Search Articles
Reproduction permitted for personal use only. For reprints and reprint permission, contact reprints@wistechnology.com.
Data privacy fix broader than Social Security numbers
May 3, 2008
Editor's note: Gov. Jim Doyle has called for state agencies to replace Social Security numbers with random identifiers for the administration of state programs.
On March 5, the Wisconsin Assembly passed Bill AB 771, which prohibits any state agency from using a Social Security number as an identifier unless such use is required by state or federal laws or regulations, or is otherwise authorized by law. If enacted by the Senate and signed by the Governor, this bill will join many other laws in Wisconsin and elsewhere that limit the use of SSNs, but the issue involved is broader than SSNs alone. The passage of this bill should remind everyone of the need to apply the “Use Limitation Principle” to all information technology activities.
The bill responds to several high profile, unauthorized disclosures of SSNs by state agencies. In late 2006, a contractor mailed 170,000 residents Wisconsin tax forms with SSNs printed on the label. In November 2007, the names, e-mail addresses, and SSNs for 200 faculty and staff of the University of Wisconsin-Madison's Division of Information Technology were published in a web database created for “statistical analysis.” In January 2008, the Wisconsin Department of Health and Family Services mailed information to 260,000 elderly, disabled, and low-income individuals with their SSNs visible.
The main concern about such disclosures, whether by government or businesses, is that SSNs can be used for identity theft. Criminals can use SSNs with correct, incorrect, or made-up names to create new identities and open credit accounts. Credit agencies are not required to, and generally do not, give notice to an account holder when his SSN is used to open an account in a different name. As a result, SSN-based fraud can go undetected for years until a lender denies the real SSN owner credit or tries to collect from the real owner a debt she did not create.
If the purpose of AB 771 is to prevent similar disclosures of SSNs in the future, it is not likely to succeed. This is because both state agencies involved are authorized or required by law to collect and use SSNs for their activities. These agencies will still have the SSNs and the data will still be at risk. The problem, and the solution, lies elsewhere.
Useful limitations
Unauthorized uses or disclosures of SSNs often result from violation of the “Use Limitation Principle.” That is, to best protect privacy interests, data should be collected only for a specified limited purpose and not used for any other purposes. The federal government created SSNs in 1935 to track individual taxpayer's eligibility for Social Security benefits. Since these benefits are based on income earned, the Internal Revenue Service also adopted SSNs to identify individual taxpayers.
SSN cards state on their face: “Not to be used for identification.” Nevertheless, many agencies and companies have created databases unrelated to Social Security or payroll using the SSN as the primary key to identify a record or data subject, and then tie all their data to that field. This was an easy shortcut for database design since there are no duplicate SSNs and alternative strategies would require the database designer to devise a system for generating identification numbers and assuring that they remained unique.
But use of the SSN as the recurring key identifier in credit, education, financial, and other databases has led to much of the identity theft risk we face today. When that number is publicly disclosed from any source, it can be used, or abused, in connection with every other database using that same identification number. The broader the use of SSNs, the greater the risk to the individual.
The “Use Limitation Principle” would bar the use of a SSN for anything but its original purpose. Although you might still need the SSN somewhere in your payroll database to report earnings and tax withholding to the government, you would not use the SSN as your primary employee ID and would not use it to link various subcategories of data. Rather, you would develop one or more unique employee identifiers that do not include and are not based on the SSNs. Then, if data containing your identifiers are lost or stolen, the risks of data compromise are limited to your own database, and the risks of identify theft or other misuse are much reduced. And you would not allow, much less encourage, use of a SSN as a user ID or password.
Implementing the Use Limitation Principle requires security in the form of access control. Only those persons with a need to use specific fields of information should have access to those fields. Only information relevant to a specific task should be provided to data processors. For example, the vendor that mailed forms for the Department of Revenue needed a list of names and addresses; it didn't need SSNs to do its job. If the vendor had not received the unneeded SSN data, it could not have inadvertently disclosed it.
Both the process of providing information to the mail fulfillment vendor and the individuals involved in sending and receiving the data, should have been better attuned to the Use Limitation Principle. Similarly, in a typical “lost laptop” case, a user downloads large amounts of information from a general company database to an Excel spreadsheet so that the user can work at home. When the laptop is lost or stolen, all these data are compromised. Often the facts emerge that the data were downloaded en masse because it was easy, not because the user actually needed all the data fields or records available.
What to do?
What does your organization do? When designing databases, do you instruct the developers to use key fields that do not involve SSNs or other sensitive identifiers? When designing access controls, reports, data export scripts, etcetera, do you require an analysis of what data fields are actually necessary for the person receiving access or a data subset? Do you conduct privacy and security assessments of the requested data downloads? Do you insist upon business processes that incorporate best privacy and security practices, such as automatic encryption of all data saved to a laptop or removable media? Do you have sufficient granularity in the levels of access control in your IT systems? Do you train employees always to use the most limited subset of data suitable to the task at hand?
The best practices are not hard to identify, although they can be difficult to implement. All databases, reports, scripts, and data access rules should be designed with the Use Limitation Principle in mind. Collect only the information that is needed for the task at hand, not everything you might someday think about using. Organize the data around key fields that do not lend themselves to reuse or misuse, especially SSNs and other official identification numbers. Use technological, physical, and organizational means to limit each user to access only the data necessary for a particular task. Automatically encrypt all sensitive data when it is first exported, downloaded, or saved. Train. Audit. Repeat.
Other columns by Mark Foley
• Looking for the nuance in software vendor agreements
• Mark Foley: Beware vendor's line in software licensing
• A cost-effective way to protect global HR data
• Mark Foley: Developing global data privacy policies for HR data (part 1)
• Mark Foley: Expert testimony may be needed for e-discovery keyword searches
The bill responds to several high profile, unauthorized disclosures of SSNs by state agencies. In late 2006, a contractor mailed 170,000 residents Wisconsin tax forms with SSNs printed on the label. In November 2007, the names, e-mail addresses, and SSNs for 200 faculty and staff of the University of Wisconsin-Madison's Division of Information Technology were published in a web database created for “statistical analysis.” In January 2008, the Wisconsin Department of Health and Family Services mailed information to 260,000 elderly, disabled, and low-income individuals with their SSNs visible.
The main concern about such disclosures, whether by government or businesses, is that SSNs can be used for identity theft. Criminals can use SSNs with correct, incorrect, or made-up names to create new identities and open credit accounts. Credit agencies are not required to, and generally do not, give notice to an account holder when his SSN is used to open an account in a different name. As a result, SSN-based fraud can go undetected for years until a lender denies the real SSN owner credit or tries to collect from the real owner a debt she did not create.
If the purpose of AB 771 is to prevent similar disclosures of SSNs in the future, it is not likely to succeed. This is because both state agencies involved are authorized or required by law to collect and use SSNs for their activities. These agencies will still have the SSNs and the data will still be at risk. The problem, and the solution, lies elsewhere.
Advertisement
Unauthorized uses or disclosures of SSNs often result from violation of the “Use Limitation Principle.” That is, to best protect privacy interests, data should be collected only for a specified limited purpose and not used for any other purposes. The federal government created SSNs in 1935 to track individual taxpayer's eligibility for Social Security benefits. Since these benefits are based on income earned, the Internal Revenue Service also adopted SSNs to identify individual taxpayers.
SSN cards state on their face: “Not to be used for identification.” Nevertheless, many agencies and companies have created databases unrelated to Social Security or payroll using the SSN as the primary key to identify a record or data subject, and then tie all their data to that field. This was an easy shortcut for database design since there are no duplicate SSNs and alternative strategies would require the database designer to devise a system for generating identification numbers and assuring that they remained unique.
But use of the SSN as the recurring key identifier in credit, education, financial, and other databases has led to much of the identity theft risk we face today. When that number is publicly disclosed from any source, it can be used, or abused, in connection with every other database using that same identification number. The broader the use of SSNs, the greater the risk to the individual.
The “Use Limitation Principle” would bar the use of a SSN for anything but its original purpose. Although you might still need the SSN somewhere in your payroll database to report earnings and tax withholding to the government, you would not use the SSN as your primary employee ID and would not use it to link various subcategories of data. Rather, you would develop one or more unique employee identifiers that do not include and are not based on the SSNs. Then, if data containing your identifiers are lost or stolen, the risks of data compromise are limited to your own database, and the risks of identify theft or other misuse are much reduced. And you would not allow, much less encourage, use of a SSN as a user ID or password.
Implementing the Use Limitation Principle requires security in the form of access control. Only those persons with a need to use specific fields of information should have access to those fields. Only information relevant to a specific task should be provided to data processors. For example, the vendor that mailed forms for the Department of Revenue needed a list of names and addresses; it didn't need SSNs to do its job. If the vendor had not received the unneeded SSN data, it could not have inadvertently disclosed it.
Both the process of providing information to the mail fulfillment vendor and the individuals involved in sending and receiving the data, should have been better attuned to the Use Limitation Principle. Similarly, in a typical “lost laptop” case, a user downloads large amounts of information from a general company database to an Excel spreadsheet so that the user can work at home. When the laptop is lost or stolen, all these data are compromised. Often the facts emerge that the data were downloaded en masse because it was easy, not because the user actually needed all the data fields or records available.
What to do?
What does your organization do? When designing databases, do you instruct the developers to use key fields that do not involve SSNs or other sensitive identifiers? When designing access controls, reports, data export scripts, etcetera, do you require an analysis of what data fields are actually necessary for the person receiving access or a data subset? Do you conduct privacy and security assessments of the requested data downloads? Do you insist upon business processes that incorporate best privacy and security practices, such as automatic encryption of all data saved to a laptop or removable media? Do you have sufficient granularity in the levels of access control in your IT systems? Do you train employees always to use the most limited subset of data suitable to the task at hand?
The best practices are not hard to identify, although they can be difficult to implement. All databases, reports, scripts, and data access rules should be designed with the Use Limitation Principle in mind. Collect only the information that is needed for the task at hand, not everything you might someday think about using. Organize the data around key fields that do not lend themselves to reuse or misuse, especially SSNs and other official identification numbers. Use technological, physical, and organizational means to limit each user to access only the data necessary for a particular task. Automatically encrypt all sensitive data when it is first exported, downloaded, or saved. Train. Audit. Repeat.
Other columns by Mark Foley
• Looking for the nuance in software vendor agreements
• Mark Foley: Beware vendor's line in software licensing
• A cost-effective way to protect global HR data
• Mark Foley: Developing global data privacy policies for HR data (part 1)
• Mark Foley: Expert testimony may be needed for e-discovery keyword searches
Mark F. Foley is a partner with Foley & Lardner LLP, practicing primarily in the general litigation and information technology & outsourcing practices. Digital Lex: Exploring the intersection of law and information technology is his column for WTN News.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC. WTN accepts no legal liability or responsibility for any claims made or opinions expressed herein.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC. WTN accepts no legal liability or responsibility for any claims made or opinions expressed herein.
Comments
Metasteward LLC responded 1 year ago: #1
Mark Foley's articles should be required reading for all Department of Health and Family Services staff. Nearly four months ago, I requested the Bureau of Aging and Disability Resources (BADR) to cite the authority that they are using to require all Wisconsin Nutrition Sites to enter information from self scoring assessments and reassessments of participants into 25 fields of an electronic record in the Social Assistance Management System (SAMS). The participants have no indication that the information they are providing will be entered into their permanent electronic record as it appears to be a form that that they would share with their Doctor or some other health care professional.
The site that BADR uses to publish mandates and data entry instructions is a "spoof" site that looks like an official State site but in fact is registered to and run by one of the BADR staff. The nutrition mandates and forms are publicly accessable at: http://dhfsbadr.org/docs/sams/nutritioncheck/
I have made an open records request to DHFS for the agendas and minutes of the meetings of the Nutrition Check Committee who authorized the questionnaire and the fields in the SAMS' electronic records. I have not received a reply to my original request nor to my open records request.
Please go to: http://dhfsbadr.org/docs/sams/nutritioncheck/ and see for yourselves the most disturbing ethical breakdown and breach of privacy that I have ever seen.
Metasteward LLC
Fred Buhr, Registered Agent
The site that BADR uses to publish mandates and data entry instructions is a "spoof" site that looks like an official State site but in fact is registered to and run by one of the BADR staff. The nutrition mandates and forms are publicly accessable at: http://dhfsbadr.org/docs/sams/nutritioncheck/
I have made an open records request to DHFS for the agendas and minutes of the meetings of the Nutrition Check Committee who authorized the questionnaire and the fields in the SAMS' electronic records. I have not received a reply to my original request nor to my open records request.
Please go to: http://dhfsbadr.org/docs/sams/nutritioncheck/ and see for yourselves the most disturbing ethical breakdown and breach of privacy that I have ever seen.
Metasteward LLC
Fred Buhr, Registered Agent
OnceAgain responded 1 year ago: #2
State Government should hold both, public and private, organizations to the same standard. How many times are we asked to give SSN and other personal information to organizations without a legitimate need for the data? Way too often. These businesses have become accustomed to asking and I, for one, am learning to just say "No, you have no legal right to have that information".
IRS says that SSN were created soley for income tax purposes. Unless someone is paying you a salary (i.e. you have accepted the job offer) or reporting tax information to the IRS (i.e. banks and brokerage), don't give them this information.
Way too many companies are lazy and do not want to create their own database numbers. You need to cut down on the number of people with the information in order to cut back on the risks.
Let's hope the State legislature takes the next step to restrict inappropriate use of SSN by all organizations, public and private. And, to further insure our data integrity by making it illegal to release (a right which cannot be waived) SSN to third parties either inside USA or overseas. It should be illegal to store SSN on laptop computers or other portable devices. And, complete database access (to SSN) should never be given to third party organizations. And SSNs should never be transmitted over the internet.
It was the potential for this very abuse of Social Security numbers (use as an identity) that caused so many of our grandparents and great grandparents to oppose the creation of SSNs in the first place.
The EMR industry and medicare are another source of SSN abuse that needs to be examined closely. Our elderly should not be required to carry SSN on medicare cards in their wallets. Our healthcare providers (using Epiq systems products) should not be using SSN as internet-based identity to create login IDs.
Make organizations liable for providing security services to victims and specific monetary damages for loss, misuse or inappropriate stewardship of SSN, credit card, and other personal information. Follow California's lead in making the reporting of all such incidents to consumers/citizens mandatory.
In other words, the State needs to broaden its examination of the use and misuse of social security numbers. And then, tighten the rules for all organizations, public and private.
Remember: principles are not enough! You need penalties for violations or the laws are toothless. Then follow-up it up with a public information campaign to make sure that all the citizens are aware of their rights, and the right to say "NO" to inappropriate information requests from business organizations, social clubs, healthcare providers, utilities, etc.
As recently as 1999, Weight Watchers was incidious enough to ask for social security numbers for database purposes! Even back then, I knew it was not appropriate and gave them bogus data. SSN was not created to make computer databases easier to manage -- PERIOD.
We have a clear need to better train IT professionals about the inappropriate use of SSNs, database security protocols, and to provide them with other tools for managing their databases.
We even have call center, telemarketing and inside sales center employers in this state demanding that employees give them permission to release their SSNs (as a condition of employment) to their customers so that their cutomers can uniquely identify their workers. This is wrong. And again, it is an inappropriate use of SSNs. This practice should be stopped.
We have debt collection services demanding SSNs on consumers from client companies (such as hospitals, medical, dental, credit card, etc) in order to populate their databases. Again, this is wrong and it should be stopped.
These are all examples of people using SSNs as identifiers for their databases, with or without, the public's knowledge. This proliferation of data is wrong.
We have tax preparers, medical claims processing and other services that are outsourcing work to foreign countries and they are shipping our personal data, including SSNs, along with all the other information. This is wrong. And it should be stopped. Our data is not protected overseas. Our data is not protected here either, but it should be.
This is a huge area that needs much work and stronger regulation with pentalites, even criminal penalties. Again, this is an issue with both, public and private, organizations.
IRS says that SSN were created soley for income tax purposes. Unless someone is paying you a salary (i.e. you have accepted the job offer) or reporting tax information to the IRS (i.e. banks and brokerage), don't give them this information.
Way too many companies are lazy and do not want to create their own database numbers. You need to cut down on the number of people with the information in order to cut back on the risks.
Let's hope the State legislature takes the next step to restrict inappropriate use of SSN by all organizations, public and private. And, to further insure our data integrity by making it illegal to release (a right which cannot be waived) SSN to third parties either inside USA or overseas. It should be illegal to store SSN on laptop computers or other portable devices. And, complete database access (to SSN) should never be given to third party organizations. And SSNs should never be transmitted over the internet.
It was the potential for this very abuse of Social Security numbers (use as an identity) that caused so many of our grandparents and great grandparents to oppose the creation of SSNs in the first place.
The EMR industry and medicare are another source of SSN abuse that needs to be examined closely. Our elderly should not be required to carry SSN on medicare cards in their wallets. Our healthcare providers (using Epiq systems products) should not be using SSN as internet-based identity to create login IDs.
Make organizations liable for providing security services to victims and specific monetary damages for loss, misuse or inappropriate stewardship of SSN, credit card, and other personal information. Follow California's lead in making the reporting of all such incidents to consumers/citizens mandatory.
In other words, the State needs to broaden its examination of the use and misuse of social security numbers. And then, tighten the rules for all organizations, public and private.
Remember: principles are not enough! You need penalties for violations or the laws are toothless. Then follow-up it up with a public information campaign to make sure that all the citizens are aware of their rights, and the right to say "NO" to inappropriate information requests from business organizations, social clubs, healthcare providers, utilities, etc.
As recently as 1999, Weight Watchers was incidious enough to ask for social security numbers for database purposes! Even back then, I knew it was not appropriate and gave them bogus data. SSN was not created to make computer databases easier to manage -- PERIOD.
We have a clear need to better train IT professionals about the inappropriate use of SSNs, database security protocols, and to provide them with other tools for managing their databases.
We even have call center, telemarketing and inside sales center employers in this state demanding that employees give them permission to release their SSNs (as a condition of employment) to their customers so that their cutomers can uniquely identify their workers. This is wrong. And again, it is an inappropriate use of SSNs. This practice should be stopped.
We have debt collection services demanding SSNs on consumers from client companies (such as hospitals, medical, dental, credit card, etc) in order to populate their databases. Again, this is wrong and it should be stopped.
These are all examples of people using SSNs as identifiers for their databases, with or without, the public's knowledge. This proliferation of data is wrong.
We have tax preparers, medical claims processing and other services that are outsourcing work to foreign countries and they are shipping our personal data, including SSNs, along with all the other information. This is wrong. And it should be stopped. Our data is not protected overseas. Our data is not protected here either, but it should be.
This is a huge area that needs much work and stronger regulation with pentalites, even criminal penalties. Again, this is an issue with both, public and private, organizations.
Fred Buhr responded 1 year ago: #3
The Department of Health and Family Services (DHFS) has acknowledged that the "dhfsbadr" sites were established without following protocol for official web postings. The sites now contain the following message and a link to the official DHFS web site:
"May 9, 2008:
The web domains named "dhfsbadr.org" and "dhfsbadr.com" are privately owned and contain no affiliation with the State of Wisconsin. Most content contained herein was originally disseminated via other official means; this small collection of web pages simply acted as a personal repository. This site was NEVER represented to anyone as being affiliated with the State of Wisconsin in any official capacity, nor was it represented as a means of officially distributing any type of state policy.
Unfortunately, the two domain names do contain the letters "dhfs" in them and thus present some potential for confusion. Because of this fact, DHFS personnel have requested that I remove all content from this web site.
To visit the official web site for the Department of Health and Family Services, State of Wisconsin, please click here:
http://dhfs.wi.gov"
Metasteward LLC
Fred Buhr, Registered Agent
"May 9, 2008:
The web domains named "dhfsbadr.org" and "dhfsbadr.com" are privately owned and contain no affiliation with the State of Wisconsin. Most content contained herein was originally disseminated via other official means; this small collection of web pages simply acted as a personal repository. This site was NEVER represented to anyone as being affiliated with the State of Wisconsin in any official capacity, nor was it represented as a means of officially distributing any type of state policy.
Unfortunately, the two domain names do contain the letters "dhfs" in them and thus present some potential for confusion. Because of this fact, DHFS personnel have requested that I remove all content from this web site.
To visit the official web site for the Department of Health and Family Services, State of Wisconsin, please click here:
http://dhfs.wi.gov"
Metasteward LLC
Fred Buhr, Registered Agent
Add Your Comment
Comment Policy: WTN News accepts comments that are on-topic and do not contain advertisements, profanity or personal attacks. Comments represent the views of the individuals who post them and do not necessarily represent the views of WTN Media or our partners, advertisers, or sources. Comments are moderated and not immediately posted. Your email address will not be posted.
WTN Media cannot accept liability for the content of comments posted here or verify their accuracy. If you believe this comment section is being abused, contact edit@wistechnology.com.
Advertisement
Most Popular Stories
- Madoff computer programmers arrested; could face 30 years in $60B fraud
- HIPAA - Past, Present, and Future
- Seven secrets of a Steve Jobs presentation
- Myth busters: Why some things you hear about venture capital are wrong.
- Alice.com closes $6 million in new funding, raises total investment to $10.4M for online household goods shopping site
Advertisement
Featured EventsMore…
More Stories
- Stem cells may improve heart bypass results
- The future of ERP
- UW-Madison receives $9.5 million Gates Foundation grant
- Health insurance costs more in Wisconsin
- A freakonomic view of climate change
- C.O.R.E Jobs Act targets state’s economic strengths
- Online identity widget conceals email and shares social profiles
- API Healthcare introduces new generation of Navigator
- NanoRite board sets strategic direction for the center, elects officers
- HIPAA - Past, Present, and Future
- Clouds in IT future
- Anti-Gravity treadmill developed from NASA technology
- IBM moves closer to emulating human brain
- Top IT turkeys of 2009
- Wisconsin Rapids uses technology to keep residents informed
- Nuclear breakthrough has Wisconsin fingerprints
- Your organization chart and what it tells others
- Promega Corporation and SwitchGear Genomics announce a novel method for characterizing DNA-protein interactions
- The argument for free classes via iTunes
- The great cloud debate's unsatisfying but true answer
- Myth busters: Why some things you hear about venture capital are wrong.
- EraGen announces licensing agreement with San Diego biotech
- Shuttle Atlantis on pick up, delivery and installation mission
- Thousands of web sites compromised, redirect to scareware
- File-sharing software ban sought in House
- The virtual doctor visit
- Good Morning Houston, "We're having a baby, seriously! Shuttle Atlantis launches without a hitch. Simply AWESOME!
- FluGen fighting flaws in flu vaccine industry
- Madoff computer programmers arrested; could face 30 years in $60B fraud
- Priceless! The 25 funniest vintage tech ads
- Grants available to Wisconsin manufacturers
- Top 20 tech underdogs
- Contemplating an IT-less recovery
- Little benefit seen, so far, in electronic patient records
- 'The moon is alive,' NASA says after water discovery
- Tips on pitching a business plan part of Global Entrepreneurship Week
- Dell’s out-of-town tryout for smartphones
- Merge Healthcare sells additional 9 million shares
- Debbie Crave receives Honorary Recognition award from UW Madison
- The CIO and social media: Social police?
- Why Oracle's Larry Ellison will tell the EU to pound sand
- Out-of-state firms win elevator contest
WTN Media Presents
