10

I'm working for a client that keeps records of social security numbers in their databases, numbers pulled from screenings and automatically captured from companies and other financial data. A few million SSNs attached to names, addresses, work history, pay history...etc

As I'm working through their codebase, I keep wondering if there are any regulations that they need to be compliant with. Right now SSNs are encrypted in the DB, but anyone can log into their public-facing web app as an admin with an insecure password (something as simple as admin@company.com, pw: admin) and view them in plain text, and existing employees can search for SSNs and view information on the numbers' holders.

Is there any sort of compliance (similar to PCI for payment info) that needs to be followed/adhered to for SSNs and personal information?

David
Douglas Gaskell
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf Classifies SSN as PII (duh), and then states that all PII should be protected by "reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data." – Artog Jul 15 '19 at 12:10
  • Hi @Douglas Gaskell, I recommend that you not mention particular types of security vulnerability your employer or customer may have. A person may be able to put 2+2 together and use the info to attack your customer. This could also come back to embarrass you if your customer recognizes themself here. – Douglas Held Jan 20 '20 at 15:19
  • "What regulations am I subject to?" is more of a legal question than a security one. – schroeder May 12 '21 at 22:18
  • @schroeder In that case are questions & answers that touch on PCI-DSS (Or anything related) off topic now if that's how you are interpreting this? Seems pretty odd to close this *checks date* 3 years later. If something like PCI-DSS is created that provides guidelines & enforcement around SSN's, how will this question be answered now that you, a single individual, have decided you dislike it and have walled it off from further contribution? – Douglas Gaskell May 13 '21 at 23:57
  • Because then it would be answered on law.stackexchange.com. There are *many* regulations about protecting SSNs. They are all legal regulations. GDPR being the most famous. The question asked is more of a legal question than a security one. – schroeder May 14 '21 at 06:43
  • And do simmer down. Every hour the system randomly selects posts that do not have any upvoted answers and bumps them to the top of the queue for review and attention. Since this should have been closed then, there is nothing special about it being closed now. – schroeder May 14 '21 at 07:12

2 Answers

1

This is one of those times that there may not be a clear and specific answer, but I assure you, there is an answer.

Part of that answer is found in one of the comments here made by Artog. There IS a NIST publication on the subject. The bigger concern is this...

In every Security class we discuss the prudent person rule. The question is “what would a prudent person do with this situation?”

If this company is using insecure methods to protect data that can potentially harm people (SSN, name, address, phone number, employer, etc) they CAN open themselves to huge liability. They could be responsible for any financial problems they cause.

There are several problems with what you have posted:

  1. Is someone already exploiting their database?
  2. It is likely the problem will only be discovered after damage is done.
  3. Then, the question is, do they notify anyone in the database of the breach?

The reality is, that unless whatever this database is falls under some form of regulation/control, it is unlikely that a change will happen. Because change costs money, and the business is likely already making money off the database with the vulnerabilities you described in place.

Everett
  • This is not an answer to "are there regulations?" This is an answer to "is the company liable?" That's a very different question. – schroeder May 12 '21 at 22:23
  • The question “are there regulations” is a narrower version of “what is expected?” If there isn’t a regulation and you get taken to court, you still risk losing (ask me why I know). I was offering a “complete” answer showing how the question was too narrow in scope compared to what was being asked for. Obviously worth -1. – Everett May 13 '21 at 23:14
  • Not "more complete" but rather "exploring tangents". Since it does not actually answer what was asked at all (you don't touch on standards or regulations), it should have been a comment. – schroeder May 14 '21 at 06:45
-5

Yes, PCI-DSS. However, it is not a federal mandate like NERC-CIP.

jas-
    PCI only concerns itself with payment processing data, which includes: Primary account number, Cardholder name, service code, card expiration date, CVV, PIN, and card track data. It doesn't concern itself with SSN or other PIIs that a company may have collected. – Lie Ryan Jul 15 '19 at 11:59
  • @jas- it might be helpful if you explained or provided evidence to support your assertion that PCI-DSS extends to SSNs as part of the PII within its scope. I'm having trouble finding anything that supports your assertion. – schroeder Dec 13 '20 at 19:46
  • “PCI DSS covers PII when it is related to cardholder data, such as the PAN, cardholder name, service code, and card expiration date, according to InfoSec Institute. It also covers sensitive authentication data such as a card PIN.” Reference: https://info.cgcompliance.com/blog/protecting-pii-and-pci-compliance-where-the-two-intersect. Is that what you want? – jas- Dec 14 '20 at 03:37
  • Your answer is based on the idea that SSN is on the cards. But according to the standard (https://en.wikipedia.org/wiki/ISO/IEC_7813) there is no field for that. Can you please provide ***any*** evidence for your assertion that SSN "is most often encoded on the RFID or magnetic tape on credit cards" – schroeder May 12 '21 at 22:17
  • I misspoke, the CC would correlate to a SN – jas- May 13 '21 at 21:06