They should absolutely not be stored in a GSuite document. SSNs should be treated more securely than credit card numbers.
You need it for tax forms, background checks, citizenship queries, sometimes bank information, etc.
So your options are:
1. Store them locally on a computer. Typically on some old Windows 7 machine in the corner that hasn't been updated in some time.
2. Store documents physically. Which will either be scanned onto random computers belonging to whoever needs them to be sent through probably insecure mail servers.
Or worse, your boss taking a picture of your form and sending it to people that way, leaving the form on their phone.
3. Some other online storage like whatever M$ is offering
4. Use Google and somehow store SS#'s somewhere less secure, or obfuscate them in a way no one but a few people will understand and hope they don't block any other files you upload.
Businesses have been deciding since the start how to manage these things in the way that works best for them. Having Google force you into procedures that might not work for your use case is annoying at best. And they obviously don't know best if they have issues like in OP's post.
It's like they take away your gun so you can't shoot yourself in the foot, then fire it at things they think are problems, hoping not to hit your feet.
And what's a few toes to a company the size of Google?
Secure usernames that have no corresponding password is already an oxymoron; that's what credit card numbers used to be, hence the introduction of the CVV, 3DSecure and so on; but at least a credit card can be blocked with relative ease. But SSNs are secure unchangeable usernames, which makes even less sense.
Do any countries other than the US have such an abomination, where you can figure out the SSN of someone and ruin their life?
https://faq.ssa.gov/en-us/Topic/article/KA-02220
It's a huge pain, obviously. Especially when you get to all the systems which blindly assume it isn't possible. But you can do it.
They ought to just open it up and let anyone who requests to change it once a year no questions asked.
For US viewers, enter 'stati uniti' as 'comune di nascita'.
Use deepl.com for the bit at the bottom.
Most countries do have some kind of ID number like that, but they always have a "password" too. In Italy authentication is done by the SPID providers[1] or with an electronic ID card (or physically with an ID card, driving license or passport).
You can't get a credit card and spend as much as you want in their name. You need at least a stolen or counterfeit physical document to open a bank account, or a stolen password and a SPID second factor to file a fraudulent tax return. In the US the SSN is often enough unless you opt into freezing credit.
[1] For non-Italians, that's the acronym for public digital identity system; it's a SAML-based authentication mechanism used by most public websites including tax returns, pension/welfare, and healthcare.
As someone who dealt with identity theft, SSN should only be collected if contact with the SSA is needed, i.e. payment of social security benefits.
Any and ALL other "ID", nope. Use some other number.
You wanna tell that to phone carriers, internet service providers, electricity providers, and even water providers?
So unfortunately... they will decline to do business with you if you decline to provide your SSN.
The only logical solution: Government needs to mandate a no SSN requirement and make it illegal to refuse service even if no SSN is provided.
I disagree. Both SSNs and credit card numbers should be treated with equal consideration.
Establishing arbitrary classes of PII protection based upon perceived severity of compromise is a bad strategy. In the market we work in, you either get this 100% right or you don't get it right at all. There is no happy middle-ground when you are selling software to banks or other such organizations. No one is interested in "mostly" correct when it comes to PII they are responsible for protecting.