Your customer data isn’t safe, but here’s how to protect it


Would it surprise you if I said consumers don’t believe the personal and financial data they submit to corporations is safe?

No? Well, don’t take my word for it. A recent survey found that 72 percent of consumers don’t believe companies take care of their data.

The research, commissioned by the cloud security company HyTrust, suggested people have good reason to worry, with the likes of Target, Neiman-Marcus, Michaels Stores, Adobe and White Lodging facing recent data breach issues.

Eric Chiu, the co-founder and president of HyTrust, called the level of distrust “breathtaking.”

“Many organizations maintain that they’re doing everything they can to protect private customer information, but the public at large believes otherwise,” he says.

Want to know what else is breathtaking? I’ll bet that if I polled companies right now and asked them if their customers care that the personal and financial data they submit to them is safe, they’d get a similar result. Customers don’t think their data is that important — unless, maybe, it falls into the wrong hands.

If it were otherwise, then the United States would have tougher data privacy laws. In Europe and Canada, for example, companies can’t indiscriminately share your information with a third party and they’re required to disclose to you the type of information they collect.

Here are three ways you can ensure your data stays safe even if the law won’t protect it.

Review the company’s privacy policy. Most consumers don’t bother to read a company’s data. If you did, you might find that companies give themselves a broad license to use your information any way they want. For example, Target’s policy allows it to share your data with a third party for marketing purposes. In order to opt out, you have to call the company. Here’s the thing: while I have few doubts that Target has learned its lesson after the recent data breach, can we be sure its marketing partners have? (By the way, if you’re wondering what a policy is worth, the answer is “a lot.” The Federal Trade Commission can force a company to honor the terms in its policy, as wishy-washy as they may be.)

Mind those pre-checked boxes. Whenever you make a purchase, particularly online, look out for those opt-ins. Many businesses will pre-check the box at the bottom of a page for your “convenience.” (Don’t they mean, for their convenience?) Unless you uncheck it, you’ll probably be agreeing to receive their catalog, share your data with anyone who wants it, or sign you up for an email newsletter.

Withhold your data. Perhaps the most effective way to protect your own data is to not give it to a company. Yes, they’ll scream — they’ll claim that withholding your address or email will not allow them to “provide excellent customer service.” But ask yourself: when’s the last time you received “excellent” service because a company knew your email address? When’s the last time you received “excellent” service, for that matter? Take baby steps. The next time you’re at a department store and someone asks for your phone number, say “no.” Maybe they’ll claim they need it to finish the transaction, but that’s nonsense. Maybe they’ll say the number is being used for research purposes only, and that your number won’t be added to a list. Don’t believe them. If you’re tired of receiving unsolicited phone calls at dinnertime, you know you have to stop giving your phone number out to strangers, don’t you?

Here’s the bottom line: If you want to protect your data, it needs to start with you. Sure, companies are responsible for safeguarding your personal information. Too many don’t. But ultimately, you control who gets that data, and if you’re not happy with the way corporations handle the information, you can — and you should — cut them off.

Do you trust companies with your data?

View Results

Loading ... Loading ...

Christopher Elliott

Christopher Elliott is an author, journalist and consumer advocate. You can read more about him on his personal website or contact him at Got a question or comment? You can post it on the new forum.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus

  • Jeanne_in_NE

    I’ve refused to give out my phone number and zip code to retailers for years. What’s thrown me for a loop in the last year or so is that some places are requiring my zip code to finalize a transaction with my credit card, such as purchasing gas. In the gas purchase instances, it’s when I’m swiping my card at the pump.

    We had a letter to the editor in the major newspaper around here suggesting that we remove our phone numbers from our voter registrations, as that’s how these PACs know to call me or my husband. Voter registration information is public knowledge. I *know* I don’t like how that information gets used!

  • Carver Clark Farrow

    Years ago, I purchased a Tivo from Best Buy. The woman at the cash register insisted that the Tivo Unit would wouldn’t work unless I disclosed my phone number and claimed the register wouldn’t process the transaction otherwise.So, I gave her a fake number. I read the number from the Best Buy business card at the register.

    Worked like a charm

  • Kairho

    I rarely give out my real phone number nor ‘main’ email address. As it’s easier just to give whoever a number, my stock answer is aaa-bbb-0000 where aaa and bbb are valid. Went for years like that (no one ever questioned the 0000 part) until I finally decided to call the number, just for fun. Turns out it was the local District Attorney’s office! Oops.

  • John Baker

    @Jeanne_in_NE:disqus The zip code is fraud control. They can use street address too. It gets validated when the rest of the information is sent for validation.

  • Christopher Elliott

    Not necessarily. When you’re pumping gas, the ZIP code is sometimes used to authenticate your card. But when you’re shopping at, say, a department store, the ZIP is being used for marketing purposes, often. It’s best to decline to give yours.

  • MarkKelling

    In any situation where the card device is unattended (like a pay at the pump set up) the ZIP is for fraud prevention as part of the authentication process. Like the lack of chip cards for US customers traveling to Europe, the requiring of a ZIP code for foreign card holders visiting the US causes major problems for customers wanting to use the unattended devices.

    The reason ZIP was used instead of the 3 digit code on the back of the card is so that when a card is copied for fraudulent use, the ZIP code is not present and should not be known by the person cloning the card — unless the frauding merchant asks for ZIP to complete the transaction!

    In the case of a face-to-face transaction, the presence of the card and the cardholder is all that is required to complete the transaction if the card issuer approves it.

    But I do agree that the less information that is given at time of purchase, the better for the customer.

  • Office_Bob

    Since US pumps don’t like Canadian postal codes; I just enter 90210 – I’ve never had a problem.

  • bodega3

    I don’t believe that works. It hasn’t for me. You do need the correct zip code for the card or it is declined.

  • bodega3

    Unfortunately in CA, political calls are permitted under the Do Not Call program. Gee, wonder how that happened :-( I changed my voter registration a few years back and put our fax line down as my phone number. We not longer have that number, but darn if I will change it :-)

  • bodega3

    I give phony numbers, too. I can’t remember the number I put down to get the CVS card…oh well!

  • Carver Clark Farrow

    lol. I did that once. I gave a sketchy telemarketer downtown police headquarters as my mailing address.

  • TheBride

    Never give out your real birthday–make up a fake one and stick to it. Always give out a phony phone number, they can get you on email if they have to. And have a “slop” email address for e-commerce and log-ins to unofficial sites. I only give real information to banks and official interactive sites. Period.

  • AJPeabody

    My phony number 555-1212 so if they want to call me, they call information.

  • Sarah M.

    I agree with not giving out your phone number, email, birthday, address or anything else that is connected to you personally, but I have no problem giving out my zip code. They use that information to track where groups of their consumers live and shop and I’m just part of a large group in that database.

    This can be a factor when they decide where to open new locations. Personally, I’d love to not have to commute as far sometimes to do my shopping, and I do want to keep brick and mortar businesses alive. I love the convenience of shopping on-line but sometimes nothing beats the experience of actually holding the object in your hand before you decide to buy.

    As for shopping on-line, I only use one-time use credit card numbers that are associated with a single merchant. If that number is compromised, it is useless anywhere else and if for some reason my primary card is replaced with a new number, all those other numbers that I’ve set up recurring payment plans on still work and I don’t have to go change them all.

  • MarkKelling

    You have a card or cards issued by US based banks, right? These all have a ZIP associated with them. Foreign cards do not. But the gas pump doesn’t know this so you have to enter something. When the transaction gets to where it goes for authorization, the ZIP field is checked. If there is no ZIP in the card record at the authorizer, it means the card is not US so that part of the authorization should be skipped. For any card that has a ZIP attached to it, it is true that it must match what was keyed in. Sometimes this does not work exactly this way resulting in foreign card holders getting declined at US gas pumps. But, as long as the 5 digit value that is entered is a valid US ZIP code, there should be no issue with the foreign cards as the authorizing entities are getting better at handling the foreign vs US cards..

  • bodega3

    Thanks for this information!

  • Jeanne_in_NE

    Keep that number handy! (Note: you may be too young to remember that jingle, LOL)

  • Jeanne_in_NE

    I decided to check out Target’s policy and then act on it to request an opt-out. Well, that’s a great deal harder than it should be. First, forget calling the 800#. That transfers you to a very limited set of menu options, none of which is obvious for opting out. I finally pressed the #2 option which allows me to chat with someone about a shopping experience, and then #4 to talk about something other than problems with items, groceries or recalls. I ended up speaking with a woman in Manila who had no idea in the world a) which company she was answering the phone for; and b) where “opt-out” was on her script.

    Use the on-line option instead. https://www-secure dot target dot com/contactus/guest-choice-form. Easy peasy.

  • Jeanne_in_NE

    Thank you! I was quite suspicious the first time I encountered that, at a gas station near Des Moines about a year ago.

  • TonyA_says

    I do address verfication for tickets I issue to people I do business the first time. Part of that is the street address and zip code. But I cannot address verify non USA credit cards so I just don’t sell to them. I believe address verification also exists in the UK.

    However, I understand that for card present transactions, a swipe, authorization, and signature protects the merchant. Not sure if there is no signature like pay at the pump. So maybe that’s why they add zip verification.

  • Matt Blumenfeld

    You can easily create a new email address to use as your “interacting with businesses” address. It’s usually pretty easy to have that email address forwarded to your regular inbox in case there actually is some excellent customer service communication. It’s also easy to use a Google Voice telephone number as a throw-away phone number that you don’t have to pay attention to if you don’t want to give out your real number.

  • LonnieC

    Love it!

  • Bill___A

    Unfortunately, foreign cards just can’t be used at “pay at the pump” most places in the USA.. Here’s an idea: Put stripe and chip readers in at all the pumps. Those with chip and pin can enter it and those with the old fashioned stripe can do the zip code thing.

  • emanon256

    I’ve worked with a few busienss who got discounted transaction fees when collecting a zip for in-person transactions. The merchant bank always said it was for fraud protection against stolen or cloned credit cards since they can be used in-person but the zip would not be known.

  • Judy Serie Nagy

    List your fax number! How clever is this!!??!

  • BMG4ME

    I find it amazing that in days past when we handed our credit card over and it was swiped manually leaving a paper trail for all to see, nobody complained. Today when it’s so much safer, people feel unsafe!