Educause Security Discussion mailing list archives

Re: Bare Social Social Security Numbers


From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Mon, 27 Mar 2006 11:59:05 -0500

Geoff,

No names? Or no identifying information? Or no other information at all?

My take is that there are just less than a billion possible SSNs.  There
are roughly 300 million Americans.  If a file (like this email) contained
possible SSNs (completely made up example: 437-11-0011), then it's
probably not a security breach.

The problem comes in when there's other information, even circumstantial
information.  For example, if you knew this was the SSN for a person at
Duke, then it would probably constitute a security breach.  If you knew it
was a person at Duke with a $50,000/yr salary, it's even more of a breach
because there are fewer potential people.

To me it's something of an exercise in probability.  If I have a random
number that looks like an SSN (437-11-0111), but I know nothing about it,
then there's roughly a 1 in a billion chance that the number belongs to an
individual.  If I have an SSN and I know it belongs to someone at Duke,
there's a 1 in 36,000 chance of identifying to whom it belongs.  If I know
it's a student's SSN, it's 1 in 9,000 or so.  Worse than that, since the
1st three digits roughly indicate age and place where the person is born,
you could probably narrow it down quite a bit.

All of which is a long-winded way of saying that a file of SSNs associated
with a known university should probably be considered a breach.  However,
any notice should reference the lack of identifiers in the file.

-chris


On Mon, 27 Mar 2006, Geoffrey S. Nathan wrote:

Quick poll (apologies for cross-posting..)

Suppose a file was stolen/accessed containing only social security
numbers with no names attached.  Would this constitute a security breach
necessitating notification of those whose numbers were compromised?
(Leaving aside the question of whether the theft/access itself is a breach).

Geoff

