
Re: [WEB SECURITY] what are the rules for SSNs?



Mat,

Thanks for referencing California's SB 1386 because a deeper look into
SB 1386 highlights a few points that are worth considering for Licky.

Licky, your original question seemed to ask for compliance issues
specific to SSNs but I would encourage you to take a wider view and
consider compliance concerns of SSNs as they apply to the larger
picture of Personally Identifiable Information (PII),
http://en.wikipedia.org/wiki/Personally_identifiable_information.

I think where the rubber hits the road here is the compliance
concerns for PII and how SSNs can influence these larger PII concerns.

Specifically, let's take SB 1386 as an example.  SB 1386 is a
California law regulating the privacy of personal information and
requires public disclosure of specific security breach events.  Any
agency that owns or licenses computerized data that includes personal
information shall disclose any breach of the security of the system
following discovery or notification of the breach in the security of
the data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person.

I like this link as a reference for explaining the text of SB 1386
http://www.legalarchiver.org/sb1386.htm

It is clear from the text of SB 1386 that encryption of PII is the key
for proactively addressing compliance concerns.

It is also clear that the scope of SB 1386 extends beyond just SSN to
include an individual's first name or initial and last name, in
combination with one of the following:

(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with
any required security code, access code, or password that would permit
access to an individual's financial account.

Note:  I would add 'mother's maiden name' to the list above even
though it is not specifically referenced, as it is common knowledge
within information security circles that the combination of SSN and
'mother's maiden name' offers an identity thief roughly the
equivalent of 'the keys to the kingdom' in terms of compromising a
person's identity.

The key point here is that SSN compliance concerns must be considered
from the larger context of how SSNs indirectly influence PII
compliance concerns.

The other issue related to SB 1386 that I was hoping to raise is that
the enforcement of SB 1386 appears to be lax to nonexistent at best.
Many companies seem to be rolling the dice that they will not be the
inevitable "poster child" for these larger PII compliance concerns
which unfortunately makes our jobs as security
professionals/evangelists *much* more difficult.

Hope this helps.

joe

<<<>>>

On Sun, Jul 13, 2008 at 4:53 PM, Mat Caughron <mat@xxxxxxxxxxxxxxxxx> wrote:
>
> Hi Licky:
>
> I realize that your question was specific for the United States, but many
> times when opening a web application up to accept public input, you may find
> that you wind up with foreign submitted data.
>
> My standard joke about this is that the "North American Firewall" is a
> mythical entity.  These days a public facing service is effectively a global
> service.
>
> Various countries have personal information such as gender or birthdate
> included directly in their national ID numbers.  The wikipedia page for
> national identification numbers is eye-opening.
>
>    http://en.wikipedia.org/wiki/National_identification_number
>
> The Italian Codice Fiscale, for instance, includes family name letters and
> location data.  Iceland's kennitala does something similar with location.
> France's INSEE encodes gender as does the Chinese ID card number, etc.
>
> If I am interpreting your question correctly to be asking for relevant law
> covering social security number handling and retention, you would be well
> advised to consult with an attorney in your state.
> California has had Senate Bill 1386 since 2002.   Connecticut has some
> legislation set to go into effect later this year.
>
> Again, talk to your lawyer.
>
>
>
> Mat Caughron, CISSP
> (408) 910-1266
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
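As an added example (not code from either post), the Python below decodes the French INSEE number Mat mentions and checks its control key, which is the kind of input validation a web application should do before storing such an identifier. It makes Mat's point concrete: sex, birth month and year, and department of birth are readable straight out of the number, so the field is PII in its own right. The sample number is constructed, not a real person's; the field layout and the "97 minus remainder" key rule are the published NIR format.

```python
import re

# French INSEE / NIR layout: S YY MM DD CCC OOO KK (13 characters + 2-digit key).
# Department may be a Corsican code 2A/2B; everything else is numeric.
NIR_RE = re.compile(r"^([1-9])(\d{2})(\d{2})(\d{2}|2[AB])(\d{3})(\d{3})(\d{2})$")


def nir_key(body: str) -> int:
    """Control key for the first 13 characters: 97 - (body mod 97).
    For the key calculation the Corsican departments 2A and 2B are
    replaced by 19 and 18 respectively (published INSEE rule)."""
    dept = body[5:7].replace("2A", "19").replace("2B", "18")
    numeric = body[:5] + dept + body[7:]
    return 97 - (int(numeric) % 97)


def decode_nir(nir: str) -> dict:
    """Return the personal attributes embedded in a NIR plus whether its key checks out.
    Raises ValueError if the value is not even NIR-shaped."""
    m = NIR_RE.match(nir.replace(" ", ""))
    if not m:
        raise ValueError("not a NIR-shaped value")
    sex, yy, mm, dept, commune, order, key = m.groups()
    sex_digit = int(sex)
    # 1/3/7 are issued to men, 2/4/8 to women (3,4,7,8 are temporary/foreign-born series).
    if sex_digit in (1, 3, 7):
        sex_label = "male"
    elif sex_digit in (2, 4, 8):
        sex_label = "female"
    else:
        sex_label = "unknown"
    body = sex + yy + mm + dept + commune + order
    return {
        "valid": nir_key(body) == int(key),
        "sex": sex_label,
        "birth_year_yy": yy,        # century is not recoverable from the number alone
        "birth_month": int(mm),     # values above 12 are used for unknown-month cases
        "department": dept,
    }


if __name__ == "__main__":
    # Constructed sample: male, born 03/85, department 75 (Paris), key 32.
    print(decode_nir("1 85 03 75 115 123 32"))
```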
