Re: [Full-Disclosure] Emailing SSN info
From: Exibar (exibar_at_thelair.com)
To: "Tony Gettig" <GettigAM@kalamazoo.k12.mi.us>, <firstname.lastname@example.org> Date: Thu, 18 Mar 2004 17:36:10 -0500
Not knowing what vendor they want to ship these SSN's off to makes it hard
to answer, although I am NOT an attorney I believe they are opening up
themselves for trouble giving ANY third party the SSN's of their employees.
Unless it's a gov agency that is requesting this info, or a payroll company
that is printing payroll checks (like ADP), they should not even entertain
the thought of giving SSN's out.
If it is an "authorized" agency, I would send the info on CD-Rom,
certified mail. The CD-Rom would be encrypted, and the encryption key would
be sent under separate cover, also certified mail.
----- Original Message -----
From: "Tony Gettig" <GettigAM@kalamazoo.k12.mi.us>
Sent: Thursday, March 18, 2004 3:44 PM
Subject: [Full-Disclosure] Emailing SSN info
> Hi all,
> I work for a school district in the USA. Higher management wants to
> email a zipped data export (presumbably password protected) to a vendor
> that includes the Social Security Number for employees. I have advised
> them against this. Shipping a CDROM overnight would be more secure, IMO.
> Now they want to know if there are any laws pertaining to the emailing
> of SSN info. (Why they are asking me and not an attorney, I am not
> sure...though I AM going to tell them to speak to an attorney too.)
> Can any one point me to a website or cite specific US (or even state)
> laws regarding this? Even a reply telling me why this is a bad idea
> would be great. If I am wrong, I am glad to hear that too. Thanks in
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure - We believe in it.