Do you know what personal information it is important to protect? Have you ever thought about what could happen if people manage to piece together the various bits of information about you that are stored in various databases or filing cabinets to create a more complete picture?

More specifically, most people in the US know not to share their Social Security Number with people at random. How about your driver’s license number, or state ID card number? Your passport number?

What prompted this post was being asked by an organization today to let them have a copy of my driver’s license or ID card to prove, in case of an audit, that they had asked for it. I refused to allow them to make a copy since they had no need to retain that information. Doing so puts part of my personal information at risk, as well as exposing the organization to problems should they ever suffer from a data breach (and the number of those occurring each year seems to be rising).

Was I being difficult, or paranoid? No. California, and other states, consider social security numbers, driver’s license numbers and state ID card numbers to all be equivalent in terms of the requirement to protect them (Cal. Civ. Code §1798.82(h)). If as a business you plan to store copies of driver’s licenses, or even just the number, then you need to protect that in the same way you would protect SSNs. In case of a breach, the business also needs to notify people in the same way as they would for an SSN breach.

What Information Should I Protect?

The first, and perhaps most critical group to protect are those that are considered unique identifiers. The Social Security Number, driver’s license number, ID card number and passport number all come under this category, but there are others like credit card numbers, bank account numbers & health insurance IDs. These are important to protect because they are unique to you. That makes them very useful for people looking to join data from different sources together to make a more complete picture of your identity.

The second group is not data that is unique to you, but are the things that are frequently used to verify your identity. Date of birth, place of birth, name of the street you grew up on, mother’s maiden name & name of your high school are all examples. On their own, these are not very useful, but if they can combine them with an email address, a phone number or some other unique identifier, these might let at attacker answer those so-called security questions & gain access to one or more of your online accounts.

Nobody Can Join This Together, Can They?

Sadly, in the modern age, it is often far simpler than you might imagine to collect this data en masse and use those unique identifiers to connect it all together. The tools to mine large amounts of data are easy to use, and readily available.

Sometimes organizations you give your data to make mistakes and do not encrypt it properly (or at all). They may think that encrypting items from that second group is unnecessary for example. The problem is, people tend to answer those questions accurately. That means, it only takes one site to be breached and that answer is out there for anybody who wants it. Most likely, it is associated with your email address or mobile phone number as well. The next breach is, let’s say, the place that took your DL number. They also have your phone number and/or email address. Now the hackers have your DL, phone, email and the answers to at least some of your security questions.

Case Study: SIM Jacking

SIM Jacking is the term used to describe a scenario when an attacker convinces your mobile phone operator to transfer your number to a new SIM. This may require some social engineering, it may also require some of those security questions, or other data (date of birth is a common one). The goal is to get your phone number transferred to a device they control so that they may receive SMS messages sent to your phone.

Those SMS messages are the ones sent out by sites wanting to verify a login by asking you for a code they sent to your registered phone number in a message. The ones that allow the attacker to change the password on your email account, bank account online access portals and more.

The more of that information that didn’t seem that important to you they can collect, the better the chance they will have what they need to take control of your email, and from there your other online accounts, all of which send their password change links to that email address.

Privacy Policies

Privacy policies protect me don’t they? Well, maybe they do, maybe they do not. There is no guarantee that because a site has a privacy policy that it will either abide by it, or that it will not change it in the future to something less protective.

In Europe, there are data protection laws that do a better job since they cannot be arbitrarily changed by the organizations that hold the data. They also restrict how much data an organization can collect in the sense that they cannot request PII they do not actually need to provide their service. So far, the US lacks anything like that, although some states have started implementing data protection laws.

A policy also does nothing to protect against a data breach. While there may be ramifications for the organization if it can be demonstrated that they were negligent, that is not easy to prove and oftentimes hackers will be exploiting zero-day vulnerabilities that have not be used before. Even if the company can be shown to have been negligent (e.g. they never apply any of the security patches for the operating systems and software they are running), the data is still out there.

The Bottom Line

The bottom line is simple. As a consumer, be vigilant about who you let retain a copy of your personal information. If you do not understand why an organization needs to retain a copy of your driver’s license, SSN, passport etc, ask them. If they do not have a good reason, do not let them have a copy of it. A car rental company has a good reason to retain a copy of your driver’s license; an elementary school does not.

If you are in charge of a project for an organization that is asking people for their personal information, think about whether you really need it. I have three guidelines for companies collecting PII:

1. Collect as little information as possible;
2. Destroy it as soon as you can;
3. Never collect information you do not absolutely need.

Also, no matter what you’re collecting, make sure you always store it encrypted. Never keep unencrypted copies, even on laptops, and always use https connections, with valid certificates, when collecting it through web forms.