Know Your Rights

A startlingly high number of organizations, for one reason or another, request Social Security Numbers (SSNs) on a regular basis. Many people are hesitant to give this information out. Rightfully so. The implications of identity theft, should this information land in the wrong hands, are terrifying. But did you know that there are a number of strict laws in place to protect people’s information and to force organizations to handle this information properly? Not only does the Federal Government enforce these laws, but most states do as well, expanding upon the national regulation.

Massachusetts, for example, protects its citizens’ information extensively. No Massachusetts resident can be required to give their Social Security Number to any organization unless that organization encrypts all sensitive information, has user authentication and access controls, monitors unauthorized use, uses firewall and malware protection, has operating system security patches in place, and is able to provide proof of this written information security program (WISP) to the individuals requesting the information. This is just a portion of the requirements. Organizations must also take additional measures to maintain the integrity of their systems constantly, through security assessments and other steps. Even if the requesting entity is from California, unless these requirements can be met, the Massachusetts resident does not have to provide their information. The Commonwealth supports and protects them in withholding that data.

These laws are put in place for very good reason. But they don’t do any good unless citizens know the law and know how they are protected. If you are a consumer, spread the word. And if you are an organization that uses SSNs, it may be time to conduct an assessment and review your WISP to ensure compliance.