Much of our personal information becomes public information when we carelessly share it on the internet and with others. And when personal information like our name, address and even unlisted phone numbers becomes widely available to the public, it’s impossible to retrieve it. Publicly disclosed personal information has many undesired consequences, such as prank phone calls, spam and identity theft.
The Identity KAOS principles emphasize the importance of limited collection, sharing or duplication, and retention of personal information on the part of individuals and companies, in order to secure personal information and prevent it from becoming public information. Many people continue to accumulate identity components unnecessarily and carelessly, without any regard for the consequences of their actions. What consumers should know is that once they share their personal information with others, it’s extremely hard, if not impossible, to take the shared information back, especially when it is posted on the internet.
For example, individuals are guilty of collecting an excessive number of credit cards and creating many online accounts, unnecessarily sharing their personal information with others and making it public information. And when individuals create a multitude of accounts, they fail to reassess their needs periodically and close the accounts they no longer need and have not used in a very long time. Many of us have credit cards and online accounts we no longer use, yet they remain active and vulnerable to misuse and identity fraud.
Companies are not exempt from identity management risks either when they carelessly and unnecessarily accumulate, share and retain customer information that they might falsely consider a business requirement. Companies must constantly reassess and validate the business requirements they consider absolute necessities for running their business transactions. Not only may certain information not be an absolute necessity for running a business, but the risk and effort of securing and managing the customer information may also not be worth collecting and owning it. Identity management risks are constantly changing, primarily due to technology and expanding laws. As such, business practices and risks with regard to customer identity management must be assessed continuously to ensure not only that the absolute minimum of necessary information is collected, but also that appropriate identity management practices are in place to properly manage and secure the collected information. There are many business, legal and moral responsibilities and risks tied to the customer personal information that companies might routinely collect. By limiting the amount of personal information they collect, businesses can reduce their legal, security and privacy risks.
Companies must also carefully assess their business contracts with third parties when they intend to outsource business operations that might require sharing access to their customer information. Many business contracts fail to address security, privacy and monitoring requirements with third party processors and service providers. Sometimes, third party service providers are the ones that lose millions of customer records because business contracts fail to address security and monitoring requirements, and even when contracts address such requirements, they are not enforced through monitoring and independent audits.
And lastly, companies retain all necessary customer information longer than they need to, especially the information they willingly shared with third parties and subsequently failed to retrieve and destroy. I can’t stress enough how important it is to keep an eye on third party service providers that collect your customer information. The ultimate risk lies with whoever initially collected the customer information for business reasons. After a security breach and the loss of millions of customer records by third parties, companies can sue and maybe recover some of the costs from the third party service providers, but not before the business image is destroyed in the media, leading to lost revenues and customers.
The dissemination of personal information and its transformation into public information is a fact of life, especially since the introduction of the internet. But we still have some control over what information we collect, share or retain, with whom, and how frequently.
Read the Identity KAOS principles and learn to prevent personal information from becoming public information.