Yesterday, I went to buy my Whey Protein at the local store. The chirpy cashier casually asked me for my phone number to ring in the order. I am so tired of unsolicited telemarketing calls that I always refuse to give my phone number. Having refused to give my phone number for quite a while, I decided to play nice and gave her my phone number, cautioning that I don’t want it to get into some marketing call center. Her next question was to ask for my address. At this point, I decided to draw the line and asked her if this was mandatory for the sale and she said “no”. I paid and left without giving the address.
A week ago, I had to return some items purchased on my card. The cashier wanted my phone number and address and insisted that without them I wouldn’t get the credit back onto my card. That set me thinking that when I bought the item, I just had to tap my card and did not have to give my address and phone number. The combination of name, address and phone number is sensitive personal information. Why would they need my address and phone number to credit the purchase return to the credit card I used in the first place? Would they not already have my address and phone number at the card company based on my credit card number?
I recollect that a few years ago, there was this schoolboy trying to sell subscriptions to the local daily who was offering special deals to sign up. Since he wanted my credit card number, I asked him if others had given him their numbers, and to my surprise he showed me an A4-size sheet with name, address and credit card number with CVV for many of my neighbors. Cyber criminals would drool over this A4 sheet, as it is akin to treasure for them. I refused to subscribe through him, though it felt bad to refuse a kid from the neighborhood. If that sheet of paper had fallen into the hands of the wrong person, it could have caused considerable harm. I also wonder how the newspaper company handled the A4 sheet when the boy handed it over to them. Did they admonish him? Did they cross-shred the paper? We will never know.
There are stores of all sizes, big and small. They probably do not understand the risk they face due to the lack of data security and of a clear policy around what data is needed, how long it will be retained, and how it will be handled and guarded. We have already had high-profile hacks such as the Target hack, but it seems just a few months is enough to remove it from the public memory. <update 25 Oct, 2017> The latest Equifax hack shows how bad things could get even with large corporations that have their own I.T. departments and are in a sensitive-data-based business.
As a past participant of the I.T. industry and banking industry, I am aware of my risks and control my browser as well as what information I personally give to stores. The general public transacts based on trust. With the world going digital, companies need to aggressively invest in training their staff about cyber risks: how to protect the transaction data that originates at the Point of Sale (POS) device, how to protect the documents containing sensitive personal and financial information, and how to safely dispose of electronic devices. This becomes more important as part-time employment increases and wages remain stagnant. More and more responsible jobs will now be staffed precariously, and vetting employee background and reliability becomes that much more important. The question is whether small businesses will have the willingness and discipline to adhere to such standards given the cost pressures. <update 25 Oct, 2017> What protections can our government afford us when outsourced data operations are compromised, given that the CRTC has been unable to clamp down on the abuse of the telephone directory for unsolicited telemarketing calls from companies based abroad?
To summarize, I recommend that you remember this: just because a store asks you for personal information, you don’t have to give it to them. Give them the information only if they can convince you that they need it to complete your order and that your personal information will be securely handled. It is up to each one of us to educate ourselves about the emerging risks to our personal finances and to proactively learn about sensitive personal data and how to protect it.