RE: Risk of using SS#s (last 4 digits) for authentication

["Jason Coombs" <jasonc () science org>]

> That prohibits government agencies from requiring that a person give
his/her
> SSN as a condition of receiving the agency's services

The U.S. Supreme Court rejected this assertion in BOWEN v. ROY, 476 U.S. 693
(1986)

-----Original Message-----
From: Griff Palmer [mailto:gpalmer () palmermania com]
Sent: Saturday, November 09, 2002 8:31 AM
To: security-basics () security-focus com
Subject: Re: Risk of using SS#s (last 4 digits) for authentication


Computer Professionals for Social Responsiblity has a good FAQ on Social
Security numbers at:

http://www.cpsr.org/cpsr/privacy/ssn/SSN-History.html

CPSR says the Privacy Act of 1974 is the principal federal statutory
authority governing solicitation and use of Social Security numbers. That
prohibits government agencies from requiring that a person give his/her SSN
as a condition of receiving the agency's services, and from taking punitive
action against people who refuse to divulge their SSNs.

The 1974 Privacy Act doesn't place any such restrictions on private
companies.

For tax-reporting purposes, the IRS requires employers to gather employees'
Social Security numbers.  I'm sure there's a complex web of state statutes,
case law, contract law, etc. that speak to what employers may and may not do
with employees' SSNs.

As a practical matter, using only the last 4 digits of an employee's SSN
gives some measure of protection to the employee. It's important to
remember,
though, that a variety of personal financial services companies use the last
4 digits of a person's SSN as part of the identifying information that gives
access to that person's account information, so there is a potential for
harm
from accidental release of even the last 4 digits of an employee's SSN.

                                                            Griff Palmer