On Fri, Jan 15, 2010 at 1:30 PM, Clay Shentrup <clay@zendesk.com> wrote:
Dana,
Thanks for the feedback.
It is a misuse of the SSN to perform verification (using the SSN as an authenticator). Even using it as an identifier is a questionable practice aside from government agencies or agencies which interact with government (e.g. banks, Medicare supplement policies).
Here is an excellent explanation of this issue.
http://www.privacyrights.org/ar/FTC-SSNworkshop-Speech.htm
In short, here is what I surmise is happening. The insurance company just needs some "secret code" to use for verification, much like a password. They happen to like using the SSN because people tend not to forget it like they do with passwords, and because they think (but they are actually mistaken) it is unique. I do not believe that they need the SSN per se. I highly doubt they are doing any verification with the Social Security Administration, since I'm not currently on Medicare or any other government insurance plan with which they would have to coordinate. They just need some authenticator -- just some arbitrary series of numbers and/or characters, but they say they need it to be "the employee's Social Security number" because very few users care enough about their privacy to question that policy, and it makes their jobs easier (fewer cases of I.T. people having to reset forgotten passwords and such).
Again, that is just my theory, but whether or not it is correct, I'm quite certain that they don't need the SSN, and I certainly did not explicitly authorize Trinet to give them that private information. So I consider that to be a mishandling of my personal information to some extent.
In any case, thank you for your help. I will await a progress update.
Regards,
Clay Shentrup
San Francisco, CA