The "Need To Know" Rule

The ATM asked for my mobile number recently. Why? The bank already has my phone number and email.

My dentist wants my mobile number. Probably so they can call me if I’m late for an appointment. Okay, kinda makes sense.

My car dealership demanded my mobile number (“because the loan company requires it”). And sold my email and phone number to telemarketers. Same for my domain name provider.

Now I use a “go-directly-to-voicemail” number for them all.

You know, I’m actually not too concerned with security on my systems. I use strong passwords and I don’t leave my laptop unlocked. I’m less concerned a hacker will get into my system; I’m more concerned a hacker will get into YOUR systems. These system hacks make my skin crawl.

  • Yahoo [3 billion user accounts]
  • Equifax [143 million consumers]
  • Target [110 million people]
  • Uber [57 million Uber users]
  • JP Morgan Chase [76 million households]
  • Anthem [78 million current and former customers]
  • Home Depot [56 million customers]
  • Adobe [38 million user records]

After all, why bother hacking an individual system to get one password when you can hack one system and get everyone’s passwords?

I know why businesses want loads of personal info. Either they use it to contact me. Or market to me. Or sell it so others can market to me.

The lesson: Use the “need to know” rule when sharing information with any business.

The term "need to know", when used by government and other organizations, describes the restriction of access to data that is considered very sensitive.

Businesses have a long list of things they would “like” to know. And a much smaller set of info they need to know.

Product managers and marketers take note. It’s reasonable to ask for name and email. Maybe a phone number and title. Not much else. 

There are three types of requirements beyond functional (i.e., features):

  • Security (often considered)
  • Performance (sometimes considered)
  • Privacy (rarely considered)

Add this list for consideration in your next product team discussion. And please take a fresh look at your landing pages and popups.

Because businesses have abused their access to personal information, I no longer answer my phone unless the caller is in my contact list. You better leave a voice mail.

If you really need to reach me, try my email.

Photo: Markus Spiske via Unsplash
