
RE: [WEB SECURITY] what are the rules for SSNs?



There do not appear to be laws regarding the encryption of SSNs; however, there are valid business reasons to encrypt the SSNs.
 
Social Security Numbers by themselves are public.  The Social Security Administration publishes a list of Social Security Numbers issued every quarter; however, Social Security Numbers combined with information that would tie the number to an individual are not public information (and should be protected).  The laws currently only address the disclosure of SSNs and do not address encryption; however, a point could be made that the information should be encrypted to prevent unauthorized access or to safeguard SSNs in the event of a compromise.  There are several cases where companies had to disclose that they had lost backups that contained unencrypted SSNs and notify individuals whose SSNs may have been disclosed.  
 

Relevant Laws


There are many laws that protect an individual's privacy, some of which deal specifically with Social Security numbers, and others that deal with protected health information or other personal or financial information. A summary of key provisions of some of the laws appears below. More detailed information about these laws and other privacy laws will be provided at the departmental level as needed for an employee's job duties. 

The following laws are summarized in this section:

*	Federal Privacy Act of 1974
*	Social Security Act
*	Family Educational Rights and Privacy Act (FERPA)


Federal Privacy Act of 1974:


*	A government agency cannot deny to any individual any right, benefit, or privilege provided by law because the individual refuses to disclose his SSN, unless Federal law requires its disclosure. (Section 7 of Pub. L. 93-579 in Historical Note, 5 U.S.C. § 552a) 
*	A government agency must provide a disclosure notice each time the agency requests an individual's social security number. The notice must state (1) whether the disclosure is mandatory or voluntary, (2) by what authority the SSN is required, and (3) what use will be made of the SSN. (Section 7 of Pub. L. 93-579 in Historical Note, 5 U.S.C. § 552a)


Social Security Act:


*	Anyone who discloses, uses or compels disclosure of an SSN in violation of the laws of the United States is guilty of a felony punishable by a fine or imprisonment up to five years or both. (42 U.S.C. § 408(a)(8)) 
*	An SSN obtained or maintained by a governmental entity pursuant to any provision of law enacted on or after October 1, 1990, is confidential and may not be disclosed. (42 U.S.C. § 405(c)(2)(C)(viii)(I))


Family Educational Rights and Privacy Act (FERPA):


*	Disclosure of a student's confidential information, including the SSN, without written consent, is prohibited, unless the disclosure falls within a specified exception. (20 U.S.C. § 1232g)


________________________________

From: Licky Lindsay [mailto:noontar@xxxxxxxxx]
Sent: Fri 7/11/2008 9:49 AM
To: WASC Forum
Subject: [WEB SECURITY] what are the rules for SSNs?



In the U.S., what laws, regulations, standards, etc. control how you handle
social security numbers?

For example, is it acceptable to store mass numbers of them
unencrypted in a database?

Not asking if it's a good idea to do so.. asking if it's legal and in
compliance with standard practices. Realize those are not the same.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



