Workplace identity obesity is a real threat to consumer identity privacy and protection. Identity obesity refers to the unnecessary collection, retention and sharing of personal information, which increases identity security and privacy risks even when security controls are in place. As we all know, information protection controls are not one hundred percent effective at all times for a variety of reasons, either because policies and procedures do not exist or because they are not followed.
Workplace identity obesity is not very different from consumer identity obesity, whereby personal identity components are carelessly and unnecessarily placed at risk. The main differences are the impact level and the fact that a party other than the person is placing that person's identity at risk. You see, when companies are identity obese, they place their customer information at risk of privacy disclosure, theft and fraud.
Workplace identity obesity is very common and has more severe consequences because it can affect millions of customers. As I mentioned, similar to consumers, companies also become identity obese by unnecessarily collecting, sharing, retaining and exposing their customers' personal information.
Let’s explore a few ways by which businesses increase their customer identity risks by becoming identity obese:
1. They collect more personal information than needed to sign up new customers. Companies should assess their online or offline applications and determine whether all requested information is needed, because with identity data acquisition also comes a huge responsibility to properly manage the data.
2. The way customer information is collected or processed adds risks to consumer privacy and identity protection. For example, how many businesses ask their customers to write down their credit card information on invoices and send it through regular mail?
3. Documents containing personal information are often left on open desks and public printers for hours and even days for everyone to see.
4. Personal information is often shared with subcontractors and third parties without assessing the need, without signed confidentiality and non-disclosure agreements, or without proper monitoring.
5. Personal information is retained for an unnecessary length of time, exposing it to unnecessary risks.
Often customers have no knowledge of or control over what businesses do with their personal information, and privacy policies have become too generic and lengthy to offer any meaningful information for decision-making purposes. For example, customers cannot avoid sharing excessive and unnecessary information requested by companies, such as when applying for a mortgage, or dispute the means by which information is shared with the requesting company. Still, it is generally a good practice for consumers to raise their concerns when they become aware of potential risks, and for companies to listen to their customers' concerns while avoiding similar mistakes made by other companies such as Facebook.
With the rising risk of identity theft and the availability of free information online, lack of awareness and education about preventing identity theft can no longer be tolerated.