SS#'s and all other personal info available for all to see. Seeking legal advice on what a business's legalities are.

Posted on 2006-10-31
Last Modified: 2010-04-11
I'm seeking any information, or information on where I need to look, to get my answers regarding the legality of a company that has all of its employees' personal info, including SS#'s, available to any employee of the company who has an email account. I am concerned about this issue and the fact that anyone from the head boss to some janitorial staff has the capability of accessing this information (approximately 900 people have the capability of accessing this information). I am fighting a political battle here as far as revealing the lack of knowledge of the IT person in charge of this server. I have addressed the issue.

The one responsible for this system does not know how to use security in a Windows 2000 server environment and has all users set to full control of the entire file system. I have addressed this issue for approx. the past 6 years to no success. When I questioned who would be responsible if identity theft occurred, they point the fingers at me, but it has been made clear that I am not the one responsible for this particular system.

I'm in a rather small town and no one here locally would know the legalities regarding this situation. Any help or advice on how to address this issue, or direction on where to look, would be greatly appreciated.

Thanks in advance,
Fall Guy
Question by:carchibald
18 Comments
 
LVL 34

Accepted Solution

by:
PsiCop earned 125 total points
ID: 17843414
There is no "the law". Laws vary, from country to country, state to state, county to county, municipality to municipality. What is legal where I'm sitting and typing this may be illegal where you are sitting reading it, and vice-versa.

When it comes to the duty of care a data custodian has regarding the data they handle, that is a relatively new area of law, and there are a lot of different laws at both the federal and state levels. While I'm neither a lawyer nor an expert in this area, I daresay that what is legal regarding this in, say, California is different than in, say, Florida.

I'll also point out that unless an actual lawyer who is versed in data protection liability issues, with specific knowledge of the Federal and other-applicable-to-your-specific-jurisdiction laws on the subjects of data custodianship, duty of care and improper disclosure liability; happens across your posting here on EE and decides to forgo their usual US$200+/hr billing rate and answer such a broad Question, any advice you get is going to be worth what you paid for it. My guess is that you've paid little or nothing for the points to ask your Question, so I think that clarifies just how valuable any legal advice you get here is going to be.

<aside>
This is NOT a slam on EE. Your Question deals with complex and evolving legal issues requiring considerable legal knowledge and experience to properly answer, and even then, this communication format is not really a good one to address such issues. EE is much better at dealing with technical topics.
</aside>

If you want answers on which you can rely, consult a lawyer who has knowledge of these legal areas and experience with data protection issues in YOUR jurisdictional situation. Anything short of that is likely to be a waste of time.

Author Comment

by:carchibald
ID: 17843580
I understand where you are coming from which is the reason why I am only seeking help or advice on where to turn.

A lawyer who is versed in data protection liability issues is not easily found.

LVL 34

Expert Comment

by:PsiCop
ID: 17844017
"a lawyer that is versed in data protection liability issues is not found easily"

Perhaps, but they're the only ones who can give you an answer worth getting.

You describe a company with 900+ people - a corp that size ought to have a corporate counsel. Have they not been engaged on this issue?
LVL 11

Expert Comment

by:g000se
ID: 17844903
Hello.

I agree with PsiCop. Also check with Social Security Services; they will definitely have an answer for you.
LVL 34

Expert Comment

by:PsiCop
ID: 17845317
"check with Social Security Services; they will definitely have an answer for you"

Actually, they won't. Because there is no single answer. Also, most people you can reach at the SSA are not lawyers.
LVL 11

Expert Comment

by:g000se
ID: 17845778
They could point you in the right direction instead of you pulling the info out of the "yellow pages"
LVL 6

Assisted Solution

by:austinstace
austinstace earned 125 total points
ID: 17847356
You are unlikely to find the answer you are looking for here as quickly as you will on consumer/privacy advocate sites. One place you can look that has information regarding tech professionals and the issues of privacy (this page is specific to ss#) is http://www.cpsr.org/prevsite/cpsr/privacy/ssn/ssn.faq.html

Good luck,

Stace

LVL 8

Assisted Solution

by:Saineolai
Saineolai earned 125 total points
ID: 17847414
I agree with PsiCop's advice that if you want a definitive answer, ask a legal expert who knows the law that applies in your area.

However, if you are just looking for guidance / more knowledge on the issue, then read these articles, one relating to New York:

http://www.mondaq.com/i_article.asp_Q_articleid_E_43636_A_rss_E_0

also

http://www.faegre.com/articles/article_2001.aspx
particularly the section under State Personal Information Protection Statutes. If you are in one of the states which has a specific law in place, there may be a contact which you could report this to.

Leaving the legal avenue aside, I am surprised that no one in an organisation of this size is interested in ensuring that this server is correctly configured if it holds this data. Perhaps if you could get an external IT party to perform a security audit on your network and ask them to focus on file security, this would have greater weight with management. Alternatively, could you get the person who is in charge of these permissions to take part in an internal security review, potentially sponsored by a high-level manager? Make the case for this as a benefit to the business, which may have sensitive commercial data on the server, rather than as an employee issue.

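The file-security audit suggested above is, in practice, a triage of the NTFS ACLs on the share that holds the employee records: which folders and files grant "every account in the company" read or write access. The Python below is an added example for this thread, not code posted by anyone in it. It assumes the permissions have already been dumped with `cacls C:\HR /T > acl_dump.txt` on the Windows 2000 server (or `icacls C:\HR /T` on a newer host), that the output follows the usual cacls/icacls layout (path and first ACE on one line, further ACEs indented below it), and that the domain's NetBIOS name is CORP. The sample dump embedded in the block is constructed for the example and is not a real capture.

```python
r"""Triage a cacls/icacls dump for ACEs that give a whole company's accounts
read or write access to a folder or file.

Added example for this thread, not code from anyone in it. Assumes a dump
produced by `cacls C:\HR /T` (Windows 2000) or `icacls C:\HR /T`, and a domain
whose NetBIOS name is CORP. The sample dump at the bottom is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple

# One ACE as cacls/icacls prints it: "<principal>:<flags><right>". Principals
# containing spaces only occur under the well-known authorities listed first;
# any other domain/machine part is assumed to be free of whitespace.
ACE_RE = re.compile(
    r"(?P<principal>Everyone|CREATOR OWNER|NT AUTHORITY\\[^:\\]+|"
    r"NT SERVICE\\[^:\\]+|[^\s\\:]+\\[^:\\]+):(?P<rights>.*)$"
)
# Inheritance/propagation flags printed before the right itself.
FLAG_RE = re.compile(r"\((?:OI|CI|IO|NP|I|ID)\)")

WRITE_RIGHTS = {"F", "M", "C", "W"}  # cacls F/C/W = full/change/write; icacls M = modify
READ_RIGHTS = {"R", "RX"}            # read, read+execute


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    right: str
    severity: str


def broad_principals(domain: str) -> Set[str]:
    """Principals that amount to 'every account in the company'."""
    return {
        "everyone",
        "builtin\\users",
        "nt authority\\authenticated users",
        f"{domain.lower()}\\domain users",
    }


def normalize_right(rights: str) -> str:
    """Strip flags and icacls parentheses; collapse special-access ACEs."""
    r = FLAG_RE.sub("", rights).strip()
    if "special access" in r.lower() or "," in r:
        return "SPECIAL"          # individual rights follow; review by hand
    return r.strip("()").upper()  # icacls writes (F), cacls writes F


def parse_dump(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, principal, right) for every ACE in the dump.

    The first ACE of an object shares its line with the path; the remaining
    ACEs are indented continuation lines that inherit the last path seen.
    """
    current_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ACE_RE.search(line)
        if m is None:
            continue  # blank line, special-access detail line, tool footer
        prefix = line[: m.start()].strip()
        if prefix:
            current_path = prefix
        if current_path is None:
            continue
        yield current_path, m.group("principal").strip(), normalize_right(m.group("rights"))


def audit(text: str, domain: str = "CORP") -> List[Finding]:
    """Return every ACE that grants a broad principal read or write access."""
    broad = broad_principals(domain)
    findings: List[Finding] = []
    for path, principal, right in parse_dump(text):
        if principal.lower() not in broad:
            continue
        if right in WRITE_RIGHTS:
            severity = "high"    # every account can read, alter or delete
        elif right in READ_RIGHTS:
            severity = "medium"  # every account can read (the disclosure case)
        else:
            severity = "review"  # special access: check the listed rights
        findings.append(Finding(path, principal, right, severity))
    return sorted(findings, key=lambda f: (f.path.lower(), f.principal.lower()))


# Constructed sample in the cacls layout; not a real capture.
SAMPLE_DUMP = r"""
C:\HR BUILTIN\Administrators:(OI)(CI)F
     NT AUTHORITY\SYSTEM:(OI)(CI)F
     BUILTIN\Users:(OI)(CI)F
C:\HR\employees.xls BUILTIN\Administrators:F
                    NT AUTHORITY\SYSTEM:F
                    BUILTIN\Users:F
C:\HR\handbook.doc BUILTIN\Administrators:F
                   Everyone:R
C:\HR\payroll CORP\Payroll-Admins:(OI)(CI)F
              CORP\Domain Users:(OI)(CI)(special access:)
                                FILE_READ_DATA
                                FILE_LIST_DIRECTORY
C:\Finance\budget.xls BUILTIN\Administrators:F
                      CORP\Finance-Staff:C
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"{f.severity:6} {f.path:<24} {f.principal}:{f.right}")
```

On the sample this reports `BUILTIN\Users` with Full Control on `C:\HR` and `employees.xls` (the "all users set to full control" condition from the question), `Everyone` with read on `handbook.doc`, and a special-access entry for `Domain Users` on `payroll` to check by hand; the finance folder, restricted to a named group, is silent. The medium findings matter as much as the high ones here, since the exposure the asker is worried about is disclosure, and read access to a spreadsheet of SSNs is already that.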
LVL 9

Expert Comment

by:bigjimbo813
ID: 17847460
Well, if he is that big of an idiot, delete some random data including the SS#s; just play stupid.

Geez, I thought it was ridiculous that management wanted all of our users to never change their passwords... I couldn't imagine if my users had full rights to all data.

I can tell you... I wouldn't be working there (purging my data before leaving, of course).

Author Comment

by:carchibald
ID: 17849121
Welcome to the world of education and politics!
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 17849197
Can my employer use my SSN as an employee identification number?
Yes. However, the Social Security Administration discourages employers from displaying Social Security numbers on documents that are viewed by other people, such as badges, parking permits, or lists distributed to employees. Employers do, however, need each employee's Social Security number to report earnings and payroll taxes.
California has a law that prohibits employers from publicly posting or displaying an employee's Social Security number (SSN). The California Office of Privacy Protection has a comprehensive guide that outlines this law in more detail at www.privacy.ca.gov/recommendations/ssnrecommendations.pdf. Another law, effective January 1, 2008, requires employers to print no more than the last four digits of an employee's SSN, or to use an employee ID number other than the SSN, on employee pay stubs or itemized statements.
http://www.privacyrights.org/fs/fs10-ssn.htm

If this is a publicly traded company, or even a subsidiary of one, they may be bound to SOX (Sarbanes-Oxley) compliance, which does have rules about employee information; it's mostly about finances, but SSN security is vital to that audit also.

Michigan, and Cali have laws about SSN's, you may consult the local library about where to find the laws in your state.
http://psedlaw.internetarchives.com/Press_Release_Detail.aspx?ContainerID=541&SectionNumber=1&AssetID=5844
If you're in either one of those states, each employee at your company could sue, and former employees could possibly throw in a class action...
-rich
LVL 34

Expert Comment

by:PsiCop
ID: 17851251
North Carolina has also recently passed a law restricting use of SSNs. But we don't even know if the Asker is located in the USA.

Author Comment

by:carchibald
ID: 17851269
Located in TEXAS
LVL 38

Expert Comment

by:Rich Rumble
ID: 17851329
http://law.onecle.com/texas/business/35.58.html
Maybe try emailing one of the folks on that site to see if they have any insight into the situation?
It's a bit of a grey area... it's mostly (all over) about disclosure of SSNs, and your question seems to teeter on possible disclosure...
-rich
LVL 8

Expert Comment

by:Saineolai
ID: 17851472
It might also be worth making contact with the labor commissioner's office ... for referral to agencies or entities that might assist you with other workplace concerns.

http://www.twc.state.tx.us/svcs/commrs/laborcommr.html
LVL 11

Expert Comment

by:g000se
ID: 17857902
Maybe you could check with the CFO of the company or the payroll person for direction.