Kroll Fraud Solutions Blog – A Dialogue on Data Security

As we explained in yesterday’s post, the use of the so-called CPN that’s tied to a new SSN poses significant dangers to the victim, particularly if he or she is a minor. One of the reasons minor identity theft is so difficult to deal with is because it’s generally not caught until the child turns 18, which is usually the first point at which they apply for some type of credit. A thief can use the number for many years and pile up significant debt because of this. It’s also very difficult for lenders and other financial institutions to catch this type of crime, because there’s no existing credit file associated with the child’s SSN. In fact, there is no easy way to determine with certainty that any particular SSN actually belongs to a minor, although that may be changing.

Businesses often request a lot of personal identifying information (PII) from their customers. Quite often, these are legitimate requests intended to facilitate a business transaction. But there are many organizations that don’t practice sound data minimization tactics and gather all sorts of unnecessary information from customers. For instance, businesses often request Social Security numbers (SSN) as a matter of routine. The question is: does the business have a legitimate need for the SSN?  If so, what policies and procedures are employed to protect this customer data?