Many businesses can’t function without collecting and storing essential information about their users, which often includes highly personal information tied to their identity – i.e., PII (personally identifiable information). In the event of a breach, PII can be used for fraud, identity theft, violating users’ privacy and putting them at risk, and holding companies for ransom.
In the USA, according to an AARP cosponsored report, nearly 42 million Americans were victims of identity fraud in 2021, costing consumers $52 billion in total losses. Despite these concerns, users are still willing to entrust organizations with their most sensitive data, believing it will be protected. In this article, we will focus on SSN (social security number) protection.
What Is SSN?
SSN (social security number) is a unique 9-digit numerical identifier assigned to eligible residents and citizens in the United States. SSN is directly tied to an individual identity, which can enable a thief to gain illegitimate access to bank accounts, credit cards, driving records, tax and employment histories, and other private information. It was created for the government and other official bodies to track lifetime earnings and the number of years worked, and determine benefits quickly, but it is now used for various additional purposes such as identity confirmation.
In addition to their official use, SSNs have a variety of non-government applications. In the U.S., residents need to provide their SSN to qualify for credit, open bank accounts, and confirm their identity when making large purchases. Although SSNs are unique to the US, similar identifiers such as driver’s license numbers, passports, and national IDs exist around the world, and the same rules apply to them.
Why Companies Collect User SSN
Organizations often collect and store SSNs for a variety of uses:
State authorities require SSNs to verify people’s identities. Unlike first and last names, a person’s SSN is not public knowledge and is unique, making it harder for others to impersonate the user and making it the ideal identifier for official bodies. Companies, primarily in the FinTech industry, use SSN for similar purposes; its uniqueness makes it an easy way to identify users in their system.
- Risk Assessment
SSNs can be used for risk assessment purposes. Financial and insurance institutions use SSNs to run credit checks and assess risks before providing insurance coverage, loans, or other financial services.
When you run any type of FinTech operation, as a financial institution or FinTech app, you need to perform identity verification for AML (anti-money laundering) compliance. In the United States, Know Your Customer (KYC) is part of AML regulatory compliance under the Bank Secrecy Act and the Patriot Act of 2001. Collecting SSNs is mandatory under this law in certain cases.
Why It’s Important to Protect SSNs
The consequences of a leaked SSN can be massive, both for the individual the SSN belongs to and the organization responsible for protecting it. This is because SSNs can be used to identify individuals directly, and often an SSN alone is enough to obtain more of a user’s sensitive information or even impersonate them directly. For example, SSNs can be used to steal users’ identities and impersonate them when applying for jobs, receiving medical care, getting government benefits, accessing or opening bank accounts, and issuing credit cards.
The effects of losing an SSN can affect victims for years. For example, the state of Massachusetts used SSNs as residents’ driver’s license IDs and many residents had their numbers stolen and used against them. This created problems with identification, insurance, and even mortgages, and although the state has abandoned this practice, the effects of the SSN thefts are still being felt years later.
The consequences of identity theft as a result of a breach don’t only affect the victim, but also the organization responsible for securing the SSN. More than 25 states have adopted laws restricting or prohibiting the collection, use, or disclosure of an individual’s SSN, and violating these regulations and applicable privacy laws can result in hefty fines and severe legal consequences.
How to Protect SSNs
There are a number of methods that can be implemented to protect SSN and other types of PII:
Encryption is the process of coding information in which you transform the original representation of the information (plaintext) into an alternative form known as ciphertext using a key. Ideally, only authorized personnel have the key and can convert ciphertext back to plaintext and access the original information. This process ensures that even if hackers access the encrypted data, there are no risks involved since they don’t have the key.
Unlike encryption, tokenization simply replaces the data with a random string of characters (called a token) that takes its place. This makes the data meaningless to outsiders. The token is a reference that maps back to the sensitive data through a tokenization system. Proper tokenization can be leveraged to pseudonymize a data set by replacing all sensitive information with non-sensitive tokens.
- Access Control
Another way of protecting SSNs is by limiting who has access to them, even within your own organization. Implementing access control methods means that only authorized users that have been authenticated can access the data.
- Data masking:
Unless it is explicitly required to view the full SSN number, data masking should, at least, take place in the presentation layer and analytics, presenting only the last 4 digits of the SSN and masking the rest of the digits.
- Data transformation:
Data transformation refers to the anonymization process, in which the data is no longer PII. For example, instead of providing a street address, the city or country would be provided for analytics and presentation purposes.
- Data masking:
- Anomaly Detection
Anomaly detection is used to identify rare or significant events that deviate from normal access patterns (baseline). For example, if a specific user usually accesses SSN numbers X times a day and suddenly begins to attempt to access the numbers twice as often, that would be an anomaly. When these incidents are detected in real-time, they can be investigated and if they appear to be the result of a breach, the access can be blocked and the source of the breach identified.
- Audit Logs
Audit logs maintain a record containing information about the operation of your system. The log includes valuable information such as timestamps and what resources were accessed and by whom. Audit logs don’t protect the data, but they help companies monitor data and keep track of potential security breaches or internal misuses of information. An audit trail is required to meet certain privacy regulations.
Piiano’s data privacy vault aggregates many of the benefits of the above methods into one holistic solution. PII vaults allow you to store all sensitive data in a central, secure location, supporting: encryption at rest and in transit, audit requirements, masking, and much more to protect SSN data. Data privacy vaults are one of the most reliable protection methods for PII in general and SSN in particular.
Protect Yourself and Your Customers
While having access to sensitive information, such as SSNs, may seem like a heavy burden, ensuring all parties remain protected by securing personal information should be part of your risk assessment and privacy impact assessment processes. Implementing proper protection methods will mitigate risks and keep your customers’ identities safe.
Collecting and storing customer SSNs should not be taken lightly; nevertheless, if it is a business need, adequate and effective privacy and security measures should be taken in order to protect the data and your customers’ identities. Failing to do so can have a severe brand and financial implications and loss of trust by your customers.
Piiano’s Vault is the ideal solution to help you cover all of your bases when it comes to SSN protection.