

Followup to FDIC Story

Posted on Nov 4, 2006 by Tom Fragala

This is a followup to my report on the FDIC web site I outed as being a security hole for users (see previous posts here and here).

I heard back from the Chief Web Officer of the FDIC. Essentially, the FDIC punted. Their response is pretty much that employer ID numbers (EIN) are public information and don't warrant any protection, and that all the laws and rules regarding privacy only apply to individuals.

I do appreciate the thorough response (twice) from the FDIC. They could have just ignored me.

However, I do have one niggling complaint and a philosophy difference. What happens if a non-corporation (e.g., a sole proprietor) uses the page in question? They would put in their SSN, since they don't have an EIN. The philosophy issue for me is that the FDIC, while probably technically correct in their response, is splitting hairs. They should not have any web page that even smells a little bad--they should be totally obsessed with privacy and security and projecting that image to the world.

Here's the email I got from the FDIC:

Hi Tom. Sorry for the delay in getting back to you.

The regulations you discuss in your email refer to transmission/collection of private information. Employer Identification Numbers (EIN) are public information, and appear on most public filings of businesses and organizations. Our Legal Division staff have recently confirmed for us that receiving this public information over the Internet does not constitute a violation of any privacy regulations.

The request for an EIN, again which is public information, for Business Accounts is important to ensuring an accurate deposit insurance report. One of the most common reasons businesses and organizations find themselves uninsured is that they think that changing the title of the account (e.g. "First Church of Goodness--Operating Account" and "First Church of Goodness--Building Fund") provides separate insurance coverage, when in fact, the funds are aggregated because they are owned by the same organization, as evidenced by a common EIN. While EDIE asks for both an account name and a business name, the EIN is also requested as an extra safeguard to ensure an accurate deposit insurance report.

To help ensure that no other users misinterpret what data we are requesting, we are making some text edits to EDIE to further clarify that we are only requesting EIN and not Social Security Numbers or any other private information.

As with all data entry systems, the information reported out is only as accurate as the information entered into the system by the user. As such, we are also adding text to the program specifying that if a user wants to use a substitute EIN (for whatever reason), they must consistently use the substitute number for the corresponding EIN on all business accounts, and that failure to do so may result in an inaccurate deposit insurance report.

I hope this answers all your questions. Please place this response on your blog – the current information may be misleading to those who wish to use EDIE.

Alan W. Levy
Chief Web Officer
FDIC, Office of Public Affairs




Comments

Pete on Nov 4, 2006

Still, it's good to see that a government official took the time to review your post and respond with a carefully considered message. We may disagree with him but at least the FDIC is paying attention.

However, my advice to government agencies when the media or bloggers point out a flaw or error in their services--respond quickly by fixing the problem and politely thanking the person or organization that brought it to light. That is the best way to ensure the issue dies out quickly and quietly without expanding into a major embarrassment.

Hardas Kripalani on Nov 5, 2006

Even individuals with no employees can receive an EIN, if engaged in business of some sort, by applying to IRS on form SS-4.

Once they have it, and perform non-employee services, they can choose to use their EIN on 1099-MISC to be issued to them, and need not disclose their SSN to anyone for whom they perform non-employee services.

---------

Hardas, thanks for commenting. FYI, this comment was delayed in appearing because the system's overactive spam filter stopped it, although it clearly isn't spam.

--Tom
