Under FACTA, what is the requirement regarding SSNs

Under FACTA, the requirement is to implement safeguards to minimize exposure and secure handling of SSNs. The Safeguards Rule requires covered entities to maintain a comprehensive information security program that protects consumer information, including social security numbers, from unauthorized access or disclosure. This means putting in place administrative, technical, and physical safeguards—such as access controls, ongoing risk assessments, encryption where appropriate, secure data disposal, employee training, and careful vendor management—to limit how SSNs are collected, stored, transmitted, and disposed of. Public posting or unfettered sharing of SSNs would undermine these safeguards, and while encryption is an important protective measure, the standard focuses on implementing proportionate safeguards rather than a blanket encryption requirement.