From Charles Montaldo,
Your Guide to Crime / Punishment.
FREE Newsletter. Sign Up Now!

SSN = Social Security Number

ITRC = Identity Theft Resource Center

Q: My health insurance provider insists on using my SSN as my subscriber ID number. Is there a law that prohibits this?

A: Given the number of lost and stolen wallets, this practice places many of us at higher risk for identity theft. Unfortunately, at this time, there are no laws that prohibit this poor business practice. California’s SB 168 (2002 legislative session) does address this issue but does not become fully implemented until 7/1/05.

One thing you can do is to photocopy your card, front and back, cut off the last 4 numbers of the SSN from the copy and carry the copy with you on a daily basis. Employers can also request that their health providers use alternate subscriber numbers. By the way, Kaiser Permanente has never used the SSN as a subscriber number.

Q: My employer posts our SSN on our timecards. They can be seen by everyone who works there and are by the public restrooms. Could this put me in danger?

A: Anytime an employer places your SSN on a timecard, document, report, purchase receipt or ID badge it adds to your risk factor. Another poor practice is the use of the SSN as a password/computer login. You should request a change in policy. This could be considered negligent behavior and opens companies up for a potential lawsuit.

Again, some states are passing laws that prohibit the public display of SSN (in CA- SB 168)

Q: The enrollment form our new school district uses requests my SSN. Why would they need that? Do I have to give it to them?

A: It is always a good idea to ask why information is needed before providing it. The answer – it’s on the form – is not a valid answer. You need to find out the reason behind the request. If the child’s health insurance number is your SSN then they might need it for emergency purposes. Otherwise, it doesn’t seem reasonable.

ITRC has found several school districts that asked for that information. After questioning the practice, the parents were told that it was an optional field.

Q: I am a new victim of identity theft. I think the imposter works for the same company that I do. What do I do?

A: Since sensitive information including the SSN and even bank account numbers are so accessible in the workplace, security breaches at work are a common way for identity thieves to gather information.

ITRC advises companies to write a policy regarding workplace identity theft reporting and post it in a conspicuous spot. The policy should provide a way for any victim of identity theft, company-related or not, to confidentially report the crime.

Since HR is where the most information is stored, and therefore an attractive spot for an identity thief, reports should be redirected to the Security, Operations or the Chief Privacy Officer. Since most victims don’t know how the thief got the information, this gives the company a chance to evaluate whether the crimes seem similar. If so, they need to notify the appropriate law enforcement authorities, and unless told otherwise by the authorities, to contact affected employees and members of the public.

Q: What is the best way to convince the company that I work for that some of the things they do are placing employees and customers in danger of identity theft?

A: Many companies are reluctant to change old practices due to the cost involved but also because it might be construed as admitting they were negligent in some way. ITRC has found the best approach is to acknowledge that the world has changed, and therefore security measures must be updated accordingly.

Your company must be shown that the problem of identity theft has forced ALL of us to reconsider our information handling practices – consumer and corporations alike. A good PR person can "spin" this reformation to show that they are a responsible, caring business with the best interests of employees and the public at heart.

Q: The company that I work for tosses out old mortgage application forms in the trash. Is that safe or legal?

A: In several other states including Georgia and California it would be illegal. In CA, businesses must make sure any document is unreadable prior to disposing of it, even in electronic form. Encourage your state representatives to pass similar laws. This is a dangerous practice.

Companies that require you provide information need to be held accountable for safeguarding it, forever, or return it to the consumer/employee when they no longer need it. ITRC recommends that should you find documents sitting out in the trash or near a dumpster in the alley you should contact the county or city attorney to see if they will take action. Dumpster diving and document disposal are also favorite topics of television investigative reporters.