Please do not e-mail my social security number

Recently I had a very interesting incident. I wrote an article some time in 2008 and the publisher paid me a little bit of money for it. That means the publisher must send a report to the Internal Revenue Service (IRS - the U.S. tax department) reporting that they paid me, as well as send me a form called a 1099 form that I can use to report this money on my tax return.

A few days ago the comptroller for the publisher sent me an e-mail asking for my social security number (my national ID number for any non-Americans that are unfamiliar with the term). As is my custom, I responded that I really do not care to e-mail my social security number, but if he gives me a phone number I will gladly call him and let him know. This he did. I called, and within 15 minutes of the call I received a form California DE 542 in the mail. The DE 542 is required by the state of California when money is paid to a contractor, or a contract is entered into to pay money to a contractor. Its purpose is to permit the state to track payments to parents who do not pay their child support. Not only do I not need this form as I am not a resident of California; it also contains, you guessed it:

my social security number.

At this point I started wondering what part of "I do not wish to have my social security number transmitted by clear-text e-mail" was unclear. I sent a message to the sender that informed him that this could quite possibly be considered a data breach and require notification under Washington State SSB 6043, which requires formal breach notification. As of today, I am still awaiting a response. Any response.

Just because I felt like griping to someone, I forwarded the e-mail to my favorite accountant. Her response was "yeah, I know lots of CPA firms who e-mail around unencrypted 1040s." (A "1040" is the U.S. federal tax return form.) I was absolutely floored. Last week credit card processor Heartland reported that they had experienced what may very well be the largest data breach in world history. Many banks are replacing every single one of their credit cards because of it. In fact, I took a call from a distressed bank manager just this morning asking whether it would be prudent to do so (the answer was "yes"). Yet, does that not pale in comparison to the number of unencrypted 1040s e-mailed around by tens of thousands of accountants every year, and the untold millions of other tax-related forms that traverse unencrypted network channels?

If you steal my credit card number, I can call the bank and ask them to issue me a new number. A few days later, I have a new card. The bad guy can, at worst, incur a few hundred dollars in charges, maybe a few thousand if they are really lucky. Yet, credit card data is somehow seen as the primary piece of data that needs protection. How many news reports have you read that discuss a computer breach and include the words "no credit card numbers appear to have been compromised?" Have we completely lost sight of the fact that there may be other pieces of information that need protection?

Consider the corollary. If you steal my social security number, you can take over my house, get any number of credit cards in my name, give me a criminal record, get a driver's license in my name... And, how do I clean it up? If I call the Social Security Administration and ask for a new number because my existing number has been compromised they would simply laugh at me. Only in exceptionally rare circumstances do they issue new numbers. In some states I am permitted, if my social security number has been compromised, to put in a credit report freeze, but the burden is on me, as the victim, to prove that my information has been compromised before I can get a freeze. If I am deemed worthy of getting the barn door closed after the horses have fled, I get to pay $30-60, per freeze, per credit bureau, requested by certified mail. And each freeze may only be good for 90 days. That's only in some states. Other states prohibit credit freezes, and a few, more progressive ones, actually permit consumers to close the barn door before the horses run away. The freeze usually still costs money, and usually is still time-limited, and usually still requires that you use certified mail to each credit bureau to request it. Fortunately, you can "thaw" the freeze by making a single phone call and typing in a four-digit PIN.

What is wrong with this picture? Why are accountants and comptrollers still e-mailing around the source data - social security numbers; while we as consumers only seem to care about the derived data - the credit card number? Why is there a Payment Card Industry (PCI) Data Security Standard that, while widely ignored, attempts to set data protection standards for cardholder data; but no Social Security Number security standard that establishes requirements for protection of social security numbers and liability for anyone who compromises someone else's Social Security Number?

Why do we not see any Attorneys General up in arms over that one? Who is going to help me protect the source data?

Published Tue, Jan 27 2009 9:38 PM by jesper

Comments

# Chris said on 28 January, 2009 01:46 AM

Nice article.  

Same sort of thing happens here in California when dealing with Title/Escrow Companies.  They ask for all sorts of information to "setup your account" that isn't relevant to their services.  And if you have ever been inside a title company you will notice that information security isn't high on their priority list.  Filing cabinets all over the place with all sorts of sensitive records.

# Pete said on 28 January, 2009 01:48 PM

There are likely about 150,000 - 250,000 people that get "legitimate" access to your SSN over its lifetime to begin with, so the incremental risk associated with this email is pretty small. I say publish all SSNs so we can eliminate the facade of secrecy and move on to a more secure solution for authentication. SSNs are still fine for identification.

# Michael Dickey said on 28 January, 2009 03:02 PM

The real question is: "Is your SSN supposed to be private/sensitive information?"

# jesper said on 28 January, 2009 03:16 PM

The SSN is certainly treated as an authenticator today. By extension, therefore, it is sensitive information. Whether that is a good idea or not is an interesting question.

# gbromage said on 28 January, 2009 04:48 PM

I guess it comes down to what Bruce Schneier has been saying for years - the need to keep Identification and Authentication as separate things. SSN is good for Identity, but bad as an authenticator.

# Don said on 29 January, 2009 09:18 PM

A 1099 is not required for a payment less than $600.  There was no reason to give them your SSN if the check was less than that.

# Jeff Martin said on 30 January, 2009 10:47 AM

I have to agree that all SSNs should be published to remove any value they might have as an authenticator. All this attention is being paid to a number that lives in thousands of places. Have you ever been to a doctor or hospital? Believe me, I work in health care IT and you have a lot more to worry about from their systems than from an email. It would be child's play to get into almost any hospital's network and steal SSNs, etc.

# ameyer said on 30 January, 2009 02:11 PM

I suspect that the reason the credit card breaches get far more media attention is because those breaches cause a direct and immediate cost to the credit card companies. Identity theft however tends to hit the little guy much harder, the person whose identity has been stolen tends to incur the greater cost.

The credit card companies tend to be less forgiving of debts incurred in your name by a breach of your personal information than by a breach caused by a breach in the chain of a legitimate transaction, for which they hold the liability.

When your identity has been stolen they can claim that they entered into the agreement in good faith based on what they believed to be legitimate information supposedly validated by the government.

# Don said on 30 January, 2009 03:42 PM

Publishing SSNs does not remove their value. It enhances it.

# Mike said on 10 February, 2009 11:29 AM

I work for the US Dept. of Defense. They don't use your SSN, they use your employee ID number. Anyone want to guess what that is?

# DmitryK said on 08 March, 2009 09:33 PM

In regards to not reporting payments of less than $600: surely this can be bypassed by spreading the whole sum in $599 chunks across multiple days (and/or multiple people)?

# steve said on 12 March, 2009 08:21 AM

Hi, what if you already emailed your SS # to a lawyer who requested it? What can you do to see if your # has been compromised?