May 25, 2005

SBC and Privacy - Huh?

I recently called SBC (née Pac*Bell) to convert my ISDN line into just a regular POTS line. I've not made an ISDN call in years, and I only needed one phone line anyway; no need to be dependent on my trusty Motorola Bitsurfr Pro ISDN TA.

Putting aside the fact that it took hours to find the right person to take the order (and to fix it several days later), I received a confirmation of the service change via US Mail. I was shocked to see my Social Security Number in the address line in the envelope's window.

I can't see how the SSN should appear anywhere in a service confirmation order, especially since they ask me for the last four digits when I'm talking to them about it, but maybe there is actually some good reason. It doesn't appear on my monthly bill.

But there is no conceivable reason why it should appear in "cleartext" in a postal address, as if it's somehow contributing to routing through the US Mail. Because it appears inside the address, it's not just a case of private data inadvertently appearing in a window after the page shifted.

Checking the SBC Privacy Policy, they talk generally about how securely they keep my private data, but I don't see how this practice could possibly square with it. I'm going to contact SBC and see what they say about this, but I'm skeptical that I'll find anybody who even understands what this is about. Has anyone else seen this?

Update - It seems that California law explicitly forbids doing what they're doing. Thanks to Kasia for her peerless research skills: Section 1798.85(a)(5) of the Civil Code generally forbids mailing of Social Security numbers, but provides some exceptions that seem generally reasonable. But in any case:

"A social security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened."

It's hard to see how they might talk their way out of this one. From what I can tell, this is a self-contained "Steal Steve's Identity Kit".

Update #2 - I called SBC and got a really helpful agent; he found that some previous agent had typed my SSN in the wrong field, which he removed immediately after apologizing and agreeing that it was a bad thing. I don't think I could have asked for a better response, and this suggests a one-time screwup rather than a systemic programming issue and/or sloppy data security practice. Not sure there's really anywhere to go with this.

As an aside, why is ISDN still handled out of the Emerging Products Center? I wonder if Touch Tone is "Emerging" too?

Posted by steve at May 25, 2005 05:14 PM
