Over at the Huffington Post this week, there have been a couple of posts about Google having collected partial Social Security Numbers of children as part of the entry requirements for the company’s “Doodle-4-Google” contest. (Helpful to start with Larry Magid’s post yesterday, “Why Google Stopped Collecting the Last 4 Digits of Kids’ Social Security Numbers” which is a follow-up to Bob Bowdon’s article, “Why Has Google Been Collecting Kids’ Social Security Numbers Under the Guise of an Art Contest?“).
As Bob Bowdon pointed out, collecting even partial SSNs can be a pretty big data security and privacy issue since the complete, accurate SSN can often be guessed based on other data such as the person’s city and year of birth (which, apparently, Google was also requesting). See this Datamation article, “Social Security Numbers Easy to Hack“, which talks about some really interesting research about predicting social security numbers from publicly-available data.
Apparently what the Google contest organizers were trying to do is use partial SSNs as a way of uniquely identifying contest entrants and “de-duplicating” duplicate/multiple entries. Yeah, probably a bad idea on several levels and I won’t belabor that point.
Of course, there are many organizations that do have to collect and ensure the security of private identity, healthcare and financial information about children. Recently, I had the chance to interview Matt Johnston,who is the senior security analyst for Children’s National Medical Center, a leading pediatric hospital based in the metro Washington DC area.
One of the most interesting things that he told me is that children are one of the top targets for identity theft. I hadn’t really thought about this before, but it makes sense.
As Matt told me, children have new or “clean” records. They don’t have established credit histories and outside of core identifiers like a social security number and birth record, there aren’t many other public records associated with a child’s identity. This makes that data easier to use in identity theft/fraud and, as a result, personal identity information about children fetches a premium on the black market.
So organizations like Children’s National Medical Center have to take privacy protection and data security extremely seriously. As a healthcare organization, CNMC has to comply with HIPAA healthcare privacy regulations, but as Matt explained to me, they go to great lengths to protect their patients’ data not just because its required by law but because its part of their core mission of protecting and caring for children.