Personally Identifiable Information – Beyond SSN


It seems that most people are now aware that collecting SSN information from people and storing it in a computer system is a risk to those people’s identity protection. However, the risk does not stop with SSN. There are other types of information that you should carefully secure after collecting them, and furthermore, you should only collect them if there is a real, valid reason why they must be collected. Collecting information just because you can, or just because you might one day need to use it, is not an excuse when doing so could result in that person suffering at some point from identity theft.

So what else should be protected? What about email addresses? It seems like everyone wants to collect email addresses these days. You can hardly log into a site on the web without being asked for your email address. Some people live their lives happily with only one or two email addresses, and they use those addresses for everything: securing their phones or other mobile devices, online accounts, contact lists, etc. Now even Windows 8 allows you to use a Hotmail (or Outlook) email address as your desktop login. How can you protect your email address when you don’t know if the programmers are encrypting that information the same way they encrypt (or should encrypt) SSN values? Simply go out and get a throwaway email address that you use for logging into web sites. You can get extra email accounts from many places, but I recommend either Hotmail (Outlook) or Google because you get not only an email address from these two, but also a fair amount of online storage where you can store files and documents. Furthermore, Hotmail (Outlook) also allows you to create alias accounts associated with the main account. The real advantage of these alias accounts is that you can create rules to redirect all email sent to them directly to the trash if you keep the alias only as an email address for sites that require one. (It is a great way to avoid spam too!)

There are other things that should also be protected, such as phone numbers and addresses. Why do you need to include an address when you register with a web site? It is not as if they are going to actually send you physical mail, is it? After all, that is one of the reasons why the post office will be stopping Saturday deliveries later this year. Total mail volume is down. (You thought not getting all of that junk mail was a good thing!) Junk mail paid for a major portion of the post office expenses. But it is not just that. People don’t send letters or cards anymore. They use email messages, instant messages, texting, and e-cards. Many people don’t get physical magazines either, because they read most magazines online and do not have to guess what is missing from the torn pages of magazines that get shredded during the delivery process. People also pay bills online rather than sending checks. And the list goes on. So why ask for an address that really isn’t needed, but could be used to locate where a person lives? Imagine a fictitious criminal organization that buys customer information including email addresses from high-end online sales companies so they can target which communities and even homes are more likely to have valuable stuff that their contracted thugs can burglarize.

Phone numbers to some extent fall into that same category.  It is one thing perhaps for the company on whose site you registered to give you a call about their products or services.  However, it is quite another when they sell that information to information brokers to make a few extra bucks because you didn’t buy anything anyway (or even if you did).

Ok, so we are not going to solve all the privacy problems here.  However, I still would encourage those of you who develop databases or who manage databases to consider encrypting more than just the SSN and passwords of people from whom you collect personal information.  Also, please consider if you are collecting that information because it is something that you or your organization will actually act on or whether you are merely collecting it because you just threw it into the pot along with the kitchen sink.

By sharepointmike Posted in Finance
