| Received: | 8/7/2007 4:26:45 PM |
| Agency: | Federal Trade Commission |
| Rule: | Private Sector Use of SSNs |
Comments:

1. Decreasing the public use of SSNs: introduce penalties for governmental entity misuse of SSNs, applicable to state, federal, and local agencies. At this point, a city owned water company can lose a shoebox full of customer cards with SSNs on them and get away with a "so sorry" for their incompetence. Dubious uses of SSNs for non-approved activities (BATFE forms stored for a duration of time functionally at the pleasure of the BATFE come to mind) must be curtailed. The implementation of REAL ID is completely at odds with this purpose. My SSN is now linked with driver's licenses in multiple states. Local police are not permitted by many entities to enforce immigration law, so what law enforcement use does creating more instances of my SSN serve except to increase my exposure? Unless an exposure hits the press, governments are not bound to disclose the loss of control over PII, to include the SSN, as commercial entities regulated by GLBA or industry codes like PCI DSS are. Government entities are a black hole of our information, its use and our protection. At the very least, impose third party audit requirements around SSN controls to be imposed first on states, then down to the local level. Hopefully, this will curtail "convenience use" because of the expense.

2. Data Security in the private sector: the use of SSNs for any private purpose must be banned by federal mandate. It is wholly possible to check the credit record of a rental prospect without providing a social security number. However, without an explicit ban on requesting the information, many consumers simply fill in the information. Also, without an explicit ban on the collection of SSNs in secondary financial transactions, such as property rentals, consumers are left with no choice but to sleep in a box or agree to provide their SSN to an entity with no verifiable security procedures or precautions other than a locked door. Financial institutions that make use of SSNs require background checks for employees that have exposure to this information, yet the secondary services (rental agencies, etc.) have no such statutory requirement in an environment where there will be fewer compensating controls protecting the consumer.

Responding to breaches in the private sector: Notice is not required when technological "protections" prevent fraudsters from accessing data. This has been interpreted to mean that an aged piece of tape reading equipment readily available on eBay was, by its sheer age, a technological protection. Unacceptable.

National Standardization: Any national standards surrounding data protection safeguards and notification must NOT preempt state legislation. The sum of 50 parts is greater than the watered down coverage of one bill that can be attacked by not only industry lobbyists but by federal "excuses." To educate small businesses, simply sue them out of existence.

Public Awareness Campaign: This is a nice sentiment, but ineffective. I and those close to me are sufficiently paranoid about guarding the key to the kingdom, our SSNs. And yet the tools available to us are insufficient to provide us the capability to protect it ourselves:

a) I can still be functionally forced into providing my SSN for use by an essentially invisible unregulated entity (rental agency)
b) I am forced to tie my SSN to a driver's license
c) I cannot freeze my own credit file in most states
d) Certain private and government entities (Sallie Mae) report SSNs as account numbers to the credit bureaus, meaning that even a credit request made without my SSN will result in the user seeing my SSN. There is no recourse for removal, and there are thousands in this situation that received loans prior to 2001.