First Published on Technorati: December 18, 2009 at 12:40 pm
Personally Identifiable Information (PII) makes it possible for a marketer, salesman or hacker to uniquely identify you. But what happens when your unique personal data, like your home address or phone number, appears in a stranger's customer's record? Is it still your information to control?
In my last Technorati post on the topic of personal data, "Who's Protecting My Information in the Cloud?", I highlighted a challenge consumers have tracing their identity with platforms that share your account info, like Facebook, in order to extend capabilities through the Internet cloud. But what happens when a company erroneously possesses your data in an account they believe authorizes them to use it to market to you? What rights do you have as a consumer to remove your personal data from another person's account and opt-out of the marketing?
I, like many other consumers, have placed my phone numbers on the National Do Not Call List, so when I received an automated call from Sprint, on my Verizon landline phone, I was perplexed. I have not been a Sprint customer since the turn of the century. I have owned this landline number since 2006. My wireless accounts are with T-Mobile and AT&T.
The automated voice on the other end of the phone notified me that a refund check in the amount of $37.67 had been approved and was in the mail from Sprint . The bot repeated the message and hung up. I was concerned this call might be a scam, or reflect a misappropriation of my identity. Thanks to caller ID, I could return the call and the 800 number it resolved to turned out, in fact, to be a call center for Sprint.
After navigating their menu of options that kept asking me for my Sprint account information, which I don’t have since I am not a customer, I got to a live rep. The rep acknowledged after a few minutes she couldn’t access the customer account where my landline number was stored to remove it. Why? Because I couldn’t give her the PIN for that account, let alone the Sprint account number.
I requested they stop calling me since they had no explicit permission to use the number as the listed owner of the landline. I offered to fax an affidavit and a copy of my phone bill which showed my address, to verify it didn’t match their records for the customer who was associated with my home phone number.
I even suggested there might be a risk that more of my personal data could have been co-opted, perhaps by someone perpetrating an identity theft for credit. “It was probably just a typo by the person who entered it,” she casually offered. Escalation to her supervisor was no more successful, and he summed up the situation this way: “There is no one in the Sprint or Nextel call center who can remove your personal information without a PIN.” A PIN, of course, which is only given to a Sprint customer, which I am not.
After two more automated bot calls from the Sprint 800#, I decided as a consumer I needed to understand the company's corporate policy on how they verify who 'owns' the actual data in the records they protect. Sprint’s representative provided the following official comment about its willingness to verify personal information and remove it from a customer record:
Sprint strives to maintain the most up-to-date and accurate customer account information. Inevitably, situations arise where inaccurate data is incorporated into our account records. When such a situation is brought to our attention, we will take the appropriate steps to resolve it.
In this instance, Sprint's Office of Privacy is reaching out to the Sprint accountholder whose information includes your landline phone number. Out of concern for customer privacy, we must first verify the change with the accountholder. Once the accountholder consents to the change, we will promptly update the information.
If an individual who is not a Sprint customer is contacted by Sprint about a Sprint account-related issue, we encourage them to contact our Office of Privacy at email@example.com, or visit http://www.sprint.com/legal/privacy.html. Our Office of Privacy will analyze the facts of the case and assist in resolving the issue.
The important insight in the above statement is that the Sprint customer must verify that the data can be removed. Companies contract to protect the personal information of customers, not any consumer. The bias is to protect the people who pay them to do so.
I asked Sprint specifically, then, how they verify their account holder has permission to use the data in question, especially if one of their customers may be using the appropriated data to commit identity theft. I further asked them to provide instructions for what recourse a consumer has to expunge the “inaccurate data” if the Sprint customer does not permit the change.
Apparently that policy is still formulating, as Sprint has not provided a clarification on this point. The State's Attorney General's office could not be reached for comment.