Everyone should have a windmill to tilt at, right? Mine is collection of SSNs by accounting departments that don’t need them, such as when they reimburse me for travel expenses.
Here’s my latest effort to work that issue, in an email sent to the American Institute of Certified Public Accountants:
Mr. [omitted] –
I pulled your email address off of the AICPA Web site. It seems like you’re well positioned in the organization to refer me to the right person with a question I have about accounting practices and privacy.
I’m Director of Information Policy Studies at The Cato Institute, a think-tank in Washington, D.C. My area of focus the last few years has been identification, particularly with reference to national identification cards and their relationship to surveillance. I’ve become very conscious of the overuse of the Social Security Number as a tracking tool (though I’m well aware of the efficiency gains from SSN use too).
I travel around the country quite a bit, speaking to various groups about privacy issues. When the time comes to settle up for travel expenses, more often than not the organization will ask me for my SSN in order to make that payment. My understanding is that there is no IRS reporting obligation on expense reimbursements, and that the IRS reporting obligation on income only kicks in at $600. Yet, time and time again, when I seek reimbursement of my travel expenses, I get a request for my SSN.
Pity the hapless conference organizer that must act as a go-between, with the persnickety privacy advocate on one side and the high-handed accounting department on the other. If I’m correct that I don’t need to submit an SSN, how do I communicate to accountants that they are over-collecting sensitive information and should not do this?
You may see this as a trivial complaint, and, in each individual instance, it is. But my job is to look over the horizon, and in the coming much-more-digital age, over-collection of uniform identifiers will be a greater and greater intrusion on privacy. Collecting SSN information adds to an organization’s liability should it suffer a data breach, so if it’s not needed it shouldn’t be collected.
Do you think there might be someone in your organization with an interest in this question? Perhaps your profession is already getting ahead of the ball on privacy issues like this. I’d love to discuss this with someone who could help communicate to accountants that collection of the SSN when it’s not needed is a mistake.
Thanks in advance for your help.
Director of Information Policy Studies
The Cato Institute