I want to move quickly through this next question: "Would my personal confidential data be at risk applying on www.healthcare.gov?"
So... to better answer that last question, Robert. I think everyone would agree that it is legitimate for an employer or someone else to ask for PII to run background checks...
Name, DOB, Zip/Address, SSN are the four basic PII elements that are needed to differentiate you from others.
Jason: That's a good point... Can you talk about some of the consumer protections? I know there is no federal statute, but there are state laws that deal with data privacy...
I would ask (re: SSN question) what this organization does with your PII once they are done with it...
Think about this: Typically once breaches are discovered, the breadth and scope of them are very quickly quantifiable. So while it's terrible some of these happen, there are significant efforts to minimize impacts... and we're getting better at protections too.
As scary as some of these breaches are, there are a lot of unheralded protections that are in place.
To speak to that last question -- I think you need to ask yourself how much you trust this particular Volunteer Organization...
I'd add that taking responsibility for your own financial well-being is paramount. A little paranoia is good, but you don't need to drop off the grid.
This is where it may be good to use a free credit site like Credit Karma to watch for new credit accounts linked to your PII.
Here's another question: "Seems everywhere you go someone wants your SSN. Should we give out SSNs to Volunteer Organizations? Do they really need my SSN to run a background check? I was under the impression that they do not."
DDA, direct deposit account - it's the banking term for your checking account.
Can be initiated without a paper check.
ACH, automated clearing house, is the back-end transaction fulfillment for moving money; initiated by writing and depositing a check.
Robert, what does ACH mean? Am I just being slow?
Robert: Define ACH and DDA for folks...
Lots in that one to respond to :). The easy one first; checks are likely less safe than you realize. They expose your DDA number and routing number, which is all one needs to initiate an ACH and withdraw funds.
Regarding your safety at work versus at-home computing: It depends on what you do online, and how your devices are protected. If you're in an enterprise work environment, we could assume you may have more protections in place. But this is not to say you can't secure your own personal network and stay away from risky Internet sites.
Here is another question: "From a security standpoint, am I safer online on my computer at work vs. at home?"
That's a great point... If you're concerned about privacy, I'd say that it's better to be on a home computer...
On your home system, you have more privacy, but might not have the security controls in place.
So, on the work system I'd expect them to have basic controls to protect the safety of the system. But you are also under their watchful eye; sites you visit, actions you take, etc.
Safety vs privacy is an important distinction to make there.
I think it really depends, right?! (James, Robert or Jason, feel free to chime in...)
It's hard to tell without a bit more context. If this is something from your anti-virus program, it may warrant an update to your protections and a full scan. If the site is well known and reputable, you could put in a call to them. I would say your diligence is warranted, but it's hard to tell with the information.
Robert, Jason: Here's a question I'm seeing just come over: "I logged onto an Internet game site for the 1st time today. I noticed when I closed the game site, a screen popped up and notated...that my personal information may not be extracted from my computer by this site manager based on my selection to block external information extraction??? Sounds good but.... What the what is this???? I pay bills and conduct many personal finance matters on my home computer."
To whoever just posted that question: Would you mind telling us the website, so we can follow up later and tell you if this particular site's terms of service call for them to extract certain personal information from your machine?
Would need to investigate the ToS for that site to know more. Not sure what generated that message.
This can be complicated for accounts that are shared. We saw this recently with the @CNN account takeover on Twitter.
By adding a secondary challenge, say something that leverages something in their possession, like a phone, the attacker would need to both know something (the password) and have something (the phone) to take over the account.
We've seen this happen with online banking, with video games, and other applications where users care to keep their stuff "theirs."
If a user reuses the same password at multiple websites, then they are sharing that secret with a group. If any of those sites get compromised, then their secret is compromised.
But how is that changing, Robert? I know Twitter has instituted multi-factor...
Sure: Passwords are the most commonly used factor of authentication. Nearly every site that supports user accounts has passwords as part of the authentication experience.
Robert: I have a quick question for you: In our weekend story, we chatted a bit about authentication -- you're an expert -- can you talk about how a lot of online services are bolstering username/password with out of band techniques? And why that's important?
To be clear, that statute just deals with criminal intelligence systems... If you're a state employee, for instance, there might be different laws pertaining to your personal information.
So... I'm seeing the first question: Does the Georgia Open Records Act require that the government share my personal information when requested?
As an aside, for anyone interested in tweeting questions to me directly, my Twitter handle is @seansposito.
Welcome to our live chat today on data breaches. Today, we have with us some of the experts that I (Sean Sposito) quoted in this weekend's story: James Wester, a research director at IDC Financial Insights; Robert E. Lee, no relation to the Civil War general, a security business partner at Intuit; and Jason Malo, a research director at CEB TowerGroup.
Hello everyone! We'll be here to answer your questions around data breaches and data security in 6 minutes. Feel free to start submitting questions now.