California SSN and Encryption
Roland Perry
roland at linx.net
Fri, 12 Jul 2002 09:06:28 +0100
In message <3.0.2.32.20020712064827.012e3d00@pop3.norton.antivirus>,
Donald ramsbottom <donald@ramsbottom.co.uk> writes
>The problem of identity theft via Social Security Numbers is getting so
>bad new laws mandating encryption of transmission of numbers.
>
>"California Law Curbs Release of Social Security Numbers, Mandates Encryption
>Aiming to curb the fast-rising rate of identity theft, a new California
>law, effective July 1, requires Internet transmission of Social Security
>numbers (SSNs) to be encrypted and bans private companies from disclosing
>SSNs. The law does not apply to state or local agencies. Under the new
>law, an individual may not be asked to transmit his or her SSN over the
>Internet unless the connection is secure or the SSN is encrypted.
>Moreover, individuals cannot be required to use their SSNs to access
>Internet Web sites unless additional authentication (e.g., a password or
>unique personal identification number) is also required for access. The
>California law also (i) bans the public posting or display of an
>individual's SSN in any manner; (ii) bans printing an individual's SSN on
>any identification card required to access products or services; and (iii)
>bans printing an individual's SSN on any materials that are mailed to the
>individual, unless otherwise required by law.

Makes you wonder why anyone would ever think that just a SSN was an
adequate proxy for a username and password, in the first place!

UK DPA law would prevent companies from disclosing NI numbers [and it's
bizarre that US State and local agencies are absolved from any duty of
care in this respect].

There's a strong impression amongst many UK institutions that it's
illegal under UK law to use the NI numbers for any purpose other than
gathering NI. For example, as a way to identify employees for more
general (including IT related) purposes. Does anyone know if this is an
urban myth?

--
Roland Perry | tel: +44 20 7645 3505 | roland@linx.org
Director of Public Policy | fax: +44 20 7645 3529 | http://www.linx.net
London Internet Exchange | mbl: +44 7909 68 0005 | /contact/roland