Because a person's SSN is so widely used as an identifier, identity
thieves are always trolling for SSNs.
The recent growth in identity theft underscores the importance
of making sure that we reduce our reliance on SSNs and that we
guard with vigilance those that we must, by law, collect.
The root of the problem is that SSNs have been traditionally used
by public and private institutions in ways never intended when
Congress passed the Social Security Act in 1935. Institutions
use SSNs
- To help verify identity ("You forgot your account number? What's
your SSN?").
- To authenticate ("Your password is the last four digits of your
SSN.").
- To link data from several sources about any one person (Credit reports,
bank accounts, credit cards, medical records, etc.).
The amount of information collected and retained about each person and the
number of connections between databases filled with personal information
make it more important than ever that SSNs be used properly and stored
wisely. Because an SSN is used to link so much data about a person,
its use for verifying identity or authenticating an account needs to
be eliminated. SSNs should not be collected or used except in cases
where their use is mandated by law.
Many University departments may be using SSNs
to identify people
because
"that's what we've always done."
For example, does a department really need
its student employees to list their SSNs on their bi-weekly time cards?
Or do the faculty in your department know that posting grades with even partial SSN
information is a violation of FERPA?
It is in the interest of the entire University community that
we
eliminate uses of people's SSNs as
identifiers and that we do not collect and store SSNs
except as
required by law.
