By Cynthia Hetherington

Data, at its most annoying, is a commodity, with social media sites selling your Likes to data providers. Data, at its most dangerous, allows terrorists and scammers—as near as your neighbor or from faraway lands—to farm from open sources the personal addresses of our military personnel to threaten them and their families. They robocall mercilessly and prey on the elderly. Unfortunately, we share much of the data that generates these annoyances and threats.

In this new blog series, we help you understand the dark side of information sharing. You will learn the pitfalls of oversharing and how to reduce your online risks. You will gain useful tips for protecting your personally identifiable information (PPI) and preventing identity theft, and learn how to opt out of online vendors and how to remove your PPI from three major DNA collection retrieval services.

A variety of information is available to businesses and organizations. While most of the information is non-sensitive, some of it can be sensitive. This week, we review types of information, where it is stored, and federal laws regulating the sharing of such information.

Public Records

Collected primarily from state and federal government sources, information about you may come from public records, including property deeds, marriage and professional licenses, and birth and death records. Information is also available from other public records such as court proceedings, voter registration files, driver’s license records, and motor vehicle registrations. Note that various federal and state laws place restrictions on the use of some of these sources.

Publicly Available Information

Some information is considered in the public domain, i.e., anyone has access to it. This type of information includes telephone directory listings, professional registries, classified ads, information posted online in chat rooms, on blogs, and in public sections (or areas designated as public) on online social network sites. Publicly available information is not always regulated by law, but responsible providers self-regulate its use through industry codes of conduct.

Customer Information

Customer information is collected when you provide details about yourself to an organization as you inquire about a product, donate, make a purchase, register a product warranty, or receive a service. The detailed information you provide can include how to contact you and a record of your interactions with the company or organization. In some cases, this information is regulated by law, and, in other cases, by industry practice. It is worth noting that responsible organizations develop their own policies to assure appropriate use of the information.

Self-reported Information

Information you voluntarily provide on a survey or questionnaire is considered self-reported. When this type of information is collected, you should be informed of the intended uses and your options for said use. Both law and industry practices limit the use of this information.

Passively Collected Information

The Internet and other technologies, such as mobile devices with location tracking features and interactive televisions, may collect information about you or your device without you taking any action. In fact, in many cases you may not be aware any collection takes place. Some of the collection is necessary to provide you a service, such as recording the number of times you go through the express lane of a tollbooth so you can be charged for the toll, or locating your car to send emergency assistance after an accident. The collected information can also be used to provide you relevant advertising, such as offering a discount on a specialty coffee from a coffee shop you are near, or to provide online advertising tailored to interests that have been identified based on other websites you recently visited or keywords you recently used in a search. Both law and industry practices limit the use of these types of information.

Personally Identifiable Information (Sensitive)

Some information, if used inappropriately, can have more serious consequences. This type of information includes your Social Security number, driver’s license number, medical records, wage and salary information, tax reports, credit reports, and any information that personally identifies your children. Sensitive information should be kept confidential and is usually not provided to other organizations unless you give specific permission or unless it is permitted, or required, under state or federal law.

To develop credit reports, credit reporting agencies gather information from banks and other financial institutions with which you have a relationship. Employers, landlords, and insurance companies may ask your permission to perform a background check. This activity involves verifying the information you provided on your application with the source of the data. Background checks can also involve obtaining a credit report, if your financial situation is pertinent to the employer or landlord.

To protect consumers from potential fraudulent activities, the Federal Trade Commission closely regulates the use of this sensitive personally identifiable information as directed by the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). In 2018, the European Union enacted the Global Data Privacy Act (GDPR). This overarching legislation has had a tremendous impact on privacy laws and practices. It regulates the transfer of personally identifiable information from and into Europe—essentially blanketing all data transmission globally.

Our new series, Info Exposed, is meant to help you protect your personal privacy in a very open online world. There is no one solution, no one vendor, that has all the answers. The best security practices start at home. Using our tips as a guide, you can begin to remove, obstruct, or obscure the open source information that leaves you and your family vulnerable online. The entire report, Information Exposed, is also available to download for free.

Are you an analyst or investigator looking for advanced OSINT training on risk assessment and risk monitoring? If so, check out Hg’s webinar series, where you can attend live sessions and receive CEUs or watch previously recorded sessions to beef up your investigative skills.

Are you concerned about your company’s or employees’ points of vulnerability through online and open sources? Our skilled analysts are experts at removing personal information that puts you, your business partners, and your family at risk. Learn how our team can assist you in assessing and monitoring your risks.

Cynthia Hetherington, MLS, MSM, CFE, CII is the founder and president of Hetherington Group, a consulting, publishing, and training firm that leads in due diligence, corporate intelligence, and cyber investigations by keeping pace with the latest security threats and assessments. She has authored three books on how to conduct investigations, is the publisher of the newsletter, Data2know: Internet and Online Intelligence, and annually trains thousands of investigators, security professionals, attorneys, accountants, auditors, military intelligence professionals, and federal, state, and local agencies on best practices in the public and private sectors.