not want to take the time to do it for yourself, do it for your children and your grandchildren. Do it for your older family members. Do it for people who do not understand how important privacy is. Do it to protect your job.

The fallout from a breach affects customers (identity theft and raised prices), employees (lost jobs and closed stores), and stockholders.

Be the change you want to see!

Personal information about us leaks every day in multiple ways.

A friend told me recently that he has no expectation of privacy, and that no one else should either. He thinks that a lack of privacy will affect each of the six generations (according to NPR) that are around today until we work out what information should be private and how to protect it:

• The GI generation is anyone aged 90 or older; their probable privacy impact will be in the financial and medical information areas, or their identity could be stolen.
• The Silent generation is between the ages 72 to 89; their probable privacy impact will be in the financial and medical information areas, or their identity could be stolen. The privacy impact could be greater if they are still working or using social media, email, or electronic banking.
• Baby Boomers are those people between the ages 50 to 71, and they should think about the privacy of their information, especially if they still work. Many people in this generation use email, social media, and electronic banking. So tax returns, financial information, medical information, and other confidential information could be affected. Like every generation, they should protect themselves, their school-aged children, and elder family members against identity theft.
• Generation Xers are between the ages 35 to 49 and they should definitely consider privacy issues; many are far too free with their information on social media and through email. Financial information, medical information, and other confidential information are just some of the areas that could be affected, but they also must consider privacy issues for their children and elder family members. Like every generation, they should protect themselves, their school-aged children, and elder family members against identity theft.
• Millennials are between the ages 14 to 34; these people should definitely be concerned about the privacy of their information; many people in this age group are far too free with their information. Sometimes people in this age group even post photos of their credit card on Facebook (argh!). Financial and medical information, and other confidential information are just some of the areas that could be affected, but they also must consider privacy issues for their children. They should protect themselves and their school-aged children against identity theft.
• Generation Z (also known as the iGeneration) are children between the ages one to 13. Children have to depend on the ability of other people to protect their information. For instance, some parents do not understand that they need to check their children’s credit ratings as well as their own. By the time a child has reached an age where he or she can take out credit, their identity could have been stolen and their credit ruined. Bad credit can affect a person’s ability to get a job, rent or buy a home, or buy a car.

Most people do not understand the need for information privacy (until it affects them) and many organizations—because they are made up of people—do not understand either.

So, what do you do when you realize that an organization is not protecting your private information? Explain to them the change you want to see. I start with a phone call to customer service and if I do not achieve my goal, then I write letters to executives and send copies to regulatory agencies. I may not achieve the results I wanted, but I let them know that if they cannot address my issue, I will choose to move (whenever possible) to a different organization that is more supportive of my needs.

Maybe the organization will not listen this time, but they may be more receptive for the next customer.

Part 2 delivers case histories.