Recently I got a call from a representative of one of the free IT magazines I subscribe to. The rep wanted to renew my subscription, and needed to ask me a few “qualifying” questions first. Fine.
When she asked, “What is your Social Security number?” I responded, “You don’t need to know.”
She replied, “Yes, I do. We must verify that you are, indeed, who you say you are, so we need your Social Security number to do that. It is our standard procedure.”
“Well,” I told her, “Don’t you think it is poor business practice to make an unannounced call to your subscribers and ask them for a Social Security number? After all, you made the contact with me, not the other way around. I answered my phone, didn’t I? And besides, how do I know *YOU* are who you say you are? Can you please give me your Social Security number so I can verify that you are, indeed, who you say you are?”
After telling me she didn’t have a Social Security number (SSN) because she was from, and still worked from, India, we talked for just a bit more before I ended the call, satisfied in knowing that now my discontinued subscription may save a little paper.
Think about how many times you are asked to provide your SSN: on the phone, on forms you fill out, in person. Why do you really need to provide it? Do you ever ask?
Look at all the places you use SSNs within your business. Where are you asking your customers, employees, and even non-employees (such as job applicants) to provide their SSN? Do you really need to get their SSNs in each of these situations?
Too many businesses are still collecting SSNs and using them for purposes for which other types of information could just as easily and/or effectively be used.
Here is the first part of the first article, “(Mis)Using Social Security Numbers in Business,” within my August issue of IT Compliance in Realtime Journal, which discusses the use of SSNs (get the nicest version of the full journal here)…
_______________________________
Over the years, I’ve worked with many organizations to help them understand what they can, and cannot, do with regard to Social Security numbers (SSNs). I’ve also helped them explore the laws and regulations that cover some type of SSN use. It’s been awhile since I have written about this, so it seems like a good time to provide a few points about the use of SSNs within organizations.
How Do You Use SSNs?
The first thing you need to do before diving right into the regulatory and legal requirements for SSNs is to determine how your organization currently uses SSNs. You should then identify the existing laws, regulations, and contractual requirements that cover the use of SSNs in your organization. You also need to review your posted privacy policy and note how you promise you will handle SSNs. After you know 1) how you use SSNs and 2) what legal requirements cover the use of SSNs within your organization, you are then able to 3) determine where you have compliance gaps and then 4) discuss the next steps with your legal counsel.
Organizations MUST consider using something other than SSNs for identification, authentication, and passwords.
When considering SSN use in your organization, ask yourself and your business leaders the following types of questions:
- How does your organization use SSNs? Document all uses.
- Do you use SSNs as identifiers? As identity authenticators? As passwords? Using SSNs as passwords and/or identifiers is against the laws of some states and is frowned upon by the FTC.
- Do you use portions of SSNs for any purposes? Many organizations are using the last four digits or the first five digits as identifiers or passwords, but you must consider the risks involved with doing so, including the possibility that the practice violates the laws of the states where the associated individuals are located.
- Who within your organization has access to your databases containing SSNs? Make sure everyone with access has a business need to fulfill their job responsibilities.
- Who outside your organization has access to your SSN databases? Make sure the access is necessary as a part of contractual requirements or some other justified business need.
- Do you request or require SSNs to open new accounts? Determine whether SSNs really are necessary to create a new account.
- Are there other identifiers you can use besides SSNs? Why or why not? Many organizations use SSNs as identifiers simply because they are the easiest data items already available to them.
- What procedures do you follow when customers ask to use something other than SSNs? Most organizations are not well-prepared for these types of requests.
- What procedures do you use for removing SSNs when they are no longer needed? You need to have documented procedures that are consistently followed.
- What procedures do you use for correcting erroneous SSNs and associated information? Make sure you follow sound procedures to ensure SSN correction and change requests are legitimate.
- How do you use employee SSNs? Many states govern how employee SSNs can and cannot be used.
- How do you deliver, transport, or mail documents (hard copy and electronic) containing SSNs? Huge numbers of privacy breaches have occurred as a result of sending printed documents that contain SSNs by unsecured methods.
- Do you store SSNs in Internet-facing locations such as Web servers, FTP servers, and so on? If so, determine WHY this is necessary, and if it is not, stop the practice. If it is necessary for a business reason, be sure you safeguard the SSNs using strong encryption and effective access controls.
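One way to start the inventory the checklist asks for ("Document all uses") is a scanner that flags plausible SSNs in exported files, log extracts, or support tickets so you know where they actually live. This is an added example, not code from the article or the journal it quotes; the sample lines are constructed, and the structural rules are the SSA's published issuance constraints (area 000, 666, and 900-999, group 00, and serial 0000 are never issued).

```python
import re

# Loose candidate pattern: 3-2-4 digits joined by the same separator (dash
# or space), not embedded in a longer digit run. The structural checks
# below decide whether a candidate is a plausibly issued SSN.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ])(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Anything else is structurally possible."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return one finding per plausible SSN: line number and column only.
    The SSN itself is deliberately not copied into the finding, so the
    inventory report does not become one more place SSNs are stored."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_CANDIDATE.finditer(line):
            area, _sep, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append({"line": line_no, "col": m.start() + 1})
    return findings


# Constructed sample: the kinds of lines an auditor finds in exported data.
SAMPLE = """\
applicant_form.txt: SSN 123-45-6789 collected at intake
support_ticket: caller gave 666-12-3456 for verification (never issued)
hr_export.csv: 219 09 9999,Jane Doe
phone_list.txt: 555-123-4567 is the front desk
orders.txt: reference 123-45-0000 shipped Friday
"""

if __name__ == "__main__":
    for f in find_ssns(SAMPLE):
        print(f"plausible SSN at line {f['line']}, column {f['col']}")
```

Only lines 1 and 3 are reported: the 666 area, the 0000 serial, and the phone number are all rejected, which keeps the follow-up review focused on real collection points.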
_______________________________