We're not numb and we do care!

Today's Computerworld news is hopping with identity theft and personal data stories.  Online stock brokerages TD Ameritrade and Etrade both suffered data breaches at the hands of hackers.  8500 People in the UK and 60 other countries had their personal information stolen by identity thieves.  And then there's this study that found that people whose identity is put at risk by a third-party vendor will likely go elsewhere.

I didn't find the study surprising.  I try to approach data security from a 'how would I feel' perspective.  It's a luxury that many organizations don't have, because those organization also have to think about bottom lines and all of the other elements that go along with collecting personal data.  But I guess some people might.

Especially if those people thought that identity theft would become one of those little problems that's troublesome but you deal with it and go on.  The problem with that theory is that identity theft isn't a little problem any more.  Today, it's one of the most troublesome problems plaguing the Internet, and we're no closer to finding an swers today than we were five or ten years ago (when it was FAR less prevalent).

So, of course people are taking notice.  As Larry Poneman is quoted as saying,

"They're not numb and they do care and they're leaving" business relationships with companies that don't adequately protect their personal information."

Of course people are leaving companies that allow a third party vendor to put us at risk.  It's bad enough that your personal information can be put at risk by the company with which you're doing business, but when one of their vendors puts your personal information at risk...that's a whole different story.

The first question that goes through a person's mind is: "Did I give them permission to give my information to that company?"  And most of the time, the answer is no.  Or more accurately, not directly.  But even if there's good reason for a company to give your personal information to a third party vendor, it's still upsetting (or shocking) when that information is put at risk by the third party.  And even if there is consent involved, human nature is to say, "I didn't tell you you could do that."

To help ensure that people know you're passing their personal information on to a third party vendor for whatever reason, companies need to do a better job of notifying customers.  If an organization does business with a vendor that will be handling customer information, then the organization should disclose this to the customer at the start of the relationship.  Not because it's legislated that it should happen (I don't think it is--yet), and not because the company doesn't want to face a lawsuit at some point in the future. 

Instead, the fact that a vendor has access to personal information should be disclosed because it's the right thing to do.  After all, if you were in the position to make the decision about disclosing that information, and it was your personal information that was at risk, you'd want to know, right?  Everyone would. And that's the tool that will get you further in protecting your customer's information than any technology or expert advice you can get.

Treat all of your customer's data as if it were your own data.  And protect it accordingly.