Do companies REALLY need your personal information?
“Thank you for your order. Your burger, fries and soda are ready for you at the drive-through window. I will just need a copy of your driver’s license, social security number and blood type, along with your payment, at the next window….”
Ok….ok, I realize this is a bit of an extreme hypothetical, but doesn’t it seem like we are being asked to provide more and more private and sensitive personal information for routine transactions? Here are some alarming statistics to digest:
- The FTC has reported that US consumers lost nearly $8.8 billion to fraud in 2022, which is an increase of more than 30% from the prior year.[1]
- There were approximately 1.8 million data compromise events in the US in 2022.[2]
  - A “data compromise” is an overall term for events in which personal information is accessed by unauthorized individuals and/or for unintended purposes, including data breaches, data exposures and data leaks.
The takeaways here are simple.
- There has been an alarming increase in identity theft and data breach events.
- We ALL must be smarter in scrutinizing the sensitive personal information we make available to third parties. Yes, there are a few key financial or personal transactions where such sensitive personal information may actually be required (such as background or credit checks for employers and significant financial transactions) but in reality, the list of such transactions is very small.
My advice: The next time you are asked for sensitive personal information (such as a copy of your driver’s license, social security number and/or date of birth), especially when that information will be combined with your name and address, making this combination of data the “Holy Grail” for identity thieves:
- Ask the requestor the following questions:
  - Why do you need this information?
  - Who will have access to this information at your organization?
  - With whom does your organization share my information?
  - How does your organization protect and secure my information?
  - Has your organization suffered a data breach in the last 24 months?
  - How will your organization help me if you have a future data breach?
  - What is your data breach response plan?
- If the information is requested by email:
  - What secure file transfer tool/portal do you have for me to provide my information?
  - Do you have two-factor authentication for access to my online account?
If an organization truly requires your sensitive personal information, chances are that federal or state law requires that organization to a) have policies and procedures with specific answers to the above questions and b) provide notice to its customers of such policies and procedures.
See the links below for helpful information to further research your data privacy rights and the actions to take if your identity is stolen.
Summary of various US laws/Federal offices that manage privacy matters:
Practical guidance on rights if your identity is stolen:
https://www.identitytheft.gov/#/Know-Your-Rights
If you are an employer and need help with your data privacy compliance, JAME Consulting can help:
Please also see our contact information below:
Website: www.jameconsulting.com
Phone: 832-328-3301
Email: JBarrett@jameconsulting.com
[1] https://www.ftc.gov/news-events/news/press-releases/2023/02/new-ftc-data-show-consumers-reported-losing-nearly-88-billion-scams-2022
[2] https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime