Hal Berghel and Bob Aalberts
(c) 2009- Hal Berghel and Bob Aalberts - all rights reserved
Some federal agencies - e.g., the Social Security Administration and the IRS. The use of the SSN was a byproduct of the Social Security Act of 1935. This was extended to federal agencies other than the SSA by Executive Order 9397 in 1943. These restrictions were further relaxed in the Federal Privacy Act of 1974 to include state and local agencies. This let the toothpaste out of the tube. Now state governments are attempting to get the toothpaste back in the tube with what are called "Breach Notification Laws."
State breach notification laws are becoming increasingly common. Generally these laws require companies, and in some cases state agencies, to report to consumers if their computers have experienced a security breach resulting in important personal information being released to unauthorized parties. As of March 2009, 44 states and the District of Columbia had passed such laws. Although the laws differ somewhat, they generally replicate California’s breach protection law passed in 2003. The only states presently without such a law are Alabama, Kentucky, Mississippi, Missouri (law is pending), New Mexico and South Dakota.
Presently there are at least 39 states which have passed laws protecting the privacy of social security numbers (SSNs). According to the Kennedy source (below): “these statutes prohibit a person or entity from (i) publically posting, displaying or disclosing an individual's SSN; (ii) printing an individual's SSN on any card or tag required for the individual to access products or services; (iii) requiring an individual to transmit his or her SSN over the Internet without encryption or a secure connection; (iv) requiring an individual to use his or her SSN to access a website (unless a password is also required); (v) printing an individual's SSN on any mailed materials; (vi) selling, leasing, trading or otherwise disclosing an SSN to a third party without consent of the individual; or (vii) encoding or embedding an SSN in a card or document in lieu of removing the SSN as required by law.”
In addition, at least two states, Michigan and Massachusetts, require businesses that collect SSNs to have an “information security program that specifically addresses SSN protection.”
In 2008, the FTC released a white paper urging Congress to adopt a federal law similar to those that exist at the state level.
(See John B. Kennedy, “U.S. Information Security Law Update 2009: The Patchwork Quilt of Regulations Continues to Grow,” Tenth Annual Institute on Privacy and Data Security Law, June, 22-23, 2009).
We know of no law that authorizes health care professionals to use SSNs in patient records or for purposes of filing insurance claims. At this writing many physicians still ask patients for their SSNs, but so far as we can determine they have no more legal right to this information than the clerk at the local convenience store.
Doctors and hospitals handle many kinds of sensitive personal information. However, their exposure to liability and damages is limited. Under HIPAA (Health Insurance Portability and Accountability Act) federal courts have generally ruled that, although HIPAA provides a patient with some privacy rights, the Act does not contain a personal right to sue the disclosing party for damages. Government agencies, however, can sue to collect criminal and civil penalties, but this does not remedy the victim's personal loss. An aggrieved party's main remedy at this point would lie under state common law and statutory law, which is presently evolving. For example, a plaintiff may argue that HIPAA provides a standard of care for how a doctor handles sensitive information. If he breaches that standard of care and it causes a foreseeable outcome that causes the plaintiff to suffer a physical, mental or monetary loss, then the doctor may be liable for damages. Still, as mentioned, at this point there are not many cases to draw upon for guidance.
We would be remiss if we failed to mention that there's a strong disincentive for responsible health care professionals to request information that is not directly related to treatment of the patient. The HIPAA Privacy Rule that provides some safeguards of patient's personal information. The more information collected, the more that has to be protected. Since SSNs are targets of identity thieves, health care professionals would be wise to reflect on whether they want their office files to be a target of identity thieves lest they incur potential deferred liability.
It depends, but probably not.
The Office of Foreign Assets Control, or OFAC, "...administers and enforces economic sanctions programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers." (http://www.treas.gov/offices/enforcement/ofac/faq/answer.shtml) It is not in the business of monitoring new car sales unless such sales fall under the rubric, above. We have not been able to confirm that OFAC has any horse in the new car race. What may be more likely is that the particular dealership is under investigation for some reason, and they require the customer's signature as a CYA tactic.
The government does require that a merchant exercise due diligence on transactions suspected of falling under the OFAC umbrella. That is, if you walk into the dealership looking like a gang banger and flash rolls of $100 bills, you might fall under this umbrella - but even this might be a stretch as this could lead to civil proscecution for civil rights violations.. However, if the dealership genuinely feels you are a terrorist or narcotics trafficker, or deriving economic benefit from illegal activities (how they could justify concluding such things is another issue altogether), they may have to report it. But even then, we can find no mention of any requirement of merchants that they record customer's Social Security Numbers. Neither have we found mention of a $10,000 threshold that would trigger such monitoring. You can look this up yourself at http://law.justia.com/us/cfr/title31/31-3.1.1.1.2.5.1.1.html.
Supplying automobile dealers with your SSN may be at your own peril since we are not aware of any legal reason for them to require it. You might ask them specifically why they request this information, ask them for references to the applicable state or federal laws, and insist that they document their request and reasons for the request in writing. We suspect that they will be unwilling to put anything in writing. Caveat emptor!
Legitimate? If by "legitimate" you mean lawful, perhaps. If by "legitimate" you mean conforming to accepted rules and standards, probably not. If you mean by "legitimate" conducting business with the interests of the customer in mind, absolutely not.
We have seen these forms before. . From our experience they're prepared by companies who sell services to automobile retailers to increase their profits. One such form (Reynolds and Reynolds Law Form No 750S-PNNA) that we've seen in use in Las Vegas has two operative parts that read as follows:
"Collection of Private Information - We may collect the following kinds of Private Information about you from the following sources:
Disclosure of Private Information - We may disclose some or all of the Private Information (described above) under the following circumstances:
One doesn't have to be a Harvard Law grad to figure out that this is not in the interest of the customer because it's too open-ended. In the case of a cash sale, this is simply irresponsible on the part of the dealership. They have no reason to expect the customer to sign such a release. Industry insiders have suggested to us that there are two main reasons for the use of this form: (1) the dealership is under investigation of has been the subject of complaints regarding their business practices, and they require this signed form so that the customers cannot sue them for unauthorized use of personal information, and (2) the dealership relies on the income from the sale of personal information to 3rd parties. In either case, this works against the interest of the customer. We would go so far as to recommend that you avoid doing business with any company that uses general privacy waivers like this.
Laziness and convenience are two contributors. SSNs had become a crutch by the 1960s- universities, state and local governments, banks, health care providers, merchants of sundry shapes and sizes, all came to view the SSN as a primary ID number. For many years, DMVs actually put the SSNs on driver's licenses. To this day, some law enforcement agencies still broadcast names, addresses and SSNs over police radios for all to hear. The misuse of SSNs became self-fulfilling - everyone did it because everyone did it.
Misuse of SSNs was never a good idea because SSNs and Social Security Cards are not reliable as identifiers (duh, just look at the simplicity of card and ease with which they are obtained from the SSA), but by the time the identity thieves and fraudsters of every stripe began to depend on SSNs in their crime, it became clear that misuse and over-reliance on SSNs was a really bad idea. When you are asked for your SSN by an agency, organization, or individual that isn't legally authorized to have it, you should probably assume that this request is not in your interest.
Here are two quotes to remember from the Better Business Bureau Website (www.bbbonline.org/consumers/tips.html):
So far as we can determine, you can accomplish the same thing yourself for free. The three major credit reporting services, Experion, TransUnion, and Equifax will provide free credit reports on request at least annually. This is reported in a Federal Trade Commission "Facts for Consumers" online brochure. To quote from the brochure:
"To order, visit annualcreditreport.com, call 1-877-322-8228, or complete the Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The form is on the back of this brochure; or you can print it from ftc.gov/credit. Do not contact the three nationwide consumer reporting companies individually. They are providing free annual credit reports only through annualcreditreport.com, 1-877-322-8228, and Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281."
Incidentally, Life Lock agreed to pay $12,000,000 to settle charges of misleading advertising iu March, 2010. For further information, see:
Yes. You should not let anyone photocopy personal documents if you can avoid it. As a general rule, don't allow anyone to photocopy any personal information that you wouldn't send to them in email or send them in a fax or letter. The reason for this is twofold: (1) any breach of security that affects the merchant/landlord/office, etc., may effect you. To get some appreciation of the dangers, visit the ITFF/ROC reading room. Hundreds of millions of customers, patients, etc. become victims of identity theft and financial fraud each year because of ineffective security procedures of businesses, organizations and agencies whom they have trusted with personal information. (2), Understand that modern photocopiers work by initially saving the scanned image on a hard disk and then send the image to the print engine from the stored copy. The reason for this is efficiency. If you think back to the jurassic period of copiers (i.e., pre-2000), you'll remember that the old copiers had to scan the image every time that a copy was made - you could actually see the moving light leaking out from under the scanning bed each time a copy was made.. This involved a lot of extra mechanical work, resulting in slower copy speeds and less reliability. Todays' copiers scan once to print multiple copies.
Well, as you might suspect, these stored documents (aka files) don't just go away after the copying is completed. File management on a copier works much like the file manager on your desktop computer: the files stay around until the file manager needs the space. For example, when you delete a file in Windows, the file doesn't go away - it's space is simply re-allocated to the file manager for later use as needed. If the need for the space isn't great (it usually isn't because modern hard drives are so large that there's usually unused space available), the file just hangs around on the disk. Modern digital forensics tools like Encase and FTK can recover them with ease. But there's one important difference between a copier file manager and that of a computer - the computer gives you the option of encrypting the files so that even if the file is subsequently recovered by a third party, they can't view it without the encryption key. This option (called, Encrypted File System or EFS) has been built into Windows since Windows 2000. Encryption is not offered by default in the modern copiers that we know of, although it is offered as an relatively expensive option so cost-concious organizations typically to not order it. As a result, there are millions of old copiers out there, and thousands more joining them each day, that have a wealth of sensitive information on them. There are identity theft and fraud rings out there searching for personal information for criminal exploits as you read this because of the ease with which this data may be recovered. Eventually, professional offices and merchants will either be pressured by litigation or embarrassed by the media to migrate to encrypted copiers, but this may take years (this should have been a standard 10 year ago!). For the moment, we're all vulnerable.
Here are some suggestions on how you can minimize your risk:
Additional information on is vulnerability may be found on the Internet - see, e.g., CBS News report "Digital Photocopiers Loaded with Secrets" (video): ; or thestar.com's report "High-tech copy machines a gold mine for data thieves".
For a general overview of the art and practice of recovering data from hard drives, see our "Diak Wiping by any Other Name".
By the way, the same thing applies to digital cameras!
There are at least two answers to this. Let's refer to them as "politically correct, vendor and merchant-neutral, and privacy insensitive" and "politically incorrect, citizen-friendly, and privacy sensitive. The received view (endorsed by the FTC, FBI, BBB, etc.) goes something like this:
The more aggressive, not-so-merchant-friendly, privacy zealot approach is more like this:
DO NOT look for any silver bullets when it comes to protecting your identity - there are none. The only defense is eternal vigilance.