Thursday, October 9, 2008

Personally Identifiable Information (PII) Guidlines


WARNING: ACRONYMS AHEAD:

WTIA (Washington Technology Industry Association)
PII (personally identifiable information)
IT (information technology)
SSN (Social Security Numbers)
RFID (Radio-frequency identification)

(You have been warned)

I am a member of the WTIA (Washington Technology Industry Association) task force on privacy. Recently, Lew McMurran, VP, Government and External Affairs and chair of the task force, sent out a set of principles developed to guide WTIA members and the technology industry of Washington state when using personally identifiable information (PII) in the course of business.

As he pointed out in his email, the loss, misuse and stealing of PII is a national problem, and if businesses don't respond to the problem seriously and effectively, then a government body likely will. Already many state legislatures are proposing and passing laws requiring a number of protective measures from encryption to limitations on target marketing.

In the long run, businesses need to take the lead in adopting standards and guidelines to protect individuals and consumers from threats both real and imagined. With that, Lew drafted and sent out for review some guidelines, which I am posting here. Take a look and offer opinion if you are so inclined. This is a draft only, and will be subject to discussion and review. I would like to open that review to you all as well.

PII is information about people. Any misuse, loss or stealing of PII affects the lives of people. This must be kept foremost in the minds of WTIA members and the technology industry.

PII is critical data for business. It must be understood that way from the top of an organization to the bottom. Loss, misuse or stealing of PII should not be tolerated and policies to protect PII must be developed that apply to everyone in an organization.

Access to PII within an organization should be limited to those who have a critical need for it. For those within an organization that need access to PII, personal financial information should be segregated from other PII to lessen the opportunity for misuse or stealing of personal financial information.

Organizations must be transparent to consumers and individuals about what PII they collect, how they use it, with whom it is shared, what protective measures are in place and options consumers have to limit disclosure of PII. Privacy policies can serve this purpose but should be written in plain English, be more prominent and must be developed with the input of legal, marketing, IT and others who will have access to PII.

Consumers may or may not be aware that companies are using behavioral targeting as a means to develop and market products and services. The use of behavioral targeting tools, such as cookies, web bugs, web beacons and others must be disclosed prominently, either within privacy policies or separately.

Organizations must closely monitor third party vendors for access to and use of PII. Access to personal financial information and SSNs should be limited only to those where it is necessary. Third party vendors’ use of PII should be restricted to only what is contracted and be prohibited from transferring PII to anyone else.

New information gathering technologies, such as RFID, must be carefully monitored when deployed. When using new technologies, PII should be collected with a consumer’s or individual’s knowledge with a convenient means to opt out.


This is the start of an important discussion and not an exhaustive list. The WTIA is taking the lead in advocating for the market adoption of these principles, and though the organization lobbies for market based, industry self regulation, they still may support legislative measures that make sense.

31 comments:

Anonymous said...

Interesting read. I'm somewhat glad that the Washington Technology Industry Association is seriously looking at the possibilities and dangers of NOT keeping personally identifiable information safely secure, and are planning accordingly.

I think a lot of people today expect that protective measures are already in place with regards to their personal information and may not realize that that is not always true.

Racer06 said...

This such a huge topic... even to touch just a fraction of the issues surrounding this, is mind bloggling and maddening. But in a nutshell, I think businesses should be held accountable when they provide or leave our information vulnerable. Like the guy who had VA social security numbers on his laptop computer that was stolen. Why did he even have it on his laptop that was taken out of the office? "Bad judgment" http://www.afa.org/magazine/sept2006/0906scandal.asp My husband was one of those SS# and i was frightened by the fall out, that never came, thankfully. I know first hand what it's like to have your credit taken, they haven't ever taken my name, (i didn't want it either. lol) But they have taken my cc numbers and made thier own cards and went to town on my accounts. Convenience checks too! Sent to my mail box, i never have asked for them, nor have i ever used one. And all the sudden, every single one of my accounts has a convenience check written on it. It wasn't even one of my own credit card companies who caught it. Go figure. How did a company that i don't have credit with know, it wasn't me writting these checks??? Yes, it is definatley mind boggling, how our PII's are handled & misused without consent.I had to call EVERY single CC company to have them NOT send cashier's checks, which incidentally, took 6 weeks to take effect. (????) I personally, think it is all backwards, we shoud have to call them, to ALLOW them to send crap we really don't want. Yes, definately hold companies, especially credit card companies, liable for the amount of PII they sell off. It should be illegal to do so! And if not, then where is my cut, it's MY PII!!

WritersHairClip said...

I think it would be good if there was legislation on the sharing and accessing of personal infromation. Wheter or not protective measures would be payed attention to is another matter. It's hard to regulate what goes on the internet, becuase things happen to fast and are harder to track down.

RT said...

I've always thought there should be some kind of outline of rules for the misuse of personal information, so im glad the WTIA is taking inititave to stop the misuse of it, because you never know who is looking you up and at your personal information, and suddenly it can get leaked by "accident" especially financial information which was a good point brought up on the post. Because with your financial records being misused or thrown around, that will cause serious consequences.

scott1223 said...

The world is moving towards the bigger, faster, stronger use of technology.

There is always that scare of who can get access to your information though. Problem is, no matter how great the security measures taken, if someone really wants PII they can get it. Look at the rising number of identity thefts today, without all the PII around floating in the airwaves digitally.

I remember reading about how the RFID tags in the new passports caused a huge roar regarding privacy issues.

As technology advances, new ways to secure and potentially access your PII will become available. It can be scary, but it won't be anymore scary than the old ways of people doing it in times gone by. This is just going to be the generation's next challenge.

Gossip Girl said...

I think it’s important that WTIA is taking part in the misuse of personal information. More people should be aware that it’s so easy to gather information online about other people in a matter of clicking some buttons. Since technology is moving at such a fast pace its hard to keep up with everything. Many people aren’t even aware certain information is out there about them. With rules taking place I think it will help protect peoples personal rights from the Internet and the public.

Shortey said...

This looks like a great step into the right direction towards resolving this global issue. One of the problems that I’ve noticed with people who have been affected with their privacy being invaded is that there tends to be a lack of knowledge or education about the matter. We all hear information you better protect yourselves, don’t do this don’t do that, but how do you really protect ourselves, if a lot of us don’t even know how our actions on the web is affecting us. By having corporations take on the role of creating these standards could boost consumer confidence even more. I agree with the section that mentions the segregation of duties. Consumer’s private information is like the financial aspects of a corporation. You want to ensure that capital within a business is not stolen or misrepresented, like the same way you don’t want consumer’s private information to be misused. I know as a consumer, if an online site is more reputable and secured I would use it more, and right now I rely on the same websites for many repurchases, like Amazon. In the long run, having a set of principles can possible increase online revenues and create a web wide standard for privacy protection.

Ziggy said...

There should be some sort of regulation to what is done with peoples information. I support any local laws regarding this subject and any laws passed down by legislation . There should be consequences for not following these rules. Also some sort of company should be set up to regulate these rules and distribute the consequences. I think you can regulate the internet and one day a program or company will be put into effect that regulates the internet.

Gabrielle Baldwin said...

It seems like the Washington Technology Industry Association is taking the first step in providing a type of security that could be helping many people think twice about unconsciously giving out personally identifiable information. This is a somewhat scary topic when you think about how many businesses may have PII files saved in their systems and how many of those businesses are involved in the buying and selling of that information on the internet in order to gain profit.
People should take advantage of the tips that the WTIA is providing in an attempt to secure themselves from possible dangers that come with unprotected PII.

McNasty said...

So, does it freak anyone else out that our information can, for the most part, be viewed by almost anybody (depending on their determination to seek a certain individual out)? Obviously, identity theft has become an outstanding deal in recent years, and even with today's technology it's apparent that our information is not as much of a secret as we thought. Therefore, I believe the steps in which WTIA is taking in making sure that personal information is kept secure is definitely a step in the right direction.

Duathlon Dawg said...

Business ethics come to mind. While I think this a noble effort, with merit, I hope companies with PII have already thought through these issues. With this being said, I still believe the WTIA should make a public statement concerning this topic. The world of PII will only grow more complicated from here on out. I believe this statement from the WTIA is similar to the Constitution of the United States in that it serves as a framework that can be amended and updated to fit the times as needed. Also, when and if PII becomes a bigger issue, or god forbid a big problem, these guidelines should serve as a starting place for lawmakers proposing regulation and/or legislation.

Phillipians 2:5 said...

I think that guidelines for PII are wonderful.I'm happy that people are trying to stay ahead of the game but sometimes the whole process is filled with lots of bureaucracy and a great deal of time is required to get the change started.

I also think not only do we have to protect our info from the outside sometimes the info taking happens from the inside too. Just recently we had a women and her mom working to steal info in a bank.. Now what is that? I believe that we need to work on inside policies also... =)

Besides not only do we need to work on our Country's policies we need to make sure our info is protected outside of the U.S.

Mindful Biz said...

This is definately a critical topic. Financial institutions use the profiles to monitor what type of spending habits a person has. The information targets everything from what type of groceries a person buys. Alcohol? Smokes? how often? Are they a big gambler? they can track exactly what casino and how often. This really is a make or break when applying for a loan to what kind of limit you get on your credit card. This just adds to the paranoia of how our every move is monitored. Perhaps the only way to stay off the grid is to not be a member of any financial institution and simply pay cash for everything.....

Bekkah29 said...

I recently spent two years working for a financial institute. Everyone had access to hundreds of thousands of peoples PII. Files that included credit reports, SSN's, addresses, phone numbers, co-signers, etc., floated around the company from dept to dept as a way of business. Not to say policies weren't in line, there were disposals for sensitive documents and we weren't supose to leave files out at night, but the policies were way to loose in my opinion. The bottom line is that the information was easily and readily available to all employees! When people are having hard times, you never know what they'll do. From my prospective on the outside, as a customer of other companies & especially after reading this article, lol, I'm a little uncomfortable with the thought of any of that info being my PII.

I would strongly support the legislator stepping in and making things more secure and I'm glad this is being looked at. I'll stay tuned....

Cinderella said...

It is so scary to know that people can easily take your identity off line in a matter of minutes or even seconds. It's good to know there are some measures being taken to protect people's personal lives. I think that with certain measures being taken and guidelines that are being built will help keep from identities being stolen or at least harder for it to happen. You know people aren't even aware of what’s out there about them and as time goes on, with out some kind of rules of protection, no one is really safe… Think about it, if there was no action taken against this, then everyone would be at risk, potentially, no one will really have their own identity…

Zhang Ming Su said...

This is what I've been waiting to hear (or read). I feel relieved knowing that there is a governing body that regulates the use, acquisition and, distribution of such Personal Identifiable Information (PII). Imagine what a big headache if somebody has an easy access to your PII, and use that information to impersonate you for their own iniquitous intentions.

However, I will still be cautious on giving my PII online. I always check the site if it's secure or not whenever I have to give some of my PII online.

Knowing the difference between a SECURE Website (https://.....) and an UNSECURE Website (http://.....) sometimes helps.

A secure website starts with a https://..., while an unsecure website starts with a http://.

Cheers!

Ptrang said...

PII or personally identifiable information is a national problem and I believe it is great that there are guidelines addressing this issue. Today our personal information is out on the web and it must be protected. People social security information could be leaked and this could cause major problems in the future. I agree with zhang ming su on the secure websites. I noticed that bank of America website uses encryption, but is it breakable?

Chase111 said...

For the most part, the sites I go to are safe and secure, but I am still cautious as to what information I provide. It'd be great at some point to never have to worry about where your personal information being thrown around, but I'm afraid that will never happen. The fact that protective measures are somewhat intact is a little relieving, but they should be 100% of the time.

mdkrblog said...

With all the information people can gather about others on the internet I believe that a person can get anyone’s PII. It gives me some comfort knowing that the Washington Technology Industry Association is stating that theft of PII is dangerous. With the internet continuously growing I believe that theft of PII will continue to happen.

Jay said...

I think it's great that WTIA is doing something about the privacy issues facing companies today. Information is too easily accessible from computers now a days, there's a desperate need to control this before it's too late.

Many people put PII on their computers thinking it will be secure; when in reality it can easily be obtained by hackers and thieves. Business should advocate important ways of storing information on their computers; while limiting ease of access to that information by others that don't need it.

Brock said...

Legislation can only go so far. As we have seen time and time again, the government is always playing catch up in the technology field. Education is what will really help.

Perhaps a TV ad showing an elderly couple crying and consoling each other after learning that they have lost their life savings. Have the voice over mention a link to a Learn More site and display it on the screen at the end.

Americans are always more motivated when they are scared.

NewKidsOnTheBlog said...

What an interesting read, it's great to hear that the WTIA is looking out for people and their information. With the world wide web so big and that everyone is on it, anyone could just get your PII. If the WTIA or anyone not stopping others from obtaining your PII, it would be such a mess for everyone. At the same time, as technology evolves, people or whoever will find several other ways to obtain your information, so that said, at least the WTIA is staying ahead of the pack and trying to keep your identities safe.

timmay said...

This really is a huge topic because on some levels people have no idea how much information there is published about them on the web as we found in our vanity search. On the other hand people cannot completely hold businesses accountable. On some level people need to have a understanding that the web is not safe and whatever information they put out there can be found by someone else

Blue Spearow said...

I'm glad that the WTIA is looking into keeping PII secure but I also think that it's ironic how people are so freaked out by the thought of getting their identity stolen (I have personal experience in this area because my wallet was stolen and my mom was so scared for me but luckily nothings happened yet) but they give out information to companies and internet sites they think they can trust all the time. There's always someone out there trying to get that info and if they really want to they can.

Technology: No Place for Wimps! said...

This is a very important issue we should all be paying more attention to. People go online and click at everything they see, but they don’t realize that websites are storing their information and their behavior for their use. It is good to know WTIA is taking some action. We fill out forms with our name, address, and other information on so many different web sites. If we don’t have strict rules and guidelines in place for the use of this information for businesses, we are going to see a lot of misuse and stealing of our information.

Special K said...

I agree with the commenters above. This is an important topic to discuss. I was shocked about the amount of information on members of my family that I found on the internet. Combine this with PII not being secure, and it is even easier to steal a person's identity.

Its good that credit card companies don't make consumers responsible for fraudulent charges. However, it is a huge pain in the butt to get everything taken care of if one's purse is lost or stolen, let alone if the person's identity is used. Getting false information removed from one's credit report is a huge pain... Having PII online makes stealing from someone even easier. Being stolen from can be a giant inconvenient hassle.

I think it is interesting to note that when I bought my renter's insurance I was given the opportunity to buy identity fraud protection- to cover time/money lost due to identity theft.

HumblyOpinionated said...

Keeping my identity out of the hands of criminals is a very important issue and if it takes state legislation to keep that from happening than I am on board. I also believe that the responsibility should lie on the businesses that hold the information. There negligence has the capability to ruin lives, when your dealing with personal information there has to be check and balance entity.
As a victim of credit fraud I firmly believe that all personal information needs to be carefully handled and regulated to prevent theft from happening.

S.Phoung diggity said...

I am glad that they taking at there is step to protect people's privacy in way. New techonology do come with new dangers which the law should come up with new laws to protect people. My dad has had someone made checks with their name or supposedly their name and my dad's name on the check. They bought shoes at nordstorm and stuff, but the bank caught on before they got to spend too much. It is important that people aren't taken advantage of because of the information available out there.

LoneShinobi said...

Very informative article!! To me, privacy on the Web is pretty important. I'd hate for my Social Security Number or Credit Card Numbers to get in the wrong hands and end up in the Identity Theft category. Let's hope Government gets involved sooner or later on this.

BEAR253 said...

It's a scary subject to think of what information can be gathered about so many people just with the click of a button. I would say that alot of what is being done by the WTIA can help stop the solicitation of personal information online. I just want to know what right and for what purpose are these sites here for. The amount of power that the corporation has in American law is no secret. I wonder if these corporations are using this information as well. It's the fear of the unknown that probably gets to most students when they find out that when the life they thought they had under control is actually being sold to anybody who wants the info. Laws should be in place to curb some of the information obtainable online, but can the laws protect free speech while protecting peoples privacy.

pdpmusician07 said...

There are a lot of people out there that think that they can go by, day by day, without worrying about their personal information being secure, and that is a big problem, as you have agreed with. The fact that just how much information is out there on a person is unknown, is very scary.

I am pretty happy to see that it is being looked at. but once its out, its out.

Second Book of Short Stories Out on Amazon

During the last year I wrote four short read collections called the Three Twisted Tales . Today they are available in aggregate as The Clock...