lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: exibar at thelair.com (Exibar)
Subject: Emailing SSN info

Not knowing what vendor they want to ship these SSN's off to makes it hard
to answer, although I am NOT an attorney I believe they are opening up
themselves for trouble giving ANY third party the SSN's of their employees.
Unless it's a gov agency that is requesting this info, or a payroll company
that is printing payroll checks (like ADP), they should not even entertain
the thought of giving SSN's out.

  If it is an "authorized" agency, I would send the info on CD-Rom,
certified mail.  The CD-Rom would be encrypted, and the encryption key would
be sent under separate cover, also certified mail.

  Ex


----- Original Message ----- 
From: "Tony Gettig" <GettigAM@...amazoo.k12.mi.us>
To: <full-disclosure@...ts.netsys.com>
Sent: Thursday, March 18, 2004 3:44 PM
Subject: [Full-Disclosure] Emailing SSN info


> Hi all,
>
> I work for a school district in the USA. Higher management wants to
> email a zipped data export (presumbably password protected) to a vendor
> that includes the Social Security Number for employees. I have advised
> them against this. Shipping a CDROM overnight would be more secure, IMO.
>
>
> Now they want to know if there are any laws pertaining to the emailing
> of SSN info. (Why they are asking me and not an attorney, I am not
> sure...though I AM going to tell them to speak to an attorney too.)
>
> Can any one point me to a website or cite specific US (or even state)
> laws regarding this? Even a reply telling me why this is a bad idea
> would be great. If I am wrong, I am glad to hear that too. Thanks in
> advance!
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ