Hey Folks,

So, I'm working for a company that does car dealership software. Without getting into too much detail, the software stores SS numbers for credit reporting by the car dealerships. Thats all great and good, except for the fact that the SS numbers can be read in a plain text file along with the person's full name, address, phone, etc. Now that right there should make you say "what companies are using this software so I can avoid them". Most of the time the information is also available in the program just by clicking a couple of buttons. To make it even better, the company requires you to share the folder publicly from the computer so that the program can be used at multiple locations (over unencrypted connections of course!). Dealership data is backed up on multiple servers with multiple companies in what is basically a zip file, again completely unencrypted and on a shared web host. So, the question is, what to do? I've already discussed the matter with 'the boss' and have so far gotten nowhere. Basically he doesn't feel that its that big of a deal and brushes it off (along with the idea of switching to Java from Clarion ). So what do you all think of this?

*Edit* I forgot to mention he's got around 4,500 dealerships using this, and when we do development we have to use "live" data, so there are people's numbers all over the computers here at work. There's got to be a law against this?!

Stephen

Sadly, there is no strong legislation in the US protecting private individuals from wreckless disclosure of their private data -- at least criminally. The notion of private data is vague at best. There are, however, state laws that address this issue. So, you'll need to check on your state. There is now federal legislation in committee that will cover this issue, but it's just in committee, and we know what happens to the majority of that legislation

What I would do is either a) attempt to address the issue by providing a solution or b) quit. Either way you cannot be held liable, but who wants to work for such idiots anyway.

/not a lawyer

In addition to jcookeman's pts a), b), also do c) email the boss (politely) about this and cc yourself.
If the info gets out, they will be looking for a fall guy...
It might also be good to cc the Legal dept and/or Corp Governance dept (if you have one)

Stuff like this makes me want to vomit.

The steps I would take (and it looks like you are already on the path).

1) Attempt to educate. This might need to go further then the boss. Does this company have a compliance department?!?
2) Dust off resume, find new job.
3) Blow whistle. Consumers have a right to know when information is being handled poorly.

While I'm not a massively huge fan of large government, the US desperately needs strict laws regarding the handling of sensitive information in the private sector. It is outrageous the cavalier attitude some companies/people take towards customer data.

Thanks for the replies folks, its nice to know that I'm not insane in being irritated about this. I've done what I can to 'educate' and it hasn't worked, so now I'm looking for a new job (haven't quit yet - still need to pay the ol' bills!). Once I have a nice, new shiny job I'll be letting the cat out of the bag.