
Responding To Customers Asking About Your Company's Use of SSNs

For the past 10 years I have been driving the same, reliable, non-troublesome car. It still looks good enough (I don't really worry about driving an "it" kind of car). However, it is getting a bit rattly, and my friends have been increasingly giving me a hard time about continuing to drive it past the 200,000 mile mark. I never really cared much until my starter went out a couple of months ago. I wondered, what if this had happened to me while I was in a neighboring state at a client site? Sure, I have AAA, but it would still be a hassle. So, I decided if I saw a car I really liked and that had all the features I wanted, I would splurge and get a new car.

Well...I just happened to find a car I absolutely loved after seeing and driving it. I was at the dealer paying for it yesterday, and the sales person asked for my Social Security Number (SSN).

Hmm...I don't know of any reason why the car dealership needs my SSN; there was no financing involved.

"Why do you need my SSN?"

Sales dude, "It's Iowa law that everyone purchasing a car must provide it."

"Oh, really? Which law is that?"

Sales dude, "I don't know; you'll have to ask our accounting guy."

I handed him my business card, "I try to stay on top of these types of laws, but I'm not aware of any such law."

Sales dude...hearty laugh, "Well, then you *SHOULD KNOW* what the law is!" Hearty laugh continues...

"Yes, I should. But, I can't think of any such law, or the need for such information to be collected for this purchase."

Well, after talking to the accounting guy, he confirmed that he did *NOT* need my SSN and that there was no such law to his knowledge.

But think about how many people these types of sales dudes are collecting SSNs from without needing to collect them, and without even understanding the purpose for collecting SSNs.

And think about how these folks handle the paper they write the SSNs on...throwing them in the trash, or using them to write other information on, or leaving them out on their desktops, or...

It seems that "we're required by law" has become the catch-all excuse for all types of businesses, whether they want to collect SSNs or other personally identifiable information (PII), or whether they claim they can't divulge certain PII to the very individuals it applies to.

Doctors often use HIPAA incorrectly to collect unnecessary PII or to deny patients access to PII...

Accountants and financials often use GLBA incorrectly to collect unnecessary PII or to deny customers access to PII...

Schools often use FERPA incorrectly to collect unnecessary PII or to deny students and parents access to PII...

And the list goes on...

Do your personnel know how to respond to your customers' questions about how your organization uses SSNs? Or how your organization uses any type of PII?

All organizations should have a PII inventory, including SSNs, along with controls around that PII and training and awareness for protecting the PII.

However, most organizations are overwhelmed and never get around to creating such an inventory, and then implementing controls and providing training and awareness.

If tackling all PII is too big a task for an organization, it should at least start with SSNs. An organization should be able to:

1) Identify and document all sources from where the organization collects or obtains SSNs

2) Identify all areas/personnel/persons/business partners who have access to the SSNs

3) Implement controls to remove access from those who don't need it to perform job responsibilities

4) Provide training and awareness to everyone with access to SSNs to ensure they safeguard the SSNs effectively

5) Provide training and awareness to all personnel who communicate to customers and consumers so that they know how to respond accurately to inquiries about SSN use

SSNs continue to be misused on a large scale, allowing for growing numbers of identity theft incidents. Businesses need to become accountable for the collection and use of SSNs.

Consumers need to challenge organizations that ask them for their SSNs. Ask them for the law that requires such information.

BTW, upon checking Iowa state law, I found this at the Iowa State Attorney General (AG) site:

"18. Do not have your Social Security number printed on your checks. Don't let merchants hand-write your Social Security number on your checks because of the risk of fraud. Currently, there is no law against a merchant requiring you to divulge your Social Security number before accepting a check, so you may need to be assertive. Offering an assigned driver's license number is usually an adequate substitute."

And upon looking throughout the AG site, there appears to be NO Iowa state law that would ever require any merchant to collect an SSN from customers when making a purchase.


Comments

Good for you for challenging the dealership's unwarranted request. Seems that such requests are driven by habit and bureaucracy rather than any valid need.

Recently, my car was the target of some low-grade vandalism. When the police came to my home to make a report, the officers asked for my SSN. I asked why they needed my SSN when I was the victim, not the perp. Their response: "Because the crime report form has a space for it." The officers admitted that they had no idea why the victim's SSN is required, so I declined to provide it. They just shrugged, finished the report and bid me good day.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.