Everywhere you turn these days there’s word of a new data breach. Your old college – archives hacked. Your dentist’s office – files stolen. The local retailer – credit cards skimmed. Government offices – accidental posting of information online.
In the course of our lifetime, our “personal identifying information (PII)” is shared with hundreds of companies, governmental agencies, educational facilities, businesses and healthcare providers. Social Security Numbers, account numbers, birthdates, and other identifiers are diffused into thousands of databases, each with its own risk of exposing our PII.
These are all areas that the ITRC recognizes as areas “beyond your personal control”. While you make every effort to protect your personal identifying information, the same cannot always be said for those who hold it in their possession.
Data breaches (the inadvertent or malicious exposure of our sensitive personal information) are a fact of modern life as evidenced by the many high profile data security breaches which have occurred throughout 2011. Late in 2010 the ITRC predicted an increase in breaches aimed at email lists which would lead to more social networking scams and malware attacks. This has indeed come to pass.
The harsh reality is that our personal information is simply available in too many places to ensure a high level of security over a long period of time. So what can a consumer do to minimize their risk in these areas which are beyond our control? Before you provide your personal information, ask the following questions:
- Why do you need my Social Security number?
- What will happen if I don’t provide it?
- Is there an alternative identifier you can use instead?
- How is it going to be used?
- Do you have published policies about data protection?
Depending on the answers, you may have a decision to make. You can decide to continue with that company, or find one that will provide acceptable answers. It’s your data they will control.
Businesses have both an ethical and legal responsibility to protect personal identifying information and control access to such information. Businesses should clearly identify their specific need to collect sensitive personal information and to ensure that those within a company, who access this information, have a recognized need for such access
Additionally, consumers need to make the case with businesses that data protection is a critical issue. This point can be made by alerting businesses that access to an individual’s SSN should never be taken lightly.