Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Potential legal issues with storing Social Security/Insurance Numbers (SSNs/SINs)? [closed]

Tags:

security

A client using our system has requested that we store the SSNs/SINs of the end users in our database. Currently, we store minimal information about users (name, email address, and optionally, country), so I'm not overly concerned about a security breach - however, I have a suspicion there could be legal issues about storing SSNs and not taking "appropriate" measures to secure them (coming from Australia, this is my first encounter with them). Is this a valid concern?

I also read on the Wikipedia page about SINs (Canada's equivalent to SSNs) that it should ONLY be used when absolutely necessary and definitely shouldn't be used as a general identifier, or similar.

So, are there any potential legal issues about this sort of thing? Do you have any recommendations?

like image 918
nickf Avatar asked Sep 22 '08 06:09

nickf

People also ask

Can I store Social Security numbers?

Do not store any document that contains social security number (SSN) or other confidential information unless it is critical to your business process. 2. Confidential data should be stored in an area that has physical access controls in place. Filing cabinets or computers that store SSN should be in a locked room.

What are the problems with using the Social Security number as an identification number?

An organization's collection and use of SSNs can increase the risk of identity theft and fraud. Each time an individual divulges his or her SSN, the potential for a thief to illegitimately gain access to bank accounts, credit cards, driving records, tax and employment histories and other private information increases.

What information can be obtained with a Social Security number?

Many businesses ask for your SSN because it is a convenient way to identify you in their system. As a result, your social security number can now reveal all kinds of information about you, including places you've lived, your credit history, and maybe even medical conditions.

How sensitive is Social Security number?

But because the SSN is so commonly used as an individual account number, this nine-digit code ends up being a virtual pass key to a vast amount of private, and often sensitive, information about you -- your address, medical history, shopping preferences, household income, and use of prescription drugs, to name just a ...

1 Answers

The baseline recommendation would be to:

  • Inform the user that you are storing their SSN before they use your site/application. Since the request appears to be to collect the information after the fact, the users should have a way to opt out of your system before they log in or before they put in their SSN
  • Issue a legal guarantee that you will not provide, sell, or otherwise distribute the above information (along with their other personal information of course)
  • Have them check a checkbox stating that they understand that you really are storing their SSNs

but the most important part would probably be:

  • Hire a lawyer well-versed with legal matters over the web
like image 106
Jon Limjap Avatar answered Oct 03 '22 10:10

Jon Limjap
Sign in to Comment

Related questions

API for retrieving/send data from/to a database
Are XSS attacks possible through email addresses?
Transparent SSL/TLS proxy for non-HTTP(S) connections (tool suggestions)
Best way to allow users access to your app using their Google credentials
What security privileges does Jython need, to successfully run untrusted Python code?
What exactly does the phantomjs option "--web-security=false" turn off?
How can I hide userid/password in a SQL Server connection string?
AndroidKeyStore wiped out after device password change
Is the Access-Control-Allow-Origin CORS header required when doing a preflight request?
Sql injection can someone explain this code to me
How to check png file if it's a decompression bomb
Rails image and tracking protection
Is preventing open redirects attack in nodejs secure?
What is the benefit of blocking cookie for clicked link? (SameSite=strict)
Spring Security - whitelist IP range
How/why cygwin breaks windows permissions?
Where store password / login-path in MariaDB (equivalent for mysql-config-editor)?
How to secure store password in a JCL FTP?
How to deploy software builds from Azure DevOps to internal servers?
Are Intel's PTT and TPM equivalent

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!