It seems every day a new company pops up to handle identity and related sensitive data; what should they do to earn your trust?
CANBERRA, Australia — Australia could have tough new data protection laws in place this year in an urgent response to a cyberattack that stole from a telecommunications company the personal data of 9.8 million customers, the attorney-general said Thursday. (ABC News, Sept 28, 2022)
A former Wells Fargo financial advisor in California faces up to two years in prison and a $250,000 fine after pleading guilty to aggravated identity theft amid charges he stole $158,000 from two bank customers. (Financial Adviser, September 29, 2022)
The Justice Department said that three U.S. Postal Service workers were arrested last week in connection with the theft and unauthorized use of credit cards resulting in the loss of more than $1.3 million.(Fox Business, October 4, 2022)
This is a very small sample of articles in the headlines today. There are many more examples every day. Theft of sensitive information is rampant and yet, we are expected to give up that sensitive data to do every day transactions for communication, financial services, commerce, utilities, government services etc. etc. We generally do this without any understanding of how the data will be used, how it is protected, where it is stored, or who it might be sold to. Before we give up this data that can lead to identity theft, fraud, and monetary theft, what should we (or possibly a regulator) be asking the requester?
The first question is WHY? Why do they need the data in the first place? Do they need to know my mother’s maiden name or the brand of the first car I ever owned? Do they need my birth date or my Social Security Number, National Identity Number, my address or my phone number, or my email address? Certainly some institutions need some of this for legal reasons. A bank cannot legally open an account without name, birthdate, address and SSN. But does an ecommerce site need any of that? Does a bookseller?
The second question is WHO has access to the data? Does anyone working in a contact center have access? In the case of healthcare, does anyone beyond the physician have access to the data? In the case of a bank, does every teller, manager, customer service rep, and IT person have access? The corollary question is do they need access? Does someone providing me support through a tech assistance line need to have personal identity information to provide support? Or do they just need to have my identity validated without seeing that personal info? Do they just need to know I am authorized?
The third question is WHAT personal information is being stored? Is it a name and an account number? Or enough data to steal an identity like addresses, SSN, birthdates? If so, WHY?
The fourth question is HOW is that stored data being protected? Does it meet the specifications set forth in the privacy by design standards? Is all data encrypted at rest? How is authorization for data access managed? Is it just user IDs and passwords that can be easily stolen or broken? The world’s most common password is “123456”. Does the authorization mechanism in place ensure authorization is more robust? Refer back to the second question here as well.
The fifth question is HOW is this data collected? Is the mechanism secure and robust? Are there attack surfaces that are part of the collection process? Are all communications encrypted? Is the source of the data validated?
The sixth question is HOW MUCH pressure testing is done to ensure all of the mechanisms in place (assuming they are acceptable) are tested for security robustness? Is penetration testing done? Are there tests for lateral attacks? Do they test for social engineering of employees? Are regular audits done to ensure the security architecture is not compromised or modified to create opportunities for breaches? For example, it is common for PCI DSS certified systems to become uncertifiable due to technological changes, updates and enhancements. Certification is a moment in time. What is being done to regularly audit to ensure certification is still valid on an ongoing basis?
The seventh question is WHAT happens when something goes wrong? Is there an incident response procedure in place? What is the incident response procedure? I have personally been the victim of a breach where I was not told until several months after the breach occurred. How quickly is an incident response initiated? How quickly are affected people informed? What actions are taken to protect those affected?
The eighth question is WHAT employee security education training is conducted? How often is it refreshed?
These questions should be asked of ALL enterprises and systems dealing with personal data. A high bar should be mandated, and “need to know” not “want to know” should be the standard.