
	
		II
		110th CONGRESS
		2d Session
		S. 2915
		IN THE SENATE OF THE UNITED STATES
		
			April 24, 2008
			Mr. Schumer introduced the following bill; which was read twice and referred to the Committee on the Judiciary
		
		A BILL
		To require the Commissioner of Social Security to issue uniform standards for the method for truncation of Social Security account numbers in order to protect such numbers from being used in the perpetration of fraud or identity theft and to provide for a prohibition on the display to the general public on the Internet of Social Security account numbers by State and local governments, and for other purposes.
	
	
		1. Short title. This Act may be cited as the "Safeguarding Social Security Numbers Act of 2008".
		2. Findings. Congress makes the following findings:
			(1) The Federal Government requires virtually every individual in the United States to obtain and maintain a Social Security account number in order to pay taxes or to qualify for old-age, survivors, and disability insurance benefits under title II of the Social Security Act.
			(2) Many Government agencies and private entities also use Social Security account numbers as identifiers to track individual records or as information that an individual must present to verify his or her identity. Thus, Social Security account numbers are routinely collected, recorded, and transferred by public and private entities.
			(3) As an unintended consequence of these uses, Social Security account numbers have become 1 of the tools that can be used to facilitate crime, fraud, and invasions of the privacy of the individuals to whom the numbers are assigned.
			(4) According to the Social Security Administration’s Inspector General, 16 percent of the 99,000 fraud cases it investigated in the 1-year period ending September 30, 2006, involved the misuse of Social Security account numbers.
			(5) The Social Security account number is also a key piece of information used in the perpetration of identity theft. In calendar year 2006, over 240,000 individuals reported to the Federal Trade Commission that they had been the victims of an identity theft. Identity theft is a serious crime that can cause substantial financial losses and force victims to spend significant time restoring the accuracy of their credit records.
			(6) Social Security account numbers are publicly displayed by some Government entities. In most jurisdictions throughout the United States, State and local law requires that certain documentary records, such as business filings, property records, and birth and marriage certificates, be made available to the general public. Some of these records contain personally identifiable information of individuals, including Social Security account numbers. Increasingly, State and local record keepers are displaying public records on the Internet, where these records are widely accessible at no cost or for a minimal fee. There are known instances of criminals using personally identifiable information from online public records to commit identity theft.
			(7) Private information resellers also routinely record and transfer individuals’ Social Security account numbers and other personally identifiable information. In a 2006 study, the Government Accountability Office (GAO) was able to purchase truncated or full Social Security account numbers from 5 of 21 Internet information resellers that were surveyed.
			(8) The GAO has concluded, based on available evidence, that unauthorized access to personal data such as Social Security account numbers is a frequent occurrence. A survey of 17 Federal agencies by the Committee on Oversight and Government Reform of the House of Representatives found that these agencies suffered more than 788 data breaches from January 2003 through July 2006.
			(9) In many instances, public and private entities seek to protect Social Security account numbers from abuse by truncating a portion of each number. However, because truncation methods are not uniform, it is possible to obtain a full Social Security account number by reconstructing the number based on partial information obtained from different sources.
			(10) In a report issued in June 2007, the GAO found that truncated Social Security account numbers in Federal documents stored as public records remain vulnerable to misuse, in part because different truncation methods used by the public and private sectors permit the reconstruction of full Social Security account numbers. Federal entities such as the Department of Justice, the Internal Revenue Service, and the Judicial Conference of the United States truncate by displaying the last 4 digits of the Social Security account number. In contrast, the GAO found that information resellers sometimes sell records containing Social Security account numbers that are truncated to display the first 5 digits.
			(11) The first 5 digits of an individual’s Social Security account number are assigned based on the location in which the account number was issued and the order in which the account number was issued. The last 4 digits of an individual’s Social Security account number are randomly generated, creating a unique account number for each individual. Many public and private entities ask consumers to supply the last 4 digits of Social Security account numbers as a way to verify consumers’ identities, providing an additional reason for identity thieves to seek to acquire these digits.
			(12) The GAO reported in 2006 that it had been unable to identify any industry standards or guidelines for truncating Social Security account numbers. Moreover, the GAO could not identify any consensus among Government officials about which method for truncation better protects Social Security account numbers from abuse.
			(13) The GAO has stated that standardizing the truncation of Social Security account numbers would better protect these numbers from misuse. Since 2005, the GAO has on multiple occasions recommended the establishment of uniform standards for truncation of Social Security account numbers.
			(14) Given the Social Security Administration’s role in assigning Social Security account numbers, the Commissioner of Social Security may be in the best position to determine whether and how truncation should be standardized.
			(15) The truncation of Social Security account numbers, even by Federal Government agencies, is not comprehensively required or regulated. Currently, the Social Security Administration does not have the legal authority to regulate the use of Social Security account numbers by other entities.
			(16) Because the Federal Government created and maintains the system of required Social Security account numbers, and because the Federal Government does not permit individuals to exempt themselves from those requirements, it is appropriate for the Federal Government to take steps to curb the abuse of Social Security account numbers.
		3. Definition. In this Act, the term "Social Security account number" means the account number assigned to an individual by the Commissioner of Social Security in the exercise of the Commissioner's authority under section 205(c)(2) of the Social Security Act (42 U.S.C. 405(c)(2)) and includes any derivative of such number.
		4. Requirement to issue uniform standards for the method for truncation of Social Security account numbers
			(a) Establishment of uniform standards
				(1) In general. The Commissioner of Social Security shall issue uniform standards for the method for truncation of Social Security account numbers in order to facilitate the protection of such numbers from being used in the perpetration of fraud or identity theft. Such uniform standards shall not apply with respect to a Social Security account number of a deceased individual.
				(2) Application
					(A) Federal Government. On and after the date that the Commissioner of Social Security determines in regulations established pursuant to subsection (b), the uniform standards issued under paragraph (1) shall apply to the Federal Government—
						(i) whenever the Federal Government displays a Social Security account number; and
						(ii) to the extent practicable, whenever the Federal Government transfers, records, or otherwise utilizes a Social Security account number.
					(B) State and local governments and private entities. If a State, local government, or private entity truncates Social Security account numbers, the State, local government, or private entity shall comply with the uniform standards issued under paragraph (1) to the same extent that the Federal Government is required to comply with such standards under subparagraph (A).
				(3) Requirements
					(A) In general. In establishing the uniform standards required under paragraph (1), the Commissioner of Social Security shall consider the matters described in subparagraph (B) and consult with, at a minimum, the heads of the following Federal agencies:
						(i) The Department of Justice.
						(ii) The Federal Trade Commission.
						(iii) The Department of the Treasury.
					(B) Specific considerations. For purposes of subparagraph (A), the matters described in this subparagraph are the following:
						(i) The extent to which various methods for truncation of Social Security account numbers will assist in the prevention of fraud and identity theft, taking into account the following:
							(I) The risk that a truncated Social Security account number can be combined with other personally identifiable information to derive or acquire a complete Social Security account number.
							(II) The risk that the numerical digits not masked in the truncation process will reveal personally identifiable information about an individual.
							(III) The risk that a truncated Social Security account number can be used to derive or acquire from other sources a full Social Security account number.
						(ii) The methods in use for the truncation of Social Security account numbers by the Federal Government, State and local governments, and private entities and the extent of use of each method by the Federal Government, State and local governments, and private entities.
						(iii) The reasons why Social Security account numbers are collected and recorded by the Federal Government, State and local governments, and private entities.
						(iv) The effect of each proposed method for truncation on the uses for Social Security account numbers by the Federal Government, State and local governments, and private entities.
						(v) Any comments regarding proposed methods for truncation submitted to the Commissioner from—
							(I) experts on privacy and data security, consumer advocacy groups, and identity theft assistance organizations;
							(II) the Federal Government or State or local governments, including State Attorneys General;
							(III) representatives of private entities that transfer, display, record, or otherwise utilize Social Security account numbers on a regular basis;
							(IV) the Comptroller General of the United States; and
							(V) any other appropriate entities.
			(b) Regulations. Not later than the date that is 24 months after the date of enactment of this Act, the Commissioner of Social Security shall promulgate regulations to carry out this section.
			(c) GAO Report. Not later than 18 months after the effective date of the regulations promulgated by the Commissioner of Social Security under subsection (b) (or, if more than 1 effective date applies to such regulations, the latest such date), the Comptroller General of the United States shall report to Congress on the extent to which the uniform standards required under subsection (a)(1) have resulted in the adoption of such standards by private entities, and whether these standards are likely to provide greater protection against fraud and identity theft than the practices adhered to prior to such date. The report shall include—
				(1) a recommendation regarding—
					(A) whether such standards should be mandatory for State and local governments and private entities, and if so, under what circumstances; and
					(B) whether making such standards mandatory for such entities (with respect to each circumstance identified under subparagraph (A)) would help prevent fraud, identity theft, and unauthorized access to consumers’ personally identifiable information; and
				(2) recommendations for such additional legislation or administrative action as the Comptroller General determines appropriate to further reduce the risks of fraud, identity theft, and unauthorized access resulting from the transfer, sale, display, recording, or other utilization of Social Security account numbers.
		5. Prohibition on the display to the general public on the Internet of Social Security account numbers by State and local governments
			(a) In general. Chapter 88 of title 18, United States Code, is amended by inserting at the end the following:
				
					1802. Prohibition on the display to the general public on the Internet of Social Security account numbers by State and local governments
						(a) Prohibition
							(1) In general. Subject to paragraph (2), a State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State, shall not display to the general public on the Internet all or any portion of any Social Security account number.
							(2) Exception if display complies with uniform standards. A State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State, may display to the general public on the Internet a portion of a Social Security account number if such display complies with the uniform standards for the method for truncation of such numbers issued by the Commissioner of Social Security under section 4 of the Safeguarding Social Security Numbers Act of 2008.
						(b) Rules of construction; deemed compliance
							(1) Rules of construction. Nothing in this section shall be construed to supersede, alter, or affect any statute, regulation, or order of the Federal Government, a State, or a political subdivision of a State relating to the submission of a Social Security account number to a State or a political subdivision of a State.
							(2) Deemed compliance. A State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State, shall be deemed to be in compliance with the requirements of subsection (a) if the State or political subdivision—
								(A) permits an individual to submit, in addition to original material required to be submitted to the State or political subdivision that contains all or any portion of the individual's Social Security account number, a duplicate of the material that has all of the individual's Social Security account number redacted or truncated in accordance with the uniform standards for the method of truncation issued under section 4 of the Safeguarding Social Security Numbers Act of 2008;
								(B) displays such duplicate on the Internet in place of the original material that contains all or any portion of the individual's Social Security account number; and
								(C) prior to any display of such duplicate on the Internet, obtains the individual’s informed written consent to such display.
						(c) Penalties. A State or a political subdivision of a State that has a policy or practice of substantial noncompliance with this section shall be subject to a civil penalty imposed by the Attorney General of not more than $5,000 a day for each day of substantial noncompliance.
						(d) Enforcement. The Attorney General may bring a civil action against a State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State, in any appropriate United States district court for appropriate relief with respect to a display to the general public on the Internet of all or any portion of any Social Security account number in violation of this section.
						(e) Definitions. In this section:
							(1) Display to the general public on the Internet
								(A) In general. The term "display to the general public on the Internet" means, in connection with all or any portion of a Social Security account number, to place such number or any portion of such number in violation of this section, in a viewable manner on an Internet site that is available to the general public, including any Internet site that requires a fee for access to information accessible on or through the site.
								(B) Inclusion of certain unprotected transmissions. In any case in which a State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State, requires as a condition of doing business transmittal of all, or any part of, an individual’s Social Security account number by means of the Internet without ensuring that such number is encrypted or otherwise secured from disclosure, any such transmittal of such number shall be treated as a "display to the general public on the Internet" for purposes of this section.
								(C) Nonapplication. Such term does not apply to a Social Security account number of a deceased individual.
							(2) Social security account number. The term "Social Security account number" means the account number assigned to an individual by the Commissioner of Social Security in the exercise of the Commissioner's authority under section 205(c)(2) of the Social Security Act and includes any derivative of such number.
							.
			(b) Clerical amendment. The chapter analysis for chapter 88 of title 18, United States Code, is amended by adding at the end the following:
				
					
						1802. Prohibition on the display to the general public on the Internet of Social Security account numbers by State and local governments.
					
					.
			(c) Effective date. The amendments made by subsections (a) and (b) shall take effect on the date that is 1 year after the date on which final regulations are issued under section 4(b) and shall apply to violations occurring on or after that date.
			(d) No retroactive application. Nothing in section 1802 of title 18, United States Code, as added by the amendments made by subsections (a) and (b), shall be construed as applying to the placement of all or any portion of a Social Security account number in a viewable manner on an Internet site that is available to the general public, including any Internet site that requires a fee for access to information accessible on or through the site, by a State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State, that is done prior to the effective date of such amendments.
			(e) Grants to State and local governments to come into compliance with the prohibition on the display to the general public on the Internet of Social Security account numbers
				(1) In general. The Attorney General shall award grants to States and political subdivisions of States to carry out activities to remove, redact, or truncate, in accordance with the uniform standards for the method of truncation issued under section 4, all Social Security account numbers on forms and records of executive, legislative, and judicial agencies of States and political subdivisions of States that, as of the date of enactment of this Act, have been displayed to the general public on the Internet and would be a violation of section 1802 of title 18, United States Code (as added by the amendments made by subsections (a) and (b)), if that section had been in effect at the time such numbers were first displayed.
				(2) Application. A State or political subdivision of a State desiring a grant under this subsection shall submit an application to the Attorney General at such time, in such manner, and containing such information as the Attorney General shall require.
				(3) Authorization of appropriations. There is authorized to be appropriated to the Attorney General to carry out this subsection, $10,000,000 for each of fiscal years 2009 and 2010.
				(4) Definition of State. In this subsection, the term "State" means each of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the United States Virgin Islands, Guam, and the Commonwealth of the Northern Mariana Islands.
		6. Preemption of state law. This Act and the amendments made by this Act shall supersede a provision of State law only if, and only to the extent that, such provision conflicts with a requirement of this Act or an amendment made by this Act.
		
