Here’s a cartoon I created. It involves several Fair Information Practice Principles (FIPPs) and privacy best practices. The ones involved (and not heeded) in this cartoon are doing a data inventory, informing people about the purposes of the collection of their data, using data for only those purposes, and not keeping data longer than necessary to accomplish those purposes.
For many organizations, there is a lot of data collected that gets stored and forgotten, or that is collected with no apparent purpose in mind. Data inventories are a great way to take stock of this data and determine whether it is really necessary and appropriate to keep it.
Two notable differences are: (1) the form from Citibank’s website has a toll-free phone number you can call to opt out; the form in the letter does not; (2) the addresses of the processing centers where the opt-out forms are to be sent are different.
So my friend then called Citibank to find out what was going on. Had a fraudster acquired a card in her name? Was the letter an elaborate phishing scheme?
My friend recounted the conversation the best she could so I could recreate it on this blog. This is reconstructed from her memory, so it’s not exact. Although the transcript below doesn’t contain the precise words spoken, it hopefully will capture the gist of the conversation.
According to an article in the NY Times, documents obtained by the Electronic Privacy Information Center from the Social Security Administration (SSA) reveal that the SSA disclosed personal information in response to FBI requests after 9-11: