|
Volume 4 Number 6 March
10, 2006 |
|
Guarding data Collecting personal information creates an
obligation of confidentiality It hasn't been a good month for those of us who worry about privacy. First, we were told that two
large newspapers in the Northeast used computer printouts containing the
names, credit-card numbers, and bank-routing numbers of subscribers to wrap
bundles of newspapers that were then just thrown off the backs of trucks across
Then, we learned that the
government of Finally, news reports said that investigators found in the hands of spammers and scammers a cache of 17 millions names -- along with phone numbers, addresses, e-mail addresses and internet IP addresses of customers making online purchases. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts . At first the reports said that the information came from an online pornography purveyor, but the pornography company now disputes that and says only three of its customers are on the list. The information, the company says, may have come from online "phishing" schemes. The jury is still out on that, but the last bit of news most likely brought forth a sigh of relief from 16,999,997 people, who would rather be portrayed as a victim in a phishing scheme than be revealed as a regular buyer of online porn. The bottom line in all of these cases, as well as in the cases we hear about with alarming regularity, is that people and companies that solicit personal information from us -- most often for legitimate reasons -- don't treat it with the respect it deserves. I have written before about privacy and confidentiality -- See: "Secrecy, privacy, confidentiality" -- and made the point, or tried to, that when we exercise our right of privacy and share personal data with someone for legitimate reasons, we do so with a reasonable expectation that the other person will keep that information confidential and treat it with the respect that we and it deserve. I keep using the phrase "for legitimate reasons," because I think that all bets are off if I share personal data with someone who has no legitimate need for it. If a stranger walks to me on the street and asks me for my credit-card numbers, social security number, and mother's maiden name, I am just plain stupid if I reveal them, and I have no defensible expectation of confidentiality. However, when a reputable merchant asks for my credit-card number and address, those are integral parts of the transaction, and I have to reveal them in order for the transaction to take place. I benefit from doing so, and -- as I argued in the column referenced above -- my doing so isn't a surrender if my privacy, but an exercise of it. I choose the person or entity to whom I reveal certain information. However, the person collecting the data also benefits, and this mutually beneficial relationship creates an obligation to treat the information that is traded as the valuable commodity it is. It's strange that banks and merchants treat both money and goods with a greater degree of security than they do personal data. Banks do not transfer money between branches by putting it in open cardboard boxes and throwing it into the back of a rental truck driven by two people from a temp agency. They use armed guards and armored cars, and they keep detailed records about the chain of custody. They know who gave it to whom, when, and where -- from the origin to the destination. Banks do not auction off money bags, at least without peeking inside to see whether there are any hundred-dollar bills still in there. Even the smallest store in a convenience-store chain keeps detailed records of its cash. Each clerk is responsible for the cash they are given at the beginning of a shift and the amount they have at the end of the shift, all balanced against the amount they should have as recorded in the registers. This is as it should be. What's disturbing is the cavalier attitude toward personal data that is, when you think about, far more valuable than a few dollars in the till of the local Gas 'N' Guzzle. Yet banks, major corporations, and government agencies routinely lose data, have their computers hacked into, and are generally sloppy with information that we guard -- or should guard -- preciously. In pondering the reason for this disparity, the only thing I can come up with is that these organizations are more careful with money than they are with personal data because the money is theirs and the personal data is yours. Basically, it's the fault of "free-market economics." There is an immediate penalty to them in losing money. There is no immediate penalty to them in losing your data, because it's your data and it's your life that will be seriously inconvenienced if the data falls into the wrong hands. I suppose someone could say that the "market" would correct the problem, because people would simply stop doing business with people who are sloppy with data, but that doesn't really work. We know who lost the data yesterday, but that doesn't tell us who will lose it tomorrow. And there's the possibility that the company that lost it yesterday has tightened up its procedures, so it could be that it won't do it again -- or not. And, while the "market" may punish the chronically sloppy, it will take a long time, and many people will be hurt -- and many unscrupulous people enriched -- before the hoped-for correction kicks in. Perhaps one way to make sure companies tighten up their procedures in advance of a loss is to create an immediate penalty for "misplacing" private financial data, just as there is a penalty for losing a million dollars. If a company had to pay a mere $1,000 for every record of personal data they lost, you can be sure that your name, social security number, credit-card number, etc., would be kept in secure locations, aggressively protected from hackers, and transported with the same care and chain-of-custody procedures as stacks of hundred-dollar bills. The $1,000 would be a pittance compared to the disruption caused in your life when your data is lost, but would be more than enough to keep companies and institutions on their toes, and make them live up to their ethical obligation to maintain the confidentiality you rightly expect. |
|
© Copyright 2006 Carlton Vogt |