By Cynthia Hetherington
The Importance of Protecting Your Personally Identifiable Information
Data, at its most annoying, is a commodity with social media sites selling your Likes to data providers. Data, at its most dangerous, allows terrorists and scammers—as near as your neighbor or from faraway lands—to farm from open sources the personal addresses of our military personnel to threaten them and their families. They robocall mercilessly and prey on the elderly. Unfortunately, we share much of the data that generates these annoyances and threats.
In this blog series, we help you understand the dark side of information sharing. You will learn the pitfalls of oversharing and how to reduce your online risks. You will gain useful tips for protecting your personally identifiable information (PII) and preventing identity theft, and learn how to opt out of online vendors and how to remove your PII from three major DNA collection retrieval services.
A variety of information is available to businesses and organizations. While most of the information is non-sensitive, some of it can be sensitive. In our final blog of this series, we provide guidance on how to engage in social media with a minimalist approach.
Online Protections & Identity Theft Prevention
The following tips can help you take measures to prevent your information from landing online and into the wrong hands.
» Mail: Have your postal mail sent to a United States Post Office Box or your office address. Avoid using your personal address as your business address. Business listings are much more difficult to remove online than listings for people.
» Phones: Un-list and un-publish your landline phone number. Check with your mobile service company to find out if they sell their subscribers’ information and how to opt out of that list. Register all your phone numbers with the National Do Not Call Registry (www.donotcall.gov) to remove yourself from popular telemarketing lists.
» Protect Your Data: Never put your name, phone number, or personal information of any sort on any form or application without learning what the company’s policy is. If you are not legally bound to enter personally identifiable information, then do not offer it.
» Financial Institutions: Mail a written request to all your credit card companies and personal banking institutions requesting your personal information be removed. Be on alert for any privacy notices mailed from your credit card vendors and insurers and read those notices. Be aware of their policies and updates to those policies.
» Credit Reports: Obtain your credit report annually and subscribe to a monthly credit agency reporting service such as Experian, TransUnion, or Equifax.
» Warranty Registrations: Do not fill out and return any warranty cards. This information is resold to marketing houses, which sell to public record database companies. If you must, use an alternative address such as a Post Office box or mail drop. Alternatively, save the cards with the original sales receipts. Provided you have both items in hand when filing a warranty claim, the store must honor your warranty.
» Magazines: Do not use your own name or personal address for any magazine subscriptions.
» DNA Registries: Do not participate in DNA collection services, i.e., 23andme.com, myheritage.com, ancestrydna.com.
» Public Records Vendors: Opt out of Public Records Data Vendors. Some of the vendor sites will ask for verification of your contact information. This may seem counter-beneficial, but it is a necessary step to ensure your information is removed.
» Online Activity—Social Media & Apps
• Secure online space: Make sure all personal accounts are set to private and passwords are regularly changed. Avoid using common passwords such as family members’ names, birth or anniversary dates, dog names, etc.
• Report Abuse: If someone is posting inappropriate comments about you or your family on a social network platform, report the abusive behavior to the social network’s account security, e.g., the “Report” link on Facebook and LinkedIn.
• Ignore Bullies: If you come across an upsetting personal post, resist the temptation to retort. Do not reply. Antagonizing a bully will only give the bully what he or she wants: Attention. If you ignore the bully, try to contact the appropriate authorities. If you are the appropriate authority or have contacted the appropriate authorities to no avail, contact a professional service firm to assist you with the matter.
» Campaign Contributions: Avoid using personal addresses for campaign contributions. Campaign donor receipts are public record and easily accessible online.
» Assets: Consider moving all current assets under a shell organization, e.g., trust fund, dba. Purchase any future assets through the shell organization, because property records in your name may be public through online county databases, which are scraped and shared elsewhere online.
» Your Name: Monitor your name online. Set up Google Alerts (www.google.com/alerts) on your own name. If anything is said about you—either in a social network or elsewhere online—these services will send you a notification via email.
» Memorable Word: Tweak your memorable word (in a memorable way, of course). Come up with a surrogate word for the answers to your challenge questions. For example, if your first dog’s name was Java, use the word coffee as a challenge answer and memorize that tweaked word. Or pick one obtuse word, such as rollerblade, to answer every challenge question and, again, memorize that obtuse word.
» Who’s Who: If someone you have not communicated with in decades tries to contact you on a social network, ask them your own challenge question: “Hey, do you remember Jorge Beale getting stuck at the top of ropes in gym class?” The question can be honest, or you can make one up. Pay more attention to the answer—does it seem authentic?
» Discretion Knows Best: Be discreet online. Do not publish your life story on social networks. Your full name and the general vicinity of your residence are sufficient identifying information.
» Minimize Points of Exposure Online: Most importantly, do not offer up mentions of Mom’s deployment, Dad’s late-night shift, the family vacation, soccer practice, or any other time- or location-sensitive information that will easily pinpoint when and where you will—or will not—be.
Our series, Info Exposed, is meant to help you to facilitate your personal privacy in a very open online world. There is no one solution, no one vendor, that has all the answers. The best security practices start at home. Using our tips as a guide, you can begin to remove, obstruct, or obscure the open source information that leaves you and your family vulnerable online. The entire report, Information Exposed, is also available to download for free.
Are you an analyst or investigator looking for advanced OSINT training on risk assessment and risk monitoring? If so, check out Hg’s webinar series, where you can attend live sessions and receive CEUs or watch previously recorded sessions to beef up your investigative skills.
Are you concerned about your company’s or employees’ points of vulnerability through online and open sources? Our skilled analysts are experts at removing personal information that puts you, your business partners, and your family at risk. Learn how our team can assist you in assessing and monitoring your risks.
Cynthia Hetherington, MLS, MSM, CFE, CII is the founder and president of Hetherington Group, a consulting, publishing, and training firm that leads in due diligence, corporate intelligence, and cyber investigations by keeping pace with the latest security threats and assessments. She has authored three books on how to conduct investigations, is the publisher of the newsletter, Data2know: Internet and Online Intelligence, and annually trains thousands of investigators, security professionals, attorneys, accountants, auditors, military intelligence professionals, and federal, state, and local agencies on best practices in the public and private sectors.