You would think after all the stories about data breaches that companies would not be asking you for your personal information via email.
As long as people will do it, companies will ask. After all, it is easy, and when easy fights with secure, easy almost always wins.
In the source article for this post (see below), companies were asking for copies of credit cards, passports and driver's licenses via email. Since the people they were asking worked for a security consulting firm, they said no, but that is a drop in the bucket compared to all the ones that say yes.
Since email is (almost always) not encrypted and has no controls over what happens to it, providing your sensitive personal information via email puts you at higher risk for identity theft.
You could type the email address incorrectly or the requester could provide the wrong address. In addition, there may be many places along the route that email travels where it could be exposed.
Of course there could also be a rogue employee who decides to keep your information.
A company that engages in the questionable practice of asking for sensitive information via email probably engages in other poor cyber security practices as well.
It would also seem that storing that information in email likely breaks many state privacy laws that require that non-public personal information be encrypted in storage.
However, as long as people keep sending that information, companies will continue to ask for it.
Even financial services firms like mortgage companies and accountants may ask for your information via email.
Just don’t do it. Tell them that you are not comfortable providing your information that way. Ask them for a more secure method. YOU are actually in control.
If enough people vote with their feet and their pocketbooks (like former Yahoo customers who are leaving due to the breach and other privacy issues), then companies will get the message.
Unless the FTC explains the issue to them first, of course. They do frown on the practice, but they haven’t filed suit against anyone yet, that I am aware of.
Information for this post came from Risk Based Security.