Take a good, hard look at patrons' data privacy in LX Starter
LX Starter seems to be bringing over and storing most of the personal data from a patron's record whenever it sends them an email. (See screenshot attached.) Even though much of it is hashed, it raises 2 major concerns:
1. Why is LX Starter NOT treating all of this information, such as patron barcode and last 4 of phone number, as PII, since in many libraries this combo can be used to access patron records through the online catalog?
2. Why is it bringing over this additional information at all (address, phone, birthdate, etc.) when the only PII LX Starter should need is the patron's name and email address (plus titles and fines and library data to populate individual notices)?
Many libraries use the last 4 digits of the patron phone number or even their zip code as the default account PIN, and many patrons never change from the default. When combined with the complete barcode, library users can log into their library account online to access all their account information, including full access to view and change the PII LX Starter is showing as hashed, plus current checkouts, fines, and potentially reading history.
That means if a staff member with a weak password had even read-only access to LX Starter, all of the PII for every patron who has ever received an LX Starter notification can potentially be accessed by using unhashed data to log into that library's online catalog. It would be a convoluted way to get personal data, but a vulnerability, regardless.
I'm not a data security expert but I'm guessing any of these steps would resolve the problem or at least reduce risk:
1. Modify LX Starter so it does not fetch or store any patron PII, hashed or not, from the ILS besides patron name, email address, maybe barcode, and the checkout/fine information needed for the notice, or, if that's not possible, at least fully hash the entire address, phone number, and birthdate shown in the notice activity logs.
2. Do not show the full library barcode. Ideally, let libraries set how many digits to display. In our library, for example, the last 6 are unique, so we might choose to only show the last 3 or 4.
3. Offer two-factor LX Starter login for any libraries who share concern about the security of patron information stored in LX Starter.
Just one of these steps would be an improvement, though all 3 of them would be even better. Perhaps there are other solutions I'm unaware of that would be more effective.
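One way to implement the first two suggestions, as an added example that is not part of the original post or of LX Starter itself: an allow-list projection of the ILS patron record down to the fields a notice needs, with the barcode reduced to a library-configurable number of trailing digits. The field names and the sample patron record are constructed for illustration.

```python
# Added example: a data-minimisation step between an ILS patron export and a
# notification tool. Field names and the sample record are constructed; this is
# not LX Starter or Sierra code.

# Fields a notice actually needs (name, email, items, fines). Everything else
# (address, phone, birthdate, PIN, ...) never leaves the ILS.
NOTICE_FIELDS = frozenset({"name", "email", "items", "fines"})

# Constructed sample record standing in for a full ILS patron export.
SAMPLE_PATRON = {
    "name": "Jane Doe",
    "email": "jane@example.org",
    "barcode": "21234000012345",
    "phone": "555-0100",
    "address": "1 Example St",
    "birthdate": "1980-01-01",
    "items": ["Example Title"],
    "fines": 2.50,
}


def mask_barcode(barcode: str, visible: int) -> str:
    """Show only the last `visible` digits of a barcode.

    `visible` is clamped so that at least half of the barcode stays masked
    (a library that asks for 12 of 14 digits gets 7) and never goes negative.
    """
    visible = max(0, min(visible, len(barcode) // 2))
    hidden = len(barcode) - visible
    return "*" * hidden + barcode[hidden:]


def minimise_for_notice(patron: dict, visible_barcode_digits: int = 4) -> tuple[dict, list]:
    """Project a full patron record onto the notice payload.

    Returns (payload, dropped_fields); the dropped list is what an audit log
    would record to show which PII was withheld from the notification tool.
    With visible_barcode_digits == 0 the barcode is omitted entirely.
    """
    payload = {k: v for k, v in patron.items() if k in NOTICE_FIELDS}
    if visible_barcode_digits > 0 and "barcode" in patron:
        payload["barcode"] = mask_barcode(patron["barcode"], visible_barcode_digits)
    dropped = sorted(k for k in patron if k not in payload)
    return payload, dropped
```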
We appreciate you raising these concerns with PII and security and will continue to review them as we work to improve the product.
Carl Ratz commented
Could LX Starter just not store information and retrieve it as needed from the ILS?
Bravismore Mumanyi commented
I do support bringing or caching the bare minimum - patron attributes that are absolutely necessary for dispatch of notices. Even consider not having the profile resident in the cloud - use on demand, with the profile staying on source system (Sierra).
Correction to my original post: I previously overlooked the EDIT button, which unveils all the patron PII, unhashed. So I was mistaken: LX Starter actually DOES give direct access to all patron PII in our database, even for patrons who do not get email notices or have an email address on file. LX Starter was described only as a tool for email communication, and we had no reason to assume it would provide access to patron information having nothing to do with email communications. At minimum, this fact needs to be made explicitly clear to libraries as they are adding staff users and selecting LX Starter sign-in credentials.
Emma Olmstead-Rumsey commented
I'd love to know what fraction of LX Starter users are using the whole Vega suite. I know part of the reason III has offered LX Starter at no charge to all existing customers is to showcase Vega. Maybe customers that use the whole suite require so much patron data to be present on the platform, but the large number of us who are using LX Starter only get no benefit from this information being present, only risk.
Taylor Fisher (Admin, Innovative) commented
Thank you for your productive and respectful feedback.
First, we must emphasize that we take security and privacy matters very seriously. We are SOC2 (security operations center) certified and perform continuous and automated vulnerability scans with quick resolution times to ensure the safety and security of our systems and the data stored within them. This is in addition to the standard cross-company security protocols. A further measure we take is encryption at rest, which means that all incoming data is stored encrypted and cannot be accessed.
Second, we would like to address your two main concerns about treating all information as Personal Identifiable Information (PII) and the decision to import additional information into LX Starter. Our development partners and early adopters requested that this information be there and editable, and our goal in building LX Starter is to create a single tool for library staff to view and manage all patron activities throughout their lifecycle. This is still in progress as we continue to build up these products.
We have not considered barcode as PII and will take it internally to consider as something that should be masked. Thank you for your input in that regard.
We greatly appreciate your thoughtful suggestions, and we have it on our roadmap to incorporate two-factor authentication login in the future, and timing on that is still being determined.
Please let us know if you have any further questions.
Eric Young commented
I completely agree with your concerns about data privacy in LX Starter. It is critical that LX Starter treats all personal information as PII and only brings over the necessary information for sending emails.
Your suggestions to modify LX Starter to not fetch or store any unnecessary patron PII, not show the full library barcode, and offer 2-factor LX Starter login are all excellent steps towards reducing risk and improving data security. It is important that these steps are taken as soon as possible to ensure the protection of patrons’ personal information.
There is absolutely no need for a mailing address and birthday to be stored and accessible in LX Starter. If a library needs an age group for targeted emails, the group should be determined prior to data being sent to and stored in LX Starter or Promote.