Sunday, April 26, 2009

My Social Security Number is …

During the past year or so, I had worked at Abrevity on developing Information Management solutions. Among other things, our products enabled companies to better manage information containing sensitive data (be it credit card numbers, social security numbers, names, addresses, etc.). This has become even more critical due to the explosive growth of unstructured data.

As I mentioned in prior blog postings, the problem of unfettered information growth is huge.

Unfortunately, Abrevity ran into even bigger issues (think: economic tsunami) and was unable to raise the capital necessary to continue operations. So, while I am doing part-time consulting for Abrevity, I am actively pursuing other outside opportunities.

I started the process by creating a marketing plan – to better sell my unique set of skills and experiences to the market at large (I’ll write more about this in a future blog post).

One of the first things I did was post my resume on Dice. Almost immediately, I got contacted by four different recruiters for the same opportunity at a global communications company. Each recruiter had contacted me via email and had asked me for some personal information along with my social security number.

What? They wanted me to email them my social security number. Why? Well, apparently, the hiring company required that the recruiters provide this information for all submissions.

So, let’s see. My social number gets sent to the recruiter in clear-text via email. Then, the recruiter submits it to the hiring company’s HR department. I wonder how many people have access to this very private piece of information. Not only that, I wonder how many places my private information it is stored along the way. Certainly in an email system. Probably in a database. Perhaps, it is even stored in one or more unstructured documents (e.g. someone creates an XLS report containing all of the candidate names along with their social security numbers).

I have never worked with these recruiters before. How do I know that they are properly protecting my sensitive information? How do I know that they are ensuring that only people with a “need to know” have access to my sensitive information. The same could be said for the hiring company.

I realize that a lot of individuals have knocked the PCI DSS standard as being ineffective. They cite the Heartland Security Breach as proof. However…at least there is something (in terms of policy and procedures) to help ensure that my sensitive card information is being properly handled and protected.

But what about my social security number. Who is helping protect this? Without a doubt, a similar standard is needed. So, we can feel assured that our sensitive information is being properly handled.

So what happened to that opportunity? I passed. I refuse to provide my social security number unless the safeguards exist to ensure it is properly secured.



Post a Comment

0 comments: