I’ve always felt uncomfortable giving out my zip code to retailers. Now, a Massachusetts ruling has sent a clear message to businesses by concluding that zip codes are considered personally identifiable information (PII), which limits the way those numbers can be used and recorded during credit card transactions.
In this case involving a large craft retailer, the plaintiff made a purchase with their credit card and, during the process, was prompted to give the cashier their zip code. Not unlike myself, the customer felt uneasy about giving out this personal information, but handed it over based on the belief that it was necessary to complete the transaction. Allegedly, the company then combined the zip code with other information to obtain the plaintiff’s home mailing address, and began sending unwanted marketing materials.
While the case was ultimately dismissed, the court’s decision to designate zip codes as PII is significant. According to the Massachusetts court, zip codes now fit within the definition of PII and are therefore no different than PIN numbers used in debit card transactions, because both could be used to fraudulently assume the identity of the cardholder.
Here at McAfee, many of our customers focus on the probability of a data breach and its perceived business impact to justify the addition of security controls. As privacy laws continue to evolve, I predict that similar cases to the above will follow in other states, prompting businesses to adjust and adapt. This has significant implications for the enterprise as well as the consumer. Only organizations that have the ability to address where their data resides – and who and what applications can access that data – will be able to smoothly adjust to these types of changes, and ensure that their database is secure.
Our Security Connected Reference Architecture can provide the framework and details for more efficient ways to manage the security and compliance of your organization’s data.