Thanks for Misusing My Personal Data!
15 months ago, I bought a house.
During the course of that transaction, I had to disclose personal information to:
- The finance company (two, since we dropped the first one)
- The insurance company
- The title company
I was required by Federal law to disclose information, including my:
- Birthday and date
- Social Security Number
- Full Name
You know, everything you might need to, you know, KNOW in order to steal my identity.
The business purpose for this was ostensibly to:
- Obtain credit information
- Review my financial records and assets
- Report a financial transaction to the IRS
And, it was ostensibly to be used ONLY in the course of doing business.
A year passes…
I get a “Happy Birthday” e-mail from:
- BOTH finance companies, even though I dropped one of them
- The insurance company
In addition, I got an actual birthday card in the mail from the finance company that we ended up using.
Two decades ago, I would have thought “how quaint!” and moved on.
However, in the days of identity theft, YOUR BIRTHDAY is a significant piece of non-public personal data that should be closely guarded.
If I had gotten a birthday card at the beginning of the month with a note that says “Hey, happy birthday this month! We know it’s your birthday, but we respect your privacy, so we’ve stored a generic representation of your personal data rather than your actual birthday.”
The reason storing my ACTUAL BIRTHDAY is NOT ACCEPTABLE is twofold:
- YOU HAVE NO REASON TO STORE IT. Once you’ve pulled my credit, sold me a house, and reported all of this to the government, there is no legitimate ongoing business need to continue to retain that information.
If your company stores data for which there is no valid, ongoing business purpose, you’re inviting a data breach.
- YOU PROBABLY AREN’T STORING IT SECURELY. Is my birthday in a spreadsheet, stored on your laptop that you take to your house every night, which someone could steal from your house, or even worse, steal from the back seat of your car when you stop to pick up dinner on the way home?
Don’t laugh – I worked for a company where this exact situation happened – a spreadsheet containing personnel records, including social security numbers, was stored un-encrypted on the hard drive of a company-issued laptop that was stolen out of the back of someone’s car while parked in a restaurant parking lot.
So hopefully not on a laptop, but, pursuant to GLBA or FCRA or HIPAA or a number of other laws, we should hope that my birthday is stored on a server that’s encrypted, logically-secured, physically-secured, logged, monitored, audited, sitting behind a firewall, etc. More realistically, it’s stored “in the cloud” in your company’s sales system.
In addition to appearing completely unprofessional, the situation gives rise to the following, UNCOMFORTABLE QUESTIONS:
- What else are you storing without my knowledge and consent?
- Who do you share it with?
- Is it all stored by social security number? I hope not, but that’s how businesses were run 30 years ago.
If WE NEVER DID BUSINESS AT ALL because MY WIFE FIRED YOU, then you have NO LEGITIMATE PURPOSE for storing my data, and ZERO REASONS to send me a birthday e-mail.
You know who you are…
Most data breaches result when companies store data that they don’t need, or store improperly, or both.
- Identify and catalog all systems that store Personally-Identifiable Information (PII) / Non-Public Personal Information (NPPI) / Protected Health Information (PHI) and other sensitive, personal data.
- Make sure these systems are secured properly – the Federal government provides guidance on securing financial and healthcare data.
- Audit the data regularly to make sure you are only storing what is needed for legitimate business purposes. This includes purging old data, as well as ensuring that you are not unnecessarily, permanently storing personal data fields.
- In most cases, a business is only required to retain business records for 3 to 7 years, depending on the type of business. If you have data older than that, you need to delete it!
- If you have data fields that are necessary, say, to perform a credit check, you need to store them temporarily, and then delete them when no longer needed. Those data fields should live only as long as the transaction, and no longer. 3 months to a year would be more than sufficient.
- If you want to store demographic information, or, you know, send birthday cards in a quaint attempt to appear personable, then at least use legitimate techniques to anonymize the data.
  - Don’t store the birth year at all (if not needed for demographics)
  - If you DO need demographic information, round the birth year to a multiple of 5
    - If the rounded year y’ equals the actual year y (y’ = y), then y’ = y’ + 5
  - In your CRM system, set everyone’s birthday to the first of the month. If my birthday is April 22, store 4/1.
Send me a birthday card at the first of the month, and let me know that because you respect my privacy, you DO NOT STORE MY ACTUAL BIRTHDAY.
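A sketch of the purge and anonymization rules from the list above. This is an added example, not code from the original post; the field names (`ssn`, `birth_date`, `closed_on`, `crm_birthday`) and the exact time limits are assumptions chosen from the ranges the post gives.

```python
from datetime import date, timedelta

# Assumed policy values, picked from the ranges given in the post.
TRANSACTION_FIELD_TTL = timedelta(days=365)      # "3 months to a year"
RECORD_RETENTION = timedelta(days=7 * 365)       # "3 to 7 years"
TRANSACTION_ONLY_FIELDS = ("ssn", "birth_date")  # hypothetical field names


def generalize_birth_year(year):
    """Round to the nearest multiple of 5; if that equals the real year, add 5."""
    rounded = ((year + 2) // 5) * 5
    return rounded + 5 if rounded == year else rounded


def generalize_birthday(birth_date, keep_year=False):
    """CRM-safe form: first of the birth month, plus an optional coarse year."""
    year = generalize_birth_year(birth_date.year) if keep_year else None
    return {"month": birth_date.month, "day": 1, "year": year}


def minimize(record, today, keep_year=False):
    """Apply the rules to one record. Returns None when it must be deleted."""
    closed = record.get("closed_on")  # None while the transaction is still open
    if closed is not None and today - closed > RECORD_RETENTION:
        return None
    out = dict(record)
    if "birth_date" in out:
        out["crm_birthday"] = generalize_birthday(out["birth_date"], keep_year)
    if closed is not None and today - closed > TRANSACTION_FIELD_TTL:
        for field in TRANSACTION_ONLY_FIELDS:
            out.pop(field, None)
    return out


# Constructed sample records, not real data.
SAMPLE = [
    {"name": "A", "ssn": "000-00-0000", "birth_date": date(1980, 4, 22),
     "closed_on": date(2019, 1, 15)},   # closed over a year ago
    {"name": "B", "ssn": "000-00-0001", "birth_date": date(1984, 2, 29),
     "closed_on": None},                # transaction still open
    {"name": "C", "ssn": "000-00-0002", "birth_date": date(1971, 9, 3),
     "closed_on": date(2010, 6, 1)},    # past the retention period
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["name"], minimize(rec, today=date(2020, 4, 1), keep_year=True))
```

Run on a schedule, a job like this leaves the CRM with only the generalized birthday once the transaction window has passed.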
Stores are out of bread (and tortillas).
Tortillas are easy to make, and they last about a week if stored in an air-tight zip-top bag.
- Combine 2 cups of flour, a pinch of salt, 3/4 cup of water, and about 3 tablespoons of fat (butter, lard, vegetable oil, olive oil)
- Roll in to 1″ balls, and then flatten each ball in to a small disc
- Use a floured tortilla press or a rolling pin on a floured surface to roll out each ball to 10″.
- In a lightly-greased skillet on medium heat, cook each one on both sides for about 1 minute per side.
Makes 8-10 tortillas.
Here are things you can do with tortillas:
- Sprinkle some meat and other toppings on half of a tortilla
- Sprinkle some cheese on it.
- Fold in half
- Grill or fry for 2-3 minutes per side, until the cheese melts and the tortilla is golden-brown on both sides
- Fajitas / Street tacos
  - Cut your meat into strips.
  - Grill or fry over high heat with onions and peppers
  - Steam some tortillas to warm them, or use a microwave tortilla warmer
  - Serve family-style with cheese, sour cream, pico, and other toppings
- Tear tortillas in to strips
- Bake until crispy
- Cover with chili, cheese and other toppings
- Bake until cheese melts
- Roll / wrap – makes an excellent substitute for a sandwich. Lay out a tortilla, then stack on lunch meat, cheese, and other sandwich toppings, and simply roll it up.
- Thin-crust pizza
  - Stack 2 tortillas, with some cheese sprinkled between them
  - On the top tortilla, spread some pizza sauce, spaghetti sauce, or whatever you have laying around
  - Sprinkle some cheese
  - Add toppings
  - Sprinkle some more cheese (do it, or you’re a communist)
  - Bake for 10 minutes until the bottom tortilla is crispy and the cheese is melted
- Enchiladas. I’m not quite sure how that works, but my wife does. I’m sure you can google for a recipe.
- Lay out a tortilla
- Fill with beans, rice, meat, cheese and other toppings
- Fold carefully
- Take that burrito, and deep fry it
Toilet paper isn’t scarce. The raw material for toilet paper literally grows on trees. To MAKE it scarce takes layers of stupidity, each with its own nuances.
Not sure who all needs this, but here it is:
In the event that you run out of toilet paper…
Go to your local hardware store, and buy one of these:
This is a 1 gallon “garden lawn sprayer” that you can buy online for about $12, or it should be in your local big-box hardware store for about $16.
Note the angled wand…
After you buy a new one (DO NOT use the one from your garage), wash it out thoroughly.
When you go to the bathroom:
- Fill with warm water from the sink
- Close the lid, air-tight
- Pressurize by pumping the handle a few times
- Instant, portable bidet
This is cheaper than modifying your plumbing, and warmer than buying a bidet kit that connects to your toilet’s water supply.
That One Time I Expensed a Gun Case
Setting the Scene…
Back in the early 2000s, WiFi was far from ubiquitous.
- Most laptops and other mobile devices didn’t even support WiFi unless you added a PC Card.
- WiFi really sucked back then. Typical distances were maybe 50 feet through walls, or even up to 100 feet with a clear line of sight. If the signal was blocked by anything brick or metal, simply forget it.
- Back then, an access point and a “router” (firewall) were two different devices, making WiFi a little bit more difficult to configure, and much harder to secure.
At the time, the company I worked for sold software and consulting services for financial institutions, and it was normal for our company to have a booth at one of several technical or trade shows throughout the year.
One of the guys who worked some of those trade shows came to us and said “Normally, we get a single ethernet connection for internet access, and if we bring a router [firewall], we can at least share a single connection, but all these cables make it prohibitive to do anything productive. Can you guys think of a way that we could plug something in that would allow us to all use WiFi instead?”
One of my guys came up with the idea to get a router, an access point, some cables, a power strip, and some WiFi PC Cards, put all of it in a box, and pre-configure everything so that all you needed was power and ethernet.
We even had an extra-long uplink cable so that the box could be located almost anywhere, allowing you to be able to optimize the position of the AP to get the greatest coverage.
The only thing left was to figure out how to ship this thing across the country, repeatedly, without having to package it each time.
At the time, you could get a padded, hard-sided camera case for about $200, which was not going to fly, since IT was paying for it, and we had virtually no budget.
So we went to Wal-Mart to see if we could improvise.
After looking through almost the entire store with no luck, we happened to be in the sporting goods section, and what do you know? There’s a hard-sided, padded pistol case, with briefcase-style combination locks for about $20.
And that’s how I came to expense a gun case.
Of course, the poor fellow in Accounting who processed my expense report saw the receipt, which clearly stated “gun case” and was rather alarmed.
After a quick explanation, we showed him a picture of the case with the equipment inside, and everything was fine.
He did say that this was one of the most unusual expense reports he’s ever processed, but not THE most unusual, and you really have to wonder about that.
Because it looked like something that might contain nuclear launch codes, we called it the “Wireless Football”.
After a few faithful years of service, all the cables and PC Cards were looted by another department. By that time, it was kind of unnecessary, because most venues were starting to offer free WiFi and most devices had built-in WiFi cards.
We ended up re-purposing the router and AP to build a home VPN lab. The case sat around for quite some time, and I think we even used it a couple of times to ship equipment. Eventually it disappeared – either “appropriated” by another department, or thrown away during one of the many equipment purges.
Thanks to Aaron for the pictures!