F ID I N E WS BEWARE THE PII TRAP How safe is your shippers personally identifiable information (PII), asks Marie-Pascale Frix, FIDI Business Intelligence Manager I MARIE-PASCALE FRIX, FIDI BUSINESS INTELLIGENCE MANAGER EVELYN DE JAEN, GENERAL MANAGER OF LACMA magine the following situation: you get a phone call from a very distressed customer, telling you their personal information is freely available on the internet since their move, via sea, to the USA. They ask how you could let this happen didnt you commit to protect their personal information? Some of you might have received such a call in recent years. You probably thought it was a case of hackers stealing and publishing personal data. The reality, however, might be quite different. Increasingly, reports show that some government agencies sell or share such personal data, more or less legally, depending on local legislation. In the USA, government authorities such as US Customs and Border Protection (CBP) are allowed to sellvessel manifest data, including personally identifiable information (PII) of shippers moving to or from the USA. This could include US private citizens or foreign nationals, US military service members and US government employees. A shippers PII includes: Shipper (transferee) name Shipper address Consignee name Consignee address Notify party name Notify party address Social security number Passport number While the official reasoning of the CBP is to give global data brokers the ability to produce statistical reports of US inbound and outbound shipments, the data, ultimately, ends up being freely available online. To safeguard the privacy of shippers under the responsibility of removal companies, the International Association of Movers (IAM) offers a Shippers Confidentiality Request Form on its website, and is actively pushing to introduce the Moving Americans Privacy Protection Act. This legislation, after approval by the US Senate, will prevent the CBP from selling personally identifiable information from international moves including socialsecurity numbers and passport data to third-party databrokers. At the time of writing, the IAM together with the American Moving & Storage Association (AMSA) and a national coalition of military and moving associations is urging the US Senate to pass this bill into law (law S.998) before the end of the year. In the meantime, to request confidentiality when importing or exporting personal effects in the US, fill out the IAMs online Shippers Confidentiality Request Form at bit.ly/2zClb40 Your responsibilities as a removal company As the booker, you should prevent personal information from your shippers being sold to third parties. Even if vessel manifest data selling and/ or sharing is allowed at government level, your company is responsible for mitigating such a risk by: 1. Removing the shippers PII from the vessel manifest (unless legally required) 2. Informing your customers of a potential databreach risk 3. Guiding your customers to the appropriate resources they can use to opt out and request PII data confidentiality (for example, IAM Shippers Confidentiality Request Form). THE SITUATION IN LATIN AMERICA Several cases of shippers personally identifiable information (PII) being available online have been brought to FIDIs attention over the past few months. Working with FIDI Latin America, we have found that most Latin American countries have laws to protect PII data, but if requested they may share it with international customs authorities/countries for statistical and legal matters. Nonetheless, not all countries have regulatory bodies to enforce compliance of existing data protection legislation. Evelyn de Jaen, General Manager of LACMA, says the recent implementation of the General Data Protection Regulation (GDPR) in the EU has prompted many Latin American countries to start work on developing and implementing stronger legislation to adhere to the GDPR. 32 FF289FebMar19 pp32-33 FIDI News.indd 32 WWW. F I D I . OR G 23/01/2019 16:34