
Re: [WEB SECURITY] what are the rules for SSNs?




Hi Licky:

I realize that your question was specific for the United States, but many times when opening a web application up to accept public input, you may find that you wind up with foreign submitted data.

My standard joke about this is that the "North American Firewall" is a mythical entity. These days a public-facing service is effectively a global service.

Various countries have personal information such as gender or birthday included directly in their national ID numbers. The Wikipedia page for national identification numbers is eye-opening.

    http://en.wikipedia.org/wiki/National_identification_number

The Italian Codice Fiscale, for instance, includes family name letters and location data. Iceland's kennitala does something similar with location. France's INSEE encodes gender, as does the Chinese ID card number, etc.

If I am interpreting your question correctly to be asking for relevant law covering social security number handling and retention, you would be well advised to consult with an attorney in your state.
California has had Senate Bill 1386 since 2002. Connecticut has some legislation set to go into effect later this year.


Again, talk to your lawyer.



Mat Caughron, CISSP
(408) 910-1266


