Simon Says – Musings of a Technology CTO

Today I received yet another of those annoying “We may have lost your personal information…” letters from my bank. No information on how it happened, or what they are doing to stop it happening again. It’s almost as though this was an inevitable and repeatable condition of doing business….

Yet again I’m going to get another bank card, yet again I’m going to have to change the numbers in my Blockbuster, Amazon, etc. accounts, and (again) I have yet another free 12 month subscription to “Identity Theft Monitoring.”

Great news indeed, but I suspect many readers of this blog have also been through this a few times as well.

Two things really exasperate me in this situation. First, that they “may” have lost my info (We have a phrase in England to describe this – “wishy-washy”). Either you did, or you did not loose my info, and which one makes a great deal of difference to me. The fact that they don’t really know either way disturbs me.

The second annoying thing is that, yet again, I have another free subscription for a service which will tell me if/when my identity gets compromised – but, of course, provides no remediation of the fact. It bothers me that my bank may/may not have lost my info, but if they did, it’s up to me to sort out the resulting mess if someone steals my identity.

That seems a little unfair to me, and I suspect anyone else who’s been through that situation feels the same way.

I moved to the USA from England a few years ago, and, one of the things I was not expecting was the sudden removal of my good credit record. If you’ve not made a transatlantic move, you might be surprised to know that your credit rating does not cross over with you. I speculate for some that could be a good thing, but for most (including myself), probably not. In my case I went from the equivalent of a 810 in USA terms to sub 600 – which I’m lead to believe is less than most high school kids, and also less than some people who’ve been repeatedly bankrupt. In fact, my score on arrival was so bad I was refused credit at Rooms-To-Go, after getting my score they would not even take a personal check from me. Rooms-To-Go has standards after all.

You can appreciate, I don’t ever want to be in that position again.

For my bank to put me at such risk is bad enough, but to “possibly” do it? That’s just salt in the wound. Why don’t they know what info they’ve lost? Why did they lose it in the first place? As a customer, I’m frustrated by the whole lack of facts, lack of defense and, it seems lack of appreciation of the pain it caused people. I want to know exactly what happened, and what they are doing to stop it happening again. I want my bank to feel my pain, and I want to know they care about me.

Am I asking too much?

As individuals, we care immensely about our reputation, honor, and good standing in our community (in fact, in Finland you have a legal right to all three!) – having your identity stolen can compromise these overnight. Companies claim to care about us, their customers, so why do they take such risks with our identities? Why do the vast majority of companies consider data protection an insurance policy against regulatory fines, rather than an integral tool to moral business practice? Why do I hear repeatedly that the “user community” is so powerful and influential, that the simple act of protecting data cannot be considered as they would simply not accept it.

Has anyone ever heard from their IT department “We couldn’t possibly protect our data (with technical measures or training..) – our users would rebel against it?”

I’m a “user,” but I care about my identity, and I actually care about everyone else’s as well. I would think it would be hard to find someone who would admit to being cavalier with other peoples identities, and who would strongly object to having a few measures in place to help them in this.

Am I really so wrong? Would you really object to having technology prevent you copying confidential information to USB sticks without protecting it? Would you really object to systems stopping you from sending personnel databases to external email addresses?

I think as individuals, we would all gladly accept a little inconvenience in our daily lives if it meant protecting our and others’ identities. It’s interesting that, as a community, we users deliver an opposing message to the people who decide which technology we should have (and which we can effectively deal with) as an enabler to our jobs.

The tide needs to turn, companies should be embracing data protection from the coal face up. Maybe as “users” we can help by not resisting so much and by accepting that yes, passwords and data controls are annoying, but are something we will embrace willingly. We should encourage awareness of the results of good (and bad) data protection.

If the user community is seen to support data protection for good moral reasons, rather than just regulatory pressure, maybe so can our companies and both you and I will stop getting these annoying letters.