Governance Risk & Compliance (GRC)

As a tenured technology professional, who has specialized in third-party risk for the past few years, I am always interested in strategies that organizations use to procure and protect sensitive information.

Upon check-in at my most recent dental cleaning, the receptionist asked me to hand over my driver’s license so that she could scan my license into their computer system. I asked, “Is having my driver’s license scanned a requirement to have my teeth cleaned?” The receptionist seemed surprised that I would ask this question, and said, “No, it’s not required, but everybody does it.” I was able to get my teeth cleaned without handing over my PPI and biometric data. As I sat in the lobby of the dentist waiting to be called, I watched as the next 4-5 appointments willfully handed over their driver’s licenses to be scanned.

At that moment, I thought back to an occasion at work, when the healthcare corporation I worked for had implemented a company-wide effort to eliminate passing Social Security numbers outside of the organization to third parties. As I was researching de-identification methods, I discovered Dr. Latanya Sweeney’s research, dating back 20 years, that indicates that “87% of the US population in the US had reported characteristics that likely made them unique based only on 5-digit ZIP, gender, date of birth.”

The article is somewhat technical, but the VENN diagram on p.3 gets to the heart of the matter. Seemingly “low-risk” data can be combined with other data to accurately identify people. Dr. Sweeney went on to disprove the notion by Massachusetts governor William Weld that de-identified hospital records were “scrubbed of identifying data” by emailing him his own medical records, using publicly accessible data.

I had a similar experience when I went to sign up for a gym membership at a nationally recognized chain. The employee escorted me around the facility for a tour and advised me that in order to sign up for a membership, I needed to hand over a voided check for monthly drafts. When I asked where my voided check would be stored, the employee pointed to a black file cabinet located at the front desk check-in area of the facility. The file cabinet was slightly ajar with folders and papers protruding.

I told the employee that I wouldn’t be comfortable with my bank account number and routing number being stored in an unlocked, unguarded cabinet, and I asked if I could sign up with a credit card instead. The employee confided that he ‘really didn’t know’, but handed me a business card and told me that he would speak with his supervisor. I called the corporate office of the chain, and sure enough, I was able to enroll in a monthly membership with a credit card.

As we seek to protect our community from identity threats, we need to normalize questioning the norm. Can you recall the last time you handed over your sensitive information because it was “easier” for the requestor, or it seemed “nicer” for you to follow their process rather than to question their process? Did you feel pressured to be compliant with the norm, rather than empowered to question the norm? Because women, in particular, are taught at a very young age to “be nice” we often choose “nice” over “protection”. This can be a detriment to women who find themselves in vulnerable situations.

My three daughters, who are 21 and 18 (twins), are my most important work, so empowering them to use their voice in setting personal boundaries has always been a normalized topic of conversation in our home. As they go into the world, protecting their identities where possible by using credit cards instead of bank cards, learning how to freeze and unfreeze their credit, and refusing to hand over their driver’s license at the dentist, or a voided check at the gym, is yet another facet to their education. I hope to save them from the struggle of losing their identities or having to spend years rebuilding their credit and the constant struggle of proving that they are who they claim to be after identity theft.