|Received:||8/7/2007 7:48:05 PM|
|Agency:||Federal Trade Commission|
|Rule:||Private Sector Use of SSNs|
Comments: I work for a financial institution (in the Fortune 500). Politics in the organization do not facilitate protecting users' data from identity theft. The driver pushing protective security measures is regulations with the fear of regulatory punishment. The FTC should consider regulations similar to PCI DSS 1.1 in data protection of SSN and other personally identifiable sensitive data. PCI is specific in controls, many of which follow NIST recommendations. Given the regulation, companies would be forced to ignore their bad politics and take effective measures to protect employees and consumers.