Responding To Customers Asking About Your Company’s Use of SSNs

For the past 10 years I have been driving the same, reliable, non-troublesome car. It still looks good enough (I don’t really worry about driving an “it” kind of car). However, it is getting a bit rattly, and my friends have been increasingly giving me a hard time about continuing to drive it past the 200,000 mile mark. I never really cared much until my starter went out a couple of months ago. I wondered, what if this had happened to me while I was in a neighboring state at a client site? Sure, I have AAA, but it would still be a hassle. So, I decided if I saw a car I really liked and that had all the features I wanted, I would splurge and get a new car.
Well…I just happened to find a car I absolutely loved after seeing and driving it. I was at the dealer paying for it yesterday, and the sales person asked for my Social Security Number (SSN).
Hmm…I don’t know of any reason why the car dealership needs my SSN; there was no financing involved.
“Why do you need my SSN?”
Sales dude, “It’s Iowa law that everyone purchasing a car must provide it.”
“Oh, really? Which law is that?”
Sales dude, “I don’t know; you’ll have to ask our accounting guy.”
I handed him my business card, “I try to stay on top of these types of laws, but I’m not aware of any such law.”
Sales dude…hearty laugh, “Well, then you *SHOULD KNOW* what the law is!” Hearty laugh continues…
“Yes, I should. But, I can’t think of any such law, or the need for such information to be collected for this purchase.”
Well, when I talked to the accounting guy, he confirmed that he did *NOT* need my SSN and that there was no such law to his knowledge.
But think about how many people these types of sales dudes are collecting SSNs from without needing them, and without even understanding the purpose for collecting SSNs.
And think about how these folks handle the paper they write the SSNs on…throwing it in the trash, or using it to write other information on, or leaving it out on their desktops, or…
It seems that stating “we’re required by law” has become the catch-all excuse for all types of businesses, whether they want to collect SSNs or other types of personally identifiable information (PII), or they claim they can’t divulge certain types of PII to the very individuals that PII is about.
Doctors often use HIPAA incorrectly to collect unnecessary PII or to deny patients access to PII…
Accountants and financial institutions often use GLBA incorrectly to collect unnecessary PII or to deny customers access to PII…
Schools often use FERPA incorrectly to collect unnecessary PII or to deny students and parents access to PII…
And the list goes on…
Do your personnel know how to respond to your customers’ questions about how your organization uses SSNs? Or how your organization uses any type of PII?
All organizations should have a PII inventory, including SSNs, along with controls around that PII and training and awareness for protecting the PII.
However, most organizations are overwhelmed and never get around to creating such an inventory, and then implementing controls and providing training and awareness.
If tackling all PII is too big a task for an organization, it should at least start with SSNs. An organization should be able to:
1) Identify and document all sources from where the organization collects or obtains SSNs
2) Identify all areas/personnel/persons/business partners who have access to the SSNs
3) Implement controls to remove access from those who don’t need it to perform job responsibilities
4) Provide training and awareness to everyone with access to SSNs to ensure they safeguard the SSNs effectively
5) Provide training and awareness to all personnel who communicate to customers and consumers so that they know how to respond accurately to inquiries about SSN use
SSNs continue to be misused on a large scale, fueling a growing number of identity theft incidents. Businesses need to become accountable for the collection and use of SSNs.
Consumers need to challenge organizations that ask them for their SSNs. Ask them to name the law that requires such information.
BTW, upon checking Iowa state law, I found this at the Iowa State Attorney General (AG) site:
“18. Do not have your Social Security number printed on your checks. Don’t let merchants hand-write your Social Security number on your checks because of the risk of fraud. Currently, there is no law against a merchant requiring you to divulge your Social Security number before accepting a check, so you may need to be assertive. Offering an assigned driver’s license number is usually an adequate substitute.”
And upon looking throughout the AG site, there appears to be NO Iowa state law that would ever require any merchant to collect an SSN from customers when making a purchase.