It’s the Most Wonderful Time of the Year, Part II

Working on the premise that during these holidays you find yourself in situations where you are “the explainer” and/or see the need to be one, here’s a guide on what you can do about data.

Specifically, your data. Or what to encourage people to do with their data.

The very first part of this is a bummer so you may want to pull up a glass of eggnog while choking this down (if you aren’t already choking on the eggnog): your data is not 100% private no matter what you do. Not ever. The only thing you can control (somewhat) is the extent to which it is shared and the compartmentalization of that sharing so as to reduce the amount of destruction that can happen with a Data Breach. The other bummer with Data Breaches is that they are not something YOU did wrong – some entity that was responsible for storing data was infiltrated by Bad Persons who now have your data. Even if you had a unique password, even if you had MFA. Usually what gets stolen are credentials (the ID part of them, hopefully not the actual passwords) because what is supposed to happen is that sensitive things like social security numbers, credit cards, etc. are supposed to be “hashed”. That said, there are clever hackers and there are dumb companies, and so you don’t want to trust that everything works “the way it is supposed to”.
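Since that paragraph leans on the word “hashed”, here is an added illustration (not part of the original post) of what a site is supposed to do with a password before storing it: mix in a random per-user salt and run it through a slow hash (PBKDF2-HMAC-SHA256 here), next to the “dumb company” case of storing it as-is. The user name, password and iteration count are constructed sample values for the demo, not any real site’s code or settings.

```python
import hashlib
import hmac
import os

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is on the order of 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with a fresh 16-byte random salt.

    The stored string carries everything needed to verify later:
    algorithm, iteration count, salt and digest (salt and digest hex-encoded).
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # not in our storage format at all
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def store_plaintext(password: str) -> str:
    """The 'dumb company' case: the stored value is the password itself."""
    return password


def breach_dump(user_table: dict[str, str]) -> list[str]:
    """Model a breach: the attacker walks off with the stored column, whatever it holds."""
    return list(user_table.values())


def password_exposed_in_dump(password: str, dump: list[str]) -> bool:
    """Does the leaked column hand over the password directly?"""
    return password in dump


if __name__ == "__main__":
    # Constructed sample data: one shopper with one password at two different sites.
    password = "eggnog-2024!"
    good_site = {"alice": hash_password(password)}
    dumb_site = {"alice": store_plaintext(password)}

    assert verify_password(password, good_site["alice"])
    assert not verify_password("wrong-guess", good_site["alice"])

    print("good site leaks password directly:",
          password_exposed_in_dump(password, breach_dump(good_site)))
    print("dumb site leaks password directly:",
          password_exposed_in_dump(password, breach_dump(dumb_site)))
    # The same password hashed twice gives two unrelated-looking values because the salt differs,
    # so an attacker cannot even tell from two dumps that the same password was reused.
    print("same password, two salted hashes equal:",
          hash_password(password) == hash_password(password))
```

Run it as a script and the “good site” dump does not contain the password while the “dumb site” dump does. That is the whole reason the hashing detail matters when you read a breach notice: if the company stored things the way it was supposed to, what leaked is not directly usable; if it didn’t, change that password everywhere it was reused.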

The following are suggestions for discussion/implementation as you get called in as The Person Who Knows These Things. If you actually do get a data breach, the most immediate steps are:

  1. Change the password for the given site(s) that was(were) breached.
  2. Check your credit cards/bank accounts to see if there are any fishy charges.
  3. Make sure they have 2FA on them.
  4. Pull a credit report and freeze your credit – and in the credit report look for anything fishy (new accounts, for example).

Otherwise, we’ll assume the time slots you have below are based on how much time you have — or are willing to have — to disseminate knowledge :).

15 Minutes

With 15 minutes you have a selection of things you can do/advise:

  • Unique passwords for each site (at least, at the very least, for anything tied to finance – bank cards, store cards, etc.) – this reduces what a potential attacker has access to if there is/was a data breach with that one site. With 15 minutes you probably can do like, 2, but you can include the explainer on why they should do this for the rest of their sites.
  • Provide an explainer on data breaches:
    • They are somewhat inevitable because no system is perfect,
    • This is why you don’t want to do things like store credit card information with retailers or on your browser,
    • This is why people should have two emails (or more) – one that all their finance stuff goes to vs. the “spamhole”,
    • This is why you activate 2FA or MFA on all your stuff (again, if data found in a data breach is being leveraged by bad guys then at least make it a little harder for them).
    • Whenever you get a notice of one you change the password on that site – and any you think may be tied to it – immediately.

30 Minutes

  • Show them how to freeze, and temporarily unfreeze, their credit, and why.
  • Discuss options like DeleteMe.
  • Take the free credit monitoring.
    • Almost every data breach notification comes way too late after this particular horse is stolen from this particular barn, BUT, free credit monitoring is free credit monitoring.
      • When they sign up for that it should be with a unique password.
      • Put in a reminder for the couple of weeks before the monitoring is set to expire so they can/should decide if they want to continue it on their own payment or cancel it once it is no longer “Free”
        • (An unfortunate reality is with the frequency of data breaches you could probably stack these 😦 ).

45 Minutes or Longer

  • Get a Password Vault app (e.g., Bitwarden) and an Authenticator app installed
  • Set up that 2nd email and update accordingly to financial sites
  • Google yourself and see what comes up. If you don’t want whatever does come up, file a request with the owner of that site or leverage something like DeleteMe.

The last thing I’d point out is that there is an astonishing amount of information out there on you that is publicly available. County assessors include your information and real estate tax information publicly, county and state court websites have records, etc.

The Real World

I will end with an example: recently, some folks I know were buying a house here in WA. Specifically in King County. They had seen a house, and they wanted to know more about it. Naturally, working with a realtor, they got some information. However, through about 15 minutes of searching, I could see: every permit that had been applied for, and accepted/rejected (and why) for that house, the previous homes the current owner lived in, how much they bought and sold those homes for, the current owner’s court records including their recent altercation at their house, a speeding ticket, their previous marriage, their previous divorce settlement, their current partner, their place of employment, their previous employment, the location of their families across the country, their voter registration, etc. etc. This is/was all publicly available data – I didn’t have to pay anything or even register anywhere to search it. Bonus: the folks I knew were checking with their own realtor about their own house to see how it was titled, and I was able to pull their title – an actual copy of their title – in 5 minutes.

This is what I mean when I say you will not be able to be 100% private. Certainly, there are ways to obfuscate this: you can get court records sealed, you can register your home in the name of a trust or a shell company, you can scrape your name off of as many sites as possible, etc. When you get the notice of the data breach, pay attention to what was breached – and respond accordingly.
