Turns out the call center rep, Youlanda Rochelle Wright, was collecting Social Security numbers as part of RadioShack's then-current deal with Dish Networks. Dish apparently required those numbers when extending credit to new customers. Given the bad publicity coming from this 6.5-year prison sentence for a onetime RadioShack customer service rep accused of ripping off her customers, it might be time to call for strict IT rules that refuse to store ultra-sensitive data, such as Social Security numbers, at all.
Why not borrow a tactic from payment security and use a token? Or perhaps require partners to collect such data themselves? Or send those customers to a site for capturing that data in a way customer service reps cannot access?
Wright's attorney, Catherine Dunnavant, argued that if chains like RadioShack want to avoid such problems, deciding to never collect this type of data is a good place to start. "This was really tempting. It's crazy easy," Dunnavant said about her client's ability to craft complete tax returns solely using what RadioShack gave to her. "I believe it was too easy."
Chains such as RadioShack would never consider storing payment-card data in the clear, lest they be hit by both PCI and the Federal Trade Commission (FTC). Heck, the courts have even forced retailers to give up on asking for ZIP codes at checkout. But the absence of PCI-like rules for privacy data has left a huge vacuum. IT must deal with this issue through policy. By the way, encryption wouldn't have helped in this case because the accused apparently wrote down the numbers as they were told to her. The only cure is to simply not accept the numbers.