Slashdot Mirror


How To Stop Businesses Storing SSNs Indefinitely?

The Angry Mick writes "My wife and I recently moved, and during the course of providing change-of-address information to the many companies we do business with, I asked each if they were storing a full Social Security number in their databases, and if so, could they remove it or replace it with an alternate identifier. Neither the experience nor the results were particularly enjoyable. On the positive end of the spectrum, some companies were more than willing to make a change, even offering suggestions for a suitable alternate such as a driver's license number. In the middle were companies that made things a little more difficult, requiring several steps up the management tree before speaking to someone with some actual authority to address the issue. Then there was DirecTV. This company not only flatly refused to consider the suggestion, but also informed me that even if I were to discontinue service with them, they still intended to keep my full SSN on file indefinitely. There is no logical reason for them to do this, and I'm not keen on the idea of being left vulnerable to identity theft should they experience any security breaches at any future point in my life. So, my questions to the Slashdot community are: Has anyone else tried getting your SSN replaced or removed in corporate databases, and what were your experiences? And short of Armageddon, is there any way to force a company to erase your SSNs after you cease doing business with them, or is this a job for a lawyer or regulatory body?"

11 of 505 comments

  1. Bad news. XD by BlueKitties · · Score: 3, Informative

    Some (financial) Point Of Sale software I designed uses SSNs to tell the difference between customers with identical names. If I change the SSN... it thinks you're a new customer. Well... this is something to think about.

    --
    "Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
    1. Re:Bad news. XD by dintech · · Score: 4, Informative

      I was wondering if there was anything equivalent to the Data Protection Act in America:

      • Data may only be used for the specific purposes for which it was collected.
      • Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
      • Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
      • Personal information may be kept for no longer than is necessary and must be kept up to date.
      • Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
      • Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner's Office.
      • Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
      • Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion).
    2. Re:Bad news. XD by Sun.Jedi · · Score: 3, Informative

      There is not much. This excerpt, "In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data were collected without permission", is particularly disturbing.

      Data may only be used for the specific purposes for which it was collected.

      While you may THINK the data was collected for either a sale, long term lease agreements (similar to cable service), or whatnot... the ACTUAL specific purpose was to track you and sell your information to "partners".

      Data must not be disclosed to other parties without the consent of the individual whom it is about

      This is where the "partners" come in ... See JCPenney and SBS for an example of 1 company using your information and giving it to a partner company.

      Personal information may be kept for no longer than is necessary and must be kept up to date.

      Too bad it's not supposed to be deleted if it can't be confirmed in a given period of time. Also, SSNs don't expire, so you get off their list if you die. Yay.

    3. Re:Bad news. XD by NickGnome · · Score: 5, Informative
      "There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent."--- Elliot Richardson 1973 summarizing _Records, Computers, & the Rights of Citizens_ (quoted in Legislative History PL 93-579, Privacy Act of 1974, _Congressional Record_ vol 120, Senate Report #93-1183 pg 6924)

      In practice, as you say, even the weak constitutional and statutory protections of privacy are most often ignored.

      http://www4.law.cornell.edu/uscode/42/408.html

      http://www.usdoj.gov/04foia/privstat.htm

      http://www.cavebear.com/nsf-dns/pa_history.htm

      http://www.cavebear.com/nsf-dns/5usc552a.htm

      http://www.cms.hhs.gov/privacyact/patraining.asp

      http://www.cms.hhs.gov/privacyact/pa.pdf

      http://www.so.doe.gov/documents/privactof1974.pdf

      http://www.epic.org/privacy/laws/privacy_act.html

      https://www.cnet.navy.mil/privacyact1974.pdf

      http://library.lp.findlaw.com/articles/file/00007/004477/title/subject/topic/constitutional%20law_freedom%20of%20information/filename/constitutionallaw_1_88

      http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html

      http://www.cpsr.org/program/natlID/natlIDfaq.html

  2. Re:Ugh, DirecTV should just go away by Reece400 · · Score: 5, Informative

    If you provide your SSN to Comcast, they also store it indefinitely.
    They use it for internal credit checks to make sure you don't owe them any money on previous accounts (and likely for other things as well).

    That said, you can usually set up an account without your SSN, but you'll need to set it up directly with your local office instead of by phone or internet.

  3. Re:Broken by design. by TheRealMindChild · · Score: 4, Informative

    This isn't really in defense of the hospitals, but a WHOLE LOT of people use the hospital because they can't pay for medical attention and the hospital can't refuse. The SSN is likely there so they can track you down to the ends of the Earth to try and get their money.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  4. Re:Something I've considered... by jDeepbeep · · Score: 5, Informative

    is it possible to do identity theft with only the SSN alone?

    Unfortunately, yes. It provides enough of a building block (used both as an identifier and as an authenticator) to allow a moderately-clever person to build up the rest of the identity.

    --
    Reply to That ||
  5. Re:Something I've considered... by Daniel_Staal · · Score: 4, Informative

    It's not. It's supposed to be unique (within certain criteria: they do get reused eventually) across everyone in the USA, so the Social Security Administration can identify everyone. That's all it was designed for.

    It just happened that the SSN was the first major government number that everyone was required to have. So everyone else used the fact that it was there and unique to make their lives easier. Which means that now everybody tracks you by that number, and if you have that number you can impersonate anyone in any database that uses it.

    It's not supposed to be secret. It's not supposed to be your full ID. It just became that.

    --
    'Sensible' is a curse word.
  6. Re:Something I've considered... by MirthScout · · Score: 4, Informative

    That's actually a good question. The answer is, no, it is not supposed to be secret. It is an identifier; identifiers are not secret.

    The problem is that so many companies misuse SSNs. They treat them as if they were passwords.
    What is your name? John Smith
    What is your SSN? 123-45-6789
    OK, you must be John Smith all right. What can I do for you?

    It is this completely broken way that companies "verify" your identity that is the problem. People try to keep their SSN secret to reduce the chances an "identity thief" will get it and use a company's and/or bank's broken procedures to steal from you.

  7. Re:Ugh, DirecTV should just go away by Albanach · · Score: 4, Informative

    Although it is actually illegal to use a SSN for identification

    No, it's illegal for the Government to use it other than for its intended purpose. Companies can do what they like with it.

    From the Social Security Website: http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78

    If a business or other enterprise asks you for your number, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.
    [emphasis mine]

  8. Re:Broken by design. by FictionPimp · · Score: 3, Informative

    I work at a college. When I started, the main thing we were doing was changing our system to assign unique IDs to all students and remove all SSN numbers in places where they were used as IDs.

    The whole project took about a year to do. Now there is only one place where you can still find the SSN number, and that is only because it is required for some financial aid things.
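
The kind of re-keying described in the comments above (SSN used to tell same-named customers apart, then replaced by a unique ID and kept in only one place), as an added example that is not code from any poster or system in this thread. The schema, table names, the `needs_ssn` flag and the sample rows are all constructed for illustration.

```python
import sqlite3
import uuid

def build_legacy_db():
    """Constructed sample: SSN is the customer key. Area 000 is never issued."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (ssn TEXT PRIMARY KEY, name TEXT, needs_ssn INTEGER);
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer_ssn TEXT, item TEXT);
        INSERT INTO customers VALUES ('000-00-0001', 'John Smith', 0),
            ('000-00-0002', 'John Smith', 1), ('000-00-0003', 'Ann Lee', 0);
        INSERT INTO orders (customer_ssn, item) VALUES ('000-00-0001', 'receiver'),
            ('000-00-0002', 'tuition'), ('000-00-0003', 'cable');
    """)
    return db

def migrate_off_ssn(db):
    """Re-key on a random surrogate ID, keep SSNs only where required, drop the rest."""
    db.executescript("""
        CREATE TABLE customers_new (customer_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE ssn_restricted (customer_id TEXT PRIMARY KEY, ssn TEXT);
        ALTER TABLE orders ADD COLUMN customer_id TEXT;
    """)
    rows = db.execute("SELECT ssn, name, needs_ssn FROM customers").fetchall()
    for ssn, name, needs_ssn in rows:
        cid = uuid.uuid4().hex  # random, so it reveals nothing about the SSN
        db.execute("INSERT INTO customers_new VALUES (?, ?)", (cid, name))
        db.execute("UPDATE orders SET customer_id = ? WHERE customer_ssn = ?", (cid, ssn))
        if needs_ssn:  # the one remaining legitimate use; restrict access to this table
            db.execute("INSERT INTO ssn_restricted VALUES (?, ?)", (cid, ssn))
    db.executescript("""
        CREATE TABLE orders_new (order_id INTEGER PRIMARY KEY, customer_id TEXT, item TEXT);
        INSERT INTO orders_new SELECT order_id, customer_id, item FROM orders;
        DROP TABLE orders; DROP TABLE customers;
        ALTER TABLE orders_new RENAME TO orders;
        ALTER TABLE customers_new RENAME TO customers;
    """)

def ssn_locations(db):
    """Audit: every table.column that still holds SSN-shaped values."""
    pattern = "[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]"
    hits = []
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        for col in [r[1] for r in db.execute(f"PRAGMA table_info({t})")]:
            n = db.execute(f"SELECT COUNT(*) FROM {t} WHERE {col} GLOB ?", (pattern,)).fetchone()[0]
            if n:
                hits.append((f"{t}.{col}", n))
    return sorted(hits)
```

Running `ssn_locations` before and after `migrate_off_ssn` shows the SSN moving from two tables to the single restricted one, while the two customers named John Smith stay distinct through their `customer_id`.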