When handling applications for permits, licenses, and just about everything else, you gather a great deal of information that should be protected. Mostly, you'll want to protect Personally Identifiable Information (PII). You can read more about it here, but in short:
PII is sensitive data that could be used to identify, contact, or locate an individual. The loss of PII can lead to identity theft or other fraudulent use of the information. A PII breach is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term.
Information such as business phone numbers and race, religion, gender, workplace, and job titles are typically not considered PII.
PII includes:
Name
Address
Social security number
Other identifying numbers or codes
Telephone number
Email
Passport number
Driver's license number
Taxpayer identification number
Patient identification number
Financial account or credit card number
A lot of Civic Review's users like to publish lists of business licenses or issued permits online, and that's okay! Our strong recommendation is to avoid publishing PII, as listed above. Here's a great example of why you should refrain from posting this kind of information:
You Don't Want to Invite Phishing Attacks
A phishing attack is where an attacker sends a fraudulent communication that appears to come from a reputable source, such as an email, text message, or phone call, to steal sensitive data.
All this information you have could make it easier for a malicious actor to pose as an official representative to trick people into trusting their communications.
We had a customer publish a list that included business legal name, DBA, business address, phone, owner name, contact email (which is often the owner's email address), and owner mailing address. Somebody grabbed this list and sent emails to everybody on it, telling them they needed to verify their business information, and included a table of information from the published list. The email looked something like this:
Dear John Doe,
It's time to verify your business information with the city of Townsville. Please review this information below and click the "verify" link to complete your verification.
Name | The Candy Store |
License Number | 1234567 |
Owner Name | John Doe |
Owner Address | 123 Boulevard |
Contact Email |
[Click Here to Verify]
As set forth in Article IV or Article V, the City makes no other representation of the above information, implied at law, In respect of the Company’s business, and any such other representations or warranties are hereby expressly disclaimed; provided, however, that the foregoing is not intended to limit in any respect, the representations and warranties expressly set forth in this Article IV or Article V.
Notice how tricky this email is. By using the city's logo at the top of the email, showing business information that only the city would have (like license number), and adding that bogus disclaimer about "Article IV and Article V", this email appears to be quite official.
The link in the email went to a carefully crafted webpage that asked applicants to log in with their email credentials to get started. It asked them to choose Outlook or Gmail, and then showed a login form. It's likely several individuals fell for this trap and gave away their email password!
What to Include in Public Lists
When publishing lists of records, keep in mind that even though this information is public domain, and a lot can even be accessed with a formal public information request, you should minimize what you share. When it comes to any form of contact information, we recommend sharing what you might find in a phone book, and we recommend NOT sharing any kind of email address, even if it's the official business email.
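One way to apply this before a list goes online, shown as an added example (not Civic Review's code): an allowlist filter for a CSV export that keeps only phone-book-style columns and redacts any email address or SSN-like number that slipped into a kept field. The column names and sample rows are constructed assumptions; adjust them to your own export.

```python
import csv
import io
import re

# Assumption: column names of a hypothetical license export (constructed).
PUBLIC_COLUMNS = ["legal_name", "dba", "business_address", "phone"]

# Patterns for PII that tends to leak into free-text fields.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Constructed sample export; every value is fictitious.
SAMPLE_EXPORT = """\
legal_name,dba,business_address,phone,owner_name,contact_email,owner_mailing_address
The Candy Store LLC,The Candy Store,123 Boulevard,555-0100,John Doe,john@example.com,9 Home Ln
Townsville Bikes Inc,,45 Main St (billing: pat@example.org),555-0101,Pat Roe,pat@example.org,77 Oak Ave
"""


def sanitize_for_publication(csv_text):
    """Return (public_csv, findings) for a full export.

    Only allowlisted columns are copied, so a column added to the export
    later stays private until someone deliberately lists it. Kept cells are
    then scanned, and each match is redacted and reported for review.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=PUBLIC_COLUMNS, lineterminator="\n")
    writer.writeheader()
    findings = []  # (source line number, column, kind of PII)
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        public_row = {}
        for col in PUBLIC_COLUMNS:
            value = row.get(col) or ""
            for kind, pattern in PII_PATTERNS.items():
                if pattern.search(value):
                    findings.append((line_no, col, kind))
                    value = pattern.sub("[removed]", value)
            public_row[col] = value
        writer.writerow(public_row)
    return out.getvalue(), findings


if __name__ == "__main__":
    public_csv, findings = sanitize_for_publication(SAMPLE_EXPORT)
    print(public_csv)
    print("needs review:", findings)
```

Treat a non-empty findings list as a reason to fix the source record before publishing, since the redaction only covers the patterns listed.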
Official Emails from Civic Review
Official emails such as renewal notices, requests for payment, etc., will come from civicreview.com - we take great care to tell applicants to look out for emails from us for official communication regarding their applications. Emails from other domains are not to be trusted, and we would never EVER ask for passwords over email, and we would never have a webpage asking for a password for anything except a Civic Review password on a login page.

