January 28 is Data Privacy Day. Recognized globally, the purpose of the day is for individuals to become informed about how their personal data is being collected, used, and shared. While many of us hope that the governments, institutions, companies, and organizations that we share our data with will protect our privacy, that hope is sometimes misplaced. As such, each person serves as the last line of defense for the protection of their data.
Basic Privacy Practices for Individuals
While there might not be much you can do if an organization you do business with has a data breach, there are several steps you can take to better protect your privacy. Personal privacy-protective actions include:
- Read privacy notices. When you download a new app or sign up for a new service, be sure to read any privacy notices that are available to you and understand the data that you are sharing (including location tracking data on mobile devices) with the service provider. Whenever possible, share the minimum amount of data needed to obtain the desired app or service. If you don’t like the amount of data that the app or service collects, and you cannot modify those settings, make a conscious decision not to use the app or service.
- Check your privacy settings on all your existing apps or services a couple of times a year. Sometimes an organization’s data collection, sharing, and use practices may change and you may not receive (or read) notices regarding those changes. Much like changing smoke detector batteries twice a year helps to protect your life from a house fire, checking privacy settings a couple of times a year helps protect your data.
- When organizations ask for your data, ask why that data is being collected. Brick-and-mortar stores frequently ask for your email address before processing your transaction. They often ask for this information to send you electronic marketing materials or to enroll you in a rewards program. If the rewards program doesn’t matter to you, and you don’t want more marketing email, you can ask that the transaction be processed without providing this information. Let the store clerk know that your privacy is important to you and that is why you are choosing not to share extraneous information.
- Be judicious with sharing your Social Security number (SSN). Some transactions require you to provide your SSN to another entity, such as when filing forms for the Internal Revenue Service (IRS) or a government agency that provides benefits (e.g., Medicare, food stamps, or disability insurance). You have to provide your SSN when you start a new job (for tax- and health insurance-related purposes) or to establish employment eligibility. You may have to provide your SSN to establish creditworthiness when you sign up for a monthly service, when opening a bank account, or when buying a car or taking out a mortgage. When in doubt about whether or not you need to provide your SSN, ask why the entity needs that number and what happens if you choose not to provide it. Sometimes you can provide a different number, like a driver’s license number or state ID number, instead.
- Use multi-factor authentication (MFA) whenever it is available to you. One consequence of our increasingly digital and online world is that password reuse is a real problem for many of us. The problem with password reuse across multiple accounts is that if the password is ever compromised for one account, it is compromised for all accounts that use that same password. Enabling MFA helps to mitigate password reuse and weak passwords and can better protect your online accounts. MFA verifies a user’s identity by requiring multiple credentials, instead of just one credential like a password.
Basic Privacy Practices for Entities
While many states (Hello California!) are starting to enact laws that direct governments, businesses, and non-profit entities to protect consumer privacy, there is currently no comprehensive U.S. federal data privacy law. Nonetheless, governments, educational institutions, businesses, and non-profit entities can implement privacy practices designed to protect both the underlying entity and the individuals doing business with the entity. Some privacy-protective actions that entities can consider include:
- Minimize the amount of data you collect and how long it is retained. Entities can review their data collection, use, and storage practices to collect and use only the minimum amount of data needed to provide quality goods and services to consumers. Collecting extra data just because it might be needed “someday” can create physical storage issues and data security issues.
- Give consumers meaningful and clear choices about the data that they provide to you. A one-size-fits-all policy for data is not always reasonable—especially if multiple services using different types of data are offered. Giving consumers the ability to control how their personal information is collected, used, and shared based upon its level of sensitivity is a best practice that can help create trust and consumer loyalty.
- Secure the data that you do collect. Many states now have data breach notification laws requiring governments, higher education institutions, businesses, and non-profit organizations to notify consumers if the entity experiences a data breach involving certain types of data. Be sure you are protecting consumer data in the manner outlined by these laws and in accordance with information security frameworks. Securing data properly is not a matter of competitive advantage; it is a consumer expectation.
Everyone, from individuals to the entities that we interact with every day, has a role to play in protecting data privacy. You can learn more about privacy issues and Data Privacy Day at Stay Safe Online.
This blog was authored by Associate Vice President Joanna Lyn Grama, JD, CISSP who advises clients on information security policy, compliance, governance, and data privacy issues as part of Vantage’s Strategic Planning and Technology Management practice.