"What is private information" is a fundamental question that we must ask ourselves and collectively answer if we want to adequately:
We often hear about large data breach incidents that hit companies very hard and surprise their management. It usually takes time to make risk and impact assessments after an incident occurs, yet we are often quick to jump to conclusions. For example, The New York Times once reported that unnamed sources said about nine unnamed financial institutions had also been hit by the same group of foreign hackers that stole over 80 million records from JP Morgan. The Times also noted that "The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government."
First, there appear to be many presumptions and discrepancies about who we believe the hackers to be, where they come from, and which government sponsors, if any, stand behind them. But as we analyze the damage caused by data breach incidents and identify what information was stolen, we seem to be confused when we try to answer what private information is, which we must do in order to protect customers and comply with regulatory requirements.
For example, we were told that the JP Morgan data breach did not compromise customer financial information or personal information such as Social Security Numbers. Officials at the bank said that only names, addresses, phone numbers and email addresses were compromised. The word "only" suggests that the company considers some stolen customer information to be more or less private, and more or less threatening to customers, than other information; to be more specific, judging from the bank's statement, an email address is considered public, or at least less private, information.
But the question that begs an answer is this: aren't our names, home and email addresses, and phone numbers also private information? Just because this information may be found in some public databases doesn't mean it should be acceptable for it to be stolen, or shared voluntarily with others for marketing purposes.
I want to make a specific case about one of these so-called semi-private or public pieces of information that we may not consider important to protect, or to respond to when it is stolen. As you know, we use our email address as our user ID to log into some accounts. Therefore, hackers who get their hands on our email addresses already have 50% of the information they need to access any account where we use our email address as the user ID. This half of the system access equation is static, which means that even if we change our passwords, we remain at the same risk level until the user ID requirement is changed to another email address or to a non-email ID. The risk of unauthorized access is even greater when we consider that many people use their names, user IDs or phone numbers as their passwords. Therefore, hackers who steal information that companies do not consider as important as their customers' financial information or passwords actually have more than what they need to either access systems directly or obtain further information through phishing and pretexting scams.
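One defensive consequence of the argument above is that the identity fields a breach exposes (email address, name, phone number) must never double as the password. The following is an added example, not code from the original article: a password check that flags candidates derived from those fields, including separator-stripped and reversed forms, with a constructed sample customer record.

```python
import re

# Added example (not from the article): reject passwords that an attacker holding
# "only" a customer's email, name and phone number could guess outright.
# All sample values below are constructed for illustration.

MIN_TOKEN_LEN = 3  # ignore fragments shorter than this (e.g. "jo") to limit false hits


def _normalize(value: str) -> str:
    """Lower-case and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def identity_tokens(email: str, name: str, phone: str) -> set:
    """Fragments guessable from leaked identity data: the email local part and
    its pieces, each name part, the full name, and the phone digits (full
    number plus the trailing 4 and 7 digits people commonly reuse)."""
    tokens = set()
    local_part = email.split("@", 1)[0]
    for piece in re.split(r"[._\-+]", local_part):
        tokens.add(_normalize(piece))
    tokens.add(_normalize(local_part))
    for piece in name.split():
        tokens.add(_normalize(piece))
    tokens.add(_normalize(name))
    digits = re.sub(r"\D", "", phone)
    if digits:
        tokens.update({digits, digits[-4:], digits[-7:]})
    return {t for t in tokens if len(t) >= MIN_TOKEN_LEN}


def password_identity_overlap(password: str, email: str, name: str, phone: str) -> list:
    """Return the identity fragments found in the password (empty list = clean).
    Each fragment and its reverse are checked after separators are stripped,
    so 'J.Doe-1987' still matches 'doe' and 'eod87' is caught too."""
    pw = _normalize(password)
    return [t for t in sorted(identity_tokens(email, name, phone))
            if t in pw or t[::-1] in pw]


def is_acceptable_password(password: str, email: str, name: str, phone: str) -> bool:
    """True only when no identity-derived fragment appears in the password."""
    return not password_identity_overlap(password, email, name, phone)


if __name__ == "__main__":
    email, name, phone = "jane.doe87@example.com", "Jane Doe", "+1 (555) 010-4242"
    for candidate in ("janedoe87!", "Doe2024", "5550104242", "eod-enaj", "Tq7#vL9mR2"):
        print(candidate, password_identity_overlap(candidate, email, name, phone))
```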
Therefore we should be very clear and careful, in our data breach assessment and response, about what private information is. Let's not forget that email addresses are sold all the time for spam marketing and phishing purposes, which can lead to the theft of other private information. And as mentioned, an email address already solves half of a hacker's challenge in accessing some of our accounts. In order to perform an adequate risk assessment before or after a data breach occurs, the answer to what private information is must be defined and the risk of its theft clearly identified; only then can we conclude that one stolen piece of information is less important than another.