Do you really need that customer personal information?

How often have you been asked to fill out a form in a professional’s office that has a space for your social security number, causing you to wonder “why do they need that?” Often, if you ask, you will find that the office staff has no idea; it has just always been done that way. It seems easy to ask customers for personal information that is not really needed without thinking about the potential consequences.

Last week I subscribed to a service that provides toll-free numbers, automated attendants, voice mail, and other call routing functions. I selected this company because the plans and rates were pretty good, plus I would be receiving a free IP phone as an incentive. The signup process was nothing out of the ordinary and the privacy policy was reasonable for a small business. I was all set…or so I thought.

A few hours later I received a call from the company telling me that to send me the IP phone they would need a picture ID; a copy of my license or passport was recommended. “Nothing to worry about,” I was told, “we just keep it in our files.” Not that I was happy, but we negotiated that I would send my license with everything but my name and picture blocked out (these two things are publicly available on the web).

It was explained that the company is collecting the picture IDs to be sure that the person receiving the free phone was a “real” person. Asking for a government endorsement of a person’s existence seems like a reasonable way to go (until you find someone who doesn’t drive and doesn’t travel internationally). What the company did not realize is that, since the license contains a first and last name plus a government ID (the driver’s license number), the company now must be sensitive to personal information protection and breach laws.

Take for example the Massachusetts law. Under 201 CMR 17.00 the combination of a person’s first and last name plus the driver’s license number is explicitly called out as personal information. The law’s requirement is for the company to

… develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…

There are more prescriptive details in the law, but it is fair to say that meeting the law’s protection requirements may need to be viewed in the light of the value being provided by collecting the information.

Let’s say that file cabinet with the copies of licenses got lost or sold without removing the contents. You now have a data breach that will need to be reported to the Massachusetts Attorney General’s office as well as to the individuals whose personal information was lost.

Massachusetts is not the only state with this reporting requirement. In their PrivaWorks tool, Nymity identifies 47 states that define first and last name plus driver’s license number as personal information. How much can all this reporting and data breach remediation cost? The Ponemon Institute puts the cost of addressing a breach in the US at $214 per record. Lost 100 records? Expect to spend more than $20,000.

Collecting personal information has hidden expenses that many SMBs may not consider; I doubt the company I am dealing with took the time to consider these costs. Exploring ways to meet the business objectives without collecting personal information may turn up an alternative that avoids these costs.