
How Do You Use Social Security Numbers?

Recently I got a call from a representative of one of the free IT magazines I subscribe to. The rep wanted to renew my subscription, and needed to ask me a few "qualifying" questions first. Fine.

When she asked, "What is your Social Security number?" I responded, "You don't need to know."

She replied, "Yes, I do. We must verify that you are, indeed, who you say you are, so we need your Social Security number to do that. It is our standard procedure."

"Well," I told her, "Don't you think it is poor business practice to make an unannounced call to your subscribers and ask them for a Social Security number? After all, you made the contact with me, not the other way around. I answered my phone, didn't I? And besides, how do I know *YOU* are who you say you are? Can you please give me your Social Security number so I can verify that you are, indeed, who you say you are?"

After telling me she didn't have a Social Security number (SSN) because she was from, and still worked from, India, we talked for just a bit more before I ended the call, satisfied in knowing that now my discontinued subscription may save a little paper.

Think about how many times you are asked to provide your SSN: on the phone, on forms you fill out, in person...why do you really need to provide it? Do you ever ask?

Look at all the places you use SSNs within your business. Where are you asking your customers, employees, and even non-employees (such as job applicants) to provide their SSN? Do you really need to get their SSNs in each of these situations?

Too many businesses are still collecting SSNs and using them for purposes for which other types of information could just as easily and/or effectively be used.

Here is the first part of the first article, "(Mis)Using Social Security Numbers in Business," within my August issue of IT Compliance in Realtime Journal, which discusses the use of SSNs (get the nicest version of the full journal here)...
_______________________________

Over the years, I've worked with many organizations to help them understand what they can, and cannot, do with regard to Social Security numbers (SSNs). I've also helped them explore the laws and regulations that cover some type of SSN use. It's been a while since I have written about this, so it seems like a good time to provide a few points about the use of SSNs within organizations.


How Do You Use SSNs?

The first thing you need to do before diving right into the regulatory and legal requirements for SSNs is to determine how your organization currently uses SSNs. You should then identify the existing laws, regulations, and contractual requirements that cover the use of SSNs in your organization. You also need to review your posted privacy policy and note how you promise you will handle SSNs. After you know 1) how you use SSNs and 2) what legal requirements cover the use of SSNs within your organization, you are then able to 3) determine where you have compliance gaps and then 4) discuss the next steps with your legal counsel.

Organizations MUST consider using something other than SSNs for identification, authentication, and passwords.

When considering SSN use in your organization, ask yourself and your business leaders the following types of questions:

  • How does your organization use SSNs? Document all uses.
  • Do you use SSNs as identifiers? As identity authenticators? As passwords? Using SSNs as passwords and/or identifiers is against the laws of some states and is frowned upon by the FTC.
  • Do you use portions of SSNs for any purposes? Many organizations are using the last four digits or the first five digits as identifiers or passwords, but you must consider the risks involved with doing so, including that the practice may be against the laws of the states where the associated individuals are located.
  • Who within your organization has access to your databases containing SSNs? Make sure everyone with access has a business need to fulfill their job responsibilities.
  • Who outside your organization has access to your SSN databases? Make sure the access is necessary as a part of contractual requirements or some other justified business need.
  • Do you request or require SSNs to open new accounts? Determine whether SSNs really are necessary to create a new account.
  • Are there other identifiers you can use besides SSNs? Why or why not? Many organizations use SSNs as identifiers simply because they are the easiest data items already available to them.
  • What procedures do you follow when customers ask to use something other than SSNs? Most organizations are not well-prepared for these types of requests.
  • What procedures do you use for removing SSNs when they are no longer needed? You need to have documented procedures that are consistently followed.
  • What procedures do you use for correcting erroneous SSNs and associated information? Make sure you follow sound procedures to ensure SSN correction and change requests are legitimate.
  • How do you use employee SSNs? Many states govern how employee SSNs can and cannot be used.
  • How do you deliver, transport, or mail documents (hard copy and electronic) containing SSNs? Huge numbers of privacy breaches have occurred as a result of using unsecured methods to transport printed papers that contain SSNs.
  • Do you store SSNs in Internet locations such as Web servers, ftp servers, and so on? If so, determine WHY this is necessary, and if it is not, stop the practice. If it is necessary for a business reason, be sure you safeguard the SSNs using strong encryption and effective access controls.
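As an added example (not code from the journal article or this post), here is a small Python helper for the "document all uses" step above: it scans records for candidate SSNs, discards values that fail the Social Security Administration's structural rules, and records only a masked form so the inventory itself does not become another SSN store. The sample records and the 40-character context field are constructed assumptions.

```python
import re
from typing import List, Dict

# Constructed sample data standing in for the kinds of places an SSN inventory
# must look: an application log, a support ticket, a CSV export and payroll notes.
SAMPLE_RECORDS = [
    "2008-08-14 10:02:11 signup user=jdoe ssn=123-45-6789 status=ok",
    "ticket #4412: caller verified with SSN 234567890 and DOB",
    "name,ssn,plan\nA. Smith,666-12-3456,gold",            # 666 area is never issued
    "callback number 515-555-1234, order 9876543210",      # phone/order, not SSNs
    "employee 000-12-3456 added to payroll",               # 000 area is invalid
]

# Nine digits, optionally grouped 3-2-4 with dashes or spaces. The look-around
# assertions reject a match that has a digit or dash directly before or after
# it, so a 10-digit phone number or order number does not yield a "hit".
SSN_PATTERN = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and the group and serial fields are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def mask_ssn(serial: str) -> str:
    """Keep only the last four digits in the inventory record."""
    return "***-**-" + serial

def find_ssns(text: str) -> List[Dict[str, str]]:
    """Return one inventory entry per plausible SSN found in `text`."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            # Assumed convention: 40 chars of context locates the source record.
            hits.append({"masked": mask_ssn(serial), "context": text[:40]})
    return hits

def inventory(records: List[str]) -> List[Dict[str, str]]:
    """Scan every record and collect the masked findings."""
    found = []
    for rec in records:
        found.extend(find_ssns(rec))
    return found

if __name__ == "__main__":
    for entry in inventory(SAMPLE_RECORDS):
        print(entry)
```

Run against real exports and logs, the masked findings give the list of systems and documents that the questions above ask you to enumerate.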
_______________________________


Comments

Thank you for covering SSN security like this! I can't tell you how much it frustrates me to fill out job applications on the web that require an SSN to be completed in order to submit it. I flinch when I have to give my SSN for "identity verification" when my Driver's License number can do the same thing. That brings me to a question - what is the difference between the type of information you can glean from a DL# and a SSN? Is a DL# any safer?

Suzanne, thanks for your comment and great questions!

The answer...as most answers...depends upon the situation. Some states use SSNs as the driver's license number, so if you're from one of those states it would not be any safer.

In addition, misuse of driver's license numbers also poses threats...of identity theft, physical harm from someone then being able to track you down, etc.

This is a good topic; I'll address it in an upcoming post! In the meantime, consider all the businesses that use driver's licenses, and driver's license numbers, to verify your identity. This could lead to many bad things happening if someone gets your driver's license number and uses it to create his/her own driver's license, which is very easy to do as the following links should demonstrate:

http://www.photoidcards.com/
http://newidcards.com/fake-drivers-license.htm
http://www.theidshop.com/holograms.htm

Rebecca


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.