RadioShack Rep Used Customer Data To File False Tax Returns. Why Is RadioShack Even Still Collecting SS Numbers?

When a RadioShack call center representative was sentenced to prison on Monday (July 23), it was because she had pled guilty to filing false tax returns to collect refunds. The information she needed to create bogus tax returns, including valid Social Security numbers, came from RadioShack customers with whom she had worked. But why was RadioShack collecting and storing Social Security numbers in the first place?

Turns out the call center rep, Youlanda Rochelle Wright, was collecting Social Security numbers as part of RadioShack's deal at the time with Dish Networks. Dish apparently required those numbers when giving new customers credit. Given the bad publicity coming from this 6.5-year prison sentence for a onetime RadioShack customer service rep accused of ripping off her customers, it might be time to call for strict IT rules on refusing to store ultra-sensitive data, such as Social Security numbers.

Why not borrow a tactic from payment security and use a token? Or perhaps require partners to collect such data themselves? Or send those customers to a site for capturing that data in a way customer service reps cannot access?

Wright's attorney, Catherine Dunnavant, argued that if chains like RadioShack want to avoid such problems, deciding to never collect this type of data is a good place to start. "This was really tempting. It's crazy easy," Dunnavant said about her client's ability to craft complete tax returns solely using what RadioShack gave to her. "I believe it was too easy."

Chains such as RadioShack would never consider storing payment-card data in the clear, lest they be hit by both PCI and the Federal Trade Commission (FTC). Heck, the courts have even forced retailers to give up on asking for ZIP codes at checkout. But the absence of PCI-like rules for privacy data has left a huge vacuum. IT must deal with this issue through policy. By the way, encryption wouldn't have helped in this case because the accused apparently wrote down the numbers as they were told to her. The only cure is to simply not accept the numbers.