A colleague of mine is taking his son to Washington D.C. with him on business and they decided they wanted to tour the White House. To get approval, he sent a note to his Senator's office. They asked him to send his and his son's Social Security Numbers via email so that they could do a security clearance. He objected and said he'd prefer to fax them the information. They responded that this was OK, but that they'd be sending the SSNs to the offices of other Senators and Representatives to coordinate their tour with other groups. Of course, they'll be sending these via unencrypted email.

Does it strike anyone else as odd that an organization that is supposedly concerned about security is passing around SSNs via email, storing them on who knows who's hard drives and is otherwise as clueless as this? Presumably they want the SSN because there's some feeling that they can gather information about the person that can be used in triage. But by making them less secure and by using them insecurely, they expose themselves to being fooled.

A better solution would be to have a secured Web site where potential visitors enter their SSN so that it can be managed in a secure way--SSL protection in transit, encrypted field in the database, one record, etc. You'd still need governance to ensure the information was handled securely, but at least you'd have a chance.


Please leave comments using the Hypothes.is sidebar.

Last modified: Thu Oct 10 12:47:18 2019.