[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[S. 2915 Introduced in Senate (IS)]







110th CONGRESS
  2d Session
                                S. 2915

    To require the Commissioner of Social Security to issue uniform 
  standards for the method for truncation of Social Security account 
    numbers in order to protect such numbers from being used in the 
     perpetration of fraud or identity theft and to provide for a 
  prohibition on the display to the general public on the Internet of 
Social Security account numbers by State and local governments, and for 
                            other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 24, 2008

  Mr. Schumer introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
    To require the Commissioner of Social Security to issue uniform 
  standards for the method for truncation of Social Security account 
    numbers in order to protect such numbers from being used in the 
     perpetration of fraud or identity theft and to provide for a 
  prohibition on the display to the general public on the Internet of 
Social Security account numbers by State and local governments, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Safeguarding Social Security Numbers 
Act of 2008''.

SEC. 2. FINDINGS.

    Congress makes the following findings:
            (1) The Federal Government requires virtually every 
        individual in the United States to obtain and maintain a Social 
        Security account number in order to pay taxes or to qualify for 
        old-age, survivors, and disability insurance benefits under 
        title II of the Social Security Act.
            (2) Many Government agencies and private entities also use 
        Social Security account numbers as identifiers to track 
        individual records or as information that an individual must 
        present to verify his or her identity. Thus, Social Security 
        account numbers are routinely collected, recorded, and 
        transferred by public and private entities.
            (3) As an unintended consequence of these uses, Social 
        Security account numbers have become 1 of the tools that can be 
        used to facilitate crime, fraud, and invasions of the privacy 
        of the individuals to whom the numbers are assigned.
            (4) According to the Social Security Administration's 
        Inspector General, 16 percent of the 99,000 fraud cases it 
        investigated in the 1-year period ending September 30, 2006, 
        involved the misuse of Social Security account numbers.
            (5) The Social Security account number is also a key piece 
        of information used in the perpetration of identity theft. In 
        calendar year 2006, over 240,000 individuals reported to the 
        Federal Trade Commission that they had been the victims of an 
        identity theft. Identity theft is a serious crime that can 
        cause substantial financial losses and force victims to spend 
        significant time restoring the accuracy of their credit 
        records.
            (6) Social Security account numbers are publicly displayed 
        by some Government entities. In most jurisdictions throughout 
        the United States, State and local law requires that certain 
        documentary records, such as business filings, property 
        records, and birth and marriage certificates, be made available 
        to the general public. Some of these records contain personally 
        identifiable information of individuals, including Social 
        Security account numbers. Increasingly, State and local record 
        keepers are displaying public records on the Internet, where 
        these records are widely accessible at no cost or for a minimal 
        fee. There are known instances of criminals using personally 
        identifiable information from online public records to commit 
        identity theft.
            (7) Private information resellers also routinely record and 
        transfer individuals' Social Security account numbers and other 
        personally identifiable information. In a 2006 study, the 
        Government Accountability Office (GAO) was able to purchase 
        truncated or full Social Security account numbers from 5 of 21 
        Internet information resellers that were surveyed.
            (8) The GAO has concluded, based on available evidence, 
        that unauthorized access to personal data such as Social 
        Security account numbers is a frequent occurrence. A survey of 
        17 Federal agencies by the Committee on Oversight and 
        Government Reform of the House of Representatives found that 
        these agencies suffered more than 788 data breaches from 
        January 2003 through July 2006.
            (9) In many instances, public and private entities seek to 
        protect Social Security account numbers from abuse by 
        truncating a portion of each number. However, because 
        truncation methods are not uniform, it is possible to obtain a 
        full Social Security account number by reconstructing the 
        number based on partial information obtained from different 
        sources.
            (10) In a report issued in June 2007, the GAO found that 
        truncated Social Security account numbers in Federal documents 
        stored as public records remain vulnerable to misuse, in part 
        because different truncation methods used by the public and 
        private sectors permit the reconstruction of full Social 
        Security account numbers. Federal entities such as the 
        Department of Justice, the Internal Revenue Service, and the 
        Judicial Conference of the United States truncate by displaying 
        the last 4 digits of the Social Security account number. In 
        contrast, the GAO found that information resellers sometimes 
        sell records containing Social Security account numbers that 
        are truncated to display the first 5 digits.
            (11) The first 5 digits of an individual's Social Security 
        account number are assigned based on the location in which the 
        account number was issued and the order in which the account 
        number was issued. The last 4 digits of an individual's Social 
        Security account number are randomly generated, creating a 
        unique account number for each individual. Many public and 
        private entities ask consumers to supply the last 4 digits of 
        Social Security account numbers as a way to verify consumers' 
        identities, providing an additional reason for identity thieves 
        to seek to acquire these digits.
            (12) The GAO reported in 2006 that it had been unable to 
        identify any industry standards or guidelines for truncating 
        Social Security account numbers. Moreover, the GAO could not 
        identify any consensus among Government officials about which 
        method for truncation better protects Social Security account 
        numbers from abuse.
            (13) The GAO has stated that standardizing the truncation 
        of Social Security account numbers would better protect these 
        numbers from misuse. Since 2005, the GAO has on multiple 
        occasions recommended the establishment of uniform standards 
        for truncation of Social Security account numbers.
            (14) Given the Social Security Administration's role in 
        assigning Social Security account numbers, the Commissioner of 
        Social Security may be in the best position to determine 
        whether and how truncation should be standardized.
            (15) The truncation of Social Security account numbers, 
        even by Federal Government agencies, is not comprehensively 
        required or regulated. Currently, the Social Security 
        Administration does not have the legal authority to regulate 
        the use of Social Security account numbers by other entities.
            (16) Because the Federal Government created and maintains 
        the system of required Social Security account numbers, and 
        because the Federal Government does not permit individuals to 
        exempt themselves from those requirements, it is appropriate 
        for the Federal Government to take steps to curb the abuse of 
        Social Security account numbers.

SEC. 3. DEFINITION.

    In this Act, the term ``Social Security account number'' means the 
account number assigned to an individual by the Commissioner of Social 
Security in the exercise of the Commissioner's authority under section 
205(c)(2) of the Social Security Act (42 U.S.C. 405(c)(2)) and includes 
any derivative of such number.

SEC. 4. REQUIREMENT TO ISSUE UNIFORM STANDARDS FOR THE METHOD FOR 
              TRUNCATION OF SOCIAL SECURITY ACCOUNT NUMBERS.

    (a) Establishment of Uniform Standards.--
            (1) In general.--The Commissioner of Social Security shall 
        issue uniform standards for the method for truncation of Social 
        Security account numbers in order to facilitate the protection 
        of such numbers from being used in the perpetration of fraud or 
        identity theft. Such uniform standards shall not apply with 
        respect to a Social Security account number of a deceased 
        individual.
            (2) Application.--
                    (A) Federal government.--On and after the date that 
                the Commissioner of Social Security determines in 
                regulations established pursuant to subsection (b), the 
                uniform standards issued under paragraph (1) shall 
                apply to the Federal Government--
                            (i) whenever the Federal Government 
                        displays a Social Security account number; and
                            (ii) to the extent practicable, whenever 
                        the Federal Government transfers, records, or 
                        otherwise utilizes a Social Security account 
                        number.
                    (B) State and local governments and private 
                entities.--If a State, local government, or private 
                entity truncates Social Security account numbers, the 
                State, local government, or private entity shall comply 
                with the uniform standards issued under paragraph (1) 
                to the same extent that the Federal Government is 
                required to comply with such standards under 
                subparagraph (A).
            (3) Requirements.--
                    (A) In general.--In establishing the uniform 
                standards required under paragraph (1), the 
                Commissioner of Social Security shall consider the 
                matters described in subparagraph (B) and consult with, 
                at a minimum, the heads of the following Federal 
                agencies:
                            (i) The Department of Justice.
                            (ii) The Federal Trade Commission.
                            (iii) The Department of the Treasury.
                    (B) Specific considerations.--For purposes of 
                subparagraph (A), the matters described in this 
                subparagraph are the following:
                            (i) The extent to which various methods for 
                        truncation of Social Security account numbers 
                        will assist in the prevention of fraud and 
                        identity theft, taking into account the 
                        following:
                                    (I) The risk that a truncated 
                                Social Security account number can be 
                                combined with other personally 
                                identifiable information to derive or 
                                acquire a complete Social Security 
                                account number.
                                    (II) The risk that the numerical 
                                digits not masked in the truncation 
                                process will reveal personally 
                                identifiable information about an 
                                individual.
                                    (III) The risk that a truncated 
                                Social Security account number can be 
                                used to derive or acquire from other 
                                sources a full Social Security account 
                                number.
                            (ii) The methods in use for the truncation 
                        of Social Security account numbers by the 
                        Federal Government, State and local 
                        governments, and private entities and the 
                        extent of use of each method by the Federal 
                        Government, State and local governments, and 
                        private entities.
                            (iii) The reasons why Social Security 
                        account numbers are collected and recorded by 
                        the Federal Government, State and local 
                        governments, and private entities.
                            (iv) The effect of each proposed method for 
                        truncation on the uses for Social Security 
                        account numbers by the Federal Government, 
                        State and local governments, and private 
                        entities.
                            (v) Any comments regarding proposed methods 
                        for truncation submitted to the Commissioner 
                        from--
                                    (I) experts on privacy and data 
                                security, consumer advocacy groups, and 
                                identity theft assistance 
                                organizations;
                                    (II) the Federal Government or 
                                State or local governments, including 
                                State Attorneys General;
                                    (III) representatives of private 
                                entities that transfer, display, 
                                record, or otherwise utilize Social 
                                Security account numbers on a regular 
                                basis;
                                    (IV) the Comptroller General of the 
                                United States; and
                                    (V) any other appropriate entities.
    (b) Regulations.--Not later than the date that is 24 months after 
the date of enactment of this Act, the Commissioner of Social Security 
shall promulgate regulations to carry out this section.
    (c) GAO Report.--Not later than 18 months after the effective date 
of the regulations promulgated by the Commissioner of Social Security 
under subsection (b) (or, if more than 1 effective date applies to such 
regulations, the latest such date), the Comptroller General of the 
United States shall report to Congress on the extent to which the 
uniform standards required under subsection (a)(1) have resulted in the 
adoption of such standards by private entities, and whether these 
standards are likely to provide greater protection against fraud and 
identity theft than the practices adhered to prior to such date. The 
report shall include--
            (1) a recommendation regarding--
                    (A) whether such standards should be mandatory for 
                State and local governments and private entities, and 
                if so, under what circumstances; and
                    (B) whether making such standards mandatory for 
                such entities (with respect to each circumstance 
                identified under subparagraph (A)) would help prevent 
                fraud, identity theft, and unauthorized access to 
                consumers' personally identifiable information; and
            (2) recommendations for such additional legislation or 
        administrative action as the Comptroller General determines 
        appropriate to further reduce the risks of fraud, identity 
        theft, and unauthorized access resulting from the transfer, 
        sale, display, recording, or other utilization of Social 
        Security account numbers.

SEC. 5. PROHIBITION ON THE DISPLAY TO THE GENERAL PUBLIC ON THE 
              INTERNET OF SOCIAL SECURITY ACCOUNT NUMBERS BY STATE AND 
              LOCAL GOVERNMENTS.

    (a) In General.--Chapter 88 of title 18, United States Code, is 
amended by inserting at the end the following:
``Sec. 1802. Prohibition on the display to the general public on the 
              Internet of Social Security account numbers by State and 
              local governments
    ``(a) Prohibition.--
            ``(1) In general.--Subject to paragraph (2), a State, a 
        political subdivision of a State, or any officer, employee, or 
        contractor of a State or a political subdivision of a State, 
        shall not display to the general public on the Internet all or 
        any portion of any Social Security account number.
            ``(2) Exception if display complies with uniform 
        standards.--A State, a political subdivision of a State, or any 
        officer, employee, or contractor of a State or a political 
        subdivision of a State, may display to the general public on 
        the Internet a portion of a Social Security account number if 
        such display complies with the uniform standards for the method 
        for truncation of such numbers issued by the Commissioner of 
        Social Security under section 4 of the Safeguarding Social 
        Security Numbers Act of 2008.
    ``(b) Rules of Construction; Deemed Compliance.--
            ``(1) Rules of construction.--Nothing in this section shall 
        be construed to supersede, alter, or affect any statute, 
        regulation, or order of the Federal Government, a State, or a 
        political subdivision of a State relating to the submission of 
        a Social Security account number to a State or a political 
        subdivision of a State.
            ``(2) Deemed compliance.--A State, a political subdivision 
        of a State, or any officer, employee, or contractor of a State 
        or a political subdivision of a State, shall be deemed to be in 
        compliance with the requirements of subsection (a) if the State 
        or political subdivision--
                    ``(A) permits an individual to submit, in addition 
                to original material required to be submitted to the 
                State or political subdivision that contains all or any 
                portion of the individual's Social Security account 
                number, a duplicate of the material that has all of the 
                individual's Social Security account number redacted or 
                truncated in accordance with the uniform standards for 
                the method of truncation issued under section 4 of the 
                Safeguarding Social Security Numbers Act of 2008;
                    ``(B) displays such duplicate on the Internet in 
                place of the original material that contains all or any 
                portion of the individual's Social Security account 
                number; and
                    ``(C) prior to any display of such duplicate on the 
                Internet, obtains the individual's informed written 
                consent to such display.
    ``(c) Penalties.--A State or a political subdivision of a State 
that has a policy or practice of substantial noncompliance with this 
section shall be subject to a civil penalty imposed by the Attorney 
General of not more than $5,000 a day for each day of substantial 
noncompliance.
    ``(d) Enforcement.--The Attorney General may bring a civil action 
against a State, a political subdivision of a State, or any officer, 
employee, or contractor of a State or a political subdivision of a 
State, in any appropriate United States district court for appropriate 
relief with respect to a display to the general public on the Internet 
of all or any portion of any Social Security account number in 
violation of this section.
    ``(e) Definitions.--In this section:
            ``(1) Display to the general public on the internet.--
                    ``(A) In general.--The term `display to the general 
                public on the Internet' means, in connection with all 
                or any portion of a Social Security account number, to 
                place such number or any portion of such number in 
                violation of this section, in a viewable manner on an 
                Internet site that is available to the general public, 
                including any Internet site that requires a fee for 
                access to information accessible on or through the 
                site.
                    ``(B) Inclusion of certain unprotected 
                transmissions.--In any case in which a State, a 
                political subdivision of a State, or any officer, 
                employee, or contractor of a State or a political 
                subdivision of a State, requires as a condition of 
                doing business transmittal of all, or any part of, an 
                individual's Social Security account number by means of 
                the Internet without ensuring that such number is 
                encrypted or otherwise secured from disclosure, any 
                such transmittal of such number shall be treated as a 
                `display to the general public on the Internet' for 
                purposes of this section.
                    ``(C) Nonapplication.--Such term does not apply to 
                a Social Security account number of a deceased 
                individual.
            ``(2) Social security account number.--The term `Social 
        Security account number' means the account number assigned to 
        an individual by the Commissioner of Social Security in the 
        exercise of the Commissioner's authority under section 
        205(c)(2) of the Social Security Act and includes any 
        derivative of such number.''.
    (b) Clerical Amendment.--The chapter analysis for chapter 88 of 
title 18, United States Code, is amended by adding at the end the 
following:

``1802. Prohibition on the display to the general public on the 
                            Internet of Social Security account numbers 
                            by State and local governments.''.
    (c) Effective Date.--The amendments made by subsections (a) and (b) 
shall take effect on the date that is 1 year after the date on which 
final regulations are issued under section 4(b) and shall apply to 
violations occurring on or after that date.
    (d) No Retroactive Application.--Nothing in section 1802 of title 
18, United States Code, as added by the amendments made by subsections 
(a) and (b), shall be construed as applying to the placement of all or 
any portion of a Social Security account number in a viewable manner on 
an Internet site that is available to the general public, including any 
Internet site that requires a fee for access to information accessible 
on or through the site, by a State, a political subdivision of a State, 
or any officer, employee, or contractor of a State or a political 
subdivision of a State, that is done prior to the effective date of 
such amendments.
    (e) Grants to State and Local Governments To Come Into Compliance 
With the Prohibition on the Display to the General Public on the 
Internet of Social Security Account Numbers.--
            (1) In general.--The Attorney General shall award grants to 
        States and political subdivisions of States to carry out 
        activities to remove, redact, or truncate, in accordance with 
        the uniform standards for the method of truncation issued under 
        section 4, all Social Security account numbers on forms and 
        records of executive, legislative, and judicial agencies of 
        States and political subdivisions of States that, as of the 
        date of enactment of this Act, have been displayed to the 
        general public on the Internet and would be a violation of 
        section 1802 of title 18, United States Code (as added by the 
        amendments made by subsections (a) and (b)), if that section 
        had been in effect at the time such numbers were first 
        displayed.
            (2) Application.--A State or political subdivision of a 
        State desiring a grant under this subsection shall submit an 
        application to the Attorney General at such time, in such 
        manner, and containing such information as the Attorney General 
        shall require.
            (3) Authorization of appropriations.--There is authorized 
        to be appropriated to the Attorney General to carry out this 
        subsection, $10,000,000 for each of fiscal years 2009 and 2010.
            (4) Definition of state.--In this subsection, the term 
        ``State'' means each of the 50 States, the District of 
        Columbia, the Commonwealth of Puerto Rico, the United States 
        Virgin Islands, Guam, and the Commonwealth of the Northern 
        Mariana Islands.

SEC. 6. PREEMPTION OF STATE LAW.

    This Act and the amendments made by this Act shall supersede a 
provision of State law only if, and only to the extent that, such 
provision conflicts with a requirement of this Act or an amendment made 
by this Act.