On Privacy
Greg Schaffer
Servant - Executive Information Security Advisor - vCISO - Author - Podcast Host - SME Contributor - Mentor - Entrepreneur - Owner vCISO Services, Second Chance Publishing, GSC - CISO Novelist - Veteran
When I write blog posts or LinkedIn articles, I like to find a relevant image. I really don't feel like that now, as I can't think of an image that can describe a privacy breach.
In all fairness, this isn't a breach per se, but certainly a disturbing action that I didn't expect. Well, it is a breach of trust, in my eyes. I'm a security and privacy professional. You'd think I'd be a bit more aware. But, no, I'm also a trusting individual. My problem is not that I trust people's intents to be honorable. I can figure that out pretty quickly. I'm just not as proficient as I need to be when considering others' privacy judgments.
Here's the scenario. I'm contacted through LinkedIn by someone who name drops a contact, says they provide investment services for the contact, and wonders if I'm interested. Okay, yes, that's a red flag there. But there have been a few instances in my life where cold calling worked for both parties. I had an insurance agent for over 20 years that started with him bringing homemade chocolate chip cookies to my door. Note - that still will likely work with me, as will home brewed beer (or even a sixer of Sam Adams).
I met with the adviser in person, and found him to be personable and honest. Again, I'm a self-proclaimed good judge of such. I want to emphasize now that I still think that the adviser is a solid, moral businessperson. Just misguided a bit.
We discussed at a high level my finances, and I agreed to continue the relationship with him, thinking that maybe he can help me with determining when would be an optimal time to retire. If you're over 50, you're considering it. It seemed like the beginning of a good relationship.
Then I got the marketing email, something about Happy Fourth of July. I'm as patriotic as the next person (I'm a veteran, and though you don't have to be a vet to be patriotic, if you sign a blank check to give your life for your country, I'm not sure there's a greater definition of patriotism). I get swamped with email every day; by virtue of my profession, I have email addresses with many organizations. I clicked the opt out. Apparently that cut off all communication with this adviser. I should have left it there.
But I didn't. I wanted to pursue the business relationship because it seemed like he could help me with my retirement question. We engaged on LinkedIn again (that is how we originally connected) and he gave me instructions on how to release the lock on receiving future emails, which I followed.
That didn't matter.
A couple of days later, I received a voicemail from a clothier, saying that the adviser had "spoken highly of me" and said "I was a great dresser." First of all, I buy my suits off the rack from Kohl's. I'll look presentable but I don't believe the clothes make the man (or woman), the man makes the man (or the woman...you get it). Right then I knew this was a sales deal.
The cold call didn't irk me. What did was the fact that my potential adviser had apparently given my information to a third party. Think about it - I'm a high-level executive and business owner who contacted an adviser about investment strategies. Doesn't that make me a qualified lead for the clothier?
Before I shut the door on the relationship, I contacted the adviser. He came clean, and said he was trying to help out the clothier, who is a "hard worker." Here's my message: I appreciate the sentiment, but that in no way gives you the right to disclose my private information. You may claim that my LinkedIn profile is public, but the fact that I was working with a financial adviser made me a qualified prospect, based on what I told you. That's information that no one else would have known.
Incidentally, I did let the adviser know that what he had done would have likely violated the GDPR if I were an EU citizen, possibly the CCPA if I were a California citizen and it was 2020, and could possibly violate the present GLBA provisions. The response? He disconnected me on LinkedIn, and I believe unfollowed my firm.
I debated whether or not to make this a public post for several weeks. In the end, my anger that someone would use my information, given in trust, in such a manner prevailed. It's hardened me. I have a few messages:
If you're a clothier, don't contact me. If I want to dress like Oscar Madison, so be it. He was pretty darn successful in his field.
If you're a professional that I give any private information to, use it only for the purpose intended. Yes, we don't have GDPR-type regs in the States yet (CCPA as an exception), but really, do you need a reg to do what is right? Come on, think about it.
If you're me, and there's only one who is, don't let this harden your heart. Remember the adviser was doing what he thought was right.
But bring me a platter of homemade cookies and a keg of Sam Adams Boston Lager...