Should board member take social security numbers home with him on flash drive.

Of course he shouldn't take the social security numbers home, if he was smart he wouldnt even want to put his employees at risk of identity theft. If I was her, I would send an e-mail stating that I could not be held responsible for anything that left the office, and comply with his request. There really is nothing else she can do...

Cris,

As a member of the Board, they certainly have a right to the information. The question is, do they have a right to take it home and possibly place it on an unsecured network.

I also concur that the employee was proper in withholding the SSNs. As the Superintendent of the Golf Course what are you doing to protect your employee? Will you shoulder the responsibility and refuse the request or just leave it to the manager?

You stated that the President contacted a lawyer for legal advice. Has the Golf course contacted one as well?

I can't provide you with legalities as I am not a lawyer.

I'd print out all the info and give it to them in paperwork citing the need to maintain only one set of books. An argument can be made that having two electronic copies in two different locations could be seen as having two sets of books, therefore to protect the Association a paper copy is provided.

Tim

They say to make a point, tell them three times.

Not a good idea. Not a good idea. Not a good idea.

Several states have enacted laws that restrict the capturing and use of social security numbers by businesses AND INDIVIDUALS. Connecticut, for example, has "Sec. 42-471. Safeguarding of personal information. Social Security numbers. Privacy protection policy." This law requires that any "person" ("person" includes businesses and individuals) in posession of personal identifying data, including social security numbers, to prepare a privacy and data protection policy which must be made known to every individual whose personal data is to be kept. The law makes other requirements and provides for civil penalties for violations.

Unfortunately, as far as I can tell, Wisconsin is not one of those states. As I understand it, it was even possible for anyone to obtain certain individuals' social security numbers over the internet on Dane County's website.

But what about the personal liability? What if someone does suffer identity theft as a result of this board member having posession of social security numbers? Who will be held responsibe? The golf course? The golf course manager? The individual board member? The president? The entire board? The entire association? My guess is all of them.

I believe the board member believes he can protect the information, but no one can predict the future and I'll bet he's not an expert in computer and data security.

Ask these questions:

1. What happens if the flash drive is lost or stolen? Is the data stored on the flash drive encrypted?

2. Is the home computer connected to the internet? What guarantee can be provided that the computer can't be hacked? And don't tell me that he has some commercially available home network and computer protection software. As good as such software may be, it's not good enough when it comes to true security which requires both software and hardware protection (I used to work in computer and data security).

3. What about access to the computer itself? What if someone breaks into the board member's home and accesses or steals the computer? Will the computer be physically locked down? What about access by other family members? Will the data stored on the hard drive be encrypted? Is the computer password protected? If so, is the password memorized and not stored somewhere where someone else can access it?

Too risky. The fewer places where those social security numbers are, the less likely they are to be compromized.

Maybe the board member has some (harebrained) idea of doing a background investigation on everyone?

I just re-read the posting. Why not suggest that ALL the books stay at the office and the new director can view them there. Everywhere I have worked we were not allowed to bring work home with us and load it on a computer. We could bring home a document we were drafting but NO business information. We are even banned to use CD's or Flash Drives at work due to viruses those bring in/out.

This a business and business is conducted at the business location. You want to catch up to speed then do it at work not on vacation or at home. I don't find it that impressive this person wants to bring their work home with them. Which is what sounds like they are trying to make. This is a breach of privacy for the employees (which could sue) and a violation of what should be in the business practices handbook.

If this does happen, let them ultimately have it but trace all the paperwork and times. Make a copy of what is sent on that flash drive. Contact a lawyer who specializes in business/corporate laws and sue. The HOA's insurance may cover this officer but it may not supercede privacy laws. Either way, there should be rules adopted by the business to prevent such actions from happening in the future. A review of the company handbook may be in order....

JAmes C

please provide the federal law to back up what you claimed. I call BS to the statement "it is against federal law to provide your social security number to anyone."

I can give it to whomever I wish, and at times, am required to provide it to others at their request. And, there are cases where, by federal law, I am required to provide/give the social security number of other people to a third party.

Cris,

I assume the social security numbers in question are those belonging to employees of the golf course. The bookkeeper there would certainly need them to process payroll and withholding taxes, prepare W-2s, etc. However, unless the new board member intends to take over these duties, I see no need for him to have them. Even if that is the case, he should just do that work at the golf course, not at home.

If his objective is just to "play around" with the system to learn it, he should be able to do that with an employee database without social security numbers, or with dummy numbers in place of the real ones.

Sounds to me like the SSN are "in" the quickbooks files they use for payroll. And he is keeping a backup file off site incase the boo keeper computer crashes etc. Keeping backups is very important. Kinda hard to do payroll without a ssn#

If you do not want this board member keeping a backup, then who? You need to pick someone and you need to keep backups off site.

I agree with the board member backing up the files and bringing them off site.

If he never uses the flash drive, it will never be hacked. In fact the flash drive is more secure than the book keeper's computer. Its not hooked up to anything.

Steve,

Nope.

"Sounds to me like the SSN are "in" the quickbooks files they use for payroll."

I believe the data is used for payroll purposes, but the "files" of a data processing system like Quickbooks are stored separately from the program. Think of a file drawer with a separate file (record) for each individual. Each record contains "fields" in which data is stored. One field for name, one for address, one for SSN, etc. I once had to develop a data handling system for human resources of the company I worked for. I couldn't have access to actual personnel records but still I had to be able to troubleshoot the system when something went wrong. Solution? Load the system with a dummy database containing fictitious data.

Besides, hopefully the board member isn't thinking of making a copy of the quickbooks software (program) and transferring it to his personal computer. That's called copyright infringement and is illegal.

"If he never uses the flash drive, it will never be hacked. In fact the flash drive is more secure than the book keeper's computer. Its not hooked up to anything."

Absolutely not true. What if the flash drive is lost or stolen? The person who finds it (or who has stolen it) plugs it into another computer and voila - they have personal information including SSNs. If you're going to put the data on a flash drive it has to be encrypted. Also, what's to prevent the board member from transferring the data from the flash drive to the hard drive of another (insecure) computer? There's way to guarantee security here.

"What if the bookkeeper dies?"

Hire another bookkeeper. The files are likely stored on a computer owned by the golf course and kept in the office, not on the bookkeeper's personal computer.

"Off-site storage and backup."

OK. Good idea. But, there's no reason for the board member to do it. The data can be encrypted and transferred to a disk or a flash drive and stored in a safety deposit box at a bank. Much safer and more secure. Bookkeeper and golf course management have access to the box at the bank.

By the way - unless they're encrypted, most data files are stored as ASCII characters and can be read by any simple text editor. You don't need the program (like Quickbooks) that created the files to be able to read the data.

The problem I have with providing the board member with access to the SSNs is taking the information HOME. If he needs to look at where the money is going, then he can access the records on the computer at the golf course where they are stored. There is no justification for him taking the information home where the data can be more easily compromised. I see no operational need, it is merely to suit his convienence. If he just wants to learn how to use Quickbooks, he can do that just as well with fictitious data.

This is the reason so many companies are going to Cloud computing software, as did the software company we chose. Our decision to go to this company was because they were the only one with this technology and when members of the board change, their permissions are removed and they can never retain any information. However, while in their office, they have 24 / access to the data they need from any location they have an internet connection.

SS#s should never be released, or asked for in any HOA situation. We discussed this issue a few years back with our attorney and the software company. They, the software company, refused to store the information, due to liability issues. They also refused to store Credit card information. The attorney we used also agreed with this companies policy. The HOA should remove and refuse to retain certain information as CC and SS information. You Golf Club and HOA has assumed a large un-necessary liability!

That is one solution. Another is to have the accountant encrypt the data. So no one but the aoountant doing the payroll and Taxes is able to view it on that machine.

I know, wwhen we last discussed that problem with the software company we use, they said they were going to create a module for their software to handle this situation. However, I have not heard or seen that offered as of yet.

So what if the board member wanted to poke around and see where the money is going. I would love it if every board member had this level of interest. I wish everyone would take the time to look over expenses and income, offer suggestions and make plans to better the HOA.

This is what you do:

Step 1. Make a copy of the quickbook file
Step 2. Open the file, delete all the employees
Step 3. Save
Step 4. Copy to flash drive
Step 5. Delete the file

You people are making a mountain out of a mole hill. The problem can be solved in 3 minutes.