Social Security Numbers, Public Records and Privacy

   
Unaturhorized access to social security numbers is a hot issue in Wisconsin, as it is all over the country. Over the last few years, state agencies in Wisconsin have inadvertantly disclosed citizens’ social security numbers ina number of high profile cases, including:

2006 – A Wisconsin Department of Revenue contractor mailed Wisconsin tax booklets to 170,000 residents with their social security numbers printed on the address label;

2007 – The University of Wisconsin-Madison published the names, e-mail addresses, and social security numbers for two hundred faculty and staff of the UW-Madison’s Division of Information Technology in an online database; and,

2008 – The Wisconsin Department of Health and Family Services sent a mailing to 260,000 Medicaid participants with their social security numbers printed above their names on the address labels.

Appallingly, some individual’s social security numbers were released not once, but twice during this time.

 

Social Security Numbers and Public Property Records

Unauthorized access to social security numbers also is an issue for the geospatial community as public property records are published over the Internet, often in combination with searchable online mapping applications. In 2006, the Public Records Industry Association (PRIA) developed model legislation and a set of best practices for the handling of social security numbers on property records.

 

Will Proposed Wisconsin Legislation “Fix” the Problem of Unwanted Disclosure of SSNs?

In Data Privacy Fix Broader Than Social Security Number,  published in Wiscconsin Technology Network (WTN) on May 3, 2008, attorney Mark Foley provides an important critique of proposed Wisconsin Assembly bill AB 771, which is intended to protect our privacy against unauthorized disclosure of our social security numbers by the government; a quick snapshot of his article follows:

 On March 5, the Wisconsin Assembly passed Bill AB 771, which prohibits any state agency from using a Social Security number as an identifier unless such use is required by state or federal laws or regulations, or is otherwise authorized by law. If enacted by the Senate and signed by the Governor, this bill will join many other laws in Wisconsin and elsewhere that limit the use of SSNs, but the issue involved is broader than SSNs alone. The passage of this bill should remind everyone of the need to apply the “Use Limitation Principle” to all information technology activities. …  If the purpose of AB 771 is to prevent similar disclosures of SSNs in the future, it is not likely to succeed. This is because both state agencies involved are authorized or required by law to collect and use SSNs for their activities. These agencies will still have the SSNs and the data will still be at risk. The problem, and the solution, lie elsewhere.

Useful limitations

Unauthorized uses or disclosures of SSNs often result from violation of the “Use Limitation Principle.” That is, to best protect privacy interests, data should be collected only for a specified limited purpose and not used for any other purposes. … The “Use Limitation Principle” would bar the use of a SSN for anything but its original purpose. Although you might still need the SSN somewhere in your payroll database to report earnings and tax withholding to the government, you would not use the SSN as your primary employee ID and would not use it to link various subcategories of data. Rather, you would develop one or more unique employee identifiers that do not include and are not based on the SSNs. Then, if data containing your identifiers are lost or stolen, the risks of data compromise are limited to your own database, and the risks of identify theft or other misuse are much reduced. And you would not allow, much less encourage, use of a SSN as a user ID or password. …

Source: Wisconsin Technology Network

For the full text of the article, visit: http://wistechnology.com/articles/4730/
For the full text of Wisconsin bill AB 711, visit: http://www.legis.state.wi.us/2007/data/AB-771.pdf

Tags: , , , , , , , , , , ,

One response to “Social Security Numbers, Public Records and Privacy”

  1. L. A. Shanley says :

    See also, “Judge lets privacy advocate keep Social Security numbers on Web site” from Computer World Security, August 27, 2008: http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9113642

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: