I've just opened an e-mail from the finance dept at work requesting that I update all my personal information, including SSN. They have a web site address that we are supposed to go to do it. It is not secure, I there is no secure site icon anywhere. I replied to the sender that the site was not secure and was told to fill out the info on paper (I know they will just enter it themselves). Knowing this, I have a really queasy feeling right now. Does anyone here know what rights I have, if any, regarding me protecting my SSN??
IANAL, but I think that your employer must know (and update) your SSN, if for no other reason because it is also your Tax ID. Can you verify that the email address really belongs to your company (and its finance department): perhaps you have a company-wide directory listing of all valid emails and you can cross-reference it against it? Also, the web site address they gave you to update your information may not be encrypted (although it's odd for it not to be), but if it is located inside your company's intranet (i.e. there is no top-level domain at the end of the first term, such as .com, .net, etc...), it doesn't matter, as the information won't leave your company network, even if it spreads multiple locations. Communication between multiple location is probably already encrypted, otherwise your IT and finance department are... well let not say it here! :wink:
In some instances, SSN are required. Employers and banks (if paying interest on funds) are the first two which come to mind. Here, if someone wants the deposit on their home purchase to be put into an interest bearing certificate, they have to provide their SSN. No number, no interest. Tenants can also refuse to give their SSN on an application but they do have to provide a valid up to date credit check if requested/required. I wouldn't send any information, esp SSN, over the internet. No need, and too much to lose. Identity theft is rampant.
I would NOT give up that information at all as this appears to be a scam. call the company and check.
I would follow Raul's suggestion. Call your HR Department and tell them that you are concerned about the Finance Dept. asking employees submitting info over insecure internet means. They probably should reign in the finance dept. if they are indeed behind this request. The company you work for has had your SSN already for a long time, so to me it looks like Phishing. Let's know how it works out.
Thanks all, I have verified it is from work, but it concerns me that this site is available outside of the work computer system, thus, in my thinking, it should be encrypted. It is possible that it is, I'll have to check when I get home. I don't have an issue with giving work my SSN, (even though they already have the info, how many times does someone get a new or different SSN????) I just have a problem with them putting it on what appears to be a non-secure site. I also have little faith in our IT department, who supposedly set this all up, as they can't even seem to fix the day to day problems. The stuff that they told me couldn't be fixed was fixed by a temp summer help kid in 45 seconds. And yes, I think it is an internet site, www.********.org/*****
FYI: intranet site also have top-level domains all the time. In fact, I don't think I've ever worked on a company intranet that didn't have a top-level domain. Actually, an intranet differs only in the fact that it is behind a firewall and inaccessible from the public internet, except via a VPN or a direct connection to the company network.
It depends. Some companies set up their DHCP servers to provide an automatic top-level domain which gets appended automatically, and also code their intranet site so it does not use the top-level domain. It makes it easier to visually distinguish in a URL what is private from what is public. Otherwise, you are of course correct: the main difference between an intranet and internet site is that the former is not publicly accessible...
Does the URL begin with "http" or "https" ("s" added on second one)? If it is https, then it is a secure site. Our company contracts out lots of things - online employee surveys, benefits management, etc. All of them are secure connections (https). Depending on the size of your company, they may just be outsourcing some in-house processes.
Strange - why isn't the email from your HR dept ? Surely they pay your salary,call your next of kin if there is an accident at work etc. and would need your personal details ?
it's possible the page which contains the form is http (not ssl) but that the data when you hit 'send' (or whatever) does go over https,. though not commonly done I have seen it occasionally Sil
Well, it appears that isn't the case here, either. I watched as one employee hit the send button and saw no indication of security, neither the https or the encryption icon. I've e-mailed the IT guy for his explaination, doubt I'll get more than double talk.
