how security drifts away

Initially:

Company has a policy that personal data cannot be accepted by e-mail.  It must be sent by hard copy or FAX.  Even though FAX is not always secure, it is an approved channel under the privacy regulations.


1st Event:

HR requests that a document containing personal data be filled out and returned by e-mail.  Employees have no e-mail encryption available to them.

Complaint:  violates privacy policy.

Response:  Correct, policy was violated.  Rogue employee.  Issue corrected.


2nd Event:

Wording that “personal data cannot be accepted by e-mail” quietly drops from policy.

Complaint:  important privacy safeguard has been removed.

Response:  Employees are *encouraged* to send in personal data by secure means, but it is their choice if this is not followed.


3rd Event:

Requests for insecure transmission of personal data become routine and numerous.

Complaint:  encouraging insecure handling of data.

Response:  No policy is being violated.  There is no need to bring this up again.


4th Event:

More of the above.

Complaint:  I don’t like my data being requested this way.

Response:  Everybody is doing it.  What is the problem?


You can see how privacy goes away.  It reaches the point where, for privacy purposes, plain e-mail is treated as no less secure than any other channel.  If this happens on the front end, where a company collects data from its own employees, you can imagine that back-end transfers of the same data from one company to another are handled the same way, and this is happening at many companies.

14 Replies to “how security drifts away”

  1. Thank you!

    As you can tell, it is a battle that was lost. It gets even worse than in my story, but I don’t want to wear it down. Teaser: “Take a pic of the document with your phone and text it to me. That’s safe!”

    A worrisome thing is that I suspect it is this way in a lot of places: banks, schools, stores. Even if there is a decent security policy, an employee in a hurry to fulfill an information request will probably just clickity-click it into an e-mail.

    I was working with a small company way out in the “boonies” one time where I saw HR handle something really well. She was repeatedly saying into the phone, “we only respond to written requests for information by FAX or mail that we can verify…no…no…the manager will tell you the same.” She hung up the phone. She made my day.

  2. “Take a pic of the document with your phone and text it to me. That’s safe!”

    Yup! You know, my bank refuses to change its password requirements. Six characters minimum, eight maximum. Mixture of smaller case and capital letters and numbers but no symbols. And that, my friends, is the long and short of it. Sort of instills a sense of security somewhere deep inside, eh? :p

  3. Why must I think about this when I read about the 6-8 letter password requirements?
    https://xkcd.com/936/

    If I read that, I don’t wonder why I read almost every week (during the last half year almost every day) about the next security breach in combination with banking and credit cards. Things like the Target breach with over 100 million leaked full credit card customer information or the hacked Department of Homeland Security servers which led to theft of the financial information of about 114 *organizations* are only the tip of the iceberg …
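The bank policy quoted two comments up (6 to 8 characters, upper and lower case plus digits required, no symbols) and the xkcd strip linked above both come down to counting guesses. The following is an added worked example, not part of the original post or any comment, that puts numbers on that comparison. It computes the keyspace of the bank-style policy two ways, with and without the composition requirement (inclusion-exclusion shows that forcing "at least one of each class" actually shrinks the space), and sets it against a four-word passphrase. The 2048-word list size and the 10^10 guesses/second offline cracking rate are assumptions chosen for illustration, not figures from the page.

```python
"""Keyspace and entropy of a bank-style password policy vs. a passphrase.

Added example; numbers for the guess rate and word-list size are assumptions.
"""
import itertools
import math
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALPHABET = LOWER + UPPER + DIGITS  # 62 symbols, no punctuation (as in the quoted policy)


def _count_len(n: int, require_all: bool) -> int:
    """Number of length-n strings over ALPHABET.

    With require_all=True, count only strings containing at least one lower-case
    letter, one upper-case letter and one digit. Inclusion-exclusion over the
    three 'missing class' events:
      62^n - (no lower) - (no upper) - (no digit)
           + (no lower, no upper) + (no lower, no digit) + (no upper, no digit)
           - (none of the three, impossible here)
    """
    if not require_all:
        return 62 ** n
    return 62 ** n - 2 * 36 ** n - 52 ** n + 2 * 26 ** n + 10 ** n


def policy_keyspace(min_len: int, max_len: int, require_all: bool = True) -> int:
    """Total number of passwords allowed by a length range plus composition rule."""
    return sum(_count_len(n, require_all) for n in range(min_len, max_len + 1))


def brute_force_count(n: int) -> int:
    """Exhaustive check of the composition rule for small n (used to validate the formula)."""
    total = 0
    for pw in itertools.product(ALPHABET, repeat=n):
        s = "".join(pw)
        if any(c in LOWER for c in s) and any(c in UPPER for c in s) and any(c in DIGITS for c in s):
            total += 1
    return total


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Keyspace of a passphrase drawn uniformly from a word list (words may repeat)."""
    return dictionary_size ** words


def bits(keyspace: int) -> float:
    """Entropy in bits of a uniformly chosen secret from a space of the given size."""
    return math.log2(keyspace)


def crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected time to exhaust the space at a fixed guess rate (assumed rate, offline attack)."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    GUESSES_PER_SECOND = 1e10  # assumption: a modest offline GPU rig against a fast hash
    loose = policy_keyspace(6, 8, require_all=False)
    strict = policy_keyspace(6, 8, require_all=True)
    phrase = passphrase_keyspace(words=4, dictionary_size=2048)  # assumption: 2048-word list
    for label, space in (("6-8 chars, any mix", loose),
                         ("6-8 chars, all classes required", strict),
                         ("4 words from 2048-word list", phrase)):
        hours = crack_seconds(space, GUESSES_PER_SECOND) / 3600
        print(f"{label:35s} {bits(space):5.1f} bits  ~{hours:8.1f} h to exhaust")
```

The point the numbers make: a 6 to 8 character policy without symbols tops out below 48 bits, the composition rule removes a few more bits rather than adding any, and an 8 character maximum is what keeps the user from ever getting above that ceiling. A four-word passphrase from even a small list lands in the same neighbourhood with far less to remember, and a fifth word beats the whole policy.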

  4. Yup. But they don’t care. The last time I spoke with the bank’s technical advisor he assured me that they had “other” security software in place and that even if the account was hacked, it was all covered by insurance and I would not be out one cent. So reassuring, eh? LOL

    There’s not much I can do due to my circumstances (long story and I’d rather not go into details). I have just come to accept it for what it is and the only precaution I take is to change the password periodically rather than leave it on a permanent basis.

  5. The Target thing. I’m still shopping there with my Red Card as much as I ever did. I assume the issue is widespread and not all incidents are being reported. The usual. At least credit cards have some limit to the liability. If it became a tool in identity theft, I think there could be a lot of hurt there.

    I’ve also been hearing some noise about Nordstrom, and according to Reuters, “two other unnamed retailers.” I wonder how you get to be unnamed? Maybe friends with the right official? Target must be on the protection “B” list.

  6. It is worrisome and I’d be flippant if I were to pretend it doesn’t bother me in the least. But given the reality of doing business in our new brave world, what are we to do? I’ve spoken with folks who honestly believed that staying off the internet would completely protect them but in truth, our financial well-being is at risk whenever we hand over our credit cards in a restaurant, hotel, you-name-it. Several years ago I bought a piece of furniture from a place called Wicks. I handed over my credit card and the salesperson asked for my driver’s license which I duly handed to him. Right before my astonished eyes, he turned around and scanned my license and made a hard copy of it. I asked him what he was doing and he told me that the copy of my driver’s license would be kept at the store for future transactions. Kept at the store? Where? Evidently in an unsecured filing cabinet behind the counter. I said, “No you’re not going to do that. Give me that copy.” The guy after arguing with me took it and tore it up and asked if I was satisfied. I said, “No, give me the torn pieces.” He was furious (as was I) and handed them to me. Needless to say, I never shopped there again (and eventually they did go belly-up) but can you imagine the number of trusting folks whose identity was being stored in that unlocked filing cabinet? Unless all of our transactions are in cold, hard cash we’re at risk. And our identity sits at the motor vehicle department, the doctor’s office, the dentist’s office, our place of employment, etc etc.

  7. Unfortunately there seems to be a significant number of people in the USA who buy and use something once and return it to the store for a refund. I think the big chain stores may have a problem with this. There is also the constant turnover of underpaid clerks who have no personal interest in the success of the company, which makes it possible for dishonest customers to go mostly unnoticed. So it seems companies put these invasive policies in place to protect themselves. But, think how easy it is for anyone to get a job like that, and get instant access to those piles of sensitive papers.

  8. Our identity is at risk all the time. I suppose there are some precautions we can and should take but the bottom line is: we can’t lock this down so that it’s air-tight. I can put dead bolts on my main doors (and I have) but a thief can still kick in the windows. I can put alarms on my windows but they can be circumvented. I can use the best security suite available but still be caught by a zero-day exploit. To my way of thinking about the best I can do is to take “reasonable” precautions and not worry about the rest because my worrying will not help and in fact will likely be counter-productive since I don’t need further stress factors in my life. Ha. I’m going through two weeks of back pain right now. My daughter-in-law is insistent that I have further tests. I’ve already had an MRI but evidently it wasn’t thorough enough for her. What she fails to understand is, sometimes the cure is worse than the malady. I’ve heard of many back surgeries going very badly. One report recently stated that the sufferer had a 40% chance of improvement via the surgery and a 40% chance of further damage. I would not want that option UNLESS the present suffering was unbearable. Then I suppose you have to gamble. My point is this: there are no guarantees for anything: safe surfing, safe online banking, safe online shopping, secure homes, healthy bodies, etc. It’s life, guys. We do the best we can and then we try and live with the knowledge that even that might fail.

    I bought two brand new laptops for my wife and me. They came with Norton installed and I immediately uninstalled it. They’re running Windows 8.1 and my attitude is: the built-in firewall, the built-in Smart Screen filter and the built-in Windows Defender should be adequate IF I exercise caution in what I download, where I surf, the links I click on, and the attachments I open. Some of my friends think I’m nuts… that WD isn’t adequate. The funny thing is, I know someone who has never had a virus issue and runs it and yet another who runs the top-ranking Bitdefender and has had issues. My point is – there are no guarantees… regardless of what you choose to use and in whatever field we happen to be discussing. Do your best and don’t sweat it.

  9. I dig your approach to everything above. My feelings are similar.

    I also agree about the management of the treatment for your back. I’m supportive of the patient having input on treatment decisions. I also think each person should be able to decline all or part of treatment with just a few exceptions. Your decisions sound informed and reasonable. Best wishes on your journey in this.

  10. I appreciate your encouraging words. Forgive me for wandering off the main topic but right now this condition seems to trump all other thoughts. I’m keeping a follow-up appointment with my doctor for Friday. His assistant called last night to see how I was doing. She suggested I might benefit from seeing a back specialist. I thanked her and said that I wanted more time to allow the medications to work (one is a steroid to reduce the inflammation) and allow my back to heal itself. After that, I will opt for alternative solutions first (i.e. massage, acupuncture, chiropractic adjustments) BEFORE opting for the specialist. My experience in the past seems to indicate that once you go down the specialist route there is generally no turning back. And that almost always means surgery, therapy and big bucks with no guarantees of success. I’m 67 years old and in reasonably good health. I have a good pension, an enjoyable part-time job and a loving wife. Hey… what more could I ask for? (well… a strong back I suppose… LOL).

    Anyway: apologies for wandering. I very much enjoyed reading your blog entry. Security is definitely something that occupies my thinking.

  11. No worries on drifting off topic. I’ve never cared about that. I just like that there is chatting going on. We already paid homage to the topic in the first few comments.

    I got my rear bitten off a few times at myopera for straying off topic. I never went back to those places.
