View Full Version : Handling Social Security Numbers



bbolte
11-01-2007, 08:22 AM
Can anyone clarify or point me in the direction for information on policies/laws/requirements concerning how to handle Social Security Numbers? Some of our clients are wanting/needing this information. Basically, we've told clients that we won't handle or store that info, but several are clamoring for it. So I need some official info so that we can determine what our next step is. thanks.

KLB
11-01-2007, 11:36 AM
Basically if they don't have a true legal need for it (e.g. to run credit checks, or for employees) they should not have it PERIOD!

I see it all the time when working on database projects for people. They'll give me a paper form that requests people to provide a social security number, and I'll ask them why they need it and they look at me with a blank stare. Nobody really knows why the form requests the SSN, it just always has. I tell them to get rid of it because they probably don't really need this information and if their data ever got stolen they could face serious lawsuits for release of personal information. Most of the time they follow my advice and stop requesting SSNs. If they still insist, I ask what security measures they are going to take to protect this information. Pretty quickly I can normally convince them that the risk outweighs the benefit.

bbolte
11-01-2007, 12:25 PM
that's it though - some of these clients are doing credit checks. they've been slow to move this portion to the web. i've found some stuff, but man you have to sift through tons of gov-speak! i'm looking for straightforward stuff and that's difficult to find...

KLB
11-01-2007, 12:44 PM
You probably won't find straightforward answers other than screw up and your *** will be hung out to dry.

When it comes to SSNs and credit checks, the number should only be held as long as absolutely necessary to conduct the check and then deleted. It most certainly better not be transmitted across the Internet in an unsecured fashion (e.g. email) and the server it goes to had best have many layers of software and physical security.

bbolte
11-01-2007, 12:46 PM
"You probably won't find straightforward answers other than screw up and your *** will be hung out to dry."
oh I know - especially California...