{"id":6023,"date":"2020-07-22T01:00:56","date_gmt":"2020-07-22T06:00:56","guid":{"rendered":"https:\/\/justinparrtech.com\/JustinParr-Tech\/?p=6023"},"modified":"2020-07-21T23:42:47","modified_gmt":"2020-07-22T04:42:47","slug":"thanks-for-misusing-my-personal-data","status":"publish","type":"post","link":"https:\/\/justinparrtech.com\/JustinParr-Tech\/thanks-for-misusing-my-personal-data\/","title":{"rendered":"Thanks for Misusing My Personal Data!"},"content":{"rendered":"<h2>Thanks for Misusing My Personal Data!<\/h2>\n<p>15 months ago, I bought a house.<\/p>\n<p>During the course of that transaction, I had to disclose personal information to:<\/p>\n<ul>\n<li>The finance company (two, since we dropped the first one)<\/li>\n<li>The insurance company<\/li>\n<li>The title company<\/li>\n<\/ul>\n<p>I was required by Federal law to disclose information, including my:<\/p>\n<ul>\n<li>Birth date (month, day and year)<\/li>\n<li>Social Security Number<\/li>\n<li>Full Name<\/li>\n<li>Address<\/li>\n<\/ul>\n<p><span style=\"color: #ff0000;\">You know, everything you might need to, you know, KNOW in order to steal my identity.<\/span><\/p>\n<p>The business purpose for this was ostensibly to:<\/p>\n<ul>\n<li>Obtain credit information<\/li>\n<li>Review my financial records and assets<\/li>\n<li>Report a financial transaction to the IRS<\/li>\n<\/ul>\n<p>And, it was ostensibly to be used ONLY in the course of doing business.<\/p>\n<p>A year passes&#8230;<\/p>\n<p>I get a &#8220;Happy Birthday&#8221; e-mail from:<\/p>\n<ul>\n<li>BOTH finance companies, even though I dropped one of them<\/li>\n<li>The insurance company<\/li>\n<\/ul>\n<p>In addition, I got an <span style=\"color: #ff0000;\">actual birthday card in the mail<\/span> from the finance company that we ended up using.<\/p>\n<p><span style=\"color: #ff6600;\">Two decades ago, I would have thought &#8220;how quaint!&#8221; and moved on.<\/span><\/p>\n<p><strong>However, in the days of identity theft, YOUR BIRTHDAY is a significant 
piece of non-public personal data that should be closely guarded.<\/strong><\/p>\n<p>Suppose I had gotten a birthday card at the beginning of the month with a note that said: &#8220;Hey, happy birthday this month! <span style=\"color: #00ff00;\">We know it&#8217;s your birthday, but we respect your privacy, so we&#8217;ve stored a generic representation of your personal data rather than your actual birthday.<\/span>&#8221;<\/p>\n<p>Completely acceptable.<\/p>\n<p>The reason storing my ACTUAL BIRTHDAY is NOT ACCEPTABLE is twofold:<\/p>\n<ol>\n<li>YOU HAVE NO REASON TO STORE IT.\u00a0 Once you&#8217;ve pulled my credit, sold me a house, and reported all of this to the government, there is no <em>legitimate<\/em> ongoing business need to continue to retain that information.\u00a0 <BR><BR>If your company stores data for which there is no valid, ongoing business purpose, you&#8217;re inviting a data breach.<\/li>\n<li>YOU PROBABLY AREN&#8217;T STORING IT SECURELY.\u00a0 Is my birthday in a spreadsheet, stored on the laptop that you take home every night, which someone could steal from your house or, even worse, from the back seat of your car when you stop to pick up dinner on the way home?\u00a0 <BR><BR>Don&#8217;t laugh &#8211; I worked for a company where this exact situation happened &#8211; a spreadsheet containing personnel records, including Social Security Numbers, was stored unencrypted on the hard drive of a company-issued laptop that was stolen out of the back of someone&#8217;s car while it was parked in a restaurant parking lot.<BR><BR>So hopefully not on a laptop, but, pursuant to GLBA, FCRA, HIPAA or a number of other laws, we should hope that my birthday is stored on a server that&#8217;s encrypted, logically secured, physically secured, logged, monitored, audited, sitting behind a firewall, etc.\u00a0 More realistically, it&#8217;s stored &#8220;in the cloud&#8221; in your company&#8217;s sales system.<\/li>\n<\/ol>\n<p>In addition to appearing 
completely unprofessional, the situation gives rise to the following UNCOMFORTABLE QUESTIONS:<\/p>\n<ul>\n<li>What else are you storing without my knowledge and consent?<\/li>\n<li>Who do you share it with?<\/li>\n<li>Is it all stored by Social Security Number?\u00a0 I hope not, but that&#8217;s how businesses were run 30 years ago.<\/li>\n<\/ul>\n<p><span style=\"color: #ff0000;\">&lt;RANT&gt;<\/span><\/p>\n<p><span style=\"color: #ff0000;\">And&#8230;<\/span><\/p>\n<p><span style=\"color: #ff0000;\">If WE NEVER DID BUSINESS AT ALL because MY WIFE FIRED YOU, then you have NO LEGITIMATE PURPOSE for storing my data, and ZERO REASONS to send me a birthday e-mail.<\/span><\/p>\n<p><span style=\"color: #ff0000;\">You know who you are&#8230;<\/span><\/p>\n<p><span style=\"color: #ff0000;\">&lt;\/RANT&gt;<\/span><\/p>\n<p>&nbsp;<\/p>\n<h3>Best Practices<\/h3>\n<p><strong>Most data breaches are made possible, or made far worse, by companies storing data that they don&#8217;t need, or storing it improperly, or both.<\/strong><\/p>\n<ul>\n<li>Identify and catalog all systems that store Personally Identifiable Information (PII) \/ Non-Public Personal Information (NPPI) \/ Protected Health Information (PHI) and other sensitive personal data.<\/li>\n<li>Make sure these systems are secured properly &#8211; the Federal government provides guidance on securing financial and healthcare data (the FTC&#8217;s GLBA Safeguards Rule and the HHS HIPAA Security Rule, for example).<\/li>\n<li>Audit the data regularly to make sure you are <em>only<\/em> storing what is needed\u00a0<em>for legitimate business purposes<\/em>.\u00a0 This includes purging old data, as well as ensuring that you are not unnecessarily and permanently storing personal data fields.\n<ul>\n<li>In most cases, a business is only required to retain business records for 3 to 7 years, depending on the type of business and the regulations that apply to it.\u00a0 If you have data older than your retention period, you need to delete it!<\/li>\n<li>If you have data fields that are necessary, say, to perform a credit check, you need to store them\u00a0<em>temporarily<\/em>, and then delete them 
when no longer needed.\u00a0 Those data fields should live only as long as the transaction, and no longer.\u00a0 Three months to a year would be more than sufficient.<\/li>\n<\/ul>\n<\/li>\n<li>If you want to store demographic information, or, you know, send birthday cards in a quaint attempt to appear personable, then at least use legitimate techniques to coarsen the data, so that the exact value is never stored.\n<ul>\n<li>Don&#8217;t store the birth year at all (if it is not needed for demographics).<\/li>\n<li>If you DO need demographic information, round the birth year to a multiple of 5, and never store the exact year:\n<ul>\n<li>y&#8217; = int(y \/ 5) * 5<\/li>\n<li>if y&#8217; = y then y&#8217; = y&#8217; + 5<\/li>\n<li>The second step guarantees that the stored year is never the real one; the stored value is always within five years of the truth, which is all that demographics needs.<\/li>\n<\/ul>\n<\/li>\n<li>In your CRM system, set everyone&#8217;s birthday to the first of the month.\u00a0 If my birthday is April 22, store 4\/1.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"color: #00ff00;\">Send me a birthday card at the first of the month, and let me know that because you respect my privacy, you DO NOT STORE MY ACTUAL BIRTHDAY.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Thanks for Misusing My Personal Data! 15 months ago, I bought a house. 
During the course of that transaction, I had to disclose personal information to: The finance company (two, since we dropped the first one) The insurance company The title company I was required by Federal law to disclose information, including my: Birthday and [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"aside","meta":{"footnotes":""},"categories":[7,17,4,5],"tags":[],"class_list":["post-6023","post","type-post","status-publish","format-aside","hentry","category-analyses-and-responses","category-good-design-bad-design","category-rants","category-the-light-side","post_format-post-format-aside"],"_links":{"self":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/6023","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/comments?post=6023"}],"version-history":[{"count":10,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/6023\/revisions"}],"predecessor-version":[{"id":6037,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/6023\/revisions\/6037"}],"wp:attachment":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/media?parent=6023"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/categories?post=6023"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/tags?post=6023"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templ
ated":true}]}}
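The birth-date minimization rules from the Best Practices section above (store the first of the month instead of the day; round the birth year to a multiple of 5 and never store the exact year), worked through as an added Python example. This is not code from the original post: the record layout, the field names, the notion of "transaction-only" fields and the sample customer record are all assumptions constructed for the example.

```python
"""Birth-date minimization for a CRM, following the post's "Best Practices".

Added example, not code from the original post. It implements the two rules
given there (day of month replaced by 1; birth year rounded to a multiple of 5
and bumped if that lands on the true year) and applies them to a customer
record once the transaction that needed the exact date is over. The record
layout and field names are assumptions; the sample record is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class CoarseBirthday:
    month: int                  # 1..12: enough to send a "happy birthday this month" card
    year_bucket: Optional[int]  # multiple of 5, never the true year; None if not kept


def coarsen_year(year: int) -> int:
    """The post's rule: y' = int(y/5)*5; if y' == y then y' = y' + 5.

    The result is a multiple of 5, between 1 and 5 years away from the true
    year, and never equal to it, so a leaked record cannot reveal the real year.
    """
    coarse = (year // 5) * 5   # same as int(y/5)*5 for positive years
    if coarse == year:
        coarse += 5            # never store the exact year
    return coarse


def rule_holds(years: range) -> bool:
    """Check the guarantee above for every year in the range."""
    for y in years:
        c = coarsen_year(y)
        if c % 5 != 0 or c == y or abs(c - y) > 5:
            return False
    return True


def coarsen_birthday(dob: date, keep_year: bool = True) -> CoarseBirthday:
    """Reduce a full date of birth to what a CRM actually needs."""
    return CoarseBirthday(
        month=dob.month,
        year_bucket=coarsen_year(dob.year) if keep_year else None,
    )


def card_date(birth_month: int, this_year: int) -> date:
    """When to mail the card: the first of the customer's birth month."""
    return date(this_year, birth_month, 1)


# Fields that exist only to serve the transaction (credit pull, IRS reporting)
# and must not outlive it. Assumed names.
TRANSACTION_ONLY_FIELDS = ("ssn", "date_of_birth")


def minimize_customer_record(record: dict, keep_year: bool = True) -> dict:
    """Return the record a sales/CRM system may keep after the transaction closes.

    The exact date of birth is replaced by its coarse form; the SSN and the raw
    date are dropped rather than copied forward.
    """
    dob = date.fromisoformat(record["date_of_birth"])
    coarse = coarsen_birthday(dob, keep_year)
    kept = {k: v for k, v in record.items() if k not in TRANSACTION_ONLY_FIELDS}
    kept["birth_month"] = coarse.month
    kept["birth_day"] = 1                      # first of the month, per the post
    kept["birth_year_bucket"] = coarse.year_bucket
    return kept


# Constructed sample record (not real data); the SSN is deliberately invalid.
SAMPLE_RECORD = {
    "customer_id": 1001,
    "full_name": "Example Customer",
    "date_of_birth": "1985-04-22",
    "ssn": "000-00-0000",
    "mailing_address": "1 Example St",
}


if __name__ == "__main__":
    minimized = minimize_customer_record(SAMPLE_RECORD)
    print(minimized)
    print("card goes out on", card_date(minimized["birth_month"], 2021))
    print("rule holds for 1900..2020:", rule_holds(range(1900, 2021)))
```

Note that the post's second step makes the bucketing deliberately uneven (1985 is stored as 1990, while 1986 through 1989 are stored as 1985): the goal is not clean five-year cohorts but a stored value that is never the real year. `rule_holds` is the check a practitioner would run before trusting that property across the whole range of birth years in the database.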