[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4546 Introduced in House (IH)]

114th CONGRESS
  2d Session
                                H. R. 4546

    To require the Commissioner of Social Security to issue uniform 
  standards for the method for truncation of Social Security account 
    numbers in order to protect such numbers from being used in the 
     perpetration of fraud or identity theft and to provide for a 
  prohibition on the display to the general public on the Internet of 
  Social Security account numbers by State and local governments and 
               private entities, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 11, 2016

    Mr. Ross (for himself and Ms. Castor of Florida) introduced the 
 following bill; which was referred to the Committee on Ways and Means

_______________________________________________________________________

                                 A BILL


 
    To require the Commissioner of Social Security to issue uniform 
  standards for the method for truncation of Social Security account 
    numbers in order to protect such numbers from being used in the 
     perpetration of fraud or identity theft and to provide for a 
  prohibition on the display to the general public on the Internet of 
  Social Security account numbers by State and local governments and 
               private entities, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Safeguarding Social Security Numbers 
Act of 2016''.

SEC. 2. FINDINGS.

    Congress makes the following findings:
            (1) The Federal Government requires virtually every 
        individual in the United States to obtain and maintain a Social 
        Security account number in order to pay taxes or to qualify for 
        old-age, survivors, and disability insurance benefits under 
        title II of the Social Security Act.
            (2) Many Government agencies and private entities also use 
        Social Security account numbers as identifiers to track 
        individual records or as information that an individual must 
        present to verify his or her identity. Thus, Social Security 
        account numbers are routinely collected, recorded, and 
        transferred by public and private entities.
            (3) As an unintended consequence of these uses, Social 
        Security account numbers have become one of the tools that can 
        be used to facilitate crime, fraud, and invasions of the 
        privacy of the individuals to whom the numbers are assigned.
            (4) According to the Social Security Administration's 
        Inspector General, 16 percent of the 99,000 fraud cases it 
        investigated in the 1-year period ending September 30, 2006, 
        involved the misuse of Social Security account numbers.
            (5) The Social Security account number is also a key piece 
        of information used in the perpetration of identity theft. In 
        calendar year 2006, over 240,000 individuals reported to the 
        Federal Trade Commission that they had been the victims of an 
        identity theft. Identity theft is a serious crime that can 
        cause substantial financial losses and force victims to spend 
        significant time restoring the accuracy of their credit 
        records.
            (6) Social Security account numbers are publicly displayed 
        by some Government entities. In most jurisdictions throughout 
        the United States, State and local law requires that certain 
        documentary records, such as business filings, property 
        records, and birth and marriage certificates, be made available 
        to the general public. Some of these records contain personally 
        identifiable information of individuals, including Social 
        Security account numbers. Increasingly, State and local 
        recordkeepers are displaying public records on the Internet, 
        where these records are widely accessible at no cost or for a 
        minimal fee. There are known instances of criminals using 
        personally identifiable information from online public records 
        to commit identity theft.
            (7) Private information resellers also routinely record and 
        transfer individuals' Social Security account numbers and other 
        personally identifiable information. In a 2006 study, the 
        Government Accountability Office (GAO) was able to purchase 
        truncated or full Social Security account numbers from 5 of 21 
        Internet information resellers that were surveyed.
            (8) The GAO has concluded, based on available evidence, 
        that unauthorized access to personal data such as Social 
        Security account numbers is a frequent occurrence. A survey of 
        17 Federal agencies by the Committee on Oversight and 
        Government Reform of the House of Representatives found that 
        these agencies suffered more than 788 data breaches from 
        January 2003 through July 2006.
            (9) In many instances, public and private entities seek to 
        protect Social Security account numbers from abuse by 
        truncating a portion of each number. However, because 
        truncation methods are not uniform, it is possible to obtain a 
        full Social Security account number by reconstructing the 
        number based on partial information obtained from different 
        sources.
            (10) In a report issued in June 2007, the GAO found that 
        truncated Social Security account numbers in Federal documents 
        stored as public records remain vulnerable to misuse, in part 
        because different truncation methods used by the public and 
        private sectors permit the reconstruction of full Social 
        Security account numbers. Federal entities such as the 
        Department of Justice, the Internal Revenue Service, and the 
        Judicial Conference of the United States truncate by displaying 
        the last 4 digits of the Social Security account number. In 
        contrast, the GAO found that information resellers sometimes 
        sell records containing Social Security account numbers that 
        are truncated to display the first 5 digits.
            (11) The first 5 digits of an individual's Social Security 
        account number are assigned based on the location in which the 
        account number was issued and the order in which the account 
        number was issued. The last 4 digits of an individual's Social 
        Security account number are randomly generated, creating a 
        unique account number for each individual. Many public and 
        private entities ask consumers to supply the last 4 digits of 
        Social Security account numbers as a way to verify consumers' 
        identities, providing an additional reason for identity thieves 
        to seek to acquire these digits.
            (12) The GAO reported in 2006 that it had been unable to 
        identify any industry standards or guidelines for truncating 
        Social Security account numbers. Moreover, the GAO could not 
        identify any consensus among Government officials about which 
        method for truncation better protects Social Security account 
        numbers from abuse.
            (13) The GAO has stated that standardizing the truncation 
        of Social Security account numbers would better protect these 
        numbers from misuse. Since 2005, the GAO has on multiple 
        occasions recommended the establishment of uniform standards 
        for truncation of Social Security account numbers.
            (14) Given the Social Security Administration's role in 
        assigning Social Security account numbers, the Commissioner of 
        Social Security may be in the best position to determine 
        whether and how truncation should be standardized.
            (15) The truncation of Social Security account numbers, 
        even by Federal Government agencies, is not comprehensively 
        required or regulated. Currently, the Social Security 
        Administration does not have the legal authority to regulate 
        the use of Social Security account numbers by other entities.
            (16) Because the Federal Government created and maintains 
        the system of required Social Security account numbers, and 
        because the Federal Government does not permit individuals to 
        exempt themselves from those requirements, it is appropriate 
        for the Federal Government to take steps to curb the abuse of 
        Social Security account numbers.

SEC. 3. REQUIREMENT TO ISSUE UNIFORM STANDARDS FOR THE METHOD FOR 
              TRUNCATION OF SOCIAL SECURITY ACCOUNT NUMBERS.

    (a) In General.--The Commissioner of Social Security shall issue 
uniform standards--
            (1) for the method for truncation of Social Security 
        account numbers in order to facilitate the protection of such 
        numbers from being used in the perpetration of fraud or 
        identity theft; and
            (2) for the method for encryption (or other method of 
        securing from disclosure) of Social Security account numbers 
        transmitted by means of the Internet.
Such uniform standards shall not apply with respect to a Social 
Security account number of a deceased individual.
    (b) Requirements.--
            (1) In general.--In establishing the uniform standards 
        required under subsection (a), the Commissioner of Social 
        Security shall consider the matters described in paragraph (2) 
        and consult with, at a minimum, the heads of the following 
        Federal agencies:
                    (A) The Department of Justice.
                    (B) The Federal Trade Commission.
                    (C) The Department of the Treasury.
            (2) Specific considerations.--For purposes of paragraph 
        (1), the matters described in this paragraph are the following:
                    (A) The extent to which various methods for 
                truncation of Social Security account numbers will 
                assist in the prevention of fraud and identity theft, 
                taking into account the following:
                            (i) The risk that a truncated Social 
                        Security account number can be combined with 
                        other personally identifiable information to 
                        derive or acquire a complete Social Security 
                        account number.
                            (ii) The risk that the numerical digits not 
                        masked in the truncation process will reveal 
                        personally identifiable information about an 
                        individual.
                            (iii) The risk that a truncated Social 
                        Security account number can be used to derive 
                        or acquire from other sources a full Social 
                        Security account number.
                    (B) The methods in use for the truncation of Social 
                Security account numbers by the Federal Government, 
                State and local governments, and private entities and 
                the extent of use of each method by the Federal 
                Government, State and local governments, and private 
                entities.
                    (C) The reasons why Social Security account numbers 
                are collected and recorded by the Federal Government, 
                State and local governments, and private entities.
                    (D) The effect of each proposed method for 
                truncation on the uses for Social Security account 
                numbers by the Federal Government, State and local 
                governments, and private entities.
                    (E) Any comments regarding proposed methods for 
                truncation submitted to the Commissioner from--
                            (i) experts on privacy and data security, 
                        consumer advocacy groups, and identity theft 
                        assistance organizations;
                            (ii) the Federal Government or State or 
                        local governments, including State Attorneys 
                        General;
                            (iii) representatives of private entities 
                        that transfer, display, record, or otherwise 
                        utilize Social Security account numbers on a 
                        regular basis;
                            (iv) the Comptroller General of the United 
                        States; and
                            (v) any other appropriate entities.

SEC. 4. APPLICATION OF UNIFORM STANDARDS.

    (a) Federal Government.--On and after the date that the 
Commissioner of Social Security determines in regulations issued 
pursuant to section 6, the uniform standards issued under section 
3(a)(1) shall apply to the Federal Government--
            (1) whenever the Federal Government displays a Social 
        Security account number; and
            (2) to the extent practicable, whenever the Federal 
        Government transfers, records, or otherwise utilizes a Social 
        Security account number.
    (b) State and Local Governments; Private Entities.--
            (1) Display or transmission by a state or local government 
        by means of the internet.--
                    (A) Prohibition.--
                            (i) In general.--Subject to clause (ii), a 
                        State, a political subdivision of a State, or 
                        any officer, employee, or contractor of a State 
                        or a political subdivision of a State, shall 
                        not display to the general public on the 
                        Internet all or any portion of any Social 
                        Security account number.
                            (ii) Exceptions.--A State, a political 
                        subdivision of a State, or any officer, 
                        employee, or contractor of a State or a 
                        political subdivision of a State may display to 
                        the general public on the Internet--
                                    (I) a portion of a Social Security 
                                account number if such display complies 
                                with the uniform standards for the 
                                method for truncation and encryption of 
                                such numbers issued by the Commissioner 
                                of Social Security under section 3; and
                                    (II) all or any portion of a Social 
                                Security account number of a deceased 
                                individual.
                    (B) Penalties.--A State, a political subdivision of 
                a State, or any officer, employee, or contractor of a 
                State or a political subdivision of a State that 
                violates subparagraph (A) shall be subject to a civil 
                penalty of not more than $5,000 per day for each day 
                that the State or political subdivision violated such 
                subsection.
                    (C) Enforcement.--The Attorney General may bring a 
                civil action against a State, a political subdivision 
                of a State, or any officer, employee, or contractor of 
                a State or a political subdivision of a State, in any 
                appropriate United States District Court for a 
                violation of subparagraph (A).
                    (D) Effective date.--Subparagraphs (A) through (C) 
                shall take effect on the date that is 1 year after the 
                date on which regulations are issued under section 6 
                and shall apply to violations occurring on or after 
                that date.
            (2) Display by other means.--It is the sense of Congress 
        that if a State, local government, or private entity displays a 
        Social Security account number in a manner other than that 
        described in paragraph (1), the State, local government, or 
        private entity should comply with the uniform standards issued 
        under section 3 to the same extent that the Federal Government 
        or a State or local government is required to comply with such 
        standards under subsection (a) and paragraph (1) of this 
        subsection.

SEC. 5. GRANTS TO STATE AND LOCAL GOVERNMENTS TO COME INTO COMPLIANCE 
              WITH THE PROHIBITION ON THE DISPLAY TO THE GENERAL PUBLIC 
              ON THE INTERNET OF SOCIAL SECURITY ACCOUNT NUMBERS.

    (a) In General.--The Attorney General shall award grants to States 
and political subdivisions of States to carry out activities to remove, 
redact, or truncate, in accordance with the uniform standards for the 
method of truncation issued under section 3, all Social Security 
account numbers on forms and records of executive, legislative, and 
judicial agencies of States and political subdivisions of States that, 
as of the date that is 1 year after the date on which regulations are 
issued under section 6, would be displayed to the general public on the 
Internet in violation of section 4(b)(1).
    (b) Application.--A State or political subdivision of a State 
desiring a grant under this subsection shall submit an application to 
the Attorney General at such time, in such manner, and containing such 
information as the Attorney General may reasonably require.
    (c) Authorization of Appropriations.--There is authorized to be 
appropriated to the Attorney General to carry out this subsection, 
$10,000,000 for each of fiscal years 2017 and 2018.

SEC. 6. REGULATIONS.

    Not later than the date that is 6 months after the date of the 
enactment of this Act, the Commissioner of Social Security shall issue 
regulations to carry out this Act.

SEC. 7. GAO REPORT.

    Not later than 18 months after the effective date of the 
regulations issued by the Commissioner of Social Security under section 
6, the Comptroller General of the United States shall report to 
Congress on the extent to which the uniform standards required under 
section 3 have resulted in the adoption of such standards by private 
entities, and whether these standards are likely to provide greater 
protection against fraud and identity theft than the practices adhered 
to prior to such date. The report shall include--
            (1) a recommendation regarding--
                    (A) whether such standards should be mandatory for 
                State and local governments and private entities, and 
                if so, under what circumstances; and
                    (B) whether making such standards mandatory for 
                such entities (with respect to each circumstance 
                identified under subparagraph (A)) would help prevent 
                fraud, identity theft, and unauthorized access to 
                consumers' personally identifiable information; and
            (2) recommendations for such additional legislation or 
        administrative action as the Comptroller General determines 
        appropriate to further reduce the risks of fraud, identity 
        theft, and unauthorized access resulting from the transfer, 
        sale, display, recording, or other utilization of Social 
        Security account numbers.

SEC. 8. PREEMPTION OF STATE LAW.

    This Act and the amendments made by this Act shall supersede a 
provision of State law only if, and only to the extent that, such 
provision conflicts with a requirement of this Act or an amendment made 
by this Act.

SEC. 9. DEFINITIONS.

    In this Act--
            (1) the term ``display to the general public on the 
        Internet'' means, in connection with all or any portion of a 
        Social Security account number, to post or to permit the 
        continued presence of such number, or any portion of such 
        number in a viewable manner on an Internet site that is 
        available to the general public, including any Internet site 
        that requires a fee for access to information accessible on or 
        through the site;
            (2) the term ``Social Security account number'' means the 
        account number assigned to an individual by the Commissioner of 
        Social Security in the exercise of the Commissioner's authority 
        under section 205(c)(2) of the Social Security Act (42 U.S.C. 
        405(c)(2)) and includes any derivative of such number; and
            (3) the term ``State'' means each of the 50 States, the 
        District of Columbia, the Commonwealth of Puerto Rico, the 
        United States Virgin Islands, Guam, and the Commonwealth of the 
        Northern Mariana Islands.