
RE: [WEB SECURITY] what are the rules for SSNs?



Encryption is just a form of access control, and often not the best. Remember, the key is a secret
and as the adage goes, a secret known to 3 people is no secret...

If lots of folks need to use SSN to identify people (and it makes sense, really, only as an
identifier, not as an authenticator), the key is apt to be rather accessible. Lose the key,
and nobody will miss it: it can walk out the door on a piece of paper in someone's pocket.

Then lose the ciphertext you think of as protected, and thus haven't been watching too carefully,
and the information is gone.

If that is the way of it, you are better off doing access control conventionally and knowing
that losing the data means losing the data.

You would be better off still if everyone just used SSN as at most an identifier (i.e., this is
who you say you are) and not an authenticator (SSN doesn't prove you ARE that person, and knowing
a SSN should not be taken as evidence you are that person).

As it is, we often use knowing a few numbers as proof of identity, where the numbers or
names in question are all widely available. Remember many whole states have used SSN for driver
license numbers and then sold the whole list to anyone with a couple hundred dollars who asked
for it. Ditto many other organizations. Unless you were born after perhaps 1995, that horse
is well and truly out of the barn, the county, the state...

A few of the ways to deal with this can actually work, though on the whole the free ones and
almost free ones look to me like snake oil (and are gradually getting proven to be such).

I might add that proving who you are has no solid evidentiary trail available in the US at
least. Look at your birth certificate (if it still exists). It has a few names on it, not all
of whom are still even alive, and if you steal or forge a birth certificate, and your gender
and approximate age are right, there is basically nothing available to determine whether
you are that person or not. It is an easier problem to arrange that someone might prove he/she
is the same person who has been a customer somewhere for X years etc., though still not trivial.
But this is digressing...
Glenn Everhart

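To make the point above concrete (the key is the secret, and it is the everyday "identify this person by SSN" use case that forces a key into many hands), here is an added example. It is not code from any message in this thread; it is written against the Go standard library only. It assumes two separate keys, an index key for lookups and an encryption key for the few who must read an SSN back out, both generated at run time here in place of a real secret store or KMS; the SSN 123-45-6789 is a constructed sample, and the enumeration at the end assumes the attacker already knows the first five digits so the demo finishes quickly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// normalize strips separators so "123-45-6789" and "123456789" index alike;
// without it the same person gets two tokens and lookups silently miss.
func normalize(ssn string) (string, error) {
	d := strings.NewReplacer("-", "", " ", "").Replace(ssn)
	if len(d) != 9 || strings.Trim(d, "0123456789") != "" {
		return "", errors.New("SSN must be exactly 9 digits")
	}
	return d, nil
}

// blindIndex is the column that stands in for the SSN as an identifier: equal
// SSNs give equal tokens, so indexKey holders can match a presented SSN to a row
// yet decrypt nothing. An unkeyed hash would not do: 10^9 values enumerate fast.
func blindIndex(indexKey []byte, ssn string) (string, error) {
	d, err := normalize(ssn)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(d))
	return hex.EncodeToString(mac.Sum(nil)), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSSN is the column for the few callers that must read an SSN back out:
// nonce || ciphertext || tag under encKey, with a fresh random nonce per row.
func encryptSSN(encKey []byte, ssn string) ([]byte, error) {
	d, err := normalize(ssn)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(d), nil), nil
}

// decryptSSN fails with an authentication error under any key but encKey.
func decryptSSN(encKey, blob []byte) (string, error) {
	gcm, err := newGCM(encKey)
	if err != nil || len(blob) < gcm.NonceSize() {
		return "", errors.New("bad key length or ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pt), err
}

// bruteForceIndex is the attacker once indexKey has walked out the door: tokens
// reverse by enumeration. A known 5-digit prefix (assumed) keeps it to 10^4 tries.
func bruteForceIndex(indexKey []byte, target, knownPrefix string) (string, bool) {
	for i := 0; i < 10000; i++ {
		guess := fmt.Sprintf("%s%04d", knownPrefix, i)
		if idx, err := blindIndex(indexKey, guess); err == nil && idx == target {
			return guess, true
		}
	}
	return "", false
}

func main() {
	// Constructed keys; in production each comes from its own secret store/KMS, never from the DB.
	indexKey, encKey := make([]byte, 32), make([]byte, 32)
	rand.Read(indexKey)
	rand.Read(encKey)
	stored, _ := blindIndex(indexKey, "123-45-6789") // constructed sample SSN
	enc, _ := encryptSSN(encKey, "123-45-6789")
	presented, _ := blindIndex(indexKey, "123456789")
	fmt.Println("index-key holder can match the row:", hmac.Equal([]byte(stored), []byte(presented)))
	_, err := decryptSSN(indexKey, enc)
	fmt.Println("but cannot decrypt it:", err)
	ssn, _ := bruteForceIndex(indexKey, stored, "12345")
	fmt.Println("yet once the index key leaks, enumeration recovers:", ssn)
}
```

Run it with `go run`. The split does buy something: a lost backup carries only tokens and authenticated ciphertext, and the lookup path never needs the decryption key, so that key can be held by very few people. The last line is the thread's point, though: the index key, which decrypts nothing, still recovers every SSN on file by enumerating the nine-digit space once it leaks, so whichever key the many everyday lookups require is the one whose custody decides whether the data is protected at all.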

-----Original Message-----
From: Schmidt, Albert E [mailto:AES@xxxxxxxxxxxxxxx]
Sent: Friday, July 11, 2008 12:30 PM
To: Licky Lindsay; WASC Forum
Subject: RE: [WEB SECURITY] what are the rules for SSNs?


There do not appear to be laws regarding the encryption of SSNs; however, there are valid business reasons to encrypt the SSNs.
 
Social Security Numbers by themselves are public. The Social Security Administration publishes a list of Social Security Numbers issued every quarter; however, Social Security Numbers combined with information that would tie the number to an individual are not public information (and should be protected). The laws currently only address the disclosure of the SSNs and do not address the encryption; however, a point could be made that the information should be encrypted to prevent unauthorized access or to safeguard SSNs in the event of a compromise. There are several cases where companies had to disclose that they had lost backups that contained unencrypted SSNs and notify individuals whose SSNs may have been disclosed.
 

Relevant Laws


There are many laws that protect an individual's privacy, some of which deal specifically with Social Security numbers, and others that deal with protected health information or other personal or financial information. A summary of key provisions of some of the laws appears below. More detailed information about these laws and other privacy laws will be provided at the departmental level as needed for an employee's job duties. 

The following laws are summarized in this section:

*	Federal Privacy Act of 1974
*	Social Security Act
*	Family Educational Rights and Privacy Act (FERPA)


Federal Privacy Act of 1974:


*	A government agency cannot deny to any individual any right, benefit, or privilege provided by law because the individual refuses to disclose his SSN, unless Federal law requires its disclosure. (Section 7 of Pub. L. 93-579 in Historical Note, 5 U.S.C. § 552a) 
*	A government agency must provide a disclosure notice each time the agency requests an individual's social security number. The notice must state (1) whether the disclosure is mandatory or voluntary, (2) by what authority the SSN is required, and (3) what use will be made of the SSN. (Section 7 of Pub. L. 93-579 in Historical Note, 5 U.S.C. § 552a)


Social Security Act:


*	Anyone who discloses, uses or compels disclosure of an SSN in violation of the laws of the United States is guilty of a felony punishable by a fine or imprisonment up to five years or both. (42 U.S.C. § 408(a)(8)) 
*	An SSN obtained or maintained by a governmental entity pursuant to any provision of law enacted on or after October 1, 1990, is confidential and may not be disclosed. (42 U.S.C. § 405(c)(2)(C)(viii)(I))


Family Educational Rights and Privacy Act (FERPA):


*	Disclosure of a student's confidential information, including the SSN, without written consent, is prohibited, unless the disclosure falls within a specified exception. (20 U.S.C. § 1232g)


________________________________

From: Licky Lindsay [mailto:noontar@xxxxxxxxx]
Sent: Fri 7/11/2008 9:49 AM
To: WASC Forum
Subject: [WEB SECURITY] what are the rules for SSNs?



In the U.S., what laws, regulations, standards, etc. control how to handle
social security numbers?

For example, is it acceptable to store mass numbers of them
unencrypted in a database?

Not asking if it's a good idea to do so... asking if it's legal and in
compliance with standard practices. Realize those are not the same.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA







