Tuesday, August 26, 2008

Will your data be your destiny?

It is not enough to work to protect your own data these days. You must also think about how the myriad organizations you deal with protect your data, whether or not you have a choice in the matter. Let’s look at a few examples and consider their implications.

In the Viacom v. YouTube case, web browsing habits from the home, which are mostly innocuous though they may bring out the lowest common denominator in many people, were initially ordered to be revealed by user name, before bulk views were agreed upon instead.

Many people have grown accustomed to using publicly available online resources, yet the implicit way these resources are managed changes over time. Over the years we’ve seen companies that provide free email turn specific messages over to authorities, such as when Yahoo provided a journalist’s email to his government, which then imprisoned him for divulging state secrets.

An employee of PA Consulting Group lost a memory stick with unencrypted data on tens of thousands of prisoners in the UK. The worst here is that the loss itself does not represent the real incompetence. I’m sure people will continue to lose things well into the future. But my guess is that the data were unencrypted and on a memory stick simply for the convenience of working with them in that format. It was probably PA Consulting Group policy not to work that way, but with a tight deadline, less safe timesaving methods were used.

There are further examples of how corporations do not protect personal information simply because they do not deem it worthwhile. For example, ConEd online account information (address, phone number, email) is available simply by inputting an account number. No password is required.

The Princeton Review published personal information and test scores for tens of thousands of students on its website.

There is also the possibility of data theft after information is turned over (we see enough examples of thieves stealing or companies losing credit card, Social Security and other personal data).

Protecting personal information is not solely in the domain of the individual. Companies that have access to personal data will continue to lose this data in the future. We just have to ask that they do a better job of protecting this data to begin with and give individuals a clear and easy-to-use option for keeping their data private.

Seriousness to the individual of the following:
Viacom v. YouTube: low to medium, depending on ability to identify individuals from the data.
Yahoo email share: high, since this resulted in a prison term for the journalist.
PA Consulting Group memory stick loss: potentially high.
ConEd: medium. Mostly a risk of identity theft or unintended pranks such as changing address or payment schedules.
Princeton Review posts student data: low to medium. More of an ability to snoop on data that will eventually be revealed to schools to which the students apply.
Credit card or Social Security data theft: medium to high. Opportunity for identity theft and fraud.
