FC: Privacy villain of the week: Federal agencies lax with SSNs

[Declan McCullagh <declan () well com>]

---

Date: Fri, 14 Mar 2003 16:57:39 -0500
From: J Plummer <jplummer () consumeralert org>
Subject: NCP: Privacy Villain of the Week: Federal Agencies Lax with
  SSNs

Privacy Villain of the Week:
Federal Agencies Lax with SSNs

A report out this month reveals something shocking but sadly not altogether 
unexpected - federal agencies are incredibly lax when it comes to 
protecting the integrity of your Social Security 
numbers.  <http://govt-aff.senate.gov/031103prescouncilrpt.pdf>

The report was requested by the Senate Governmental Affairs Committee 
<http://govt-aff.senate.gov/031103presssc2.htm> and issued by the Social 
Security Administration Office of the Inspector General(OIG), after being 
compiled by the OIGs of 15 different federal agencies. The findings were 
shocking:

·	All but one of the 15 agencies participating in the study lacked adequate 
security controls over private contractors' access to and use of SSNs.
·	One agency had allowed contractor employees access to its database, 
including SSNs, before their background checks were completed.
·	Another didn't ensure contractors couldn't access databases after they 
stopped working for the agency.
·	Private contractors keeping personal identification information in 
unlocked cabinets, in storage rooms, and on desktops after working hours.
·       One agency didn't even know exactly which contractors had access to SSNs.
·       Nine agencies had inadequate controls over SSNs stored on computers.
·	Two federal agencies even had poor controls over non-Government and/or 
non-contractor access to SSNs.

The lessons to be drawn from this debacle are eveident. Federal agencies 
have no financial incentive to respect the privacy of citizens -- their 
continued existence and growing budgets are virtually assured. At least 
when a business treats sensitive consumer data so shoddily, they face the 
prospect of consumer backlash and attendant financial hurt or ruin. Efforts 
should be made to bar the federal government from using the SSN as an 
identifier for anything but Social Security accounts. (At least one such 
effort is underway in the Congress right now. 
<http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.00220:";> )

And perhaps even more importantly, efforts such as those by the American 
Association of Motor Vehicle Administrators to create mandatory government 
databases of fingerprints or other biometric identifiers should be 
resisted.  <http://www.nccprivacy.org/handv/011206villain.htm> Such 
databases would retain all the problems we see now with loss of privacy and 
identity fraud, with the potential for even more ruinous consequences, such 
as faked fingerprints planted at a crime scene.

The revealing report of the IG shows that trusting the government to 
protect your privacy is a fool's game. And the negligent agencies have 
revealed themselves as Privacy Villains.

By James Plummer

The Privacy Villain of the Week and Privacy Hero of the Month are projects 
of the National Consumer Coalition's Privacy Group. Privacy Villain audio 
features now available from FCF News on Demand. For more information on the 
NCC Privacy Group, see www.nccprivacy.org or contact James Plummer at 
202-467-5809 or via email. 




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------