What is PII (Personally Identifiable Information)

The United States General Services Administration defines PII as

“any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” So, for example, a user’s IP address as used in a communication exchange is classed as PII regardless of whether it may or may not on its own be able to uniquely identify a person.

Why is this important to you:

A company has the obligation to keep your name safe and secure from thieves (crooks, hackers, the bad guys).

Depending on the type of information lost/stolen, an individual may suffer social, economic, or physical harm. If the information lost is sufficient to be exploited by an identity thief, the person can suffer, for example, from a loss of money, damage to credit, a compromise of medical records, threats, and/or harassment. The individual may suffer tremendous losses of time and money to address the damage. Other types of harm that may occur to individuals include denial of government benefits, blackmail, discrimination, and physical harm.

Because of the power of modern re-identification algorithms (aka data science), the absence of PII data does not mean that the remaining data does not identify individuals.
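The point above can be measured. The following is an added example, not part of the original post: it counts how many records in a constructed "de-identified" export are still unique on ZIP code, birth date and sex, and how coarsening those fields changes that. The records, field names and function names are assumptions made up for the illustration.

```python
from collections import Counter

# Constructed sample: names, SSNs and e-mail addresses are already removed.
RECORDS = [
    {"zip": "48084", "birth_date": "1971-03-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "48084", "birth_date": "1971-03-14", "sex": "F", "diagnosis": "migraine"},
    {"zip": "48083", "birth_date": "1971-11-02", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "48098", "birth_date": "1984-01-09", "sex": "M", "diagnosis": "asthma"},
    {"zip": "48007", "birth_date": "1984-07-21", "sex": "M", "diagnosis": "fracture"},
    {"zip": "48084", "birth_date": "1984-12-25", "sex": "M", "diagnosis": "allergy"},
    {"zip": "48099", "birth_date": "1962-05-05", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "48001", "birth_date": "1962-09-17", "sex": "F", "diagnosis": "asthma"},
]

# Fields that are not PII on their own but can be joined against other data
# (a voter roll, a loyalty-card file) that does carry names.
QUASI_IDENTIFIERS = ("zip", "birth_date", "sex")


def equivalence_classes(records, keys):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Size of the smallest group; k == 1 means someone is unique."""
    return min(equivalence_classes(records, keys).values())


def unique_fraction(records, keys):
    """Share of records that are the only one with their combination."""
    classes = equivalence_classes(records, keys)
    singles = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return singles / len(records)


def generalize(record):
    """Coarsen the record: 3-digit ZIP prefix and birth year only."""
    return {
        **record,
        "zip": record["zip"][:3] + "**",
        "birth_date": record["birth_date"][:4],
    }


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    for label, data in (("as exported", RECORDS), ("generalized", coarse)):
        print(label,
              "k =", k_anonymity(data, QUASI_IDENTIFIERS),
              "unique =", unique_fraction(data, QUASI_IDENTIFIERS))
```

A data set with k = 1 contains at least one person who can be singled out by anyone holding a second list with the same three fields, even though no PII column remains.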

Home devices and your digital data.

NOTE – there is no way I can list every device that collects data in your home. But I’ll list the ones I use. You can add to or delete from your list.

A digital device is one that has memory, via hardware/software. The memory can be local/internal or connect to external services via Wi-Fi, Bluetooth, etc.

Data stored can be all sorts of information, from how often the device is on to what settings it uses. Something simple would be your home thermostat, if it has connected to a website or mobile app.

  • My iPhone. Any smart phone.
  • My iPad. Any tablets, game consoles, laptops.
  • AT&T Digital Life – aka my alarm system. Depending on the various components connected to your system, it knows when you are home, how often you leave the house, and which doors and windows are commonly used.
    • Don’t let your guard down. The alarm system is for my physical wellbeing, but it has a digital component: a website and an app. So I only have cameras on the outside of the house. I also keep a sticker over the cameras on my Mac, laptop and tablets.
  • AT&T internet and cable TV, and all streaming entertainment (Hulu, Netflix, YouTube). They know when you are watching, how long you are watching, what time you are watching, and the type of device you are using.
    • There are some viewing devices that use voice commands and motion sensors, and would be able to determine when the room is occupied and the activities.
  • My Buick and OnStar. Besides the GPS information (where you go, how often and when), your vehicle’s diagnostics system collects tire pressures and other engine conditions.
  • Alexa (aka Echo). This device is always on and listening. FYI – all requests you make to Alexa are captured in the history within the Echo app (accessed online). Echo is an Amazon product, marrying online shopping and at-home activity into an individual’s profile.
  • GoPro and other digital cameras/videos. Time and location are stored in the memory with the photos. A camera that uses 35 mm film may have some memory within the camera software itself.
  • Printers. Did you know that trapped deep in the printer memory is a copy of everything that has been scanned and printed? There is a tiny memory chip that compresses the files to archive. This chip allows the system to recall the last X copies and other fun features.
  • FitBit and other health monitors.
  • Craftsman Garage Opener. Wireless keypad and accessible via mobile app.
  • Roku
  • Wii and other gaming consoles.

That is a good list, considering I claim to be low tech (maybe I’m medium tech). I’m not an early adopter, but I am curious. It takes me time to commit to purchasing a new tech gadget, but I do have a collection of digital devices.

You may have a baby monitor, automatic vacuum, anything that connects to a mobile app, website or router.

 

The battle between E-MAIL & ACCOUNT ID & USER NAME

What’s the difference? Are they the same? How do I know which to use when?

As my mom signs up for Echo apps, she is constantly getting tangled in the web of when to use an email and when to use (any of numerous) account ids. Sorry, Mom, there is no simple answer.

E-MAIL – for this blog post we are going to assume an email belongs to only one person.

  • E-mail addresses are unique – like a phone number or physical address, there is only one destination per address.
  • E-mail addresses are NOT case sensitive (PASSWORDS are CASE sensitive).
  • E-mails always have 3 parts: username, domain (followed by an actual dot) and the extension. There are more rules about what can be included in an e-mail address and what the computer will not accept. Usually your e-mail host provider will send an email back to your inbox if your e-mail could not be delivered due to a technological error, for example, using a bad character such as a space in the email address.
  • Some e-mails are anonymous. The person who created the email did not have to prove they were JOHN smith to use the email address johnsmith@domain.com. Nor did they have to prove they were ablueclown@surprise.com.
  • You could have lots of e-mail addresses and use only one e-mail program to read all your new e-mails.
  • There is no magic lookup to find all email addresses belonging to the same person, even if the personalization (the part in front of the @ symbol) is exactly the same. In the same manner, there is no validation or lookup to connect or join email addresses with mobile numbers.

ACCOUNT/USER + ID/NAME (or any combination)

  • An Account ID is a unique id for a webpage, business, or app. You may use the same account/user name across multiple applications or logins, but each business probably doesn’t know that. As companies merge, the rules around how a customer can access their digital information get tricky for the customer experience and development teams.
  • Your account id may or may not be tied to an email. Usually when you create a new account with a new business, they will ask for contact details (address, email, phone) – they would prefer some way to contact you if need be.
  • If your account id is your email address, they will usually note it on the login screen.
  • Every website/company creates its own rules for what makes a valid account id. Some allow spaces, some allow numbers. It all depends on how the site was programmed, and there are no set standards for how this should be developed.
  • Usually account ids are not case sensitive. Off-hand I can’t think of one site that uses a case sensitive account id.
  • Some businesses will only let you sign up one account to one email. The account id is how you log in to their site and the email is how they will contact you.
  • When you change email addresses, your accounts will need to be updated. Now this is a tricky bit. If a business uses an email account as the login name, if the email address changes, can the individual update their personal details or is the original email locked-in?

When a developer is creating a new system that requires the user to maintain personal and contact details on file, there are multiple facets to consider. Does it require a password? Will it require the user to have an email or phone number to contact them in the future, and for what reasons? Can we collect permissions from the user via Terms and Conditions to use cookies and contacts to gather detailed user information?

I’ve come across many websites that validate you are you by sending a text with a code to your phone, to be entered onto the website. This provides a double validation/security point for you the user, and provides both your email and phone contact information back to the business.

Think of your EMAIL ADDRESS as a physical delivery address, just for you, for all your incoming e-mails.

Think of your ACCOUNT ID as your unique nickname used by a business.
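One way a developer could handle the questions raised in the two lists above, shown as an added example that is not from the original post: the account is keyed by a stable internal id, user names and e-mail addresses are matched case-insensitively, passwords stay case sensitive, and a changed e-mail address does not lock the user out. The class, method and field names are hypothetical, and the addresses are constructed.

```python
import hashlib
import hmac
import os
import uuid


class AccountStore:
    """In-memory sketch. Class, method and field names are hypothetical."""

    def __init__(self):
        self._accounts = {}   # stable internal id -> account record
        self._logins = {}     # normalized user name or e-mail -> internal id

    @staticmethod
    def _norm(identifier):
        # User names and e-mail addresses are compared case-insensitively.
        return identifier.strip().casefold()

    @staticmethod
    def _hash(password, salt):
        # Passwords are never normalized, so case stays significant.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def register(self, username, email, password):
        keys = {self._norm(username), self._norm(email)}
        if any(key in self._logins for key in keys):
            raise ValueError("user name or e-mail already in use")
        account_id = uuid.uuid4().hex   # never typed by the user
        salt = os.urandom(16)
        self._accounts[account_id] = {
            "username": username, "email": email,
            "salt": salt, "pw_hash": self._hash(password, salt),
        }
        for key in keys:
            self._logins[key] = account_id
        return account_id

    def authenticate(self, login, password):
        account_id = self._logins.get(self._norm(login))
        if account_id is None:
            return None
        record = self._accounts[account_id]
        candidate = self._hash(password, record["salt"])
        return account_id if hmac.compare_digest(candidate, record["pw_hash"]) else None

    def change_email(self, account_id, new_email):
        record = self._accounts[account_id]
        old_key, new_key = self._norm(record["email"]), self._norm(new_email)
        if self._logins.get(new_key, account_id) != account_id:
            raise ValueError("e-mail already in use by another account")
        if old_key != self._norm(record["username"]):
            self._logins.pop(old_key, None)   # old address stops working as a login
        self._logins[new_key] = account_id
        record["email"] = new_email


if __name__ == "__main__":
    store = AccountStore()
    me = store.register("BlueClown", "JohnSmith@example.com", "Tr33-House!")
    print(store.authenticate("johnsmith@EXAMPLE.com", "Tr33-House!") == me)
    store.change_email(me, "john@example.org")
    print(store.authenticate("john@example.org", "Tr33-House!") == me)
```

Because the internal id never changes, billing history and settings stay attached to the same account when the contact e-mail is replaced.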

Not all big companies have it together. I use AT&T in my house; this includes mobile phone, cable, internet and home security. But I have 3 separate accounts with AT&T today. One email address, one physical address, one phone number and 3 account numbers and 3 user names. I have to log into each account site separately to see any billings, account statements, etc. Even with my knowledge of logins and how they work across large systems, I still had no idea what was going on with my accounts, when one was saying ‘everything is fine’ online and the TV kept splashing a ‘time to pay your bill’ message. I (thought I) had set up the auto pay (I noticed during the set up conversations that the security system is separated from all the mobile and cable logins) for 2 accounts. But much to my dismay the cable/TV cannot be combined with the mobile account, and I have 2 logins for the website to manage 2 accounts both in my name.

NOTE: AT&T and Comcast both assign you an e-mail address within their own domain. Example: yourname@att.com. I’m not sure why they do this; it made it complicated on my end, one more e-mail address to manage. And it appears that now that I’m no longer a Comcast customer, I cannot access that e-mail account.

ALSO NOTE: The set up of certain apps on Echo has proved to be difficult. Both my mom and myself are using iPad and iPhone with the Amazon Echo (which is integrated with Google). So the conversation of email and ids has been a struggle during setup. There are no standards within the digital world for the user to understand. Only standards for the developers to keep in mind due to back end processes.

Autonomous vehicles

When you think about an autonomous car, what do you picture in your mind? Something like the Jetsons or KITT from Knight Rider? When we talk to our friends and co-workers about autonomous cars, the conversation gets heated. Some are against it, some are for it, some think they will never see it happen. What does autonomous really mean? Automated? Self-driving? Hands-free? Does it pick up your Starbucks before you?

Well, we know autonomous cars are vehicles that are capable of sensing their environment and navigating without human input. And I believe the number one selling point for an autonomous car is the safety factor. But I’m still not sold that in my near lifetime (2020/2025) there will be 100% autonomous communities. We have different ideas of what to expect out of autonomous and transportation. My vision is more like the Jetsons. Flies through the air and is quick.

Are you thinking about how an autonomous car would affect your life?

Changes to our neighborhoods:

  • What happens to our garage attached to our house? Parking structures and handicap parking spaces?
  • Are they fuel efficient & environmentally friendly?
  • Do they just appear and disappear as needed?
  • Does it eliminate Valet parking?
  • Are they self charging?
  • Truck drivers?

Vehicle Ownership

  • Does everyone car-share?
  • Can an average individual afford their own autonomous vehicle?
  • Will there be as much of an emphasis on customization of vehicles?
  • Will it create value in the collector cars – i.e. a ’66 Vette?

Respondents to an independent survey were found to be most concerned about software hacking/misuse, and were also concerned about legal issues and safety.

Sensors and data will play a part in the infrastructure designed for autonomous cars. In 2012, computer scientists at the University of Texas in Austin began developing smart intersections designed for autonomous cars. The intersections will have no traffic lights and no stop signs, instead using computer programs that will communicate directly with each car on the road.

But even after all the technology is built, we have rules that conflict with innovation. One is the Vienna Convention on Road Traffic. This international treaty, designed to facilitate international road traffic and increase road safety, was agreed upon at the United Nations Economic and Social Council’s Conference on Road Traffic in 1968 and came into force on May 21, 1977 (http://www.unece.org/trans/conventn/crt1968e.pdf). The convention states that “Every driver shall at all times be able to control his vehicle,” which conflicts somewhat with the automatic control concept. Systems such as antilock braking systems or electronic stability programs are acceptable because they do not take full control of the vehicle but rather help the driver to follow a desired path, possibly in situations where control of the vehicle has already been lost. Wider use of technological advances, however, will require amendment of the convention.

Do you manage your own personal data?

We often talk about how the data is used or could be used. We argue about the sensitivity of when data becomes so detailed it becomes ‘stalking’. We hurry to move past the introduction of the ‘terms and conditions’ just to get the app, the game, the connection.  We hear a lot about identity hacking and stolen personal information.  We talk a lot about keeping your data safe. Your network secured.

So their customer data is your data, data collected about you. Your likes, your behaviors, your preferences, your triggers, your digital footprint. Not only is it used to keep you safe, it is used to predict the future. But what happens when you are ‘done’ with the equipment or vehicle? Is your mile-by-mile driving history in someone else’s hands? I want to talk to you about these things, from our perspective. Not from the perspective of customer data, but from mine and yours – personal information. Who controls it? You know who controls your finances and money, so why not your own personal information?

There are rules and laws that companies must be transparent in their terms and conditions. They have to be clear on how to opt out or into communications.  But each channel has different rules and even the largest of companies haven’t figured out how to manage the communications across their business units.  Making it necessary for you to manage multiple user ids and passwords. Is a digital wallet easy and safe? I want to have open conversations with you on what information exchange is happening between you and the information about you.

What information is aggregated and what is uniquely tied to you as an individual.

WHAT MAKES YOU UNIQUE

When you give an email with an online order, what happens to the email information? What are the rules? I think if more individuals know what to expect, and how to turn off ‘unwanted’ emails and the exchange of their own contact details, and the companies are forced to oblige, then we can really make the system work for us – the individual.

I like to think this is a conversation between my friends and family and myself. I want people to know what options are out there, what to do with personal digital content

Our digital world is running at lightning speed. This change in our ecosystem has us opting in and out, for what? Our digital world gives us wearables, vehicles and smart homes. At the same time it is collecting and measuring inputs and outputs. I want individuals to understand the laws and how these companies are ‘allowed’ to store and use it.

Identity theft

With the use of digital data, we expose ourselves to digital identity theft. And it is not just your financial information. Through a couple of (fairly) easy questions a hacker can access your email. And it is not just your email they now have access to; think of how often you have had to retrieve your security password for an account and they sent the link to your email. A password can be just as valuable as a financial account number to a hacker.

HOW MANY TIMES HAS YOUR DIGITAL DATA BEEN EXPOSED?

My corporate credit card number was stolen this week. All is okay; it was a card that only gets used for business expenses, and the credit company is issuing me a new number and dealing with the fraudulent charges themselves. Somehow the thief was able to create a new card using my card number. Not totally sure how that works, but it happened. That kind of vulnerability got me thinking, time to beef up my own security…

  1. Change your passwords. If you have been using the same passwords for ‘years’ it is time to upgrade. When you are creating your password think bank security – strong and unique.

There are password managers out there. Some store your passwords in a digital safe. Some help you manage your logins across devices.

LEARN ABOUT TWO FACTOR AUTHENTICATION

2. Monitor your accounts online and off line. Be sure to monitor your account statements. Set up text messaging alerts for high risk accounts.

I personally purchase identity theft monitoring systems. I’ve had my house broken into and my personal laptop stolen. Although the computer itself was password protected, I’m sure if you looked hard enough I had one time downloaded a financial statement or two, and my email accounts were ‘always’ logged in. I get a monthly update on any activity that uses my identity, such as credit reports.

ON AN ODD NOTE: A friend of mine knows the passwords to her son’s accounts (he is over 21 and graduating from college this spring). I’m guessing he doesn’t know he is being stalked by his own mother. She has access to his Facebook account, both school and personal emails and uses Apple’s Track My iPhone app regularly to know where he is at all times.

It is probably never safe to allow your device to save your password or auto login. But I have to admit I do it; who has time to re-enter this information every day? If your device is lost/stolen, it only takes accessing the device to enter/access private sites.

So take a couple of minutes this week to reconsider how you create and save your password and account information. And then create your password strategy:

  1. Create a couple of different passwords to use.
  2. Use two factor authentication when available.
  3. Update your contact details on old accounts.
  4. Delete old accounts not being used.
  5. Spend some time looking at security applications provided by the products you use today.

Yahoo has a process to create an app password that enables a Second Sign-In Verification. Apple has iCloud Keychain. And there are numerous free apps that provide password management tools.

Now go and create a digitally secure world for yourself.

Credit Card Charges – Part I

Balancing your credit card statement

 

Not many people balance their credit card statements. (Not sure who balances their checkbook today, besides my mom – she says it is therapeutic?!??!) I have always given my credit card statements a quick glance, looking for charges I didn’t make. But recently I met someone who religiously balances his charge statements; in the course of one year, he found approximately $500 in overcharges, not in his favor. (Oh, of course there were some charges that were in his favor – he didn’t bother to correct these.)

So I started watching my credit card charges more carefully. Here are the 3 mistakes I caught in 3 months:

What data should you provide to a retailer at checkout?

It can get tricky getting out of a checkout line. You have to show your id, the back of the credit card and possibly your loyalty/rewards card. But what information is for your protection and what information is for the retailer’s back-end analysis?

Policies are created differently by state, and there are vast differences in each retailer’s own policies and equipment. So each retailer may require a different process for credit validation, loyalty update or simple enrollment into their loyalty/rewards card.

Here is my recent story that I thought I should share. As a customer I was confused as to the way I was being treated. As a customer data expert I was concerned as to the use of my data. Why was it being captured, how was it being stored/used AND most importantly was I being put at any risk?

I was shopping a couple days ago at the mall (Somerset in Troy, MI). I was asked for my driver’s license for my transaction using my Macy’s credit card (cashier Shirley). During this time the cashier collected my driver’s license number and entered it into the register. I requested that this information not be captured. She informed me that it was only used to validate I am who I am.

After I walked out of the store, I began thinking, validate against what? Macy’s uses my last 4 social and zip code to validate over the phone. And I don’t believe I ever gave Macy’s my driver’s license number (as this is not usually a required piece of information for credit). I called the call center number on my card and asked (Gerard) the question: how is Macy’s using my driver’s license number? Is it a requirement to use Macy’s credit, and what do they plan on using this for in the future? The call center could not answer any of these questions. I began questioning if there was cause to be alarmed. Did the cashier (Shirley) do something fishy?

So I returned to the store to talk to the store manager (Judy). She was unsure of why this particular transaction required a confirmation with a driver’s license number. She called (I assume the call center) privately. After a short time, she handed me the phone and explained the call center wanted to explain to me Macy’s credit policy. He (Mario) informed me that it is Macy’s policy to have a valid driver’s license number on file to use a Macy’s credit card. When I hung up the phone I asked the store manager if this is true. Does Macy’s require 100% of all Macy’s charge customers to have a valid and updated driver’s license number on Macy’s files in order to use the card? (She could not look me straight in the face.) She said if that is what the call center said it must be true. And then said good night, turned her back and walked away.

No one at Macy’s could tell me their policy on collecting, using or storing data. Their call center and store manager were willing to do whatever it took to get me to leave them alone. All the while I was still confused about Macy’s policy. And disturbed that one single company can have so much personal information on one single person.

FYI – my overall experience shopping at Macy’s has been poor. From the credit card payment errors and badly marked prices/signs to poor customer service in the store. On the same note: friendly, smiling faces do not equal great customer experience. Helping the customer is great customer experience. Your staff at Somerset knows how to smile, but not how to help.

Credit and identity theft

If you are not actively monitoring and preventing identity theft of your data, then it is recommended you pull your credit report every 3 months. You can find FREE credit reports from your credit card company and online; there are plenty of credit tools.

The information in a credit report includes: how often you make your payments on time, how much credit you have, how much credit you have available, how much credit you are using, and whether a debt or bill collector is collecting on money you owe. Credit reports also can contain rental repayment information if you are a property renter.

A credit report is the easiest way to find out if someone else is using your credit – a sure sign of identity theft! It may take weeks or months for a credit collector to contact you regarding credit that was given to you, but spent by the thief.

FYI – everyone should know their credit score – it drives so many financial decisions: interest rates for credit cards, car loans and home mortgages. Your credit score drives your ability to get a loan, and there are some employment agencies that look at your credit score as a data point for your character assessment.