Non-Photo Related Legal Question

IANAL, but I think that your employer must know (and update) your SSN, if for no other reason because it is also your Tax ID.

Can you verify that the email address really belongs to your company (and its finance department): perhaps you have a company-wide directory listing of all valid emails and you can cross-reference it against it?

Also, the web site address they gave you to update your information may not be encrypted (although it's odd for it not to be), but if it is located inside your company's intranet (i.e. there is no top-level domain at the end of the first term, such as .com, .net, etc...), it doesn't matter, as the information won't leave your company network, even if it spreads multiple locations. Communication between multiple location is probably already encrypted, otherwise your IT and finance department are... well let not say it here! :wink:

 

Call the finance dept:>)))

 

In some instances, SSN are required. Employers and banks (if paying interest on funds) are the first two which come to mind. Here, if someone wants the deposit on their home purchase to be put into an interest bearing certificate, they have to provide their SSN. No number, no interest.
Tenants can also refuse to give their SSN on an application but they do have to provide a valid up to date credit check if requested/required.

I wouldn't send any information, esp SSN, over the internet. No need, and too much to lose. Identity theft is rampant.

 

I would NOT give up that information at all as this appears to be a scam. call the company and check.

 

I would follow Raul's suggestion. Call your HR Department and tell them that you are concerned about the Finance Dept. asking employees submitting info over insecure internet means. They probably should reign in the finance dept. if they are indeed behind this request. The company you work for has had your SSN already for a long time, so to me it looks like Phishing. Let's know how it works out.

 

FYI: intranet site also have top-level domains all the time. In fact, I don't think I've ever worked on a company intranet that didn't have a top-level domain. Actually, an intranet differs only in the fact that it is behind a firewall and inaccessible from the public internet, except via a VPN or a direct connection to the company network.

 

It depends. Some companies set up their DHCP servers to provide an automatic top-level domain which gets appended automatically, and also code their intranet site so it does not use the top-level domain. It makes it easier to visually distinguish in a URL what is private from what is public. Otherwise, you are of course correct: the main difference between an intranet and internet site is that the former is not publicly accessible...

 

Does the URL begin with "http" or "https" ("s" added on second one)? If it is https, then it is a secure site. Our company contracts out lots of things - online employee surveys, benefits management, etc. All of them are secure connections (https). Depending on the size of your company, they may just be outsourcing some in-house processes.

 

Strange - why isn't the email from your HR dept ? Surely they pay your salary,call your next of kin if there is an accident at work etc. and would need your personal details ?

 

it's possible the page which contains the form is http (not ssl) but that the data when you hit 'send' (or whatever) does go over https,. though not commonly done I have seen it occasionally

Sil