The Naked CIO: Identity crisis

Who can you trust with your personal data?

Tags: identity, security, data theft, ecommerce

By Naked CIO

Published: 25 February 2008 14:49 GMT

Like most IT directors, the Naked CIO is extremely careful with other people's data. So why as a consumer does he blithely share his own personal details at the drop of a hat?

Today is a normal day. On my way to work I stop off for petrol and pay using my credit card. Drop by the grocer and buy some food for lunch. Again I pay with the mighty plastic.

Once in my office, I buy flowers for delivery to my significant other, purchase a golfing magazine subscription, pay some bills and buy an iTunes gift voucher for a friend - all using my credit or debit card information.

Online, before I give my credit information, I have to provide my home address, phone number and email account.

Today is a typical day and I estimate I have parted with personal information about 10 times in mundane transactions.

Furthermore, I've received several bills and statements by mail - why everything is not online is beyond me. Each of these pieces of paper holds sensitive information about me that could be damaging in the wrong hands.

The amount of sharing of personal information is at an all-time high. Sharing this information is important, especially online, to confirm personal identity. Yet sharing it so frequently must also contribute to the problem of identity theft - the very thing it is designed to prevent.

With Sarbanes-Oxley, data protection and new US PCI standards, businesses have an obligation to comply with standards for securing this information. But, as many of you already know, this is not so easy.

The number of entry and exit points, not to mention access points for information, is extraordinarily difficult to contain.

My company has personal data on tens of millions of individuals drawn from business relationships, web activity, membership and a variety of other sources.

Databases must be protected yet functional - users must be able to confirm identity, yet cannot see particular personal information.

I spend about 20 per cent of my time preparing and reviewing audit remediation requirements to ensure we are meeting our principal obligations.

With each new initiative and with continued business growth it is becoming increasingly difficult, with ever greater consequences as recent events have shown.

I have security checkpoints within each major group and a governance department that spends 100 per cent of its time preparing remediation and planning for audits and reviewing security policy.

My legal department is constantly ensuring confidentiality and privacy are standard within any contract. They always want to ensure our vendors comply with the highest standard while bullying them to accept a much lower standard for our treatment of their information. This complicates and extends simple negotiations.

Today was a typical day and I estimate I parted with personal information about 10 times in mundane transactions.

I wonder how much I pay as a consumer for the privilege of using digital and electronics for purchases and to manage my life.

Whatever that cost, I'm certain that given the needs of online businesses and with the scale of the information flow there are major gaps in the handling of personal data.

In many cases these failings may not be created through ignorance but rather complexity. It is rapid growth and oversights that cause personal information to be exposed.

The other day we shipped a disk of information to one of the largest middleware providers in the world so they could create an environment in their lab for our enterprise data warehouse to address some technical anomalies we were having.

We spent a day encrypting the data, sent the encryption key by person on a plane followed by the disk in the possession of another person. Just to be careful.

On top of those precautions, we first stripped out dates of birth, credit card information and personal security information such as driving licence details and national insurance numbers.

Yet today I freely exposed my own personal information about 10 times to various vendors and agencies without a single thought about whether they would protect my identity.
