Educause Security Discussion mailing list archives

Re: Bare Social Social Security Numbers


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Mon, 27 Mar 2006 11:58:40 -0500

I don't believe according to most privacy legislation that it would
be considered a privacy breach.  It probably depends on the conditions.

If the file defined a group or class of individuals (those with AIDS
or another medical condition, those attending a college class, etc)
then a small file could possibly be used to identify the SSN.

And there are likely several other ways to identify an SSN #.

But there are systems where the SSN is both identification and
authentication (and possibly authorization) providing access.

These are poorly designed (from a privacy and security POV) systems.

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS



On Mar 27, 2006, at 11:39 AM, Geoffrey S. Nathan wrote:

Quick poll (apologies for cross-posting..)

Suppose a file was stolen/accessed containing only social security
numbers with no names attached.  Would this constitute a security
breach necessitating notification of those whose numbers were
compromised?  (Leaving aside the question of whether the theft/access
itself is a breach).

Geoff

