Security Issues Regarding Customer Identification
Wednesday, July 29, 2009 7:20
I have another life story today to make a point about the use of Social Security Numbers as personal identifiers. Over the past two weeks, my wife and I have had the need to talk to our mortgage company, a dentist, a doctor for one of our kids, our phone company and, of course, our health insurance company. When talking to each one of them, they either asked for my social security number or wanted to have the last four digits of my social security number. Some asked to verify my identity, and others asked because they said it was necessary for insurance purposes. These situations got me thinking about why businesses are using social security numbers as personal identifiers. Then, it got me thinking about why all these different types of businesses have or want my social security number.
If I have an account number with a company or can identify myself through other means, why does that business feel the need to also have a customer’s social security number? I know some businesses such as banks are heavily regulated and require some personal information, and there is nothing the business can do about it. In most instances, however, this is not the case, so it appears that some businesses collect it out of habit when in reality they do not really need the information. From my experience, health care-related businesses such as doctors, dentists and other similar types of businesses try to collect this information from a customer more frequently than other types of businesses.
Are you one of those businesses that collect and store customers’ social security numbers? Why do you? Is there a specific requirement in your industry? I would be interested to know. If you have read any of my previous posts, such as the one on PCI compliance, you know my thoughts on collecting and storing personal information such as social security numbers from customers. For those who have not read my previous posts, my thought is simple: if you do not need the information, do not collect it. Basically, it is unnecessary and puts customers at risk. If you must collect personal information such as credit card information or any other sensitive information, keep it only as long as is necessary, then purge it from your system. Do not keep any sensitive customer information longer than you need for business purposes.
Too many times we collect information that we really don’t need out of habit or because it is on a form, etc. Take a look at what sensitive customer information you are collecting and see if you really need it. Make changes to stop the collection of the information and purge the old information from your systems. This will help protect your customers from identity theft, and I know they will appreciate that you are looking out for their welfare. It will also protect your business from liability-related issues. Remember, if you don’t have sensitive customer information, you will not have to spend time and effort protecting it. I would love to hear what conclusions you come to as you examine this issue.