Beyond Complying: The Social Security Hot Potato

It's clear that customers will demand more than the law requires of companies that hold customer data. What's unclear is just what customers expect of those companies. -- Sidebar to: Rules Of The Road

Chris Murphy, Editor, InformationWeek

October 3, 2003

Any company that touches a Social Security number needs to stay ahead of two fast-moving trains: legislation and public suspicion.

Consider Hewitt Associates LLC. The human-resources outsourcing and consulting company is steeped in both legal and privacy expectations, since it manages insurance, retirement, and payroll plans for more than 16 million people. Yet, until a California law came along last year restricting the use of Social Security numbers, Hewitt often sent out forms and served Web pages that had the numbers on them, even when it wasn't absolutely necessary.

To comply with California's law, Hewitt changed many of its forms so only those that absolutely require Social Security numbers carry them. Same with Web pages. The legislation is designed to keep identity thieves from pilfering Social Security numbers from mail or trash bins or from someone seeing a number while it's up on a Web screen.

Now Hewitt is planning in December to roll out a log-in system to its self-serve benefits Web site, replacing a Social-plus-PIN system with one that lets people pick their own account names. The company already encrypts Social Security numbers when they're transmitted outside a Hewitt system, and it's looking into encrypting stored Social Security data.

"You'll see more and more encryption of Social Security numbers in the coming years when they're stored, not just when they're in transmission," says Dan Josephites, Hewitt's global information security officer.

The recent dustup over JetBlue Airways' disclosure of customer records for use in a government test shows how companies with any personal information need to stay ahead of public opinion as well as legislation. That's why Hewitt is creating a training program that every employee will go through, an initiative being sponsored by CEO Dale Gifford and chief operating officer Dan Holland. In the past, privacy training focused on individuals' roles and the information they managed. Now, Hewitt is trying to create a single companywide way of thinking about customer data.

It's clear that customers will demand much more than the law requires of companies that hold customer data. What's unclear is just what customers expect. "Our clients know to ask certain hard questions," says data privacy officer Amy Yates. "A lot of attorneys are raising red flags, but not a lot know how to come up with the solutions."

Illustration By Craig LaRotonda

About the Author(s)

Chris Murphy

Editor, InformationWeek

Chris Murphy is editor of InformationWeek and co-chair of the InformationWeek Conference. He has been covering technology leadership and CIO strategy issues for InformationWeek since 1999. Before that, he was editor of the Budapest Business Journal, a business newspaper in Hungary; and a daily newspaper reporter in Michigan, where he covered everything from crime to the car industry. Murphy studied economics and journalism at Michigan State University, has an M.B.A. from the University of Virginia, and has passed the Chartered Financial Analyst (CFA) exams.
