07-15-2008, 03:58 PM   #1
avatardeviva
Member
 
Registered: Jan 2004
Location: Almost Canada :-p
Posts: 34

Rep: Reputation: 15
Storage of private (namely SSN) information


Hey Folks,

So, I'm working for a company that does car dealership software. Without getting into too much detail, the software stores SS numbers for credit reporting by the car dealerships. That's all great and good, except for the fact that the SS numbers can be read in a plain text file along with the person's full name, address, phone, etc. Now that right there should make you say "what companies are using this software so I can avoid them". Most of the time the information is also available in the program just by clicking a couple of buttons. To make it even better, the company requires you to share the folder publicly from the computer so that the program can be used at multiple locations (over unencrypted connections of course!). Dealership data is backed up on multiple servers with multiple companies in what is basically a zip file, again completely unencrypted and on a shared web host. So, the question is, what to do? I've already discussed the matter with 'the boss' and have so far gotten nowhere. Basically he doesn't feel that it's that big of a deal and brushes it off (along with the idea of switching to Java from Clarion). So what do you all think of this?

*Edit* I forgot to mention he's got around 4,500 dealerships using this, and when we do development we have to use "live" data, so there are people's numbers all over the computers here at work. There's got to be a law against this?!

Stephen

Last edited by avatardeviva; 07-15-2008 at 04:01 PM.
 
07-15-2008, 04:57 PM   #2
jcookeman
Member
 
Registered: Jul 2003
Location: London, UK
Distribution: FreeBSD, OpenSuse, Ubuntu, RHEL
Posts: 417

Rep: Reputation: 33
Sadly, there is no strong legislation in the US protecting private individuals from reckless disclosure of their private data -- at least criminally. The notion of private data is vague at best. There are, however, state laws that address this issue. So, you'll need to check on your state. There is now federal legislation in committee that will cover this issue, but it's just in committee, and we know what happens to the majority of that legislation.

What I would do is either a) attempt to address the issue by providing a solution or b) quit. Either way you cannot be held liable, but who wants to work for such idiots anyway.

/not a lawyer
 
07-15-2008, 09:19 PM   #3
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040
In addition to jcookeman's pts a), b), also do c) email the boss (politely) about this and cc yourself.
If the info gets out, they will be looking for a fall guy...
It might also be good to cc the Legal dept and/or Corp Governance dept (if you have one)
 
07-16-2008, 03:06 PM   #4
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
Stuff like this makes me want to vomit.

The steps I would take (and it looks like you are already on the path).

1) Attempt to educate. This might need to go further than the boss. Does this company have a compliance department?!?
2) Dust off resume, find new job.
3) Blow whistle. Consumers have a right to know when information is being handled poorly.

While I'm not a massively huge fan of large government, the US desperately needs strict laws regarding the handling of sensitive information in the private sector. It is outrageous the cavalier attitude some companies/people take towards customer data.
 
07-16-2008, 04:27 PM   #5
avatardeviva
Member
 
Registered: Jan 2004
Location: Almost Canada :-p
Posts: 34

Original Poster
Rep: Reputation: 15
Thanks for the replies folks, it's nice to know that I'm not insane in being irritated about this. I've done what I can to 'educate' and it hasn't worked, so now I'm looking for a new job (haven't quit yet - still need to pay the ol' bills!). Once I have a nice, new shiny job I'll be letting the cat out of the bag.
 
  

