Personally identifiable information and online security
We all need to be aware of, and focused on, having the best possible online security. With so much information being leaked online, you need to employ robust password procedures and dynamic security protocols, and you need confidence that everyone tasked with enforcing these policies understands the urgency of that responsibility. As you can imagine, every time we go online we may leave a breadcrumb trail of personally identifiable information (PII) behind.
Can’t I just erase the information or delete my account?
While we can try to erase the data and delete the accounts, companies like Google, Spokeo, PIPL, and so on will continue to aggregate our information in bits and pieces, and they will retain that data and possibly use it in ways you would not approve of. Let’s face it: every service that is free comes with a price. Even paid ISPs need to keep your personal data for various reasons.
You may not be aware of this, but there are websites whose sole purpose, or perhaps I should say agenda, is to aggregate information so that if the originals are deleted, the copies can be republished on their site for viewing. Check out Politwoops, an archive of public statements deleted by U.S. politicians; it lets you explore the tweets they would prefer you not see. Many other sites do this on a much larger scale, and they may include your information.
The idea here is simple: you must assume that your data can always be leaked online, and you, and only you, must take responsibility for your online activity. It is up to you to find the best possible ways to stop leaks from happening. Granted, this is not an easy task, but the reality is that no one is going to protect you the way you would protect yourself.
Case Management Systems and Personally Identifiable Information
During an investigation you need to gather and use personally identifiable information; we all know that. However, when you are done using the information, who is responsible for the proper maintenance and disposal of those records?
I’ve worked for several large private investigation firms and I can tell you, from my experience, breaches have been a reactionary problem without thought to a proactive solution. In fact, at one of the large firms, to test a report that included a massive amount of personally identifiable information, one of the developers used the name of a very popular football player who was involved in a very high-profile criminal case.
The developer certainly wasn’t supposed to use live data and never should have used such a high-profile individual; to make matters worse, he told a lot of people what he did, and copies of the information were disseminated to certain people in the office. It could have been a disaster, really.
Your case management system should have processes and triggers that flag this type of nefarious behavior. Additionally, the case management system you use should not just allow but encourage your business to become paperless.
Not being paperless creates a whole new set of issues. For one, people in the office must physically secure sensitive data in a locked drawer, cabinet, desk, or safe whenever it is not in use or not otherwise under the control of a person with a need to know. This is a monumental task, and it takes everyone in the office being on board with looking for offenders to maintain an effective policy. Paperless is the way to go!
I found the following online and think it is quite relevant. The Organization for Economic Co-operation and Development (OECD) identified the following Fair Information Practices:
- Collection Limitation – There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- Data Quality – Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
- Purpose Specification – The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
- Use Limitation – Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.
- Security Safeguards – Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
- Openness – There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
- Individual Participation – An individual should have the right:
  - (a) to obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him;
  - (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
  - (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
  - (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
- Accountability – A data controller should be accountable for complying with measures which give effect to the principles stated above.
Companies generally must use, and sometimes must maintain, personally identifiable information in the normal course of business: names, Social Security numbers, credit card numbers, or other account data that identifies the person it is attached to.
This information can be necessary for a plethora of business functions. However, if sensitive data falls into the wrong hands, the result can be fraud, identity theft, or other nefarious acts. Because of the cost associated with a breach, safeguarding personal information is simply good business.
5 Principles of a Sound Security Plan
- Take inventory of what personal information you have in your files and on your computers.
- Keep only what you need for your organization.
- Protect the information that you must maintain.
- Properly dispose of what you no longer need.
- Have a plan! Remember, even the best get breached. If you are breached, having a plan for what to do will be critical.
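The two points above that a case management system can actually automate are the trigger that flags live identifiers turning up where they should not (the developer story in the previous section) and the first, second and fourth principles of the plan (inventory, keep only what you need, dispose of the rest). The following is an added example written for this article, not code from any case management product: it scans constructed case records for Social Security numbers and payment card numbers (card candidates are confirmed with the Luhn checksum so random digit runs are not flagged), blocks records carrying them from being used as test data, lists closed cases past an assumed seven-year retention period, and redacts identifiers in place. The record layout, the retention period and every identifier in the sample data are assumptions made for the example.

```python
"""Added example: a small PII inventory and disposal check for case records.

Illustrative code for this article, not part of any case management product.
Records are assumed to be dicts with an "id", the free-text "text" of the file
and the date the case was "closed". All sample records are constructed; the
SSN is a placeholder and the card number is the standard Luhn test value.
"""
import re
from datetime import date, timedelta

# Principle 1 (take inventory): patterns for two common identifiers.
# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card: 13-19 digits, optionally separated by spaces or dashes;
# candidates are confirmed with the Luhn checksum to cut false positives.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": "case-001", "closed": date(2015, 3, 1),
     "text": "Subject SSN 123-45-6789, card 4111 1111 1111 1111"},
    {"id": "case-002", "closed": date(2023, 6, 10),
     "text": "Witness interview notes, no identifiers recorded"},
    {"id": "case-003", "closed": date(2024, 1, 5),
     "text": "Card on file 4111-1111-1111-1112"},  # fails Luhn: not a card number
]
# Assumed date of the retention review used in the demo run.
REVIEW_DATE = date(2025, 1, 1)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return the SSNs and Luhn-valid card numbers found in a piece of text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": SSN_RE.findall(text), "card": cards}


def inventory(records) -> dict:
    """Principle 1: map each record id to the PII categories it contains."""
    return {r["id"]: [k for k, v in find_pii(r["text"]).items() if v]
            for r in records}


def reject_live_pii(records) -> list:
    """Trigger for test/development data: ids of records carrying real-looking
    identifiers, which must not be loaded into a non-production system."""
    return [rid for rid, cats in inventory(records).items() if cats]


def due_for_disposal(records, keep_years: int = 7, today: date = None) -> list:
    """Principles 2 and 4: ids of closed cases past the (assumed) retention period."""
    today = today or date.today()
    cutoff = today - timedelta(days=365 * keep_years)
    return [r["id"] for r in records if r["closed"] < cutoff]


def redact(text: str) -> str:
    """Dispose of identifiers in place; only Luhn-valid card candidates are masked."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "[CARD REDACTED]" if luhn_ok(digits) else m.group()
    return CARD_RE.sub(mask_card, SSN_RE.sub("[SSN REDACTED]", text))


if __name__ == "__main__":
    print("inventory:", inventory(SAMPLE_RECORDS))
    print("blocked for test use:", reject_live_pii(SAMPLE_RECORDS))
    print("due for disposal:", due_for_disposal(SAMPLE_RECORDS, today=REVIEW_DATE))
    for r in SAMPLE_RECORDS:
        print(r["id"], "->", redact(r["text"]))
```

Run as a pre-commit hook or an import-time gate in a test environment, `reject_live_pii` is the kind of trigger that would have stopped the report test described earlier before real data reached a development copy; the same `inventory` output is the starting point for the "take inventory" step of the plan.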
Surfing the Internet safely during an investigation is not always a given nowadays. Having up-to-date virus and malware protection is important, but what about while you are travelling through the Internet? Did you know it is fairly easy for hackers to learn where you have been and what you have been researching?
Tor, an acronym for The Onion Router, is a network and software that adds another layer of protection and helps you surf the web anonymously. Tor hides where you go and what you’re looking at.
Tor encrypts the data you send across the Internet in multiple layers, like an onion. It sends that data through multiple relays, and each one “peels back” one layer, until your information leaves the final relay and arrives at the intended destination. This is ‘onion routing’, and if used correctly it can be one of the best ways to ensure your browsing remains anonymous.
Check out the Tor site at torproject.org, and did I mention, it’s free.
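To make the layering concrete, here is an added simulation written for this article; it is not the Tor Project's code and it simplifies several things Tor does: the per-relay keys are pre-shared instead of negotiated with each hop, a SHA-256 keystream XOR stands in for AES-CTR, and cells are not padded to a fixed size. The relay names, keys, destination and payload are all constructed. What it does show faithfully is the structure of onion routing: the client wraps the message once per relay, each relay removes exactly one layer and learns only the next hop, and only the exit sees the destination and the payload.

```python
"""Added example: a toy onion-routing simulation (not the Tor Project's code).

Simplifying assumptions: pre-shared symmetric keys, a SHA-256 keystream XOR
instead of AES-CTR, and variable-length cells. All names and keys are constructed.
"""
import hashlib
from typing import List, Tuple

# Constructed three-hop circuit: (relay name, key shared between client and relay).
DEMO_CIRCUIT: List[Tuple[str, bytes]] = [
    ("guard", b"demo-key-guard"),
    ("middle", b"demo-key-middle"),
    ("exit", b"demo-key-exit"),
]


def layer_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric layer: XOR with SHA-256(key || counter) blocks.
    Applying it twice with the same key restores the input, so the one
    function both adds a layer (client) and peels it (relay)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: innermost layer for the exit, outermost for the guard.
    Each hop after the first is named in a header that only the preceding
    relay can read once it has peeled its own layer."""
    onion = destination.encode() + b"|" + payload       # what the exit will see
    for i in range(len(circuit) - 1, -1, -1):
        name, key = circuit[i]
        onion = layer_xor(key, onion)
        if i > 0:
            onion = name.encode() + b"|" + onion        # next-hop header for relay i-1
    return onion


def relay_step(key: bytes, cell: bytes):
    """One relay peels one layer; it learns the next hop and an opaque blob."""
    peeled = layer_xor(key, cell)
    next_hop, _, rest = peeled.partition(b"|")
    return next_hop.decode(errors="replace"), rest


def run_circuit(circuit, destination: str, payload: bytes):
    """Drive a cell through every relay. Returns the final destination, the
    plaintext the exit delivers, and the (relay, next hop) pair each relay saw."""
    cell = build_onion(circuit, destination, payload)
    observed = []
    expected = circuit[0][0]
    for name, key in circuit:
        if name != expected:
            raise ValueError(f"cell addressed to {expected} but handled by {name}")
        expected, cell = relay_step(key, cell)
        observed.append((name, expected))
    return expected, cell, observed


if __name__ == "__main__":
    dest, plain, seen = run_circuit(DEMO_CIRCUIT, "example.invalid", b"GET / HTTP/1.1")
    for relay, nxt in seen:
        print(f"{relay:>6} peeled one layer and forwarded to {nxt}")
    print("delivered to", dest, "payload", plain)
```

The `observed` list is the point of the exercise: the guard knows who you are but only that the cell goes to the middle relay; the middle relay knows neither you nor the destination; the exit knows the destination and the payload but not you. That last fact is the practical caveat: whatever leaves the exit relay unencrypted is readable there, so sites should still be reached over HTTPS when browsing through Tor.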