Almost all U.S. states have security breach laws that require, at a minimum, notification of the affected individuals when a data holder suffers unauthorized disclosure of certain personally identifiable information.
The important facts to know are the definitions of personally identifiable information and what it takes to achieve “safe harbor” in the event of disclosure.
The usual definition of personally identifiable information is a name (and/or other individual data) combined with a Social Security number or financial account information. If the disclosure lacks one or the other item (e.g. a list of Social Security or account numbers without the corresponding names), then it will generally not trigger the notification requirement.
A critical thing to know is that if the data is encrypted when the unauthorized disclosure occurs, safe harbor is established. Read "encrypted" carefully: many statutes withdraw the safe harbor if the decryption key was acquired along with the data, whether scrambling, masking or hashing qualifies depends on the wording of the particular statute, and from a security standpoint a plain hash of a nine-digit Social Security number is reversible by simply trying all one billion values, so it should not be relied on. There have been proposed federal laws that do away with the safe harbor for encryption, but as of now none has been enacted into law.
Another critical thing to know is that some states prohibit the transmission of unencrypted personal information. There are few available guidelines as to what kind of encryption is sufficient. NIST (the National Institute of Standards and Technology) publishes the standards that U.S. government agencies must use to secure sensitive but unclassified information (FIPS 140 for cryptographic modules and FIPS 197, the AES cipher), and as a likely consequence these may become the de facto encryption standard for commercial transactions in the private sector.
If you are storing or working with Social Security numbers or other legally protected information and have not cleared the entire process with your legal resource, you may be exposing yourself to extreme risk: major notification expense (and perhaps credit monitoring and other indirect damages) and a very harmful hit to your business reputation.
When it comes to this type of information, finding ways to collect and transact it with fewer touchpoints is an excellent way to reduce information-systems risk exposure. If you are using an ATS or recruitment software system, check with your vendor that the pertinent data are in fact encrypted, both at rest in the database and in transit (for example over TLS), with the keys held apart from the data, and make sure all required configurations are in place and tested to ensure compliance.
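As an added example (not code from the original post or from any ATS vendor), here is what "the stored Social Security number is encrypted" looks like in practice, using AES-256-GCM, a NIST-approved authenticated cipher that Go ships in its standard library. Assumptions: the key is obtained from a separate key-management service and is never written next to the data (here it is generated in memory for the demo), and the sample SSN is constructed. The round trip, the wrong-key case and the masked display show why a stolen database dump holds only ciphertext, why a hash or a masked string is not a substitute for the stored value being encrypted, and why the key must not travel with the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// newSSNKey returns a random 256-bit key. Assumption for this example: in
// production the key comes from a KMS/HSM and is never stored beside the
// ciphertext, which is what keeps a stolen database dump unreadable.
func newSSNKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSSN seals one SSN with AES-256-GCM (NIST SP 800-38D). The output,
// base64(nonce || ciphertext || tag), is what the database column holds.
// GCM needs a fresh random nonce for every record encrypted under the same key.
func encryptSSN(key []byte, ssn string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(ssn), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptSSN opens a stored value. Open fails (and returns no plaintext) if the
// key is wrong or if any byte of the nonce, ciphertext or tag was altered.
func decryptSSN(key []byte, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("stored value too short to be nonce+ciphertext+tag")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// maskSSN is the display form for screens and logs: last four digits only.
// Masking is a presentation control, not a substitute for encrypting the
// stored value.
func maskSSN(ssn string) string {
	digits := strings.NewReplacer("-", "", " ", "").Replace(ssn)
	if len(digits) != 9 {
		return "invalid"
	}
	return "***-**-" + digits[5:]
}

func main() {
	key, err := newSSNKey()
	if err != nil {
		panic(err)
	}
	const sample = "123-45-6789" // constructed sample, not a real SSN
	stored, err := encryptSSN(key, sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("column value:", stored)
	fmt.Println("display:    ", maskSSN(sample))

	back, err := decryptSSN(key, stored)
	fmt.Println("round trip: ", back == sample, err)

	// An attacker holding the dump but not the KMS key gets an error, not data.
	other, _ := newSSNKey()
	_, err = decryptSSN(other, stored)
	fmt.Println("wrong key:  ", err)
}
```

The vendor check this supports: ask where the key lives relative to the database, whether each record gets its own nonce, and whether the application ever writes the decrypted value to logs or exports, since any of those undoes the protection the stored ciphertext provides.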
That's a good question, Aaron. The answer (of course): it depends. If you access the BG company portal directly, they will store and encrypt the data. If you access your BG vendor via your ATS, the integration technology will determine which database and system will transact the data. In some cases, the SS number will be held in memory only until the BG vendor sends the accepted message; in other cases, the ATS will hold and encrypt as well as the BG vendor. Liability may flow to the customer even if the BG vendor suffers the disclosure, so it may be wise to check your contracts with your BG vendor to make sure that if they suffer an unencrypted breach, they bear the notification costs.