SS#s and all other personal info available for all to see. Seeking legal advice on what a business's legal obligations are.

carchibald asked
Medium Priority
Last Modified: 2010-04-11
I'm seeking any information, or information on where I need to look, to get my answers regarding the legality of a company having all of its employees' personal info, including SS#s, available to any employee of the company who has an email account. I am concerned about this issue and the fact that anyone from the head boss to the janitorial staff has the capability of accessing this information (approximately 900 people have the capability of accessing this information). I am fighting a political battle here as far as revealing the lack of knowledge of the IT person in charge of this server. I have addressed the issue. The one responsible for this system does not know how to use security in a Windows 2000 Server environment and has all users set to Full Control of the entire file system. I have addressed this issue for approximately the past 6 years with no success. When I questioned who would be responsible if identity theft occurred, they pointed the finger at me, but it has been made clear that I am not the one responsible for this particular system. I'm in a rather small town and no one local would know the legalities regarding this situation. Any help or advice on how to address this issue, or direction on where to look, would be greatly appreciated.

Thanks in advance,
Fall Guy

There is no "the law". Laws vary, from country to country, state to state, county to county, municipality to municipality. What is legal where I'm sitting and typing this may be illegal where you are sitting reading it, and vice-versa.

When it comes to the duty of care a data custodian has regarding the data they handle, that is a relatively new area of law, and there are a lot of different laws at both the federal and state levels. While I'm neither a lawyer nor an expert in this area, I daresay that what is legal regarding this in, say, California is different than in, say, Florida.

I'll also point out that unless an actual lawyer who is versed in data protection liability issues, with specific knowledge of the Federal and other-applicable-to-your-specific-jurisdiction laws on the subjects of data custodianship, duty of care and improper disclosure liability; happens across your posting here on EE and decides to forgo their usual US$200+/hr billing rate and answer such a broad Question, any advice you get is going to be worth what you paid for it. My guess is that you've paid little or nothing for the points to ask your Question, so I think that clarifies just how valuable any legal advice you get here is going to be.

This is NOT a slam on EE. Your Question deals with complex and evolving legal issues requiring considerable legal knowledge and experience to properly answer, and even then, this communication format is not really a good one to address such issues. EE is much better at dealing with technical topics.

If you want answers on which you can rely, consult a lawyer who has knowledge of these legal areas and experience with data protection issues in YOUR jurisdictional situation. Anything short of that is likely to be a waste of time.


I understand where you are coming from which is the reason why I am only seeking help or advice on where to turn.

Finding a lawyer that is versed in data protection liability issues is not found easily.


"a lawyer that is versed in data protection liability issues is not found easily"

Perhaps, but they're the only ones who can give you an answer worth getting.

You describe a company with 900+ people - a corp that size ought to have a corporate counsel. Have they not been engaged on this issue?


I agree with PsiCop. Also check with Social Security Services; they will definitely have an answer for you.

"check with Social Security Services; they will definitely have an answer for you"

Actually, they won't. Because there is no single answer. Also, most people you can reach at the SSA are not lawyers.

They could point you in the right direction instead of you pulling the info out of the "yellow pages"
You are unlikely to find the answer you are looking for here as quickly as you will on consumer/privacy advocate sites. One place you can look that has information regarding tech professionals and the issues of privacy (this page is specific to SS#s) is http://www.cpsr.org/prevsite/cpsr/privacy/ssn/ssn.faq.html

Good luck,


I agree with PsiCop's advice that if you want a definitive answer, ask a legal expert who knows the law that applies in your area.

However, if you are just looking for guidance / more knowledge on the issue, then read these articles, one relating to New York,



particularly the section under State Personal Information Protection Statutes. If you are in one of the states which has a specific law in place, there may be a contact to which you could report this.

Leaving the legal avenue aside, I am surprised that no one in an organisation of this size is interested in ensuring that this server is correctly configured if it holds this data. Perhaps if you could get an external IT party to perform a security audit on your network and ask them to focus on file security, this would have greater weight with management. Alternatively, could you get the person who is in charge of these permissions to take part in an internal security review, potentially sponsored by a high-level manager? Make the case for this as a benefit to the business, which may have sensitive commercial data on the server, rather than as an employee issue.
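The question describes the concrete misconfiguration (every account granted Full Control over the whole file system) and this reply suggests an audit focused on file security. The script below is an added example of what such an audit would produce, not code from the thread or from any of the posters. It walks a directory tree, reports every Allow ACE that grants a broad principal (Everyone, Authenticated Users, Users, Domain Users) read, write, delete or permission-change rights, writes the findings to a CSV that can be handed to management, and, only when run with -Fix, replaces the ACL on one sensitive folder with a least-privilege one. The root path, the sensitive folder, the group name and the report file name are placeholders; Windows 2000 has no PowerShell, so it is meant to be run from a modern admin workstation against a local path or a UNC path to the server's share.

```powershell
# Added example (not from the thread): audit NTFS ACLs for broad "Full Control"-style
# grants and optionally apply a least-privilege ACL to one sensitive folder.
# Assumes Windows PowerShell 5.1 or PowerShell 7 and an account that can read the ACLs
# (and, for -Fix, one that owns the folder or holds SeSecurityPrivilege on the server).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root       = 'D:\Data',            # assumed: server data root or \\server\share
    [string]$Report     = '.\acl-audit.csv',    # assumed: where the evidence is written
    [string]$Sensitive  = 'D:\Data\HR',         # assumed: folder holding personnel files
    [string]$OwnerGroup = 'CONTOSO\HR-Staff',   # assumed: the only group that needs Modify
    [switch]$Fix
)

# Principals that in practice mean "every employee with an account".
$Broad = @('Everyone',
           'NT AUTHORITY\Authenticated Users',
           'BUILTIN\Users',
           "$env:USERDOMAIN\Domain Users")

# Rights worth flagging when granted to a broad principal. FullControl and
# ChangePermissions/TakeOwnership let a user rewrite the ACL itself; the rest
# let them read, alter or destroy the data.
$Flagged = 'FullControl', 'ChangePermissions', 'TakeOwnership', 'Write', 'Delete', 'ReadData'

function Get-BroadGrant {
    param([string]$Path)
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Broad -notcontains $ace.IdentityReference.Value) { continue }
            # Compare the ACE's access mask bit-for-bit against each flagged right.
            # ACEs carrying generic rights (negative mask values) are not expanded here.
            $bits = [int]$ace.FileSystemRights
            $hits = foreach ($name in $Flagged) {
                $mask = [int][System.Security.AccessControl.FileSystemRights]$name
                if (($bits -band $mask) -eq $mask) { $name }
            }
            if ($hits) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = ($hits -join ',')
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Set-LeastPrivilegeAcl {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance from the permissive parent and discard the inherited ACEs,
    # then drop any explicit ACEs so only the rules added below remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($Group,                   'Modify')        # Modify, not FullControl: no ACL edits
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $r[0], $r[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit: write the evidence, then show what touches the sensitive folder.
$findings = @(Get-BroadGrant -Path $Root)
$findings | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Host ("{0} broad grant(s) found under {1}; report written to {2}" -f $findings.Count, $Root, $Report)
$findings | Where-Object { $_.Path -like "$Sensitive*" } | Format-Table -AutoSize

# Remediation is opt-in and honours -WhatIf so the change can be previewed first.
if ($Fix -and $PSCmdlet.ShouldProcess($Sensitive, "replace ACL with SYSTEM/Administrators Full Control and $OwnerGroup Modify")) {
    Set-LeastPrivilegeAcl -Path $Sensitive -Group $OwnerGroup
}
```

Run it without -Fix first; the CSV of paths where Everyone or Users holds Write, Delete or Full Control is the evidence an internal or external review would put in front of management. Run it with -Fix -WhatIf to see which folder would be changed, and only then without -WhatIf. The remediation deliberately gives the HR group Modify rather than Full Control, so members can edit files but cannot hand permissions back to Everyone; if the server is still Windows 2000, the same ACL can be applied through the folder's Security tab or cacls, the script only automates the check.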

well if he is that big of an idiot delete some random data including the SS#s, just play stupid.

Geesh, I thought it was ridiculous that management wanted all of our users to never change their passwords... I couldn't imagine if my users had full rights to all data.

I can tell you... I wouldn't be working there (purging my data before leaving, of course).


Welcome to the world of education and politics!
Rich RumbleSecurity Samurai
Top Expert 2006
Can my employer use my SSN as an employee identification number?
Yes. However, the Social Security Administration discourages employers from displaying Social Security numbers on documents that are viewed by other people, such as badges, parking permits, or lists distributed to employees. Employers do, however, need each employee's Social Security number to report earnings and payroll taxes.
California has a law that prohibits employers from publicly posting or displaying an employee's Social Security number (SSN). The California Office of Privacy Protection has a comprehensive guide that outlines this law in more detail at www.privacy.ca.gov/recommendations/ssnrecommendations.pdf. Another law, effective January 1, 2008, requires employers to print no more than the last four digits of an employee's SSN, or to use an employee ID number other than the SSN, on employee pay stubs or itemized statements.

If this is a publicly traded company, or even a subsidiary of one, they may be bound to SOX (Sarbanes-Oxley) compliance, which does have rules about employee information; it's mostly about finances, but SSN security is vital to that audit also.

Michigan and California have laws about SSNs; you may consult the local library about where to find the laws in your state.
If you're in either one of those states, each employee at your company could sue, and former employees could possibly throw in a class action...

North Carolina has also recently passed a law restricting use of SSNs. But we don't even know if the Asker is located in the USA.


Located in TEXAS
Rich RumbleSecurity Samurai
Top Expert 2006

Maybe try emailing one of the folks on that site to see if they have any insight to the situation?
It's a bit of a grey area... it's mostly (all over) about disclosure of SSNs, and your question seems to teeter on possible disclosure...
It might also be worth making contact with the labor commissioner's office ... for referral to agencies or entities that might assist you with other workplace concerns.


Maybe you could check with the CFO of the company or the payroll person for direction.