[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]
USE AND MISUSE OF SOCIAL SECURITY NUMBERS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON SOCIAL SECURITY
of the
COMMITTEE ON WAYS AND MEANS
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
MAY 9 AND 11, 2000
__________
Serial 106-108
__________
Printed for the use of the Committee on Ways and Means
U.S. GOVERNMENT PRINTING OFFICE
68-072 DTP WASHINGTON : 2001
_______________________________________________________________________
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC
20402
COMMITTEE ON WAYS AND MEANS
BILL ARCHER, Texas, Chairman
PHILIP M. CRANE, Illinois CHARLES B. RANGEL, New York
BILL THOMAS, California FORTNEY PETE STARK, California
E. CLAY SHAW, Jr., Florida ROBERT T. MATSUI, California
NANCY L. JOHNSON, Connecticut WILLIAM J. COYNE, Pennsylvania
AMO HOUGHTON, New York SANDER M. LEVIN, Michigan
WALLY HERGER, California BENJAMIN L. CARDIN, Maryland
JIM McCRERY, Louisiana JIM McDERMOTT, Washington
DAVE CAMP, Michigan GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota JOHN LEWIS, Georgia
JIM NUSSLE, Iowa RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas MICHAEL R. McNULTY, New York
JENNIFER DUNN, Washington WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio XAVIER BECERRA, California
PHILIP S. ENGLISH, Pennsylvania KAREN L. THURMAN, Florida
WES WATKINS, Oklahoma LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri
SCOTT McINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida
A.L. Singleton, Chief of Staff
Janice Mays, Minority Chief Counsel
______
Subcommittee on Social Security
E. CLAY SHAW, Jr., Florida, Chairman
SAM JOHNSON, Texas ROBERT T. MATSUI, California
MAC COLLINS, Georgia SANDER M. LEVIN, Michigan
ROB PORTMAN, Ohio JOHN S. TANNER, Tennessee
J.D. HAYWORTH, Arizona LLOYD DOGGETT, Texas
JERRY WELLER, Illinois BENJAMIN L. CARDIN, Maryland
KENNY HULSHOF, Missouri
JIM McCRERY, Louisiana
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public
hearing records of the Committee on Ways and Means are also published
in electronic form. The printed hearing record remains the official
version. Because electronic submissions are used to prepare both
printed and electronic versions of the hearing record, the process of
converting between various electronic formats may introduce
unintentional errors or omissions. Such occurrences are inherent in the
current publication process and should diminish as the process is
further refined.
C O N T E N T S
__________
MAY 9, 2000
Page
Advisory of May 2, 2000 announcing the hearing................... 2
WITNESSES
U.S. General Accounting Office, Barbara D. Bovbjerg, Associate
Director, Education, Workforce and Income Security Issues,
Health, Education, and Human Services Division................. 24
Social Security Administration, Hon. James G. Huse, Jr.,
Inspector General, Office of the Inspector General............. 37
______
Stevens, John T., Jr., and Mary Elizabeth H., Upper Marlboro,
Maryland....................................................... 7
MAY 11, 2000
WITNESSES
American Association of Motor Vehicle Administrators, Katherine
Burke Moore.................................................... 95
American Council of Life Insurers, Roberta Meyer................. 104
Associated Credit Bureaus, Inc., Stuart K. Pratt................. 83
Electronic Privacy Information Center, and Georgetown University
Law Center, Marc Rotenberg..................................... 99
Hostettler, Hon. John N., a Representative in Congress from the
State of Indiana............................................... 70
Kleczka, Hon. Gerald D., a Representative in Congress from the
State of Wisconsin............................................. 62
Markey, Hon. Edward J., a Representative in Congress from the
State of Massachusetts......................................... 67
McDermott, Hon. Jim, a Representative in Congress from the State
of Washington.................................................. 60
Paul, Hon. Ron, a Representative in Congress from the State of
Texas.......................................................... 73
United States Public Interest Research Group, Edmund Mierzwinski. 90
SUBMISSIONS FOR THE RECORD
American Target Advertising, Inc., Manassas, VA, Mark J.
Fitzgibbons, letter and attachments............................ 136
Anderson, Robert J., Mineral, VA, statement and attachment....... 138
Home School Legal Defense Association, Purcellville, VA,
Christopher J. Klicka, statement............................... 139
Hyatt, Gil, Las Vegas, NV, statement and attachment.............. 144
Liberty Study Committee, Falls Church, VA, Kent Snyder, statement 150
USE AND MISUSE OF SOCIAL SECURITY NUMBERS
----------
TUESDAY, MAY 9, 2000
House of Representatives,
Committee on Ways and Means,
Subcommittee on Social Security,
Washington, DC.
The Subcommittee met, pursuant to notice, at 10:00 a.m., in
room 1100, Longworth House Office Building, Hon. E. Clay Shaw,
Jr. (Chairman of the Subcommittee) presiding.
[The advisory announcing the hearing follows:]
ADVISORY
FROM THE
COMMITTEE
ON WAYS
AND
MEANS
SUBCOMMITTEE ON SOCIAL SECURITY
FOR IMMEDIATE RELEASE
May 2, 2000
No. SS-17
Shaw Announces Hearing on
Use and Misuse of Social Security Numbers
Congressman E. Clay Shaw, Jr., (R09FL), Chairman, Subcommittee on
Social Security of the Committee on Ways and Means, today announced
that the Subcommittee will hold a hearing to examine the increasing use
and misuse of Social Security numbers (SSNs). The hearing will begin on
Tuesday, May 9, 2000, in the main Committee hearing room, 1100
Longworth House Office Building, beginning at 10:00 a.m. The hearing
will be continued on Thursday, May 11, 2000, also in 1100 Longworth
House Office Building, beginning at 2:00 p.m. The first day of the
hearing will provide an overview of the issue and discuss current laws
and proposals to protect SSNs from misuse. The second day will focus on
the advantages and disadvantages of restricting the use of SSNs.
Oral testimony at this hearing will be from invited witnesses only.
Witnesses will include representatives of the U.S. General Accounting
Office, the Social Security Administration's Office of Inspector
General, watchdog groups promoting privacy concerns, and affected
industries. However, any individual or organization not scheduled for
an oral appearance may submit a written statement for consideration by
the Committee and for inclusion in the printed record of the hearing.
BACKGROUND:
The SSN was created in 1936 solely for the purpose of tracking
workers' Social Security earnings records. Today, approximately 277
million individuals have SSNs. Because of its near universal coverage
as a unique identifier of individuals in the Social Security system,
the SSN is commonly used as a personal identifier in other settings.
For example, use of the SSN is required, by law, for the administration
of several Federal programs, such as the income tax, Food Stamp
program, and Medicaid. SSNs are also commonly used in the private
sector for record-keeping and data exchange systems. Consequently, use
of the SSN has expanded significantly beyond its original purpose.
According to the Social Security Administration (SSA), the SSN is the
single-most widely used personal identifier in the public and private
sectors.
Some believe that the expanded use of the SSN benefits the public
by improving access to financial and credit services in a timely
manner, reducing administrative costs, and improving record-keeping so
consumers can be contacted and identified accurately. Others argue that
the pervasive use of SSNs makes them a primary target for fraud and
misuse. Allegations of fraudulent SSN use increased from 10,915 in
fiscal year 1998 to 30,115 in fiscal year 1999--a 175 percent increase.
SSA and its Office of Inspector General have increased efforts to
combat fraudulent use of SSNs through jointly-developed ``zero
tolerance for fraud'' initiatives. In addition to concerns about SSN
misuse, privacy concerns have also been raised as companies
increasingly share and sell personal information without the customer's
knowledge or consent.
There are two primary laws aimed at protecting privacy and reducing
SSN misuse. The Privacy Act of 1974 prohibits Federal agencies from
disclosing personal information, including the SSN, without the
individual's consent. The Identity Theft Act, enacted in 1998, makes it
a Federal crime to assume another person's means of identification.
However, no Federal law regulates the overall use of SSNs and Federal
laws neither require nor prohibit other public and private uses of the
SSN. As a result, several legislative proposals have been introduced
that would restrict SSN use. These proposals are aimed at protecting
consumer privacy and curbing fraudulent use of SSNs. Some believe that
proposals to restrict the use of SSNs would negatively impact many
businesses and State and local governments which rely on SSNs to
administer transactions and provide services.
In announcing the hearing, Chairman Shaw stated: ``This hearing
will explore how Social Security numbers are used and sometimes
misused. We will consider ways to better protect Americans' privacy and
security, and what ramifications--both positive and negative--such
changes may have. Given the importance of this issue and how interwoven
SSNs have become in the fabric of our information society, it is
critical that changes are assessed with great care.''
FOCUS OF THE HEARING:
The hearing will focus on the widespread use of SSNs in the public
and private sectors. The growing misuse of SSNs and associated costs
will also be discussed. The hearing will examine current laws which
restrict or regulate SSNs and the adequacy of these laws. The hearing
will also examine legislative proposals aimed at combating SSN misuse
and protecting privacy. The ramification of these proposals on
businesses, governments, and consumers will also be examined.
DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:
Any person or organization wishing to submit a written statement
for the printed record of the hearing should submit six (6) single-
spaced copies of their statement, along with an IBM compatible 3.5-inch
diskette in WordPerfect or MS Word format, with their name, address,
and hearing date noted on a label, by the close of business, Thursday,
May 25, 2000, to A.L. Singleton, Chief of Staff, Committee on Ways and
Means, U.S. House of Representatives, 1102 Longworth House Office
Building, Washington, D.C. 20515. If those filing written statements
wish to have their statements distributed to the press and interested
public at the hearing, they may deliver 200 additional copies for this
purpose to the Subcommittee on Social Security office, room B09316
Rayburn House Office Building, by close of business the day before the
hearing.
FORMATTING REQUIREMENTS:
Each statement presented for printing to the Committee by a
witness, any written statement or exhibit submitted for the printed
record or any written comments in response to a request for written
comments must conform to the guidelines listed below. Any statement or
exhibit not in compliance with these guidelines will not be printed,
but will be maintained in the Committee files for review and use by the
Committee.
1. All statements and any accompanying exhibits for printing must
be submitted on an IBM compatible 3.5-inch diskette in WordPerfect or
MS Word format, typed in single space and may not exceed a total of 10
pages including attachments. Witnesses are advised that the Committee
will rely on electronic submissions for printing the official hearing
record.
2. Copies of whole documents submitted as exhibit material will not
be accepted for printing. Instead, exhibit material should be
referenced and quoted or paraphrased. All exhibit material not meeting
these specifications will be maintained in the Committee files for
review and use by the Committee.
3. A witness appearing at a public hearing, or submitting a
statement for the record of a public hearing, or submitting written
comments in response to a published request for comments by the
Committee, must include on his statement or submission a list of all
clients, persons, or organizations on whose behalf the witness appears.
4. A supplemental sheet must accompany each statement listing the
name, company, address, telephone and fax numbers where the witness or
the designated representative may be reached. This supplemental sheet
will not be included in the printed record.
The above restrictions and limitations apply only to material being
submitted for printing. Statements and exhibits or supplementary
material submitted solely for distribution to the Members, the press,
and the public during the course of a public hearing may be submitted
in other forms.
Note: All Committee advisories and news releases are available on
the World Wide Web at ``waysandmeans.house.gov''.
The Committee seeks to make its facilities accessible to persons
with disabilities. If you are in need of special accommodations, please
call 20209225091721 or 20209226093411 TTD/TTY in advance of the event
(four business days notice is requested). Questions with regard to
special accommodation needs in general (including availability of
Committee materials in alternative formats) may be directed to the
Committee as noted above.
Chairman Shaw. Good morning. I apologize for being about
ten minutes late starting this morning.
Welcome to the first day of our two-day hearing about a
topic that is on many people's minds today. That is privacy and
security of their personal information, starting with their
Social Security number.
Just about everyone's privacy and financial security depend
upon seeing these numbers used as originally intended, that is,
to track our earnings so Social Security knows whether we
qualify for benefits and what we should get.
Today, our interests go well beyond that. Social Security
numbers have evolved into every corner of our lives from
qualifying for other government benefits to collecting child
support to obtaining instant credit. We value these expanded
uses when we want to buy and drive home a car on the same day,
on a Saturday afternoon. Yet many have started to wonder about
the proliferating uses of Social Security numbers and the
privacy and security implications of all of this.
Most telling are the rapidly rising allegations of fraud
involving Social Security numbers. That is cause for great
alarm. That is why we are holding these extended hearings. We
need to carefully consider the causes and consequences of the
expanded use and increasing misuse of Social Security numbers.
While we are committed to finding better ways to combat
fraud, we need to carefully consider the consequences of any
actions on this complicated issue.
With us today are two people who know too much about Social
Security number fraud. John T. and Mary Elizabeth Stevens will
tell us how their lives were turned upside down by someone who
stole their Social Security numbers. They lost their credit
rating, were refused loans, incurred large legal bills and
spent three years fighting to get their good names back and
their battle still isn't over.
Next, the General Accounting Office will provide an
overview of the effect of limiting the use of these numbers for
government and private businesses.
Then Social Security's Inspector General will provide
specific recommendations for improving systems designed to
protect the privacy and security of Social Security numbers.
Later this week, we will hear from privacy experts,
consumer advocates and representatives of industries that use
Social Security numbers in the course of their business. We
will also consider legislative recommendations of outside
groups as well as members of Congress. Clearly, we won't suffer
from the lack of ideas to better protect everyone who has a
Social Security number.
To be sure, better protecting Social Security numbers is
only one piece in the puzzle of combating identity theft. No
one proposal will constitute a total solution. Since Social
Security numbers often represent the entry point for ripoff
artists and identity thieves, there is no better place that we
should start. We will find that each proposal we consider comes
with tradeoffs, often balancing privacy and security against
commerce and efficiency.
Just because this is complicated and difficult doesn't mean
we should not act. Indeed, we should. In the coming weeks, with
the support of the Administration and our colleagues on this
panel, we can approve legislation to better protect Social
Security numbers from misuse. In my view, such legislation
should increase fines and penalties for identity theft, give
the Inspector General new powers to catch thieves and better
protect the privacy and integrity of Social Security numbers.
As I mentioned, that will not solve all problems of
identity theft, many of which stretch far beyond our
subcommittee's reach. If we can take some common sense and
bipartisan steps in the right direction, indeed we should.
I look forward to working with all of our witnesses and all
of our members to do the right thing.
At this time, I yield to Mr. Matsui for any remarks he
might want to make.
Mr. Matsui. Thank you very much, Chairman Shaw.
I appreciate the fact you are holding these hearings. I
think they are extremely important. Last year my staff advised
me there were 19,000 reported cases of Social Security fraud
and abuse and we suspect there were many more. With the
increased use of the Internet, I suspect unless the Congress
gets involved in this issue in a very substantive way, we will
probably see more and more fraud and abuse. Certainly with both
the Social Security number and a driver's license, a criminal
can do almost anything he or she wants in terms of getting
private information from our citizens.
I look forward to hearing from Colonel and Mrs. Stevens,
the GAO and the Inspector General of the Social Security
Administration.
I want to thank you, Chairman Shaw, for your leadership on
this issue and certainly I look forward to working with you in
a bipartisan fashion.
Thank you.
[The opening statement of Mr. Matsui follows:]
Opening Statement of Hon. Robert T. Matsui, a Representative in
Congress from the State of California
I would like to thank the Chairman for holding this
hearing. Our topic today is extremely important as it affects
every American, young and old, whether or not they currently
collect Social Security.
The Social Security number is almost as old as the program
itself. Created in 1936 to keep track of workers' earning
records, the uses of the Social Security number have extended
far beyond its original intent, to the point where it is now
commonly used as a personal identifier.
These days, it is quite common to give out one's Social
Security number--for record keeping, on health forms, to obtain
a drivers license or to sign up for a government program such
as Medicaid.
Unfortunately, there is some risk associated with the
expanded use of the Social Security number. Since the Social
Security number can be linked with confidential information,
there is the possibility that if it falls into the wrong hands,
an individual's Social Security number and information could be
mis-used as Lt. Col. John T. Stevens will testify to this
morning.
Common areas for fraud and abuse of the Social Security
number include counterfeiting Social Security cards for
citizenship and fraudulently collecting government benefits.
And it seems that the problem is growing worse. From FY 1998 to
FY 1999, there was an increase of 19,200 allegations of
fraudulent Social Security number use. That is a startling
number.
Because of this potential, many people are concerned about
their ability to protect their privacy. On Thursday we will be
hearing from Members of Congress who will talk about their
legislation to increase privacy protections and combat the mis-
use of the Social Security number.
Today we will hear from Barbara Bovbjerg, Associate
Director of the General Accounting Office, and James Huse,
Inspector General of the Social Security Administration. Both
of these witnesses will discuss their agencies' findings on the
use and abuse of the Social Security number.
We will also hear from Lt. Colonel John Stevens and his
wife Mary who had the unfortunate experience of discovering
firsthand the horrors of having their lives turned upside down
from identity theft.
I want to welcome all of our witnesses. I look forward to
hearing your testimony and to working with my Republican
colleagues to address this growing problem.
Thank you.
Chairman Shaw. Thank you.
Should any other member have an opening statement, we will
make that a part of the record.
[This opening statement of Mr. Portman follows:]
Statement of Hon. Rob Portman, a Representative in Congress from the
State of Ohio
Thank you, Mr. Chairman, for holding this hearing today on
a critical issue.
As we're learning, one of the negative consequences of the
digital economy is that what most of us consider to be private
personal information is becoming neither private nor personal.
The Social Security Number is a perfect case in point.
While there are some laws and regulations that require and
restrict use of the Social Security Number within certain
federal programs, these could be improved. I have real concerns
about the lack of restrictions on the use and privacy
protections on Social Security Numbers by state and local
governments and the private sector.
Mr. Chairman, Americans are increasingly concerned that
the benefits of the information age are coming at the expense
of their personal privacy. I hope this hearing will help shed
some additional light on this problem -and I hope that this
Congress will consider taking appropriate action to protect the
taxpayers of this country against unauthorized, unnecessary or
fraudulent use of their Social Security Numbers.
At this time, I would like to recognize our first panel
whom I mentioned in my opening statement, Lieutenant Colonel
Stevens and Mrs. Stevens. You may proceed as you wish.
We have the text of your full statement and you may
summarize as you see fit.
STATEMENT OF LIEUTENANT COLONEL (RETIRED) JOHN T. STEVENS, JR.,
UPPER MARLBORO, MARYLAND
Colonel Stevens. I have summarized the full statement and
this is what I will present today.
My wife and I are encouraged that this subcommittee is
looking into the widespread use and misuse of the Social
Security number. We have experienced this misuse for over three
years now. We hope by testifying here today, we can alert
others to the danger of this crime and the toll it takes on
your life to fight it.
This horrible nightmare started in March 1997 with a phone
call from Nations Bank, demanding payment on a 1997 Jeep
Cherokee, which of course I don't have. We immediately
requested our credit reports from the three major credit
reporting agencies. The total damage was 33 fraud accounts with
a value of $113,000.
We wrote letters to the credit reporting agencies listing
the fraud accounts and requesting their removal. When this
approach failed, we hired an attorney to write to them. This
did not work either. I then used the Internet to locate the
fraud accounts, identify a point of contact and have our
attorney send them a sworn affidavit.
We cleared most of the fraud accounts and data in about a
year. There were some creditors, however, who refused to accept
our affidavits. The nightmare continues.
When some creditors delete an account, it is transferred to
a third party collection agency. This returns the account to
our credit report under their name and with the same account
number. So far, we have had to deal with over 14 third party
collection agencies. They are nasty people to deal with.
When we refused to pay even a reduced amount to close the
account, it is transferred to another collection agency. My
wife has had one account recycled six times to different
collection agencies. I have had one recycled four times within
the same collection agency. They are all from accounts that
have been previously cleared.
We have received some copies of the applications that
opened these accounts. Usually only a first and last name is
listed. Sometimes a wrong middle initial is given, various
spellings of the last name, different places of employment,
birthdays, home addresses all are listed. Usually the only
correct item is a Social Security number. The creditor approves
these applications after the information is verified by the
credit reporting agency. Although we have lived in Maryland for
over 35 years, neither the creditor not the credit reporting
agency, questioned a home address in Texas, the opening of
numerous accounts in different States or any other significant
changes to our personal data.
My wife currently has a default judgement against her in
Texas. This is for furniture bought and delivered to an address
there. It was repossessed from the same address when the loan
defaulted. The furniture company obtained a default judgment
against the name listed on the application. This is not my
wife's name. The credit reporting agency then listed it in my
wife's credit report.
Our attorney wrote to the furniture company to have the
judgment vacated. The furniture company stated in a letter back
to him, that they had used the items in the application to
check our credit file with the Credit Bureau of North Texas. It
was approved even though the Social Security number was the
only correct item in the application. The judge never
responded.
The Social Security number is the primary and sometimes the
only means of identification required to open an account. Any
variation of a name, address and place of employment, age or
spouse name is acceptable. When the account goes bad, the
correct address is located and the harassment begins.
When you challenge a fraud account, a 30-day investigation
is initiated. This investigation is usually a farce. The usual
finding is that the information being recorded is correct. As
long as there continues to be a lack of responsibility and
accountability by the creditors and the credit reporting
agencies and the Social Security number is considered a
national personal identification number or PIN, we will have a
problem of identity theft.
Our Social Security numbers are available on the network of
DOD computers and through DEERS. We have to put our Social
Security number, home address, telephone number and rank on a
check to pay for purchases in the base exchange or the
commissary on any military base. The Andrews Federal Credit
Union uses a Social Security number for an account number. The
last four digits in your Social Security number must be
provided to have clothes cleaned or altered at Andrews Air
Force Base. Civilian medical facilities, which we are now
forced to use, demand our Social Security number and our
driver's license number. Merchants ask for a Social Security
number and a drivers' license number to write on your check or
charge slip. Our greatest vulnerability to fraud, however, is
on a military base where the Social Security number is openly
used and not fully protected from unauthorized disclosure.
I believe that the creditors who accept fraudulent
information from an imposter and the credit reporting agencies
that ignore these obvious changes should be held equally
responsible for the mental, physical and monetary damage caused
by their negligence. They are just as guilty of fraud as the
imposter who opens the account.
We do not want to spend the rest of our lives correcting
the fraud accounts and false data that so easily becomes a part
of our credit reports. We are prevented from buying a home,
establishing a credit account, making purchases and leading a
normal life. We are tired of the harassing phone calls and the
threatening letters.
I am now 72 years old and my wife is three years younger
than me. We have been married for over 45 years. We hope some
day soon that we can get our lives back and begin to enjoy our
retirement in the time we have left to be together in this
world.
We do not consider ourselves victims. It doesn't fit. I
prefer the designation targets. A target can take evasive
action, Activate counter measures and fight back. Our warrior
instinct drives us to keep going until we win this battle. We
intend to fight this crime with every resource we can muster.
We have been assisted by many people and we wish to express our
thanks for their help and encouragement.
I would also like to thank this subcommittee for
recognizing that there is a very severe identity theft problem
in this country caused by the free access and widespread use of
the Social Security number as a primary and sometimes the only
means used to identify a person. I hope that with your
continued concern and support this national problem will be
contained and solved. My wife and I thank all of you.
[The prepared statement follows:]
Statement of Lieutenant Colonel (Retired) John T. Stevens, Jr., and
Mary Elizabeth H. Stevens, Upper Marlboro, Maryland
My wife and I are encouraged that this subcommittee is
looking into the widespread use and misuse of the social
security number. We have experienced its misuse now for over
three years. We are sure that very few people realize the
problems that this little 9-digit number can create. It has
reached the point that names and other personal data don't
matter anymore. This 9-digit number is the only correct
identification you need to initiate major credit transactions
and other purchases. We hope that by testifying here today, we
can alert others of the danger of this crime and the toll it
takes on your life to fight it.
Since March 1997 my wife and I have been going through
hell. We have received harassing phone calls, been yelled at,
insulted, humiliated and accused of not paying our bills and
defaulting on loans. We have been denied credit and been forced
to pay cash for major items that would normally be financed.
Our Maryland home has been under surveillance and my 1990 Ford
Bronco was almost towed by Nations Bank (now Bank of America)
attempting to repossess a 1997 Jeep Cherokee.
I am a retired Air Force officer. While on active duty, a
breach in fiscal responsibility or personal integrity would
have ended my career. After an automobile accident forced me to
retire in 1972, I was employed as a physicist at The Johns
Hopkins University Applied Physics Laboratory. I was trusted by
both government and industry to have the integrity, experience
and knowledge to analyze, test and evaluate advanced and
complex weapon systems. Any breech of fiscal or personal
responsibility would have affected my security clearance and my
employment. My wife and I had always paid our bills on time and
never defaulted on any obligation. Since retiring from The
Johns Hopkins University, we have been looking forward to
moving to South Carolina to be with my 96-year-old mother and
enjoy being closer to our grandchildren. All these plans ended
very quickly when we discovered that our social security
numbers and names had been used to open 33 fraud accounts with
a total value of $113,000. Our credit had been destroyed.
We did not know this was happening until March 1997. I
received a phone call from Nations Bank, demanding payment on a
Jeep Cherokee purchased in Texas. This was our first
realization that something was wrong. When we requested credit
reports from the major credit-reporting agencies, we were
shocked to learn the extent of the damage done to our credit
and our lives. Our attempts to clear these accounts through the
credit-reporting agencies failed. They would initiate a 30-day
investigation and then tell us that the information being
reported is correct. We hired an attorney to contact them. He
was also ignored. I was forced to locate the address and phone
numbers of these fraud accounts by using the Internet, as the
credit reports did not provide this information at that time.
After we verified the location of a fraud account by calling
them and establishing a point of contact, our attorney would
send them a sworn affidavit stating that we are not the persons
who opened this account. It is ironic that we were being
required to prove a negative. We have since learned to make the
creditor prove their assumption that we opened an account with
them by insisting that they send us a copy of the application,
the delivery tickets, or charge receipts.
In less than a year we cleared the initial reports of the
fraud data, and all of the fraud accounts we could identify and
locate. When a fraud account is established, the new address,
birthday, place of employment and other personal data,
submitted in the application, all become a part of that credit
record. We have had to continuously write or call the credit-
reporting agencies to remove the same fraud data that keeps
reappearing in our credit reports. This information should be
used to identify or flag an application as being legitimate or
false. For instance, the date of birth submitted on the
applications that I have received indicated that the social
security number was issued before the applicant was born.
Although we have lived in Maryland for over 35 years,
applications were readily approved for an address in Texas. The
social security number was the only consistent item in the
copies of the applications that we have received. It was the
primary identification factor required by the creditors and the
credit-reporting agencies.
Some of the creditors clear the fraud accounts at the
credit-reporting agency and then assign them to a third party
collection agency. The delinquent or charged off fraud accounts
then reappears on our credit reports with a different name and
the process starts over. We have cleared our reports of all
identifiable fraud data at least three times. These accounts
seem to reappear on the credit report about every three to six
months. Some collection agencies recycle the account within
themselves or pass it over to another collection agency. This
has occurred even after they have sent us a letter clearing the
account or they have verbally cleared it through a telephone
call. Dealing with credit-reporting agencies that keep
reinserting fraud data and accounts in your report and
collection agencies that keep recycling cleared fraud accounts
is like the trick candle that keeps re-lighting itself every
time you blow it out. To partially quote Forrest Gump, ``
Getting a credit report is like opening a box of chocolates,
you never know what you are going to get.''
Third party collection agencies are rude, nasty, and mean
to deal with. We have dealt with more than 14 of them. We have
dealt with one agency four times on the same account. One of
the worst and meanest companies to deal with was Household Bank
Credit Services. Their representative was demanding, nasty and
rude to both my attorney and me. He refused to accept the sworn
affidavit that we had previously sent to clear the account. He
would only accept their forms. When we refused to resubmit in
their format, the account was transferred to Gulf State Credit
in Atlanta, Ga. So far Gulf States has recycled it four times
since initially clearing it in July 1997. This account is for
an Oreck vacuum cleaner bought over the phone and delivered to
an address in Texas. It is still on my latest credit report.
Norwest Bank in Lubbock, Texas closed a fraud account opened in
their Wichita Falls branch after an affidavit was sent to them
on May 29, 1997. The same account showed up again with Mountain
States Adjustment in Golden, CO. Again the social security
number was the primary means of identification used in opening
these accounts and in locating and harassing us. It did not
matter to them that we have never lived in Texas.
My wife has a cell phone charge that has been recycled
through four different third party collection agencies. This
account has had a resurfacing period of four to six months. It
should reappear at any time now, as it has been dormant for six
months. There is also a jewelry purchase of over $2000 that
keeps showing up in her records. The initial purchase was made
in Texas and has cycled through six different third party
collection agencies. Even though it has been verbally cleared
it just resurfaced again on April 10, 2000.
There is a new fraud account listed on my latest Trans
Union report. It is charged off as a bad debt. The name is GECS
CARE CR with an account number. There is no address or phone
number. By using the account number listed I traced this
account back to a fraud account with a company called Lew
Magram Credit located in Tulsa, OK. They were sent a letter and
affidavit in May 1997. The account was deleted from my credit
report on July 7,1997. This account has now resurfaced through
this third party collection agency and is now appearing on my
credit report. Again my social security number was used to open
the account and to reinstall it in my credit report. We have
never lived in Oklahoma or opened any accounts there.
My wife currently has a default judgment against her in
Texas. Greens Furniture Company opened an account using her
social security number, her first and last name with a
different middle initial. The application was not completely
filled in. A desk was delivered to the address shown on the
application in Wichita Falls, Texas. It was later picked up
from the same address when the loan defaulted. A default
judgment was issued when no one showed up in court. This
judgment is now on my wife's credit report listing our address
in Maryland. Our attorney called the store and the Judge to get
the judgment vacated. Neither the Judge nor the furniture
company has bothered to correct their error or notify us of any
action taken. The furniture company stated, in a letter, that
they had no reason to doubt the person's identity, as the
social security number and other information was checked by the
Credit Bureau of North Texas.
It is frustrating to know that a social security number is
the primary identification required in opening an account. Any
variation of a name, address, place of employment, age, or
spouse name will be accepted without a challenge. When the
account goes sour, the address and owner of the social security
number is suddenly discovered and that person is now held
responsible for the debt. When a fraud account is opened
through the negligence and lack of attention of the creditor
and the credit-reporting agency, there is little concern shown
about correcting the damage done to the person whose name and
the social security number was used. Their 30-day investigation
is a farce, as it usually shows that the information provided
(by the creditor) is correct. Even when the account is cleared,
it may be assigned to a third party collection agency. Only one
person in all of the 33-fraud accounts bothered to apologize to
us. She was a loan officer at Nations Bank in Wichita Falls,
Texas. She stated that she met and talked with John and Mary
Stevens when they applied for a loan. When she described the
couple as being in their late 30's, I pointed out to her that
this meant my social security number had been issued before
they were born. As long as there continues to be a lack of
responsibility and accountability by creditors and credit-
reporting agencies and the social security number is considered
as a National Personal Identification Number (PIN), we will be
faced with this problem of identity theft. Who would provide
his or her ATM PIN to anyone requesting it?
When asked if I had filed a police report, I answered no.
Identity theft was not a crime in the state of Maryland and in
many other states when this started in 1997. Also, the
creditors are considered the victims of fraud, not the person
whose identity was stolen. Some states, including Maryland,
have now passed laws making identity theft a crime. Since the
Maryland bill amended so many other statutes, I have never seen
a clean copy of the law so I am really not sure what it covers.
Maryland just passed another law, to be signed this month, that
limits the use of the social security number on identification
cards or putting it on a driver's license. South Carolina is
considering a bill that is one of the toughest in the nation.
It includes the unauthorized sharing of personal information
for business or promotional purposes without their written
approval. Prince George's County in Maryland just recently
passed a law making it a misdemeanor to assume someone's
identity. The federal law, recently passed, may provide some
help if it is properly funded. Since we had spent over $6000 in
attorney fees plus other expenses such as long distance
telephone calls, I requested help from my USAA homeowner's
insurance policy under their credit card theft coverage. Their
reply was `` There has been no direct physical loss to personal
property; and, no apparent actual credit card forgery on
accounts established by you, or issued to you. Having your
credit record questioned is not a loss that would be covered in
our policy contract, even under the Additional Coverage
provision of your policy.'' They weasel-worded themselves out
of that one. Having your identity stolen is not an insurance
covered crime.
My wife first had to use her own social security number on
her Air Force dependents ID card in 1996. Social security
numbers are available on the network of DOD computers and
through DEERS. In addition, your social security number, home
address, telephone number and rank must be placed on your check
to make purchases in a Commissary or Base Exchange on any
military base. The Andrews Federal Credit Union uses it as an
account number. Even to have clothes altered or cleaned on a
base requires the last four digits of your social security
number. Civilian medical facilities, which we are now forced to
use, want both your social security number and your driver's
license number. Our Medicare number is the social security
number with a letter suffix. Merchants ask for a social
security number and driver's license number to write on your
check or charge card slip. My wife and I have resisted giving
them this information. We would state that they might look at
any identification we have, but they do not have our permission
to write down any numbers. If they insisted, we walk away and
leave our intended purchases at the checkout counter. Our
greatest vulnerability to fraud is on a military base where a
social security number is openly used and not fully protected
from unauthorized disclosure.
Treating a social security number with the same respect and
handling as a classified document would alleviate some of the
problems now being experienced. To receive a classified
document, the recipient must have the proper clearance and a
valid need-to-know for that information. It must be properly
stored, protected and accounted for. Any loss or improper use
is subject to severe penalties.
The creditors who accept the fraudulent information from an
imposter and the credit-reporting agencies who do not recognize
or warn of the obvious changes in names, addresses, age, and
other personal data that might indicate fraud should be held
equally responsible for the mental, physical and monetary
damages caused by their negligence. They are just as guilty of
fraud as the imposter who opens the account. A representative
of a credit-reporting agency told me that all the information
they collect on a person is their property to distribute and
sell to their clients. If they accept and distribute false and
damaging data about a person, it seems that the damaged person
should be allowed to sue them for liable, defamation of
character and mental stress as well as recover the expenses
incurred in repairing the damage they caused. After all, they
said they own the data.
We do not want to spend the rest of our lives correcting
the false data and fraud accounts that are accepted into our
credit reports. We are prevented from establishing credit
accounts, making required purchases and leading a normal life.
We are tired of the harassing phone calls and the threatening
letters. I am now 72 years old and my wife is 3 years younger.
We have been married for over 45 years. We hope someday soon
that we can get our lives back and begin to enjoy our
retirement and the time we have left to be together in this
world.
I have cited just a few of the many problems and some of
the numerous frustrations that we have encountered in trying to
restore our lives from the wreckage that this crime causes. We
do not consider ourselves victims. It doesn't fit. I prefer the
designation ``TARGETS.'' A target can take evasive action,
activate countermeasures and fight back. Our warrior instinct
drives us to keep going until we win this battle. We intend to
fight this crime with every resource we can muster. We could
not have made it this far without the help, advice and
encouragement of people like Beth Givens, Ed Mierswinsky, Mari
Frank and Cynthia Lamb. Without them we might still be fighting
33-(or more) fraud accounts, waiting on the credit-reporting
agencies to complete their 30-day investigation, stating that
the information being reported is correct, and being insulted
and harassed by third party collection agencies. We want to
thank them for helping us through some very rough times. They
gave us the encouragement, the knowledge and the courage to
keep fighting and in knocking down those stonewalls that keep
getting in our way. I would also like to thank this
subcommittee for recognizing that there is a very severe
identity theft problem in this country, caused by the free
access and wide spread use of the social security number as the
primary and sometimes the only means to identify a person. I
hope, that with your continued concern and support, this
national problem will be contained and solved. My wife and I
thank all of you.
Chairman Shaw. Mrs. Stevens, do you have a statement?
STATEMENT OF MARY ELIZABETH H. STEVENS, UPPER MARLBORO,
MARYLAND
Mrs. Stevens. I just wanted to say that we really do
appreciate being able to share our what I would call ``Stevens
Soap Opera'' at this point. It is not a very pleasant one.
We would like to see that others, as many as we can
prevent, from going through this kind of nightmare by working
together and with your help. We do appreciate you going into
this problem.--I think we can ace it.
It has really been an interesting experience and one we
could have done without.
May I leave you with a quick quotation. There is the
saying, ``A diamond is not polished without friction, nor man
without adversity.'' My husband seems to think, and I do, too
that we have had enough polishing, but I guess it is going to
go on for a while longer until we can solve it.
Thank you so much, all of you, for your help.
Chairman Shaw. Thank you, both.
Mr. Johnson?
Mr. Johnson. Thank you, Mr. Chairman.
It is a pleasure to have you all with us.
Do you feel there is any connection between the military
and your problems, the Social Security number in particular?
Colonel Stevens. All I know is when my wife first had to
put her Social Security on her own dependent's ID card, the
fraud seemed to increase, it seemed to start at that point. We
have no proof that was what did it or if it was just a
coincidence.
Also, our Social Security numbers are listed in all the DOD
computers which you can access at any base, anywhere they are
located. We also used to come under the medical facility,
DEERS, until they kicked us out. Our numbers were available
there too.
Mr. Johnson. But those numbers are the military
identification number as well. What do you want them to do?
You were probably in the service at the same time I was, I
remember when we had different numbers. They went to the Social
Security number because it was easier to collate. It is listed
on your ID card just as a number; it doesn't say it is a Social
Security number.
Colonel Stevens. It is so easily identifiable, it is only a
nine digit number. It is on everything we have to do. You
cannot even get clothes drycleaned without leaving your last
four. Whenever you make a purchase and use a check, you have to
put all that information on it.
They may protect it themselves, say in the base exchange
system, but it has to go through a lot of people before it gets
back to you as a canceled check. Anyone along the way can pick
off this information and use it, as we suspect probably
happened.
Mr. Johnson. My experience has been that you don't have to
put that number on a check.
Colonel Stevens. No, sir. We just gave something an article
that was in the Air Force Times that says it must be on your
check and that there is a law that requires that.
Mr. Johnson. Wait a minute. I don't think there is any law
that requires that.
Colonel Stevens. On a military base, to use any of their
facilities like a base exchange or a commissary, you have to
put your Social Security number, home address, phone number,
rank and all the other information on your check before they
will cash it.
Mr. Johnson. It is called a military ID number too. I
understand what you are saying but I don't think there is any
Federal law that requires that.
Colonel Stevens. This article is in the Air Force Times.
Mr. Johnson. It is probably a military regulation and they
have done that to protect themselves at those stores.
Can you tell me if you believe there is any other reason
other than Social Security number that your credit people got
involved the way they did?
Colonel Stevens. If you look at some of the applications,
sir, you will see that the only correct item on many of them
was the Social Security number. Different addresses, different
spellings of our first and last names, different places of
employment. In other words, it was so obvious it was not us
that we wondered why it got through the credit reporting
agency. The Social Security number has been the consistent
piece of identification that has been used to identify us in
all the fraud accounts.
Mr. Johnson. When you asked the credit companies for your
credit rating and listing, they are supposed to give you that
information. Do they do that?
Colonel Stevens. Oh, yes, they will give it to you. In
fact, in Maryland, thank goodness you can get them free but in
other States they charge you. If you have been denied credit or
have a problem, you can request them and they will send you one
free.
Mr. Johnson. They are supposed to give you one free in any
State. They do in Texas because I have done it.
Colonel Stevens. That was not my understanding, sir, but it
is only Maryland and several other States they don't charge you
five or seven dollars for them.
Mr. Johnson. When you pursue it, do they then clear your
records because my experience has been that they clear your
records and your testimony indicates they did not?
Colonel Stevens. Absolutely not. We would submit letters. I
wrote stacks of letters to them listing all the fraud accounts.
Some of them would be cleared but the majority of them would
not. They had to go through a 30-day investigation period which
I believe all they do is go back to the person who opened the
account in the first place, the creditor, and say is this
information correct. Of course it comes back that it is. We
would get a reply that the information is correct as listed. I
finally gave up on that approach.
Mr. Johnson. Let me ask you one more if I may. Do you feel
we should investigate the military process of requiring Social
Security numbers on all their documents?
Colonel Stevens. I don't know whether investigate is the
correct term but due to the fact that it is required everywhere
and everyone wants it, is what makes us very vulnerable. The
fact that the Social Security number can be used in other
civilian aspects such as opening accounts rather than
identifying you as a legitimate military person.
Mr. Johnson. Thank you so much.
Colonel Stevens. I had a five-digit serial number before as
a regular office and that was much more convenient.
Mr. Johnson. Yes, I did too.
Thank you for your testimony.
Chairman Shaw. When they say they want your name, rank and
serial number, that means name, rank and Social Security
number?
Colonel Stevens. Yes. I guess that is what the enemy asks
you for now.
Chairman Shaw. Mr. Matsui?
Mr. Matsui. Thank you for your testimony, Colonel and Mrs.
Stevens.
Do you know whether there as more than one person involved
in this $113,000 consumer fraud?
Colonel Stevens. It is fairly widespread, it could be more
than one person. It seems to be consistently located around
Sheppard Air Force Base at Wichita Falls, Texas. We really
don't have any proof other than just looking at the
applications that come back to us and the various information
that shows up on our credit reports.
Mr. Matsui. It is somewhat frightening, what you have
testified because apparently this person purchased a 1997 Jeep
Cherokee, right?
Colonel Stevens. Yes, sir.
Mr. Matsui. Do you know if whoever that person was had any
other credit information on you or they used the Social
Security number to get other information and then basically
identified themselves as you?
Colonel Stevens. The other information would generally be
that was available through the fact that I am retired military
but I have no proof of that.
Mr. Matsui. Have they apprehended this individual?
Colonel Stevens. The applications are there. If the people
who granted them the credit wanted to, they could go after the
people listed in the application but they don't do that, they
come after us.
Mr. Matsui. Obviously you have been to the law enforcement
agencies and I am assuming they have opened a file. Have they
at least identified the individual who has been using your good
name?
Colonel Stevens. Let me give you an example, sir. An
account that was opened at Nations Bank in Wichita Falls. We
got a call from the person who opened the account, the loan
officer, and she said she had talked to John and Mary Stevens.
They had come in and she had met them personally while they
were opening an account. She called to apologize to us for the
problems.
I asked her what was the age of these people. She said they
were in their mid-to late-30s. Then I pointed out to her, it
was so obvious but it wasn't obvious to her, I understand that,
but what it amounted to is that my Social Security number was
issued before they were born. A simple check like that would
have eliminated quite a lot of problems.
Mr. Matsui. To your knowledge--and I would not expect you
to have this information but I would imagine you have done some
research on this or maybe not, and there would not be any
reason for you to have done any research on it--you don't know
how this person actually made the transaction and what
information the individual using your name used in order to
drive out with a $30,000 automobile?
Colonel Stevens. We don't know where they got it, if I am
hearing you correctly, sir. All we know is they had the first
and last name, Social Security number and in the same case as
my wife, they just generally used her first and last name, plus
her Social Security number.
Mr. Matsui. You have no knowledge at this time about
whether the individual that has used your name has been
apprehended?
Colonel Stevens. I don't know that they have been
apprehended, however, they could have been. It seemed to me
that the person who opened the account has enough information
to go and get them. We are not considered the person
experiencing the loss.
Mr. Matsui. The bank is, I guess?
Colonel Stevens. The banks are the ones who have the loss
and they are the ones that really can bring the charges. Up
until recently, there was no law against this, especially since
we live in Maryland and they were in Texas.
Mr. Matsui. If I can ask you this question, have finally
the credit collection agencies stopped and has your record been
cleared?
Colonel Stevens. No.
Mr. Matsui. Not at all?
Colonel Stevens. I just got a recent report where they
recycled another account for the fourth time, even though I
have a letter clearing me of that account from that same third
party collection agency. This was on an account that had been
previously cleared back in 1997 with an affidavit. They just
keep recycling these things.
My wife has one on a $2,000 diamond that she can tell you
about.
Mrs. Stevens. As of April 10th, this account seems to come
around every four to six months. I explain to them that I am
not the individual. Well, give us your last four and we will
determine if you are the right individual. I will say, by what
authority or what law are you asking for this information. All
through the past up, to the time the Federal law that has now
been passed I would get no help. They would say, All right, we
will delete it.
Before they would agree to delete it, they would let it
rest for a little while and in about two or three weeks or a
month I would get a letter stating that, if you will pay this
amount, maybe $800 or something, we will clear this for you. Of
course I wouldn't pay them a dime. So, we would start around
again. They give it back to the credit bureaus. It is deleted
and later on it comes around again.
I have, in my briefcase, three sets right now and there are
more. I travel with about ten boxes in my little station wagon
up and down the coastline visiting grandchildren. I am always
prepared to explain this issue.
It is really devastating because there seems to be no end
to the recycling by the third parties. There now seems to be a
new approach. In the past month, my husband has had two phone
calls come in. The phone will ring and they leave an 800 number
that we are to call back on a business call--My husband can
explain more about this.
Colonel Stevens. You call back on an 800 number and then
they tell you about this account you owe money on and you can
make arrangements to pay it. So it just continues. It is a
neverending story. It is like when you blow out this trick
candle and it keeps relighting itself.
Mr. Matsui. Thank you for sharing your very sad story with
us. We appreciate it very much.
Chairman Shaw. Mr. Portman?
Mr. Portman. Colonel and Mrs. Stevens, thank you for being
willing to stand up for the rights of others. As Mrs. Stevens
said, you are here in part to tell us your story but what you
are doing is helping others avoid what you went through.
When I looked at your testimony and hear what you had to
say today, you spent the last three years living in a horror
story.
Mrs. Stevens. Absolutely.
Mr. Portman. I am sorry for that. I wish that we had the
power to wave a magic wand and make your problems go away and
be able to keep others from having to go through that because I
know how frustrating it is. I have not been through what you
have but all of us have been through some of these issues with
credit card companies and collection agencies and so on with
misinformation and it is so frustrating to get through the
bureaucracy.
I am concerned because my wife was born in Wichita Falls,
Texas at an Air Force base and maybe I will get linked to that
same source of your problem. Is it Sheppard Air Force Base?
Colonel Stevens. Sheppard Air Force Base. It seems to
center around that area.
Mr. Portman. You talked about what creditor reporting
agencies could do better and what creditors could do better. I
cannot believe the spelling of your names wasn't even correct,
and yet, based on the Social Security number, they went ahead
and processed things and did not even look at the application.
That clearly is a major problem.
I do not know enough about the rules and regulations. I
know this committee does not have jurisdiction over all that
but it seems to me that is one area where we could do more. Do
you agree? Shouldn't the reporting agencies, at the least, be
responsible for looking at the application and have some
liability if they go ahead and process something where the
names are not spelled right?
Colonel Stevens. Absolutely. The things are so obvious that
it is a wonder they don't do it. One of the things I have run
into is that one of the representatives of the credit reporting
agency said they could not be concerned with changes of address
because at least 15 percent of the people move every year and
they would be inconvenienced when they applied for credit.
My answer to that was that means 85 percent of the people
do not move, therefore why are you subjecting them to all this
harassment based on trying not to inconvenience the 15 percent.
Mr. Portman. What did they say with regard to not looking
at the spelling of the name?
Colonel Stevens. They really had no answer. That is one of
the things we have to continuously do when we get our credit
reports. We have to correct the misinformation that keeps
recycling into it--the wrong address, the wrong employment, the
wrong spelling of the name.
What infuriates my wife is when they use only her first
name because that is now her fraud name. She likes to go by
both of her names. The reports will come in and list my wife's
name as Mary. Of course I have to sit there and listen to the
explosion.
Mrs. Stevens. Quickly, on this line of thought. I was just
remembering, how much I had to use the Social Security number,
during the first time frame my husband did the letter writing
and I stayed on the phone with the credit bureaus for about
three months every day giving my Social Security number to
total strangers. In that process, I found I could cross
reference numbers and identify the accounts.
They would then send us a new report. They even co-mingled
our Social Security number at one point. In other words, they
had part of my number and part of his number. Then another
report came in from one of the bureaus with totally brand new
number--000, 000, 000, a string of zeros and then a one. I
could not figure that one out and the credit bureaus had no
answer, it was just a mistake.
The one that really got to me was, I read a report and at
the very end, it said, according to this Social Security number
this individual has been deceased for 22 years. They are
addressing this letter to me.
Mr. Portman. That makes you feel kind of bad, doesn't it?
Mrs. Stevens. My husband said he knew something was wrong.
Mr. Portman. We do have jurisdiction over the Social
Security Administration and that is something this subcommittee
takes very seriously. We do a lot of oversight.
Have you contacted SSA and have they been helpful to you?
Have you sought a new Social Security number, for instance, and
have they responded to that? What could the Social Security
Administration do to help in these kind of problems?
Colonel Stevens. We have not contacted them. Getting a new
Social Security number, I don't think would be a good idea
since it is my retired Air Force service number.
Mr. Portman. It could lead to other problems.
Colonel Stevens. It would really complicate things to
change that because the VA would have to come into it and
everything else since I am a disabled veteran.
The only thing I haven't run into is they don't seem to be
using my Social Security number for employment because I have
received no information that additional contributions have been
made.
Mr. Portman. That is where you want it to be used.
Colonel Stevens. That would help offset some of the
expenses we have gone through.
Mr. Portman. Thank you.
Chairman Shaw. Mr. Weller?
Mr. Weller. Thank you, Mr. Chairman. This is a very
interesting hearing.
I very much want to thank Colonel and Mrs. Stevens for
stepping forward and being a part of this. Reading your
testimony and listening today, it is frightening what can
happen to individuals.
In Congress we have some issues before us that are
concerned with personal security and here is a case where your
personal security was violated. I remember when I was in
college we often joked that the only number we needed to
remember was our Social Security number. People used to put it
on the back of their T-shirts and jerseys as a joke because
that was a number that identified us everywhere we went. Here
is a case where someone took yours.
Also, with the advent of technology, particularly
information technology and the Internet, we were looking at how
we can protect the privacy of individuals. In this case, your
privacy was violated as well as your personal security when
someone absconded with your Social Security number.
When you discovered that someone was using your Social
Security number, did you contact law enforcement?
Colonel Stevens. No, sir, because at that time, it wasn't
against the law. Again, we are not considered the victims so to
speak, it is the credit card company or the bank, so making a
police report would have been useless. We didn't try.
Mr. Weller. So you did not even contact law enforcement in
any way?
Colonel Stevens. No because as I said, we are not
considered the ones experiencing a loss--in other words, there
was no law against it.
Mrs. Stevens. The attorney was not even aware there was no
Federal law. We weren't aware either. This began March 27,
1997. Until up recently, with the new law we weren't covered.
Mr. Weller. Over what period of time did it take when you
discovered someone was using your Social Security number before
everything was cleared up and cleaned up, the mess that was
created as it impacted you personally?
Colonel Stevens. This candle keeps relighting itself. We
actually cleared our records within a year. Then they started
the recycling of the third party collection agencies. The fraud
data kept recycling and we would fight to clear that. Then it
would lie dormant for maybe three to six months and then show
up again. As I said, we have some that have been recycled six
times. In my case, one collection agency has recycled the same
account within their own organization four times for an account
that was cleared.
Mr. Weller. What do you feel was the biggest obstacle you
faced as an individual when you tried to resolve this issue?
Colonel Stevens. Getting people to believe that you are not
the one that opened the account. We have been yelled and
screamed at, cursed at, everything else, especially by
collection agencies. There was one that was very, very nasty to
us. They don't believe you. You have to prove a negative, you
have to prove I am not the person that opened that account. We
finally wised up on that one. We go after the creditor and say
prove to us that we are the ones that opened the account, send
us a copy of the application, send us a delivery slip, send us
a charge card slip. A lot of them are reluctant to do that but
that is the approach we have now taken.
Mr. Weller. When you were looking for help in solving this,
what was your best source of assistance? Who did you turn to
that actually was helpful in solving your problem?
Colonel Stevens. There were several people--Beth Givens,
Privacy Rights; Ed Mierswinsky, USPIRG.
Mrs. Stevens. One of our children found the address of the
Privacy Rights Clearinghouse, Beth Givens, Director. I
contacted her, I guess, over a year ago and that is how we
became involved with this and then through her U.S. PIRG and
Maryland PIRG. I was not aware of Mary PIRG at the time.
Through them we met Mari Frank and obtained her material that
we were using. She had suffered the same kind of crime as an
attorney.
Colonel Stevens. In the Federal Trade Commission, there was
Cynthia Lamb who was most helpful.
Mr. Weller. They can all serve as resources as we look for
ways to help prevent this from happening.
If there was one suggestion you could make as individuals
having suffered the consequences of identity theft through
someone else using your Social Security number, what suggestion
would you have for the Congress and how we could prevent this
from happening to someone else?
Colonel Stevens. The fact that the Social Security number
is used as the primary means of identification that importance
should somehow be diluted. People should not give out this
information. The problem stems from the fact that everyone
accepts this one nine-digit number as you, no matter who is
bearing it or who is handing it out, that number is you.
Nothing else matters. So, if you could degrade the importance
of that number being used for identification it would help.
My original Social Security card had on the front of it
``Not to be used for identification.'' They don't put that on
there anymore, but if you could reduce the importance of it and
have some other means of identification, that would help.
Chairman Shaw. Colonel Stevens, I want to go back to some
of the questioning for a moment and then I will recognize Mr.
Tanner--the colloquy you had back and forth with Mr. Johnson
regarding the commissary and how they require that, and your
thought this was some type of Federal regulation.
As I understand, most if not all of these commissaries are
private-owned or privately-run under contract with the
Government. If I go into Safeway or Winn-Dixie back home and in
the checkout line I want to give them a check, they don't
require my Social Security number, so why should a commissary,
which actually has a more select clientele than any store on
the outside has in which you probably had to show an ID to get
in the door, why should they require your Social Security
number for you to give them a check?
I think we had better look into what the contracts are with
these commissaries because to me, I would doubt that is a
military regulation. I am pretty sure it is not statutory. In
any event, it is something the Congress should look into.
Mrs. Stevens, you have a comment on that?
Mrs. Stevens. Just last night, I discovered in the Air
Force Times of May 15, 2000, ``Is Social Security number still
a must when you write a check?`` I made a batch of copies of
this last night because I was looking for some copies I have of
December 17, 1999, Capital Flyer newspaper from Andrews Air
Force Base. I happened to pick up a copy that particular
afternoon--it comes out on Friday--and the story was there,
that a military fraud ring had been discovered in Trenton, New
Jersey. I did not get that copy together but I can secure that
documentation for you. My husband can explain that better than
I can.
Colonel Stevens. When the major promotion list was approved
by Congress, it listed all the ones that were promoted with
their Social Security number in the Congressional Record. A
ring around McGuire Air Force Base used that to open fraud
accounts.
Chairman Shaw. Interestingly enough, I think many members
of Congress don't realize on our congressional ID card is our
Social Security number just as it is on your identification
card.
Colonel Stevens. It is a national PIN.
Chairman Shaw. I have a copy of the article you referred to
and while Mr. Tanner is inquiring, I will read through it.
[The information follows:]
[GRAPHIC] [TIFF OMITTED] T8072.002
Mr. Tanner. I too am impressed by your statement and the
severity of what can happen to innocent people who have their
identity stolen in the way that has happened to you. Is it
still ongoing?
Mrs. Stevens. Yes.
Mr. Tanner. With the use of your number, are there new
charges being placed?
Colonel Stevens. We have not seen any new accounts.
However, our latest credit report listed, one in my wife and
one for me in each of our credit reports, an inquiry that was
made, one to buy a car, and the other was for I don't know
what, but it was to establish credit Someone had applied and
was getting information, obviously, to open an account.
We immediately wrote letters to both of these organizations
and told them that we had not made any application whatsoever.
That is why I say it is probably still more attempts to
continue opening these accounts but the primary thing we are
concerned with now is the recycling of the ones we have closed
and cleared.
Mr. Tanner. Which brings me to the question I really want
to know. I was reading through your statement and your attorney
has notified these people that you are not the ones who opened
those accounts. Has he advised you that it seems to me after
one is notified that this account is a fraud, it is not yours,
you don't owe it, properly notified, if they continue to
recycle it looks to me like there might be a legal remedy
called defamation of character lawsuit or something against
these credit card companies that refuse to accept and
acknowledge the fact that it is not your account but yet keep
recycling it. I think you described it as a candle that keeps
reigniting itself. Could you enlighten me on where you are
there? I don't know that is a possibility but your attorney I
am sure would.
Colonel Stevens. We have not explored that possibility. Our
main focus was to just get our lives back and get rid of these
things.
Mr. Tanner. I don't mean to suggest but I just say that
once I know something is false and I continue to publish it,
then it seems to me I have some responsibility there. You
spent, I think you said in your statement, over $6,000 just on
telephone calls and letters. Somebody owes you for that if they
continue, it seems to me, to publish untrue, and they know it
is untrue, allegations with respect to your credit and your
payment performance. I hope you will explore that with your
attorney because oftentimes market forces have a much more, may
I say, dramatic effect in commerce than anything we might do
here immediately. So I hope you will explore that, particularly
when they know and continue to republish what they know to be
false information is not, in my judgment, something the law
will tolerate, civil law.
Colonel Stevens. I agree, sir. We would like to pursue
that. As I said, our main focus has been not to recoup as much
as to clear.
Mr. Tanner. But if it is ongoing, how does one ever. You
want relief.
Colonel Stevens. It has kept us from moving. When I
retired, I intended to move back to South Carolina because my
96-year-old mother is there as well as a lot of our
grandchildren. We couldn't qualify for a loan to buy house. We
would get the higher interest rates, being a high risk because
we have all these things on our credit record. This has delayed
us in moving. That is why our main focus so far as been to
clear it the point where we could really retire and start to do
some of the things we have been putting off for so many years.
Mrs. Stevens. I think your idea of going this route of
getting help is great. The situation has been that not too many
lawyers know how to fight this crime. As we are learning more
about it, the legal profession, I think is coming forward.
In reading the material from Mari Frank, an attorney that
was a victim, she suggested that an individual keep perfect
documentation so if it comes to a point, that one can go into
the legal aspect of trying to correct all this, we would have
something to go on. I think that is possibly the avenue we will
have to go which will be burdensome.
Mr. Tanner. Of course libel and slander laws have been
around for a long time and this seems to me to be something
that would be libelous to publish known false information about
one's credit. I hope you will pursue that. I would like to
know.
Thank you for being here. This has been enlightening.
Chairman Shaw. I have looked at this article and we are
running it down, particularly the paragraph that says, ``Store
officials said their Social Security number requirement is
founded in law.'' I think that is a misstatement and prior to
the end of this hearing today, we will have the answer to that.
If it is in law, Mr. Johnson and I intend to try to take it out
of law. In any event, there has to be some clarification. I
can't conceive of that particular requirement. We will have the
answer and take the corrective action if corrective action is
necessary.
Mr. McCrery?
Mr. McCrery. I don't have any further questions but I
appreciate the Stevens coming forward today and sharing with us
your story which really brings to light some of the problems
that undoubtedly many across our Nation are having because of
the widespread use these days of the Social Security number.
Thank you very much.
Chairman Shaw. Mr. Collins?
Mr. Collins. I don't know about South Carolina but in
Georgia, and Mr. Portman and I were discussing Ohio, it is an
option in each of our States as to whether or not you use your
Social Security number for your driver's license number because
when we go into a store in Georgia, the driver's license is
what they ask for to verify the photo and that you are who you
say you are, and they write down the driver's license number.
Some States do have that option but according to this article,
South Carolina does not. I encourage you to move to Georgia, it
is not far from Columbia.
Mrs. Stevens. We have grandchildren there, a great State.
Mr. Collins. Move to Augusta and play the Augusta National
and commute up there to Columbia to see your mother.
Thank you very much for being here.
Chairman Shaw. I am looking at my Social Security card
which was issued many years ago. In fact, I still have the
original. I was just advised I should not be carrying it. I am
looking at one of our younger staffer's card and his does not
say anything about identification. My says, ``For Social
Security purposes, not for identification.'' Why that was taken
off the card, I don't have any idea but I think we ought to
look into that too because I think that should probably be
reinstated on the card itself.
I, too, want to thank you for being here and being a part
of this hearing. It is quite important to us that you would
share your really bizarre tragedy with us. We certainly hope
you can work out of it.
I see that C-Span is carrying this hearing so you might
want to get a copy of it so that the next time you have a
creditor who gives you problems, you can send them a tape of
your appearance here before the subcommittee. You have done a
real service and I can tell you that it concerns me greatly
that name, rank and serial number has now been changed to name,
rank and Social Security number. That is not a good thing and
we need to take a close look at that. The fact that you have to
constantly give your Social Security number as your employment
identification is a real problem and I can certainly recognize
that. We will look further into that.
Thank you both.
Chairman Shaw. The next witness we have from the United
States General Accounting Office is Barbara Bovbjerg, Associate
Director, Education, Workforce and Income Security Issues,
Health, Education and Human Services Division. Welcome back to
this subcommittee and we look forward to your testimony. We
have placed your full testimony in the record and you may
summarize as you see fit.
STATEMENT OF BARBARA D. BOVBJERG, ASSOCIATE DIRECTOR,
EDUCATION, WORKFORCE AND INCOME SECURITY ISSUES, HEALTH,
EDUCATION, AND HUMAN SERVICES DIVISION, U.S. GENERAL ACCOUNTING
OFFICE
Ms. Bovbjerg. Mr. Chairman, members of the subcommittee, I
am pleased to be here today to discuss the uses of the Social
Security number.
Almost 277 million Americans have been assigned an SSN and
because each is unique to the individual, the SSN is frequently
used for a variety of purposes. Privacy concerns, coupled with
mounting instances of identity theft, have raised public
sensitivity to this issue.
I would like to focus my remarks on three aspects of this
topic: Federal laws directing SSN use, the purposes for which
the SSN is used and, finally, the possible impact of
restricting its use. My testimony is based on a report we
prepared for this subcommittee in 1998.
First, laws directing use. No single Federal law regulates
the overall use of the SSN, but several require its use to help
enforce the law, determine benefit eligibility, or both. For
example, the Internal Revenue Code requires that the SSN serve
as the taxpayer identification number. This means that the
taxpayers must report their SSNs when they pay taxes and their
SSNs must also be known to their employers and financial
institutions from whom they receive income.
Federal law also requires individuals to provide their SSN
when they apply for a means tested benefit such as Medicaid or
food stamps. The numbers are used not only for recordkeeping
but also to verify income that individuals report. States are
also required to use SSNs in their child support enforcement
programs and on a variety of documents such as marriage
licenses and death certificates.
Federal law generally does not restrict SSN use except in a
few instances. The Privacy Act of 1974 restricts Federal
agencies in collecting and disclosing personal information
including SSNs without the individual's consent. The Driver's
Protection Policy Act, a more recent law, restricts State
governments from disseminating the SSN with driver's license
databases.
I would like to turn now to how the SSNs are actually used.
In our work, we focused on those users who reached the largest
number of people: State governments and, for the private
sector, businesses that offer health services, financial
services or personal information.
State officials say they use SSNs in both administering
programs and enforcing the law. For example, State tax
administrators routinely use the SSN as a primary identifier in
their State tax systems and to cross-check taxpayer income.
State driver licensing agencies must typically use SSNs to
check an individual's driving record in other States. Law
enforcement agencies use SSNs to check criminal records.
In the private sector, the health care industry generally
uses SSNs as backup identifiers. Other numbers serve as primary
identifiers for patient medical records but SSNs are needed to
trace patients' medical care across providers or to integrate
patient records when providers merge.
Credit bureaus also use SSNs. Such organizations build
databases of consumer payments and credit transactions. Credit
bureaus use the SSN as a principal identifier for retrieving
credit histories on demand. Most customers--insurance
companies, collection agencies, credit grantors--provide an SSN
when requesting a credit history and can deny credit to
individuals who refuse to provide them.
In contrast to these administrative uses, businesses that
sell personal information collect SSNs for the sole purpose of
selling them in a linkage with other information. Generally,
these databases use SSNs to facilitate records searches when
they are sold to customers like lawyers, debt collectors,
employers or anyone who might want to carry out some form of
background check on an individual.
Finally, I would like to summarize the possible effects of
restricting use of the SSN. Users told us that without the SSN
as the unique identifier, data exchanges would be at risk. Tax
enforcement would be hampered by not being able to verify
income reported, States could not readily identify drivers
concealing out-of-state traffic violations, consumer credit
histories could not be quickly updated and accurately
retrieved.
Some users have voluntarily taken measures to restrict the
disclosure of some personal information, including SSNs. Many
of the businesses in the personal information industry have
signed an agreement restricting SSN disclosure to only a
limited range of customers such as law enforcement agencies.
In conclusion, the wide use of the SSN is permissible but
its presence in databases creates privacy concerns and fosters
the growing problem of identity theft. Restricting the use of
SSNs in law could reduce dissemination of personal information
but could also restrict commercial and public sector
activities. Such effects could be only temporary, however,
until users devise a new means of identifying personal records.
In an increasingly electronic world, protecting privacy
will continue to be a public policy challenge.
That concludes my statement, Mr. Chairman. I would be happy
to answer any questions you may have.
[The prepared statement follows:]
Statement of Barbara D. Bovbjerg, Associate Director, Education,
Workforce and Income Security Issues, Health, Education, and Human
Services Division, U.S. General Accounting Office
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting me here today to discuss usage of
the Social Security number (SSN) for purposes not related to
Social Security. The SSN was created in 1936 as a means of
tracking workers' earnings and eligibility for Social Security
benefits. Today over 277 million individuals have a unique SSN.
For this reason it is used for myriad purposes not related to
Social Security. Both private businesses and government
agencies frequently ask individuals for their SSNs because in
certain instances they are required to or because SSNs provide
a convenient means to track and exchange information.
Perceived widespread sharing of personal information and
occurrences of identity theft have raised public concern. To
provide information about how the SSN is currently used, in my
remarks today I will describe (1) federal laws and regulations
directing the number's use, (2) the nonfederal purposes for
which the number is used, and (3) what businesses and state
governments believe the effect would be if federal laws
limiting the use of SSNs were passed. My testimony is based on
findings from a study \1\ we conducted for this Subcommittee
during 1998 and recent work conducted to update our
information.
---------------------------------------------------------------------------
\1\ Social Security: Government and Commercial Use of the Social
Security Number Is Widespread (GAO/HEHS09990928, Feb. 16, 1999).
---------------------------------------------------------------------------
In summary, the federal government, states and local
governments, and private businesses all widely use SSNs. In the
case of the federal government, a number of laws and
regulations require the use of SSNs for various programs, but
they generally also impose limitations on how these SSNs may be
used. However, no federal law imposes broad restrictions on
businesses' and state and local governments' use of SSNs when
that use is unrelated to a specific federal requirement.
Currently, governments and businesses frequently use SSNs to
identify and organize individuals' records. Some may also use
SSNs to exchange information with other organizations to verify
information on file, to coordinate benefits or services, or to
ensure compliance with certain federal laws. For example, by
sharing information about applicants for the Supplemental
Security Income (SSI) program, the Social Security
Administration (SSA) can identify individuals whose benefits
should be reduced, such as those in prison. In addition, some
information brokers use SSNs to retrieve the large amount of
personal information on individuals that they collect and sell.
Public concern over the availability of personal information
has encouraged some to consider ways to limit using SSNs to
disclose such information. However, officials from both private
businesses and state governments have stated that if the
federal government passed laws that limited their use of SSNs,
their ability to reliably identify individuals' records would
be limited, as would their subsequent ability to administer
programs and conduct data exchanges with others. Nonetheless,
some state agencies and businesses have voluntarily taken steps
to limit their disclosure of SSNs.
Federal Laws and Regulations Require and Restrict Certain SSN Uses
Although SSA originally intended SSNs as a means to
identify workers' earnings and eligibility for Social Security
benefits, a number of federal laws and regulations now require
the use of the SSN to track participation in a variety of
federal programs. Use of SSNs facilitates automated exchanges
that help administrators enforce compliance with federal laws,
determine eligibility for benefits, or both. The Internal
Revenue Code and regulations that govern the administration of
the federal personal income tax program require that
individuals' SSNs serve as taxpayer identification numbers.
Employers and others making payments to individuals must
include the individual's SSN in reporting to the Internal
Revenue Service (IRS) many of these payments. In addition, the
Code and regulations require that individuals filing personal
income tax returns include their SSN and those of any
dependents or former spouses to whom they pay alimony.
Similarly, the Social Security Act requires individuals to
provide their SSNs in order to receive benefits under the SSI,
food stamp, Temporary Assistance for Needy Families (TANF), and
Medicaid programs--programs that provide benefits to people
with limited income. Applicants give program administrators
information about their income and resources, and program
administrators use applicants' SSNs to match records with those
of other organizations to verify the information. For example,
we have recommended in previous reports that SSA match its
records with other state and federal program records to reduce
SSI payments to individuals whom agencies find residing in
nursing homes and prisons. Similarly, the Commercial Motor
Vehicle Safety Act of 1986 requires states to use individuals'
SSNs to determine if an individual holds a commercial license
issued by another state. Also, federal law requires that states
use SSNs to maintain records of individuals who owe state-
ordered child support or are owed child support and to collect
from employers reports of new hires identified by SSN. States
then transmit this information to the Federal Parent Locator
Service, an automated database searchable by SSNs. The use of
SSNs in these instances ensures compliance with federal tax
laws, enhances program payment controls, reduces the
possibility of inappropriately licensing applicants, and
facilitates enforcement of child support payments.
Federal laws that require the use of an SSN generally limit
its use to the statutory purposes described in each of the
laws. For example, the Internal Revenue Code, which requires
the use of SSNs for tax purposes, also declares tax return
information, including SSNs, to be confidential and prescribes
both civil and criminal penalties for unauthorized disclosure.
Similarly, the Social Security Act, which requires the use of
SSNs for disbursement of benefits, declares that SSNs obtained
or maintained by authorized individuals on or after October 1,
1990, are confidential and prohibits their disclosure. Finally,
the Personal Responsibility and Work Opportunity Act, which
expanded the Federal Parent Locator Service, explicitly
restricts the use of SSNs to purposes set out in the act, such
as locating absentee parents to enforce child support payments.
In addition to the restrictions contained in laws that
require the use of SSNs, the Privacy Act of 1974 also restricts
federal agencies in collecting and disclosing personal
information, which includes SSNs. The act requires federal
agencies that collect information from individuals to inform
the individuals of the agencies' authority for requesting the
information, whether providing the information is optional or
mandatory, and how the agencies plan to use the information.
The act, which also prohibits federal agencies from disclosing
information without individuals' consent, does not apply to
other levels of government or to private businesses.
Except as discussed above, federal law does not regulate
the use of SSNs. Thus, nonfederal agencies and legitimate
businesses have uses of SSNs not covered by federal law, which
I will now discuss.
Governments and Businesses Use SSNs Extensively
Because there are so many users of the SSN, I will focus on
organizations that routinely use SSNs for activities that
affect a large number of people. These include state government
agencies as well as private businesses that sell health
services, financial services, and personal information. In
general, organizations may record SSNs in their databases for
two purposes: to locate records for routine internal
activities, such as maintaining and updating account
information and, more frequently, to facilitate information
exchanges with other organizations. Governments, health care
organizations, and financial services businesses use SSNs, at
least in part, to perform services for the person who owns the
number. Information brokers, however, collect information that
may include SSNs for the sole purpose of selling it.
State Agencies
States use SSNs to support state government operations and
offer services to residents. The Social Security Act allows
states to use SSNs to identify individuals who pay taxes,
receive general public assistance, own a vehicle, or drive. My
comments today will focus on two examples of how states use
SSNs to administer programs: states' personal income tax
programs and licensing of drivers.
All states that have personal income tax use SSNs to
administer their programs, according to an official at an
organization representing state tax administrators. States use
SSNs as primary identifiers in their programs and for auditing
purposes. Tax administrators from Maryland and Virginia told us
that their states require individuals to provide their SSNs on
state tax returns and that those who do not risk being
considered nonfilers if tax administrators cannot otherwise
identify them. In order to monitor taxpayer income reporting,
states rely on SSNs to match data with IRS and state tax
agencies. In addition, tax administrators said they use SSNs to
cross-reference owners' or officers' business income tax
returns with their personal income tax returns so that an audit
of one triggers an audit of the other. They also use SSNs to
identify residents who received income or tax credits in other
states. Finally, when they assess liens against a taxpayer, tax
administrators may also use SSNs to gather information from
credit bureaus and information brokers about a taxpayer's
assets.
State driver licensing agencies are more likely to use SSNs
to exchange data with other organizations than to support
internal activities. Information from the American Association
of Motor Vehicle Administration (AAMVA) and other sources
suggests that many states request, but may not require,
applicants for noncommercial driver licenses to provide their
SSNs. Most state driver licensing agencies that request SSNs
include SSNs in driver records as a secondary identifier and
devise their own license numbers. To monitor drivers'
compliance with state laws, state officials said they use SSNs
during the licensing process to search national databases
maintained by AAMVA. This allows states to identify driver
licenses an applicant may hold in other states and to determine
whether the applicant has had a license suspended or revoked in
another state. Licensing officials told us that courts and law
enforcement agencies may request driver records by SSN when
they do not know the driver's license number. In the past, some
states have sold personal information collected from drivers
and automobile owners, including SSNs, to individuals and
businesses. However, the federal Drivers' Privacy Protection
Act now prohibits states from disclosing this personal
information for purposes such as surveys, marketing, and
solicitation without the express consent of the individual.\2\
---------------------------------------------------------------------------
\2\ Until a 1999 amendment to the act, states were permitted to
disclose this information if they provided drivers with the opportunity
to prohibit disclosure and the driver opted not to do so.
---------------------------------------------------------------------------
Having discussed how state governments use SSNs, I would
like now to focus on how private businesses use these numbers.
Specifically, I will discuss use of SSNs by health care service
organizations, financial services businesses, and businesses
that sell information.
Health Care Services Organizations
Officials representing hospitals, a health maintenance
organization (HMO), and a health insurance trade association
told us that their organizations always ask for an SSN, but
they do not deny services if a patient refuses to provide the
number.
Officials from a hospital and an HMO told us that although
they ask patients for their SSNs, they assign patients other
identifying numbers, which they use internally as the primary
identifiers for patient medical records. If a patient either
forgets or does not know the patient number he or she was
assigned then the hospital or HMO uses SSNs as a backup to
identify records. These officials also told us that hospitals
and HMOs use SSNs to track patients' medical care across
multiple providers because doing so helps establish a patient's
medical history and avoid duplicate tests. Similarly, health
care providers use SSNs to integrate patients' records when
providers merge, a trend that is growing.
We also spoke with a representative from a health insurance
trade association to understand how insurers use SSNs. He told
us that some health insurers use the SSN or a variation of the
number as the customer's insurance number. We were told that
the BlueCross BlueShield health insurance plans and the
Medicare program frequently use this method. This
representative also said that insurers and providers frequently
match records among themselves, using SSNs to determine whether
individuals have other insurance. This allows insurers to
coordinate payment of insurance benefits.
Officials in the health care industry expect their use of
SSNs to increase. Because health care services are generally
delivered through a coordinated system that includes health
care providers and insurers, it is important for health care
providers to be able to accurately identify information about
patients. However, health care providers may also use SSNs to
gather information that is not directly relevant to a patient's
health care. For example, one hospital official said that her
hospital plans to use SSNs during the admission process to
obtain on-line verification of patients' addresses.
Financial Services Businesses
Three national credit bureaus serve as clearinghouses for
consumer credit reports and receive information about
consumers' credit card transactions and payments from
businesses that grant consumer credit. Officials from a bank
and a credit card company told us that banks and credit card
companies voluntarily report customers' payments and credit
card transactions, accompanied by SSNs, to credit bureaus. They
do so because ensuring that credit bureaus have up-to-date
consumer payment histories serves the interest of companies,
like themselves, that provide credit. An official for a credit
bureau trade association estimated that each national credit
bureau has more than 180 million credit records. SSNs are one
of the principal identifiers credit bureaus use to update
individuals' credit records with the monthly reports of credit
and payment activity creditors send them. In addition, credit
bureaus use SSNs that are provided by customers to retrieve
credit reports on individuals. Credit bureau officials told us
that customers are not required to provide SSNs when requesting
reports, but requests without SSNs need to include enough
information to identify the individual.
Businesses such as insurance companies, collection
agencies, and credit grantors use SSNs to request information
about customers from credit bureaus. Banks and credit card
companies in particular want information on customers'
histories of repaying debts and whether customers have filed
for bankruptcy or have monetary judgments against them, such as
tax liens. Officials representing credit grantors said most
banks and credit card companies ask applicants to provide their
SSNs, and these credit grantors may choose to deny services to
individuals who refuse. These officials said that their
organizations generally do not use SSNs as internal identifiers
but instead assign an account number as a customer's primary
identifier.
Businesses That Sell Personal Information
Continuing advances in computer technology and the ready
availability of computerized data have spurred the growth of
information brokers who amass and sell vast amounts of personal
information, including SSNs, about members of the public. One
official from a firm that sells information told us that his
organization has more than 12,000 discrete databases with
information about individuals. Federal law does not prohibit
these businesses from disclosing SSNs.
Brokers buy and sell information from and to a variety of
public and nonpublic sources. Examples of the information they
buy include public records of bankruptcy, tax liens, civil
judgments, real estate ownership, driving histories, voter
registration, and professional licenses. The information
broker's purchase may include SSNs. Some brokers sell
information only to businesses that establish accounts with
them; others sell it to anyone. Law firms, law enforcement
agencies, research organizations, and individuals are among
those who use brokers' services. For example, lawyers, debt
collectors, and private investigators may request information
about an individual's bank accounts and real estate holdings
for use in divorce or other civil proceedings; automobile
insurers may want information about whether insurance
applicants have been involved in accidents or have been issued
traffic citations; employers may want background checks on new
hires; pension plan administrators may want information to
locate pension beneficiaries; and individuals may ask for
information to help locate their birth parents.
To meet the needs of the parties to whom they sell
information, information brokers have databases that can be
searched by identifiers that may include SSNs; brokers may also
include SSNs along with the other information they provide to
customers. When possible, information brokers retrieve data by
SSN because it is more likely than other identifiers to produce
records for a specific individual.
Business and State Officials Believe Federal Laws Restricting Uses of
SSNs Would Have a Negative Effect on Their Activities and Programs
Officials from the businesses and agencies we contacted
told us that federal restrictions on using SSNs could hamper
their ability to conduct routine internal activities and their
ability to exchange data. For each of these entities, correctly
matching a specific individual to a corresponding record of
information is an important concern. Consequently, these
officials told us, federal limits on the use of SSNs could
adversely affect their activities and programs. They told us
that limits on the use of SSNs, for example, would lessen the
certainty with which credit information could be matched to
specific individuals and hinder health care service providers'
ability to track patients' medical histories over time and
among multiple providers. They also told us that such action
could impede state tax agencies' ability to identify those who
file taxes, make it difficult to associate tax return
information received from other tax agencies with tax
information reported by residents, and make it more difficult
for states to link driver license applicants to traffic
violations they may have acquired under other state licenses.
Finally, officials from state agencies that license drivers
told us that if they could not use SSNs to query their
databases, it would increase the likelihood that government and
law enforcement agencies would receive the records of multiple
people with the same name when they requested information about
a particular individual.
Because of privacy concerns raised by the disclosure of
personal information, some businesses and states have
voluntarily restricted their disclosure of such information,
including SSNs. In December 1997, 14 of the self-identified
industry leaders of those businesses that sell personal
information voluntarily agreed to make the SSNs they obtain
from nonpublic sources available only to a limited range of
customers. They identified such customers as those having
appropriate uses for this information, such as law enforcement.
Although these brokers agreed to limit their disclosure of SSNs
obtained from nonpublic sources, it should be noted that most
of the SSNs they acquire come from public sources, according to
an official from an information brokerage company. As part of
their agreement regarding disclosure of SSNs, the 14
organizations also agreed to annual compliance reviews by
independent contractors. If an organization fails to comply
with the agreement, the Federal Trade Commission can cite the
organization for unfair and deceptive business practices. The
agreement became effective on December 31, 1998. Recent reports
indicate that the first round of compliance reviews is complete
and all of the companies have generally complied with the
agreement.\3\
---------------------------------------------------------------------------
\3\ One company no longer offers products that fall within the
scope of the agreement.
---------------------------------------------------------------------------
In addition to the voluntary efforts of businesses, some
states are discontinuing practices that result in routine
disclosure of SSNs. For example, since July 1, 1997, Georgia no
longer automatically prints SSNs on licenses but rather assigns
its own numbers for driver licenses and uses the SSN as a
license number only if requested by the license holder to do
so. Ohio, which before July 29, 1998, routinely printed SSNs
along with state-assigned numbers on driver licenses, now
allows drivers the option of not having SSNs printed on their
licenses. Also, AAMVA officials believe most states in which
driver records are public now exclude SSNs when responding to
requests for driver records.
Finally, SSA has stated that the expanded use and misuse of
SSNs poses an administrative burden for the agency. According
to agency officials, widespread use of SSNs as identifiers
requires SSA to meet more requests for SSN verification from
employers and government agencies. In addition, the disclosure
of SSNs increases those instances in which the agency must
issue individuals new SSNs when theirs are being misused by
another party.
Concluding Observations
In conclusion, the widespread use of the SSN is permissible
under existing laws and regulations, but because it provides a
means to build and share databases of personal information, it
creates privacy concerns and enables the growing problem of
identity theft. Although restricting the use of SSNs may slow
or reduce wide dissemination of personal information, such an
action could also restrict commercial and public sector
activities. However, such effects could be only temporary,
until a new means of identifying unique personal records was
devised. In our increasingly electronic world, protecting
privacy will continue to be a public policy challenge.
Mr. Chairman, this concludes my prepared statement. At this
time, I will be happy to answer any questions you or other
Members of the Subcommittee may have.
GAO Contact and Staff Acknowledgments
For information regarding this testimony, please contact
Barbara Bovbjerg at (202) 512097215. Individuals who made key
contributions to this testimony include Kay Brown, Jacquelyn
Stewart, Roger Thomas, and Patrick di Battista.
Chairman Shaw. Mr. Johnson?
Mr. Johnson. None.
Chairman Shaw. Mr. Tanner?
Mr. Tanner. We just ironically or interestingly enough got
a call last week from a constituent in Tennessee whose home had
been broken into, lockbox violated and stolen from that were
the birth certificates and Social Security numbers of herself
and her children.
My question is, what should she do to alert whomever to the
possible misuse of the Social Security number and the birth
certificate?
Ms. Bovbjerg. With the cautionary note that I am not a law
enforcement officer, I would tell her to contact legal
authorities. One of the things I was thinking when I was
listening to the Stevens family's very troubling story is that
in work we did a couple of years ago for this subcommittee on
identity theft, we were struck that no single Federal agency
has law enforcement power in this area. It is difficult, partly
for this reason, to get a sense of frequency and magnitude of
identity theft crimes. It is difficult to know how much money
is involved, what the costs are, it becomes difficult to know
who exactly to talk to when something like this happens.
The Federal Trade Commission has been given more authority
to provide public information, to work with the personal
information industry on this voluntary disclosure agreement, I
believe they have to contact appropriate enforcement officials
to actually find the offender and carry out penalties.
Mr. Tanner. Is your answer the Federal Trade Commission
then at the moment? Would that be a good place to start?
Ms. Bovbjerg. That would be a good place to start.
Mr. Tanner. In your analysis of this, you said there is no
single agency where identity theft crimes are housed. Do you
have a suggestion for the Congress on how we should address
this area and if there is any legislation you think
appropriate?
Ms. Bovbjerg. I don't have a suggestion for you. I am
sorry. I think it is such an emerging area that all Federal
agencies are struggling with this. You will hear from the
Social Security Inspector General later some of the things they
are doing to deal with identity theft but much of what SSA does
will focus on the issuance of cards and making sure that only
the appropriate people are receiving Social Security numbers.
They cannot always make changes on the back end, they cannot
always go after people once they have stolen someone's number.
I really think this is something that needs more Federal
attention, more policy attention. It is worth considering how
best the Federal Government can respond to it.
Mr. Tanner. I really appreciate you having this hearing,
Mr. Chairman. This is more potentially disastrous and
widespread than many had thought. I want to commend you for
having this. It is something I think we have some room to do
some good work on.
Thank you.
Chairman Shaw. I think you are right, John. I think what we
are seeing is just a new and growing theft industry that we
have to nip in the bud.
Mr. Portman?
Mr. Portman. A couple of things. First, I appreciate your
testimony and following the comment of my colleague from
Tennessee, I really appreciate, Mr. Chairman, your having the
hearing and taking some time on this, and your personal
commitment to it.
I understand you walked into a video store somewhere down
in Florida and they asked for your Social Security number and
you walked out without the video. That is a frustration.
I have a couple of things I would like to raise with GAO.
First, with regard to driver's license, I notice on page seven
of your testimony you talk about how since 1998 Ohio no longer
prints Social Security numbers along State-assigned numbers on
the driver's license. It is optional. I notice it is on mine
and I am not going to try to get it off, but it does say
optional now. It didn't use to be that way. In fact, it was the
identifier. Mr. Collins mentioned that is true with Georgia as
well. You can move to Ohio instead of Georgia for those who
heard his earlier comments.
I think this is a very important step in the direction to
help ensure an individual's privacy not to require these
numbers on driver's licenses. I would like to put into the
record if I could a letter I got from the Registrar of the
Bureau of Motor Vehicles of Ohio with further comment on the
situation in Ohio. I think it would be helpful with regard to
this discussion and perhaps help other States move in this
direction as well.
Chairman Shaw. Without objection.
[The information follows:]
Bureau of Motor Vehicles
Columbus, OH 43266
May 9, 2000
The Honorable Rob Portman
United States Representatives
House Office Building
Washington, DC 20515
Dear Congressman Portman:
Thank you for the opportunity to further comment on Ohio's use of
SSN relative to our motor vehicle records. For purposes of
clarification, motor vehicle records includes driver license records,
state identification cards, motor vehicle title records and motor
vehicle registration records (license plates).
Since the early 1990's, the Ohio Bureau of Motor Vehicles (Ohio
BMV) has not released SSN information from our records unless the
requestor provides that information as part of their record request.
For instance, if an automobile insurance company requests a copy of a
driver record, we will only provide the SSN as part of the record
report if the SSN was originally provided to us as an identifier.
Since July, 1998, the Ohio BMV has provided an option to
individuals to request the SSN be removed from the face of their
license. While the Ohio BMV permits an individual to request the SSN
not be printed on their license, we still require verification of the
SSN to determine eligibility to obtain a driver's license. Like most
states, Ohio verifies driving status. This is done for all classes of
motor vehicles. Federal standards specifically require states verify
eligibility of drivers applying for a commercial driver license. The
primary purpose of this procedure to avoid instances where drivers,
with suspended or revoked driving privileges, apply for a license in
another state.
Law enforcement agencies and courts are able to receive SSN
information from the Ohio Bureau of Motor Vehicles.
To date, SSN remains the most common and relied upon identifier, to
match the various records of courts and law enforcement agencies with
our own records. Names are unreliable because of common names and
variations in spelling and usage.
The use of motor vehicle records, by government agencies, has also
been expanded beyond the traditional motor vehicle related activities.
For instance, Ohio has a law that permits the revocation of driving
privileges of a person who is in arrears for child support; children
with excessive truancy can loose their driving privileges or ability to
apply for a license; etc.
In order to tie all of these different activities together, a
reliable form of identification is required. Presently, SSN is that
identifier for most government agencies.
The Ohio BMV recommends that the opinion of the American
Association of Motor Vehicle Administrators (AAMVA) be considered in
determining an appropriate policy. AAMVA has spent considerable time
and effort in determining an appropriate policy on behalf of its
members.
Sincerely,
Franklin R. Caltrider
Registrar
Mr. Portman. My question to GAO would be, do you have any
feedback on how this is working, either in Ohio or other
States?
Ms. Bovbjerg. It is really an emerging area. It is
permissible for States to put Social Security numbers on a
driver's license, but they may allow people an option not to
have it on there. In the meantime, there is a recent court
decision that upheld the law saying States may not sell that
information without the express permission of the individual.
There has been a lot of turmoil in the States on driver's
license information, and we haven't been able to determine to
what extent things are working or not working at the State
level.
Chairman Shaw. Would the gentleman yield on that?
Mr. Portman. Absolutely.
Chairman Shaw. It is my understanding, and I could be
wrong, but in the State of Virginia that they use the Social
Security number as the driver's license number. Is that
correct, do you know? I see a head bobbing yes.
Ms. Bovbjerg. I am not a Virginia driver so I cannot say
from personal experience, but they can. It is permissible for a
State to do that. I think more States are following the Ohio
and Georgia lead though of retaining the Social Security number
in their records because they need it to determine if somebody
has been a scofflaw in another jurisdiction. Also, they need it
to demonstrate that person has not been a scofflaw in their
jurisdiction when someone else asks from another State, but
they can no longer sell that information without individual
permission.
Chairman Shaw. I have just been handed a Virginia driver's
license and the gentleman's Social Security number appears
prominently on it and it is identified as ``customer number.''
There is no other number on the license, so I think it is clear
the State of Virginia is using Social Security numbers as the
driver's license number which is something we ought to look
into.
Mr. Portman. I guess one of the issues that we might want
to look at is penalties at the Federal level. What are the
penalties now for Social Security number fraud or for misuse
under the Identified Theft Act?
Ms. Bovbjerg. I don't know the answer to that question.
Perhaps the Social Security IG will know better. I know that
the penalties have stepped up. I am looking in my notes to see
which law it is. It is the Identity Theft Assumption and
Deterrence Act that made identity theft a Federal crime. This
was in 1998. The penalties became substantial criminal
penalties. I don't know exactly what those are but I know the
penalties have expanded in response to that law.
Mr. Portman. That would be helpful for the subcommittee to
have that research. Perhaps the IG can provide it today. If
not, if GAO could provide that?
Ms. Bovbjerg. I will contact your office with that
information.
Mr. Portman. Thank you. One final question, which is a
general one.
Let us say someone refuses to disclose their Social
Security number to a private business. Again, I reference the
Chairman had to watch TV rather than a video. Can that
business, by law, decline to provide the service?
Ms. Bovbjerg. We are not aware of any law that requires a
business to serve you if you don't provide information. It is
also common in a place like Radio Shack. I had a similar
experience to the Chairman's where they asked for my phone
number and my Social Security number to buy a CD player. I said
no, and they said, oh, okay, and I still got the CD player.
In some cases, credit agencies, credit bureaus, lenders,
will deny credit without the number.
Mr. Portman. And a bank deny a loan if you refuse to
provide your Social Security number. I assume a bank can at
this point deny a loan if you do not provide your Social
Security number?
Ms. Bovbjerg. Yes, they can.
Mr. Portman. Thank you, Mr. Chairman.
Chairman Shaw. Mr. Collins, your State was mentioned in the
gentleman from Ohio's questioning. Would you like to respond?
Mr. Collins. We have a lot of residents of Georgia who were
former residents of Ohio and we are pleased to have them. We
expect more. [Laughter.]
Mr. Collins. In your review of the misuse of Social
Security numbers as it pertains to commercial or the
marketplace, in any sort of way did you find the same misuse of
Social Security numbers or identity in earned income tax credit
areas?
Ms. Bovbjerg. In our work, we did not look at misuse of
Social Security numbers. We focused entirely on what legally
was permissible, what was legally restricted, how different
entities were using the numbers, but we did not investigate
misuse.
Mr. Collins. The same could be true then for those who
would misuse a Social Security number in application for the
refundable income tax credit.
Thank you, Mr. Chairman.
Chairman Shaw. Thank you for your testimony. We appreciate
it. It helps round out our knowledge.
With regard to the comment that there is no restriction on
asking but they don't have to continue to do it to give you the
service, this goes back to the check cashing and the military
bases which we are still researching.
Thank you. It is always nice to have you back before this
committee.
Ms. Bovbjerg. Thank you, sir.
[Questions submitted by Chairman Shaw, and Ms. Bovbjerg's
responses follow:]
General Accounting Office
Washington, DC 20548
July 7, 2000
The Honorable E. Clay Shaw, Jr.
Chairman, Subcommittee on Social Security
Committee on Ways and Means
House of Representatives
Subject: Social Security Numbers: Subcommittee Questions Concerning the
Use of the Number for Purposes Not Related to Social Security
Dear Mr. Chairman:
This letter responds to your request that we provide answers to
questions relating to our May 9, 2000 testimony.\1\ In that testimony
we discussed the usage of the Social Security number (SSN) for purposes
not related to social security and the implication of restricting such
usage. Your questions, along with our responses, follow.
---------------------------------------------------------------------------
\1\ Social Security: Use of the Social Security Number is
Widespread (GAO/T09HEHS090009111, May 9, 2000).
1. The term ``national identifier'' has a very bad connotation to many
people. In your opinion, has the Social Security number become a
---------------------------------------------------------------------------
national identifier?
The SSN is widely used by governments and businesses to maintain
and exchange information. The Office of the Inspector General of the
Social Security Administration (SSA) has noted that, over time, the SSN
has become a ``de facto'' identifier used by federal and state
governments. Banks, credit bureaus, insurance companies, and health
care providers also use the SSN for identification purposes. This
widespread use of the SSN beyond its original purpose has raised
privacy concerns. While privacy concerns should not be discounted, it
is important to note that the use of SSNs to link individuals to
information about them enhances the administration of federal and state
programs, makes credit more accessible to consumers, and allows medical
care to be integrated across providers and insurers.
2. In your testimony, you indicated that there is no federal law that
regulates the overall use of SSNs. In your view, is such a law needed?
Is it feasible to enact, administer, and enforce such a law?
Whether a law regulating the overall use of SSNs is needed depends
on a number of factors. The first of these is the extent to which such
a law could effectively curb identity theft and address privacy
concerns. Secondly, these potential benefits would have to be weighed
against how additional restrictions on the use of SSNs might hamper
government and businesses' ability to conduct routine business. The
feasibility of administering and enforcing such a law would depend on
how restrictive it was and its scope--whether it was intended to change
existing practices or limit uses of the SSN beyond those currently
practiced. In addition, it would be necessary to decide what agency or
agencies would be responsible for administration and enforcement and
the resources those agencies would have to carry out those duties.
3. As you pointed out in your testimony, the Social Security number was
created as a means of tracking workers' earnings and eligibility for
Social Security benefits. It was never intended to serve as a personal
identification document. Only certain information is maintained by SSA
as a part of its Social Security number database. What information is
available? What proof is required to obtain a Social Security number?
How have the proof requirements changed over time?
SSA collects only certain information about applicants for SSNs,
and the documentation required as proof of this information has changed
over time. Originally, SSA assigned an SSN to applicants based solely
on individuals' unverified statements regarding age, identity, and
place of birth. However, since 1978, applicants for new SSNs must
provide proof of age, identity, and U.S. citizenship or proof that they
are lawfully residing in the U.S. In addition, applicants must provide
other information such as their place of birth, mother's maiden name,
and father's name. Those applicants who are not U.S. citizens must also
provide Immigration and Naturalization Service documentation showing
whether they are allowed to work or provide a valid non-work reason for
needing an SSN.
4. Despite public concerns about sharing personal information in
today's electronic world, does the public benefit from the widespread
use of SSNs and the sharing of personal information? Can you provide
some examples?
When consumers want to be uniquely identified, particularly in the
health care and consumer credit service industries, the use of SSNs to
share personal information accomplishes this purpose with one uniform
number. Using SSNs to link individuals to their medical records allows
doctors, hospitals, and HMO's to coordinate a person's health care
among health providers and with insurers. Similarly, because up-to-date
consumer payment histories linked to SSNs are available through
national credit bureaus, the use of SSNs helps individuals instantly
demonstrate their credit worthiness anywhere in the country when
requesting credit.
5. If someone refused to disclose his or her SSN to a private business,
can the business, by law, decline to provide the service? For example,
if someone refuses to provide his or her SSN on a loan application, can
the bank deny the loan?
No federal law imposes broad restrictions on businesses' use of
SSNs; consequently, businesses that request SSNs as a condition for
receiving services may deny such services to individuals who refuse.
However, practices vary by industry. Health care providers generally
request patients' SSNs, but we were told that they do not require them
as a condition for treatment. In contrast, most credit card companies
request clients' SSNs as a condition for extending credit and may
refuse service to those who do not comply. States vary in whether they
require an SSN as part of the application for non-commercial driver
licenses. Some require it for inclusion in a database, some do not, and
in some states it is optional.
6. What are the possible effects on businesses of restricting their use
of SSNs?
Federal restrictions on using SSNs could hamper businesses' ability
to conduct routine internal activities and their ability to exchange
data. Correctly matching a specific individual to a corresponding
record of information is an important concern for health care
providers, information brokers, and credit agencies. Limits on the use
of SSNs could make it harder for health care service providers to track
patients' medical histories, make it less easy for employers to do
background checks, and lessen the certainty with which credit
information could be matched to specific individuals.
7. You mentioned in your testimony that many businesses and agencies
are voluntarily restricting the use of SSNs to help protect their
customers' privacy and reduce SSN misuse. Can you please elaborate on
some of these self-regulatory policies?
In 1997, 13 of the self-identified leaders in the information
brokerage industry agreed to limit their disclosure of the SSNs they
obtain from nonpublic sources to those customers who have legitimate
uses for this information, such as law enforcement officials. In
addition, they agreed to annual compliance reviews by an independent
contractor. The Federal Trade Commission can cite them for unfair and
deceptive business practices if they do not do as they have agreed.
While recent reports indicate that the companies have generally
complied with the agreement to limit their sale of SSNs that they
obtain from nonpublic sources, it should be noted that the SSNs
contained in the records they acquire are more likely to come from
public sources, according to an information broker.
Some states have taken steps to protect individuals' privacy by
changing whether they display SSNs on driver licenses. For example,
according to driver license officials in Georgia and Massachusetts,
these states no longer automatically use SSNs as driver license
numbers. They give drivers the option of using a state generated
license number, instead of their SSN. Similarly, driver license
officials in Ohio told us that the state previously printed SSNs along
with state-assigned numbers on driver licenses, but now allows drivers
the option of not having SSNs printed on their licenses. According to
an American Association of Motor Vehicle Administrators official, only
Hawaii still requires that SSNs be used as a driver's license number,
but the state plans to discontinue this requirement next year.
8. One area not discussed in your written testimony is e-commerce. How
has the high-tech economy affected SSN use? In general, can people
conduct business on the Internet without providing their SSNs? How
would restricting the use of SSNs affect e-commerce?
Our work to date has not included assessing the uses of SSNs within
the high-tech economy or the effects of their restricted usage on e-
commerce. However, in visits to two of the existing e-commerce sites,
we found that certain consumer purchases can currently be made via the
Internet without requiring the use of an SSN. Instead, these sites
typically required new and repeat customers to register for on-line
services by providing an identifier such as the user's name, and by
selecting a password. Additionally, they require a credit card number
to cover purchases of goods or services. Certain other e-commerce sites
that we observed, however, such as those that sell securities or
insurance policies, did require SSNs for tax or identification
purposes.
9. You indicated that ``information brokers'' collect SSNs for the sole
purpose of selling them. What exactly is an information broker? How are
consumers served by this industry? What is the downside of limiting
their activities? Why do information brokers need people's SSNs?
Information brokers buy personal information, amass it in
databases, and then resell it to clients. Brokers buy some of this
information from private sources. However, some of the information they
buy is already available to the public. Brokers offer customers
convenient one-stop shopping for information that might otherwise by
widely dispersed. For example, an employer can obtain information about
a person's driving history and criminal history from an information
broker, rather than attempt to locate and access public records
containing the same information. Information brokers serve a variety of
clients--a lawyer may request information needed for a civil
proceeding; a pension plan administrator may request information to
locate pension beneficiaries; or an individual may ask for information
to help locate a birth parent. Information brokers may use SSNs to
search databases. Limiting information brokers' use of SSNs might make
it more difficult for them to conduct searches that produce records
unique to a given individual.
10. According to your testimony, the Social Security Act declares that
SSNs obtained by authorized individuals after October 1, 1990 are
confidential and cannot be disclosed. If the Social Security Act
prohibits the disclosure of SSNs why is their use so widespread and why
are businesses allowed to ask for the SSN?
The Social Security Act provision to which you refer, section
205(c), protects against unauthorized disclosure of SSNs, but does not
restrict the many legally authorized uses of the SSN. Businesses are
allowed to ask for and use SSNs because section 205(c) generally only
applies to governmental use of SSNs.
Section 205(c) generally does not apply to business transactions.
It prohibits disclosure by ``authorized persons,'' and it defines that
term in part to mean those who gain access to SSNs ``pursuant to any
provision of law.. . .'' Someone who comes into possession of an SSN as
part of a business relationship--for example, the bank that requires it
as part of a credit card application--has not gained access to it
pursuant to a provision of law, and is therefore not subject to the
section 205(c) restriction on disclosure.
11. If the use of the SSN were restricted by federal law, is it likely
that another personal identifier would take its place?
Although privacy concerns should not be discounted, exchanges of
computerized data are important to the functioning of governments and
businesses, and these exchanges can benefit the public. Given the large
amount of such data available, in general, accuracy in linking the
correct individual with information about him or her is desirable in
the administration of some programs and in cases where people want to
be uniquely identified. The SSN provides a convenient and effective
method for doing this. If the SSN were not available for this purpose,
in all likelihood, some other mechanism for doing the same would
eventually take its place.
We are sending copies of this letter to other interested parties.
If you have any questions on matters discussed in this letter, please
contact Kay Brown or me on 512097215. Key contributors to this
assignment were Jacquelyn Stewart, Patrick di Battista, Valerie Melvin
and Roger Thomas.
Sincerely,
Barbara Bovbjerg
Associate Director, Education,
Workforce, and Income Security Issues
Chairman Shaw. Our final witness this morning is from the
Social Security Administration, the Honorable James Huse,
Inspector General, Office of the Inspector General.
Mr. Huse, welcome back to the subcommittee. You may proceed
as you wish. We have your full statement which will be made a
part of the record.
STATEMENT OF HON. JAMES G. HUSE, JR., INSPECTOR GENERAL, OFFICE
OF THE INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION
Mr. Huse. Good morning, Mr. Chairman and subcommittee
members.
Thank you for the opportunity to testify on this critical
issue which impacts greatly on the lives of American citizens.
In my full statement for the record, I outline for you the ways
in which the SSN has been transformed from a simple agency
recordkeeping tool into a cornerstone of modern commerce.
Although the SSN was never intended to be a national
identifier, it has rapidly evolved into the de facto
identifier, especially with the introduction of electronic
commerce.
Our office is acutely aware that SSN misuse is on the rise
because of the large number of SSN misuse allegation we receive
and by the increasing number of requests for constituent
assistance. In fiscal year 1999, our fraud hotline processed
over 75,000 allegations, 80 percent of which involved the
misuse of an SSN, with about 32,000 of these having an impact
on Social Security's trust funds.
Our work has revealed that certain misuse occurs because of
vulnerabilities in SSA's processes such as cases where
individuals apply for benefits under erroneous or counterfeit
SSNs or where individuals sell legitimate SSNs for hundreds of
dollars. We have also seen examples where Social Security's
vulnerabilities in its enumeration business process adds to the
pool of SSNs available for criminal, fictitious identities.
Once an improperly issued Social Security number enters the
stream of commerce, there is scant hope for preventing
subsequent damage. In our audit work, we have made several
recommendations to Social Security to improve its business
processes which I have outlined in my full statement for the
record.
Through our audit work, we have also determined that there
is a direct correlation between Social Security number misuse
and Social Security's responsibility to maintain accurate
earnings records for individuals. When Social Security cannot
reconcile Social Security numbers and identifying information
provided by employers, Social Security sends notices to wage
earners requesting pertinent information to resolve these
discrepancies. Most of the responses are returned
``undeliverable, address unknown.''
Ideally, we would like to pursue the thousands of potential
Social Security number misuse and identity theft referrals that
we receive each month. However, we are presently lacking the
investigative capacity to handle the entire volume. As a
result, we are forced to focus on major cases that directly
impact on Social Security's operations.
One of our toughest challenges is to find realistic
strategies to fight this battle in an effective and efficient
manner while remaining focused on Social Security's programs.
Our current approach to Social Security number misuse only
provides protection for what is Social Security's current area
of responsibility. It will be little consolation to the
thousands of identity theft victims and private industry whose
cases are the responsibility of an array of Federal, State and
local law enforcement agencies.
We have several suggestions for Social Security and
Congress to consider in addition to our formal audit
recommendations, including, first, regulating the sale of
Social Security numbers; second prohibiting businesses from
refusing services for nondisclosure of a Social Security number
when not relevant to the services being provided; third,
requiring photo identification when conducting business with
Social Security Administration; fourth, urging the
implementation of new technologies and databases to help
employers, government and private industry verify that names
and/or Social Security numbers are correct to improve the
identification process; fifth, legislating statutory law
enforcement authority for our OIG investigators and sixth,
broadening our civil monetary penalty authority for the sale or
misuse of a Social Security number.
When SSN misuse compromises Social Security's business
processes, and the Social Security Trust Funds, our involvement
is necessary and vigorous. To focus on our mission, we make
tough choices to ensure that we bring the most benefit to the
Social Security Administration. Yet, we often become the court
of last resort for victims of identity theft. Therefore, I
would appreciate your views on how to fulfill that role that
the public seems to expect from SSA and our OIG.
Thank you for the opportunity to speak this morning and I
would be glad to answer your questions.
[The prepared statement follows:]
Statement of the Hon. James G. Huse, Jr., Inspector General, Office of
the Inspector General, Social Security Administration
Mr. Chairman and Members of the Subcommittee:
Good morning Mr. Chairman and members of the Subcommittee.
I want to thank the Subcommittee for holding this hearing on
Social Security number (SSN) misuse. Your interest in this
critical issue, which impacts on the lives of American
citizens, is heartening.
Today, I would like to provide you with a brief overview of
how the SSN has been transformed, from a simple Agency record-
keeping tool into a cornerstone of modern commerce and what
this transformation means for the Social Security
Administration (SSA), this Office of the Inspector General
(OIG), and the American public. I would also like to provide
you with an overview of our efforts in this area. Finally, I
offer several options for preventing SSN misuse from the
perspective of what I believe to be the responsibility of SSA
and by extension, this OIG. The more extensive problem of
identity theft requires far more Government action than SSA and
this office can provide. I would like to inform you about that,
and elicit your views as our oversight committee.
Evolution of the SSN
With the enactment of the Social Security Act in 1935, a
system was developed to track the annual earnings of employed
individuals. This system required a specific, unique identifier
that could accurately maintain earnings records for decades to
come. Thus, the SSN was born. The SSN was never intended to be
a ``national identifier,'' but over the years, the SSN became
the ``de facto'' identifier for Federal and State Governments.
For example, in 1967 the Department of Defense adopted the SSN
in lieu of the military service number for identifying Armed
Forces personnel. An SSN was required to enroll in schools,
receive financial assistance, and to apply for State drivers'
licenses. Over time, the SSN has also become a critical
identifier for banks, credit bureaus, insurance companies,
medical care providers, and innumerable other industries.
Not surprisingly, the introduction of the SSN into the
stream of electronic commerce has been accompanied by a
dramatic rise in SSN misuse. There is no end to the creativity
and ingenuity employed by those with fraudulent intent. Our
office is acutely aware of this problem due to the large number
of SSN misuse allegations received by our Fraud Hotline and by
the increasing number of requests for constituent assistance
that we receive from Congressional offices. In FY 1999, our
Fraud Hotline processed over 75,000 allegations. Over 80
percent of the allegations and referrals made to our office
involve the misuse of an SSN. Specifically, 32,000 had SSN
misuse implications involving SSA programs and an additional
30,000 represented SSN misuse allegations with no direct
program implication. In the future, we expect this number to
escalate as we begin to process investigative referrals from
the Federal Trade Commission (FTC), which was designated as the
Federal clearinghouse for identity theft complaints in the
Identity Theft and Assumption Deterrence Act of 1998 (Identity
Theft Act). Once the public is fully aware of the FTC's new
role, we expect a considerable increase in the number of
referrals of SSN misuse each month. These daunting numbers will
seriously challenge our already strained resources.
As such, I would now like to describe how SSN misuse
impacts SSA's programs and operations, the public, and offer
some possible solutions.
SSN Misuse and SSA's Programs and Operations
Our work has revealed that certain misuse occurs because of
vulnerabilities in SSA's processes. In many instances, SSN
misuse strikes at the core of SSA's programs and operations and
we have dedicated substantial resources to this area. For
example, our office has investigated numerous cases where
individuals apply for benefits under erroneous SSNs.
Additionally, we have uncovered situations where individuals
counterfeit SSN cards for sale on America's streets. From time
to time, we have even encountered SSA employees who sell
legitimate SSNs for hundreds of dollars. Finally, we have seen
examples where SSA's vulnerabilities in its enumeration
business process adds to the pool of SSNs available for
criminal fictitious identities. Each of these scenarios has a
direct and material impact on the integrity of SSA's programs
and operations.
To that end, we have conducted numerous undercover
operations regarding trafficking in SSA cards and numbers. We
have prioritized SSN misuse cases where there is a material
impact on the SSA's Trust Funds, such as benefit application
cases. And we have been unyielding in our commitment to root
out employee fraud and abuse in the SSN arena. I am pleased to
report that SSA employee fraud cases in this area have been few
and far between.
Preventing SSN misuse will provide the greatest cost
benefit to the Agency. To this end, we have dedicated
substantial audit resources to study SSA's business processes,
as it relates to the issuance of SSNs. Once an improperly
issued SSN enters the stream of commerce, there is scant hope
for preventing subsequent damage. As such, we would like to
share some of our suggested preventative measures with this
Subcommittee.
In May 1999, we issued a Management Advisory Report
entitled Using Social Security Numbers to Commit Fraud. This
report detailed cases in which the Agency issued SSNs based on
fraudulent documentation. Thereafter, the improperly issued
SSNs were used to commit identity crimes. For example, one
individual and his associates obtained 1,120 SSNs for
nonexistent children using fraudulent birth certificates.
During our investigation, we learned a number of the SSNs were
linked to a larger criminal network being investigated by a
Secret Service task force where credit card companies were
defrauded out of approximately $30 million. We recommended that
SSA incorporate preventative controls in its Modernized
Enumeration System and as a result, SSA is developing automated
edits within the system to identify transactions that have the
greatest potential for fraud. This systems upgrade will alert
employees to suspicious SSN applications, which they can then
refer to the OIG for investigation. The efforts of SSA's work
in this area will potentially result in thousands of cases
being referred to our office for investigation over and above
what we currently receive.
This month, we released a follow-up report that further
examined SSA's procedures for examining evidentiary documents.
This draft audit report, entitled Review of the Social Security
Administration's Procedures for Verifying Evidentiary Documents
Submitted with Original Social Security Number Applications,
traced the SSN issuance process for over 3,000 SSNs. We
selected a judgmental sample of original SSN issuances from a
universe of transactions where SSA sent 10 or more SSN cards to
a single address within a six-month period. While our small
sample was not statistically selected, making extrapolations to
the entire SSN universe inappropriate, it was quite instructive
in identifying specific vulnerabilities in the SSN issuance
process. In our sample, 28 percent of the original SSNs
reviewed, or 999 SSNs, were based on invalid evidentiary
documents. While a substantial portion of these improperly
issued numbers were used to obtain employment, the majority of
these numbers were not. It is not implausible to believe that
these SSNs were obtained for identity-related crimes. Our draft
audit also uncovered the following instances where false
identification documents were used to acquire SSNs:
SSA sent 43 SSN cards to three post office boxes
in a small southern town. At our request, Immigration and
Naturalization Service (INS) reviewed the application documents
and determined that 98 percent of the documents presented were
invalid.
SSA sent 56 SSNs to nonexistent children at seven
different addresses. In support of their SSN applications, the
``parents'' or ``guardians'' of these purported children had
presented invalid birth certificates.
Our draft report concludes that SSA needs stronger
procedures and better tools to verify evidentiary documents.
Specifically, we will be recommending that SSA employees obtain
independent verification of alien evidentiary documents, prior
to issuing SSNs. We are also recommending that SSA accelerate
negotiations with INS and the State Department to implement an
``Enumeration at Entry'' program; that SSA not mail new SSNs to
a post office box; and that SSA employees receive work credit
and recognition for fraud detection and development. Without
such recognition, we see little hope for long-term
improvements.
We have also determined that there is a direct correlation
between SSN misuse and SSA's responsibility to maintain
accurate earnings records for individuals. When SSA cannot
reconcile SSNs and identifying information provided by
employers, SSA sends notices to wage earners requesting
pertinent information to resolve the discrepancy. Most of the
responses are returned ``undeliverable--addressee unknown'' to
SSA. Some individuals provide the necessary information so that
the earnings records can be reconciled while others reply that
they do not have a legal SSN.
Our office performed an audit in 1999, entitled Patterns of
Reporting Errors and Irregularities by 100 Employers with the
Most Suspended Wage Items, to determine which major employers
had the most suspended wage items, and to examine why this was
occurring. Ninety-six of the 100 employers reported over
109,000 SSNs that had never been assigned by SSA. Over 3,000 of
these numbers were entirely comprised of zeroes. As for the
others, employers admitted that many workers provide incorrect
names and SSNs because they do not want to be identified. One
of our recommendations to SSA was to develop and implement a
corrective action plan for these 100 employers and continue its
efforts to contact those employers who are responsible for
large numbers of suspended wage items. It is important to take
this action because it only costs SSA 50 cents to post a wage
item when originally submitted, as compared to $300 to correct
it later.
SSN Misuse and Its Impact on the Public
SSN theft also has a substantial impact on the lives of
private citizens, as well as private industry. Theft of SSNs is
also becoming more and more prevalent as a result of today's
electronic environment, which has facilitated easy access to
individuals' SSNs and other personal identifying information.
This point was highlighted in great detail at the
Administration's Identity Theft Summit in March of this year,
where several victims explained how the theft of their SSN
turned their lives upside down.
Since the passage of the Identity Theft Act, which provided
the OIG with additional tools to fight SSN theft, the OIG has
been in the forefront of the Federal Government's efforts to
fight identity theft crimes. The OIG, in conjunction with the
U.S. Attorneys' Office in Milwaukee, Wisconsin, was responsible
for one of the first criminal prosecutions under this new law.
This case exemplifies the extent to which SSN theft has an
impact on both SSA's operations and the public.
In Milwaukee, Waverly Burns, a Supplemental Security Income
recipient, had commandeered another person's SSN. This stolen
SSN was used to secure employment as a cleaning crew
supervisor. While on the job, Mr. Burns stole over $80,000 in
computer equipment from the offices of the Wisconsin Supreme
Court. The stolen SSN was used to obtain a State of Wisconsin
identity card, to open bank accounts in the victim's name, and
to file fraudulent tax returns. Meanwhile, Mr. Burns continued
to falsely represent to SSA that he was disabled and
unemployed; indeed no earnings had appeared under his true SSN.
On May 5, 1999, OIG special agents arrested Mr. Burns after
tracking him to Chicago. Ultimately, Mr. Burns was sentenced to
21 months in prison and ordered to pay over $62,000 in
restitution.
We would like to pursue the thousands of potential identity
theft cases that we receive each month. With less than 300
investigators nationwide, however, we lack the investigative
capacity to handle the entire volume of identity theft
referrals. As a result, we are forced to focus on major cases
that directly impact on SSA's operations such as the Wisconsin
case. Or, we work collectively through task forces with other
law enforcement agencies to make the most efficient use of our
resources. One of our toughest challenges is to find realistic
strategies to fight this battle in an effective and efficient
manner, while remaining focused on SSA's programs.
To that end, our Office of Investigations launched an SSN
misuse pilot operation in five major American cities last
summer. We partnered with Federal and State law enforcement
agencies to target identity crimes and SSN misuse. This allowed
us to ``bundle'' smaller SSN cases for prosecutions -cases that
would not typically be prosecuted if presented independently.
In less than one year, we have opened 125 investigations which
have resulted in 30 convictions to date. U.S. Attorneys'
Offices and outside law enforcement entities have
enthusiastically welcomed such pilots and have thanked our
office for taking the investigative lead.
To prepare for the future, we are developing for our fiscal
year 2002 budget submission, an integrated model that combines
the talents of our auditors, investigators, and attorneys. If
authorized, this group will focus its efforts on developing
patterns and trends to better target our audit work, refer
cases for investigation, and liaison with other relevant public
and private sector entities. This appears to be the most
effective way of using our resources.
Without any change to our current priorities, I believe we
have a responsibility to focus our resources on the SSN's
integrity as it relates to SSA core business practices. In
particular, we need to focus our audit and investigative
attention where there is:
1. an apparent failure of SSA's business processes for
issuing SSNs;
2. an apparent failure in SSA's wage and reporting systems;
3. a suspicion that SSN cards are being counterfeited;
4. concealment of work activity using false identifications
to obtain or maintain eligibility for Federal benefits.
However, this approach will only provide protection for
what is SSA's area of responsibility. It will be little
consolation to the thousands of identity theft victims,
including private industry, whose cases are the responsibility
of an array of Federal, State, and local law enforcement. We
have a responsibility to participate in this effort as a major
partner to whatever extent we are able.
Possible Solutions
We have several suggestions for SSA and Congress to
consider, in addition to our formal audit recommendations that
I have discussed previously:
1. Regulating the sale of SSNs;
2. Prohibiting businesses from refusing services for
nondisclosure of an SSN when not relevant to the services being
provided;
3. Requiring photo identification when conducting business
with SSA;
4. Urging the implementation of new technologies and data
bases to help employers, Government, and private industry
verify that names and/or SSNs are correct to improve the
identification process;
5. Legislating statutory law enforcement authority for our
investigators; and
6. Broadening civil monetary penalty authority for the sale
or misuse of an SSN.
As I close, I hope I have informed this Subcommittee that
we presently cannot investigate every instance of identity
theft, while fulfilling our mission to protect SSA's programs
from fraud, waste, and abuse. When SSN misuse compromises SSA
business processes and the Social Security Trust Funds, our
involvement is necessary and vigorous. Even in this context,
the magnitude of SSN misuse is vast, and our resources are
limited. To focus on our mission, we make tough choices to
ensure that we bring the most benefit to SSA. Yet, we often
become the court of last resort for victims of identity theft.
Therefore, I would appreciate your views on how to fulfill the
role that the public seems to expect from SSA and this OIG.
Thank you for the opportunity to appear today to discuss
this most important issue. I would be happy to answer any
further questions from the Subcommittee.
Chairman Shaw. Thank you, Mr. Huse.
I have one question and then I will yield to Mr. Johnson.
In your six-point solution, you referred to regulating the
sale of Social Security numbers. Can you think of any good
reason that we should even allow the sale of Social Security
numbers?
Mr. Huse. Mr. Chairman, as the previous witness spoke,
there is a great deal of commerce--
Chairman Shaw. I am talking about the sale of it; I am not
talking about passing it on. I mean actually getting paid for a
list of people with Social Security numbers. To me, there is
nothing but mischief involved in such actions.
Mr. Huse. It is kind of hard to divide between those two
uses but I agree with you, the flat sale of our identities to
me is deeply troubling, but it does go on. Much of the
information we leave on the record as we transact our own
personal commerce migrates to these databases that are
maintained by businesses and it is a big business.
Chairman Shaw. Yes, sir, but my question is a very pointed
one. If you would just answer yes or no and elaborate as you
see fit--can you think of any legitimate reason why somebody
would be engaged in the purchase and sale of Social Security
numbers?
Mr. Huse. No, there is no reason.
Chairman Shaw. Thank you. That is a good answer and I agree
with you.
Mr. Johnson?
Mr. Johnson. I agree with that too. I think it is
atrocious.
I wonder if you could tell us, the Federal laws mandate
Social Security numbers in food stamp, Medicaid, those kind of
programs, what would happen if we said you cannot use them
anymore?
Mr. Huse. It would be very difficult for us to sort out the
identity of our recipient and beneficiary population. By
default, over time, beginning with when our serial numbers were
changed in the military in the 1960s and I was one of those who
had a serial number changed over in Vietnam, the Social
Security number has migrated to a variety of uses in
government. It is not only at the Federal level, it is at the
State level, and at local government level too. It is really
what sorts us out one from each other.
Mr. Johnson. But it was pointed out by the gentleman from
Georgia to the gentleman from Ohio that in Texas as well, we
use the driver's license number for ID. What is wrong with
using that as opposed to the Social Security number?
Mr. Huse. Nothing whatsoever. I think those are choices
that businesses and government can make, but it represents some
business cost. There is a convenience issue here that is also
attached to this. Perhaps in the future, with new technology,
there will be better ways to sort us out one from each other
and to identify us as a unique person but we are kind of locked
into this by habituation, I think.
Mr. Johnson. When you talk about fraud and abuse, with the
advent of the Internet and fast communication, do you
anticipate more abuse of the Social Security number and the way
it is used? Have you seen any of that?
Mr. Huse. Yes, we have. It is growing--I hesitate to use
the word ``exponentially'' but it is increasing by significant
numbers each year. Some of that may be caused by the fact that
we are a new agency, only five years old, and our capacity to
take these reports gets better each year but the fact of the
matter is the numbers have increased. They have gone up in the
tens of thousands each year, each of the five years we have
been in existence.
Mr. Johnson. You do not submit any solutions for our
consideration in that arena.
Mr. Huse. In terms of asking for resources?
Mr. Johnson. No, trying to fix the problem. How do we slow
it down, without saying you cannot use the Social Security
number for any identification?
Mr. Huse. I think the solutions that I can recommend, there
are some huge choices here. No one readily says that the Social
Security number is the national identifier. We all are very
careful that we do not say that, but in effect, it is. It has
become that.
Until something replaces that and facilitates all the
rights and freedoms and ability to trade that we have, I don't
know that you can suggest anything else responsibly. I don't
know that I can. I agree with you, there needs to be some focus
on regulating the use of the Social Security number.
There also needs to be some aggressive deterrence. We need
to make examples of the people. We have good laws, the Identity
Theft and Assumption Deterrence Act of 1998 is a good law.
Before that, we had other good laws that Congress passed in the
area of identity fraud, but it is seeing that those laws are
enforced that are critical. All of this falls on law
enforcement agencies which are already manifestly committed to
many things. We need to make this a priority. I think there is
an answer in that. I really believe that is the most effective
answer, if you make it costly for people to do this.
Mr. Johnson. Federal attorneys would probably tell you this
is pretty low on the totem pole and they are not going to spend
time with it, isn't that true?
Mr. Huse. It is true because it is hard to get to the
bottom of what things of value are lost here. We heard Colonel
Stevens and his wife tell us that their reputation has been
lost. How do we put a dollar value on someone's reputation?
We receive hundreds of constituent letters from all of the
members of Congress with individual stories very much like the
Stevens. We have become a court of last resort because they
have tried local, State and Federal law and they have been
turned aside because their cases did not reach thresholds for
prosecution. Yet horrific things happen to these folks. I think
that is an area we need to fix too, but again we need some
teeth in that. That is why we have asked for the civil money
penalties.
Maybe there isn't a case there for a criminal prosecution
but we certainly can sanction the people that are causing some
of the trouble for these folks.
Mr. Johnson. Thank you for your comments. I appreciate
them.
Chairman Shaw. Mr. Huse, is there any case law or statutory
law to the effect that the numbers issued are the property of
the Federal Government? You can supply that to the record.
Mr. Huse. We may have to check that for the record. I don't
know of my own accord.
Chairman Shaw. That is a line of questioning that we have
that I think is important to this hearing.
Mr. Huse. It is regulated in statute but it doesn't say
that it is the property of the United States Government.
Chairman Shaw. When somebody dies is their number recycled?
Mr. Huse. No.
Chairman Shaw. Why aren't you out of numbers?
Mr. Huse. Again, I would have to ask my actuarial expert. I
think there is an infinite possibility still in the issuance of
numbers.
Chairman Shaw. Pardon me?
Mr. Huse. We still have several hundred million to issue
yet, so we are not at the point where they need to recycle.
Chairman Shaw. I guess then you will go to using the
alphabet or something of that nature.
Mr. Tanner?
Mr. Tanner. Thank you for being here, Mr. Huse.
Did you hear my comment to the lady that testified before
you? How does your office interact with the FTC when the FTC
gets a complaint or notice that there is a possible identity
theft in progress?
Mr. Huse. We have a great relationship with the FTC. When
the Identity Theft and Assumption Deterrence Act was passed
making the FTC the clearinghouse for victims reports, we
established a very close relationship with FTC and they refer
to us those cases they receive that fall under our general
jurisdiction.
There are other Federal law enforcement agencies in this
also, the Postal Inspection Service, the Secret Service, the
FBI, but I would say our relationship with the FTC is probably
the closest because we both get into a lot of victim reporting.
Sometimes the victim reporting comes to us in our fraud hotline
and then we refer that to the FTC. These are relatively new
processes, so I hope over time they become more vigorous and
abiding.
Mr. Tanner. What happens then to stop it? Where do you go?
What happens? Do you go to the FBI, do you go to the State
police? How do you try to stop it?
Mr. Huse. We have our own investigative arm of the Office
of the Inspector General, albeit small, they are still Federal
agents just like all the others. We actively investigate and
bring cases to the Justice Department for prosecution just like
other Federal law enforcement agencies.
Mr. Tanner. So you are an investigative, law enforcement
agency yourself to go and try to find the perpetrator of an
identity theft in progress?
Mr. Huse. We focus our efforts on those portions that deal
with where Social Security's programs are being defrauded or
other government benefit programs, or an area where the
activity, like sale of SSNs, has an impact on Social Security's
business processes, perhaps trying to corrupt the integrity of
one of our employees to get these numbers or something. That
keeps us pretty busy.
Mr. Tanner. In your unit, you investigate and refer for
prosecution individual instances of this?
Mr. Huse. We do. Also, we do participate in task forces. We
have established a number of these as pilot projects around the
country with our Federal, State partners, and local partners to
try and aggregate the impact that we can have in this area.
This is a new attempt too.
Mr. Tanner. I understand your administration hopes to
process 97 percent of all Social Security number applications
within five days. Do you have the manpower to do that with some
level of degree of certainty as it relates to the fact that the
person you are actually giving a Social Security number exists
and two, it is not somebody else. I mean, 97 percent in five
days is a laudable goal but it seems to me if we are going to
really research the accuracy of this event in our lives, that
is a pretty tall order. Do you have the resources to do that?
Mr. Huse. In our recent audit work on this issue of the
customer service goal Social Security has to issue numbers
within five days, we have suggested and recommended in our
audit work to SSA that this process is probably too fast. With
today's technology and the ability to counterfeit almost
anything so that it looks real, we need to slow down this
process to verify the actual breeder documents that go behind
Social Security numbers, birth certificates or other
documentation.
Mr. Tanner. That was the purpose of my question. Most
people now getting Social Security numbers, I would guess are
infants. It seems to me waiting 10, 15 even a month to give an
infant a Social Security number because you are going to check
in some manner that is going to give you a reasonable degree of
certainty that this person exists and is the one you want, it
seems to me that is not an unreasonable imposition on an infant
that is two months old. If I am wrong in that, I stand
corrected.
You heard what Colonel Stevens and his wife testified, I
assume?
Mr. Huse. I did.
Mr. Tanner. Do you have any suggestions for us to tell
them? I was horrified. This man and his wife's life has
literally been ruined through no fault of their own in terms of
their plans for their children, grandchildren and so forth.
This to me is an outrageous abuse of the system and the system,
I think, ought to respond in some manner more than just saying
we are really sorry about this, we are going to look into it.
I suggested to him that the people who continue to
circulate knowingly false credit reports may be liable if they
know and continue to recycle these, the candle being relit all
the time I believe is the way he put it.
Do you have any suggestions for people in their
circumstance? I would sure like to help them.
Mr. Huse. It is my understanding that as the Federal Trade
Commission's ability to take in these victims' reports, they
then would have the civil authority to sanction these entities
that improperly recycle bogus credit histories. I think that
same power probably should be applied to some of our
investigative agencies perhaps in the civil monetary penalty
area at least where victims have no other recourse, there needs
to be a way to make people pay for recirculating what basically
is data garbage.
Mr. Tanner. Does the FTC have that authority, in your
opinion, now?
Mr. Huse. I don't know that for a fact. They regulate but
they don't have any enforcement authority, civil enforcement
authority.
Mr. Tanner. If they were going to be civilly fined for
recirculating this, who would do that?
Mr. Huse. I am suggesting perhaps in the civil monetary
penalty area that we could do that.
Mr. Tanner. Do you have that authority now?
Mr. Huse. We have some civil monetary penalty authority in
some areas, but we are asking for that to be expanded to add
that dimension to our array of tools that we could use to help
victims.
Mr. Tanner. Have you submitted a suggestion along that line
formally to the Chairman and the committee?
Mr. Huse. I have forwarded it to the Chairman, yes.
Mr. Tanner. I apologize for taking so much time but this is
important.
Thank you.
Chairman Shaw. Don't apologize, this is important.
Mr. Portman?
Mr. Portman. If I might follow up on some of the
recommendations you made in your testimony today and see if we
can get at the next level as to how we would approach this.
This story we heard at the beginning from Colonel and Mrs.
Stevens has to focus everybody's attention. They are not the
only ones, of course. There are people out there all over the
place unfortunately having their Social Security numbers stolen
and then end up in a living hell which is what they are going
through right now.
One of the things you just responded to in Mr. Tanner's
questioning was something you testified to, broadening civil
monetary penalty authority for the misuse of a Social Security
number or the sale of a Social Security number. You said you
thought the Social Security Administration might be the place
to expand on existing authority. Can you elaborate on that and
perhaps provide some more information to the committee
regarding that possibility?
Mr. Huse. I would be glad to do that. I think perhaps it
would be better if I refine that a little better in writing and
I would be glad to do that.
Mr. Portman. Why don't we do that. I would be interested in
it personally but I am sure the subcommittee would like to hear
what specifically you would recommend in that regard. Clearly
there is not adequate recourse right now for people like the
Stevens.
Another recommendation you had is to legislate statutory
authority law enforcement authority for your investigators. How
would this help to combat Social Security fraud? Is this a
Social Security fraud issue or some other issue?
Mr. Huse. It is Social Security fraud that is the driver
for us but Social Security fraud as it rushes into what becomes
identity fraud.
Mr. Portman. It is a Social Security number issue?
Mr. Huse. We have a responsibility as part of this array of
Federal, State and local law enforcement because we are at the
front end of most of this process, to be a cooperative piece of
whatever they do and our ability to task force, to cross
deputize local and State law enforcement to participate with us
in different investigative endeavors to tackle some of these
things and some of them are very complex conspiracies. We can't
do that under the existing authorities that we have now. We are
deputized United States Marshals; that is the way IG
investigators are upholding to the Federal law enforcement
family under current rules.
If we had our free-standing statutory authority, as some
inspector, general do in the Department of Agriculture and the
Department of Defense, we would then have the ability to
deputize other sworn law enforcement to help us in these
projects. That is the key reason we need it.
Mr. Portman. That is the authority you are looking for?
Mr. Huse. Yes.
Mr. Portman. Let me go to your other recommendations. One
is that people show a photo ID when they are conducting
business with the Social Security Administration. This seems
like a useful suggestion but I wonder what portion of the
population doesn't have a photo ID? Is this a practical
solution?
Mr. Huse. I am not aware of many that don't but I do know
it is not a common business practice in Social Security's field
operations today.
Mr. Portman. They do not require a photo ID?
Mr. Huse. They don't. We had evidence a week or so ago
before this committee where a woman obtained the ability to
become a representative payee without ever showing any
identification. She did it over the telephone. These practices
in today's world, you can't take people on faith anymore. It is
unfortunate but you really need to have more vetting of your
identity in a lot of transactions today.
Mr. Portman. This could cut down on fraud in a lot of areas
of Social Security, not just in terms of the number. I think it
is a useful suggestion.
I also note that Social Security is rightly so doing much
more on-line now and you are looking to expand that, like
applications for retirement benefits. At least with existing
technology, require a photo ID in the context of an on-line
service is going to be difficult. How do you reconcile this
trend toward more on-line services with a photo ID requirement?
Mr. Huse. I agree, until we get to the actual visual
biometrics that may come in the future, and I think they will.
I think our commerce will drive that, for electronic service we
are going to need some aspects of public key infrastructure
technology to enable us to do business over the Internet or
transact business electronically.
Mr. Portman. Both for privacy and fraud reasons?
Mr. Huse. For both reasons. I think this, of necessity,
will limit then the potential of electronic commerce because
not everybody is going to be able to have their piece of the
public key tradeoff in order to be able to identify themselves.
You would have to have some way to do that.
We are going to end up with both tiers of service for a
long, long time, person to person and electronic but the
electronic will have to be public key infrastructure.
Mr. Portman. I appreciate what you are doing with regard to
fraud and also with regard to ensuring people's privacy which
in our digital economy is an increasingly troublesome issue to
a lot of us and something in the area of Social Security we can
make an impact.
Chairman Shaw. Mr. Cardin?
Mr. Cardin. I very much appreciate your testimony.
I want to concentrate on some of your recommendations. You
have recommended that we regulate the sale of SSNs and I hope
you are aware of H.R. 1450 by Representative Kleczka. I see
that you are, that he has introduced legislation that would
prohibit the sale or purchase of any information that includes
one's Social Security number less there is a written consent
from the individual.
You have also recommended prohibiting business from
recusing services for nondisclosure of SSN numbers when not
relevant to the services being provided. That provision is
included in Congressman Kleczka's bill along with prohibiting
merchants from requiring a Social Security number on a check
that is used for the purchase of an entity or utility company
from asking for SSN numbers on service applications.
You also have suggested broadening the civil monetary
penalty authority for the sale or misuse of SSN numbers.
Have you had a chance to review Congressman Kleczka's
legislation and do you have a view as to whether what is
included in that legislation would help carry out the
recommendations you are making to the committee?
Mr. Huse. The very short answer is we have seen Congressman
Kleczka's bill. I believe it is a good start. I think it pretty
much addresses the issues I suggest in my recommendations.
Mr. Cardin. I understand we will have a subsequent hearing
and Congressman Kleczka will have a chance to present his bill
to our committee. I think your views on pending legislation is
very helpful to us. We appreciate the information you made
available to us as we try to give the right tools to protect
our constituents.
Thank you.
Chairman Shaw. Very quickly, in your testimony you mention
85 percent of the cases you did--if my math is correct, that is
60,000--in 1999 involved the misuse of Social Security numbers.
Is that a growing problem and what would be your guess as to
the percentage of misuse that ever gets to your attention?
Mr. Huse. I didn't hear the last.
Chairman Shaw. My question is twofold. One, is this an
increasing problem, is 99 more than 98 and the second part of
that is what percentage of the cases would you estimate are
brought to your attention?
Mr. Huse. That is a very good question. We have one of the
largest hotlines in government and yet we don't really get the
whole universe of calls that come to us every day. Each year we
have had this capacity increase on the hotline, we have gotten
more and more allegations.
The constant, in terms of from the allegations we get, the
pieces that involve SSN misuse--
Chairman Shaw. How would someone know to get to you? Has
Colonel Stevens come to you or do you know? How would anybody
really think to get in touch with your office on this?
Mr. Huse. We have made the number public. A lot of
newspapers have published it.
Chairman Shaw. If I were to call the Social Security
Administration and say, someone is using my number, would they
refer me to you?
Mr. Huse. They would gate you over to the hotline.
Chairman Shaw. So that is how you get most of your
referrals?
Mr. Huse. We get a lot of it that way. Others, people just
call the 800 number directly.
To answer your question, it is growing. What I cannot
answer for you is what the universe is.
Chairman Shaw. Perhaps for the record, you could let us
know what the first four or five months of this year, how that
curve is looking. If you could supply that for the record, I
think it is important we measure that.
Mr. Huse. We will do that.
Chairman Shaw. This has been a very good hearing. We have
called the Pentagon to try to find out the answer to the
question I asked to Colonel Stevens. You don't know the answer
to that, do you?
Mr. Huse. We don't know if it is a military regulation but
there is no Federal law that requires the use of the Social
Security number in the transaction.
Chairman Shaw. I think some people are making some
misstatements in that regard and I think we need to let the
Congress weigh in on that.
Mr. Huse. I also wanted to say another piece of the Stevens
testimony where they were told there were no Federal laws that
applied to the situation in 1997, in effect, there were. We
have always had good statutes. What Senator Kyl's bill did was
even make it better.
The criminal teeth are there; it is really in the
implementation and the coordination of that implementation that
we are getting lost.
Chairman Shaw. I would say your staff would be swamped by
the numbers you have now so you do not have the personnel to
adequately investigate all these cases. That is my guess. I
think I am right on that.
Mr. Huse. You are. We have 300 special agents across the
United States. That is far too small a number.
Chairman Shaw. They do more than just this?
Mr. Huse. Their principal mission is the program fraud that
Social Security faces.
Chairman Shaw. So the 60,000 complaints really are not--you
don't have the personnel to adequately investigate them all?
Mr. Huse. We do not.
Chairman Shaw. We will have the response to my question
from the Pentagon at the hearing on Thursday which will be a
continuation of this hearing. I think this has been very
helpful.
I appreciate your testimony Mr. Huse, and all of the
witnesses we have had throughout the morning. Thank you.
[Questions submitted by Chairman Shaw, and Mr. Huse's
reponses, follow:]
Office of the Inspector General Response to Social Security Number Use
and Misuse
1. You mention that a good deal of SSN misuse creates a cost to
the Social Security program because people fraudulently apply
for benefits. Has anyone estimated the cost of SSN misuse to
the Social Security Trust Funds? Has anyone estimated the cost
of SSN misuse to private-sector businesses?
To our knowledge, no one has estimated the total cost of
SSN misuse to the Social Security Trust Funds (Trust Funds).
Additionally, we are not aware of any reliable estimates that
reflect the total cost of SSN misuse to private sector
businesses.
In its May 1998 report entitled Identity Fraud: Information
on Prevalence, Cost, and Internet Impact is Limited, the U.S.
General Accounting Office (GAO) concluded that identity fraud
is very difficult to track. One of the reasons for this
difficulty is that identity fraud cuts across many of the
statistical categories tracked by law enforcement authorities.
We echo GAO's conclusion. Additionally, even though over 80
percent of the allegations and referrals made to our office
involve the misuse of an SSN, our limited resources only allow
us to investigate a small percentage of these cases. Therefore,
our data only illustrates the impact to the Trust Funds and/or
private sector entities of those cases we investigated, not the
universe of such occurrences.
Since the issuance of GAO's report and the passage of the
Identity Theft and Assumption Deterrence Act of 1998 (Identity
Theft Act), we have started to redesign our systems to capture
SSN misuse referrals in a more defined structure that will
delineate SSN misuse by type. Also in response to the Identity
Theft Act, other Federal Agencies, such as the Federal Trade
Commission, have initiated system enhancements that will
capture SSN misuse data. Therefore, we would anticipate more
thorough statistics in the near future.
2. What are the key vulnerabilities in SSA's business processes
relating to the issuance of SSNs? What recommendations have you
made and how has the agency responded?
Based on our audit and investigative work, we believe the
key vulnerability in SSA's enumeration business process is the
Agency's procedures for verifying evidentiary documents
submitted with SSN applications. Testimony given at the May 19,
2000, Hearing on the Sale of False Identification Documents via
the Internet before the Senate Committee on Governmental
Affairs, Permanent Subcommittee on Investigations, provided
evidence of how easily official documents can be counterfeited
with today's computer technology. Unfortunately, SSA employees
are faced with determining the legitimacy of such expertly
counterfeited documents every day. Certainly, we acknowledge
that the preponderance of SSN applicants are law-abiding
individuals who present valid documents in support of their SSN
applications. Nevertheless, we believe this vulnerability is
significant because (1) obtaining an SSN is often the first
step in committing other identity fraud crimes and (2) once an
SSN is issued, SSA has little ability to prevent the misuse of
that SSN. As such, we believe it is essential that SSA
incorporate more front-end controls in its enumeration process
that would help identify counterfeit documents and prevent the
improper issuance of SSNs.
Based on our audits and investigations, we identified the
following reasons that fraudulent documents are ``slipping
through the system.''
SSA employees do not have adequate tools (for
example, real-time on-line verification mechanisms) to verify
the validity of evidentiary documents.
SSA's emphasis on customer service discourages
personnel from employing security measures that might detect
fraudulent documents.
SSA has implemented and is planning several initiatives
designed to address the use of fraudulent documents in
obtaining SSNs. For example, SSA is negotiating the Enumeration
at Entry program with the U.S. Immigration and Naturalization
Service (INS) and the U.S. Department of State. Under this
program, INS and the State Department will collect enumeration
data from aliens entering the United States. Additionally, SSA
is attempting to negotiate with State Bureaus of Vital
Statistics to gain on-line access to verify birth and death
records. We applaud these initiatives, however, we believe that
they will take several more years to implement.
As such, we recommended that SSA make both policy and
procedural changes to ensure the integrity of the enumeration
function. We recognize that the recommendations may affect the
amount of time necessary to process original SSN applications.
However, we believe that if SSA intends to fully address the
issues of fraudulent SSN attainment and use, we believe these
are investments the Agency should make. Our specific
recommendations to SSA include the following:
Obtain independent verification from the issuing
agency for all alien evidentiary documents before approving the
respective SSN applications, until the Enumeration at Entry
program is implemented.
Accelerate negotiations with INS and the State
Department to implement the Enumeration at Entry program. Once
implemented, all non-citizens should be required to obtain
their SSNs by applying at one of these Agencies.
Give credit for fraud detection and development in
measuring the performance of field offices and their employees.
Continue efforts and establish an implementation
date for planned system controls that will interrupt SSN
assignment in certain suspect circumstances.
Propose legislation that disqualifies individuals
who improperly attain SSNs from receiving work credits for
periods that they were not authorized to work or reside in the
United States.
In its recent response to our recommendations, SSA agreed
to accelerate negotiations with INS and the State Department to
implement the Enumeration at Entry program. On June 16, 2000,
SSA, INS, and the Office of Management and Budget met to
resolve any remaining concerns INS has so that implementation
may occur. In its response, SSA also agreed to continue efforts
and establish an implementation date for planned system
improvements that interrupt SSN assignment in certain suspect
circumstances. Due to the extensive systems improvements that
will be required, SSA expects to have these controls in place
by April 2002.
Although we are certainly encouraged by these planned
actions, we regret to report that SSA disagreed with our
remaining recommendations, both of which we believe are very
important in preventing SSN fraud. SSA declined to obtain
independent verification from the issuing Agency for all alien
evidentiary documents before approving the respective SSN
applications. SSA stated that the Agency already verifies with
INS all documents for noncitizens applying for SSNs, except
documents for those who have been in the country less than 30
days. The Agency also responded that, while it is committed to
reducing fraud, SSA also has an obligation to provide SSNs to
newly-arrived noncitizens who have legal authority to work. SSA
believes that delaying approval of their SSN applications for 1
to 2 months until INS can verify their applications would
result in a grave disservice to these individuals. Instead, SSA
stated that the Agency would continue to work with INS to
shorten the lag time needed to update the latter Agency's
systems and to have INS collect enumeration data.
SSA also disagreed with our recommendation to propose
legislation that disqualifies individuals who improperly attain
SSNs from receiving work credits for periods that they were not
authorized to work or reside in the United States. SSA stated
that the legislative proposal we recommended would be extremely
difficult to administer because SSA cannot on its own determine
when or if an individual's immigration or work status has
changed. SSA believed that these determinations could only be
made by INS or a court.
Although we acknowledge SSA's concerns with these
recommendations, we do not agree with the Agency's position. We
continue to believe that the vulnerability within SSA's
enumeration process regarding the possible acceptance of
counterfeit alien documents is significant enough to warrant
the verification of such documents. Additionally, we believe a
delay in the receipt of SSNs for many noncitizens will be
inevitable under the Enumeration at Entry program, unless INS
makes extensive changes in its processes. We also disagree that
the implementation of our legislative proposal would be
extremely difficult to administer. It is our contention that it
would be the responsibility of the number holder to amend the
SSN record if he or she subsequently became eligible to reside
and/or work in the United States. In summary, we believe that
if the holder of a fraudulently attained SSN applies for SSA
benefits, he or she should be required to prove that they have
sufficient work credits as a legal worker in the United States
before those benefits are approved.
We will continue to work with SSA to resolve these two
issues.
3. GAO testified before you that there is no federal law that
regulates the overall use of SSNs. Is such a law needed? Is it
feasible to enact, administer, and enforce such a law?
There is no doubt that such a law is needed. The abuse of
SSNs is possible only when the number is made available to
those who would misuse it, and existing law fosters misuse. The
most potent tool we have to combat misuse of an SSN at the
criminal level is Section 208(a)(8) of the Social Security Act,
42 U.S.C. 408(a)(8), but that statute only prohibits misuse of
an SSN in violation of the laws of the United States. In other
words, misuse of the SSN becomes a crime only if another crime
is committed in the process (i.e., bank fraud).
I am sympathetic, however, to the second half of your
question with respect to feasibility. The use of SSNs,
legitimate and illegitimate, is so prevalent at this point that
regulation would almost certainly bring a hue and cry from many
honest industries. However, both the legislative and regulatory
processes permit the public to be heard. Indeed, in this
instance, their voices would be critical to the process. The
use of SSNs is not likely to decrease--as it increases, so will
instances of misuse. Only by making the difficult
determinations of which uses will be permitted and which will
not, can we can cull out those uses which facilitate misuse and
criminality.
Certainly before we may outlaw improper uses of the SSN on
a significant scale, appropriate uses would have to be
identified and regulated. In this respect, the Federal Trade
Commission and the Social Security Administration would have to
work in concert. Once these difficult determinations are made,
and proper SSN uses regulated by one or both of those agencies,
it would become a relatively simple matter to provide clear and
enforceable criminal, civil, and administrative sanctions
against those who misuse the SSN either by putting it to uses
that are outside the scope of that regulatory scheme, or by
violating that scheme. Any such legislative amendments to the
Social Security Act would bring violators within the
jurisdiction of this office and the Department of Justice.
While this is by no means an easy task, it becomes more and
more daunting with each passing day and each new use (or
misuse) to which SSNs are subjected. Therefore, immediate
action as contemplated above is critical.
4. GAO testified that many private-sector businesses and
government agencies have adopted voluntary policies aimed at
protecting privacy and reducing SSN misuse. Can self-regulation
be an effective way to reduce SSN misuse?
Although we applaud private-sector businesses and
governments that have been instrumental in facilitating the
recent reform effort of information privacy issues, we do not
believe self-regulation should be considered the definitive
solution in reducing SSN misuse. Our concerns rest with the
inability of self-regulated entities to ensure uniform
implementation of privacy measures and subsequent compliance.
Additionally, we believe it is unlikely that self-regulation by
reputable companies or government organizations that already
have a fiduciary responsibility to protect the public's
interest will significantly curb the current identity fraud
crisis.
5. You note that your office issues a list of the 100 employers
with the most suspended wage items (i.e., wages that do not
match up to an SSN.) What are the reasons why these reported
wages don't match up to an SSN? One of your recommendations to
the Social Security Administration was to implement a
correction action plan for these employers. Has SSA acted on
this recommendation?
Our office issued an audit report in which we discussed
patterns of reporting errors and irregularities by 100
employers with the most suspended wage items. During this
audit, we found that about 55 percent of the wage items in
SSA's suspense file either don't have (1) a name; (2) a SSN;
(3) a name and SSN; or (4) a valid SSN. About 41 percent have
valid SSNs but the names show no relationship to the names on
SSA's master file of issued SSNs. Three industries, bars and
restaurants, services, and agriculture account for 47 percent
of the suspense file. These industries rely on a low skilled,
low wage, and highly transient workforce. Nine states account
for 70 percent of the suspended items. California alone
contributes 31 percent.
Many of the suspense items occur at the earliest point of
the wage reporting process, the time of hiring. Some of the
reasons for these occurrences are as follows:
Employers cannot require new hires to show their
Social Security cards as a condition of employment. Under
present Immigration and Naturalization guidelines, new hires
can choose from a total of 27 documents to prove their identity
and work eligibility. Presently, SSA can only encourage
employers to ask for the Social Security card.
Many employees whose wages are suspended may be
aliens who do not have work authorization from INS and may be
providing fraudulent documents to employers. With 27 documents
for the employee to choose from, it is virtually impossible for
the employer to detect all counterfeit documents.
Employers are not required by either INS or SSA to
verify the validity of documents provided by new hires.
Presently, INS and SSA can only encourage employers to enter
joint SSA/INS pilot programs and SSA verification programs.
Employers have no incentive to follow-up with
employees to ascertain the correct name/SSN, after SSA has
rejected their wage reports. In fact, in many cases it may be
impossible to locate the employees because they are no longer
employed and have left no forwarding address.
SSA does not have authority to sanction employers
who repeatedly submit incorrect wage reports. Only IRS has this
authorization and, to date, the Agency has used this authority
only on an extremely rare basis.
In response to our report, SSA agreed to develop a
corrective action plan for the top 100 employers contributing
to the suspense file. As a part of this plan, SSA has taken or
is in the process of implementing the following actions:
Negotiating with IRS so that 50 of the 100
employers on the OIG list will now be included in IRS' large
case audit program and subject to potential incorrect filing
penalties.
Continuing its efforts, now in its third year, of
contacting employers with large numbers of suspended wage
reports (100 or more items).
Sent notices to employers in February 2000 for tax
year 1999 that included a section informing them about their
responsibilities and employee rights.
6. You mention that it costs SSA 50 cents to post a wage item
when it is originally submitted compared to $300 to correct it
later. Why are the costs to correct wage items so high?
Correcting wage items is a labor-intensive and therefore,
expensive process. For example, about 20 million individual
wage records initially cannot be matched to SSA's name and SSN
records. To resolve these discrepancies, the Agency uses about
27 editing routines in an attempt to properly record wages to
the Master Earnings File (MEF), prevent wage items from ending
up in the Earnings Suspense File (ESF) and reinstate wage items
from the ESF to the MEF.
The Agency uses both manual and electronic validation
routines that manipulate wage earners' Social Security numbers
(SSN) and/or names in efforts to find record matches. When
matches are questionable, researchers use additional wage
earners' records to identify possible matches. Some annual
routines review the current reporting year and specific tax
years. Other routines use the latest system improvements and
validation rules to periodically review the entire ESF dating
back to 1937. These routines find correct matches from
incorrectly reported SSNs or names (or both) when it meets
SSA's validation rules.
It is also costly to notify employees and employers of
discrepancies. When wage items reach the ESF, the system
generates letters, known as Decentralized Correspondence
(DECOR.) The main purpose of DECOR is to query individuals in
an attempt to resolve SSN and/or name discrepancies. SSA must
review responses to these letters to remove items from the ESF
for posting to the individual's MEF record. DECOR annually
generates and mails about 6.5 million letters.
SSA receives about a 20 percent response rate to these
letters and is able to use the information to reinstate
suspended wages in about 40 percent of those cases (that is,
about 8 percent of the overall DECOR mailing). Another 20
percent are returned to SSA unopened as undeliverable mail. For
the remaining 60 percent, there is no recorded response
although some may result from telephone calls or visits to SSA
field offices.
In addition, SSA employees annually have thousands of
contacts with employers to help them report wages correctly.
For example, the Agency estimates it received over 200,000
calls from employers in FY 1999.
Despite the Agency's efforts, approximately 5 million wage
items cannot be posted to individuals' earnings records for any
given year.
7. You mention the Identity Theft Act in your testimony. Are
there any other laws aimed at protecting privacy and preventing
fraud? In your opinion, are existing laws enforced effectively
or do we need new laws to help prevent identity theft and other
types of SSN misuses?
Existing laws, and the Identity Theft Act in particular,
provide some measure of protection. As a whole, however, SSN
misuse represents a significant legislative gap. With some
limited exceptions, the criminal and administrative authority
in the Social Security Act is aimed at protecting against SSN
misuse in terms of misusing the SSN against SSA programs,
rather than misuse in a more global context. To that extent,
legislation has not kept up with the criminal universe.
Certainly in the past, one could argue that SSN misuse was
primarily a crime against SSA programs; that is no longer the
case. The misuse of the SSN in ways never contemplated has
created a situation in which the greater threat is not to SSA
programs, but to private citizens and to commerce. The crimes
against them being committed through misuse of an SSN have
become crimes in which SSA is an unwitting accomplice, in which
the integrity of the SSN is systematically violated for
criminal purposes. And, even when the SSN misuse is not aimed
directly as SSA programs, the misuse still costs SSA in terms
of erroneous record-keeping (such as wage reporting) and
improperly-paid benefits, as well as by corrupting the SSN
itself.
As stated above, it is critical that a universe of
appropriate SSN uses be identified and regulated, and that
legislation providing criminal, civil, and administrative
sanctions for misuse be put in place.
8. Can you please elaborate about the Federal Trade
Commission's specific role in SSN misuse?
The Identity Theft and Assumption Deterrence Act of 1998
designated the Federal Trade Commission (FTC) as the
clearinghouse for identity theft complaints. In this capacity,
FTC indirectly assists identity theft victims by managing
information sharing among public and private entities. The
specific goals of the FTC's information clearinghouse are to
(1) support criminal law enforcement efforts by collecting data
in one central database and making referrals as appropriate;
(2) provide consumers with information to help them prevent or
minimize their risk of identity theft; (3) streamline the
resolution of credit and financial difficulties consumers may
have when they become victims of identity theft; and (4) enable
analysis of the extent of, and factors contributing to,
identity theft in order to enrich policy discussion.
To meet these goals, FTC developed a plan that centers on
three principal components:
A toll-free telephone number that consumers can
call to report incidents of identity theft. Hotline counselors
enter information regarding the consumers' complaints into a
centralized database--the Identity Theft Data Clearinghouse. In
operation since November 1, 1999, the hotline has averaged over
400 calls per week. This information is used to guard against
or resolve problems caused by identity theft, and to assist in
streamlining the process for the consumer wherever possible.
The Identity Theft Complaint Database is designed
to become a comprehensive, government-wide repository of
information collected from victims of identity theft. It will
also incorporate complaints received by other government
agencies, such as SSA. Consumers can also enter their own
complaint information via the public user complaint form at
www.consumer.gov/idtheft. The clearinghouse will be available
to law enforcement agencies at the Federal, State, and local
level through a secure, web-based interface allowing them to
more effectively track down identity thieves and assist
consumers.
Consumer education is provided through both print
publications and a website located at www.consumer.gov/idtheft.
9. One of your recommendations to combat SSN fraud is to
regulate the sale of SSN's. How can this be done? What
exceptions would the law have to include? Would there be any
downside for consumers?
Again, regulation of the sale of SSN's is one part of the
scheme envisioned above, wherein appropriate uses (whether
sale, recordkeeping, banking, etc.) are identified and
regulated. It is not for this office to determine what uses (or
what sales) of an SSN will be appropriate--that is a matter
best left to the expertise of the Social Security
Administration, the Federal Trade Commission, and the
legislative and rulemaking processes. While there may be a
downside for consumers, if the process is conducted properly, I
am confident that any downside would be vastly outweighed by
the greater degree of protection and security that such
legislation would provide to the American public.
10. The widespread use of the SSN creates a lot of
administrative headaches for SSA, such as reissuing SSNs for
people who have been the victims of identity theft. To your
knowledge, has SSA ever developed a proposal that addresses
this issue, especially one that seeks to limit how the SSN is
used by other government agencies and the private sector?
We are not aware of any SSA proposal that would limit how
other government agencies and the private sector use the SSN.
11. One of your recommendations for reducing fraud is that
people should show photo ID when conducting business with SSA.
That seems like a useful suggestion. Still, are there any
arguments that some might make against it? Do you know what
portion of the population do not have a photo ID? Wouldn't this
cut down on fraud in other areas of SSA programs as well?
In proposing this recommendation, we did not intend to
infer that photo identification would be feasible in every
circumstance. In fact, we acknowledge that a number of
exceptions would need to be allowed if SSA adopted this policy.
Specifically, although we are unsure what portion of the
population does not have picture identification, the numbers
could be significant. Those without picture identification may
include children, homeless individuals, and refugees. Opponents
of this proposal might also argue that counterfeit photo
identification is very easily attained and therefore provides
little deterrent value. Nevertheless, where available, we
believe providing photo identification may prevent some forms
of identity fraud.
12. At the same time, SSA is studying conducting certain
services online, such as applications for retirement benefits.
Obviously, at least for now, showing a picture ID won't work in
that setting. How can the trend toward online applications be
reconciled with your suggestion of showing a photo ID to
receive services?
As stated previously, we do not believe that photo
identification is feasible in every situation. Additionally, we
do not believe this measure will be a cure-all for identity
fraud issues. Certainly, as SSA shifts more of its services
online, other identification technologies must be explored. In
the interim, however, we believe requiring photo identification
when available is a small step towards addressing SSN misuse in
SSA programs.
13. One of your recommendations is to legislate statutory law
enforcement authority for your investigators. How would this
authority for your investigators assist in combating SSN fraud?
My office is, first and foremost, a law enforcement
organization. Unfortunately, our authority is not commensurate
with our responsibilities. With no independent law enforcement
authority, we are limited to the terms of a revocable agreement
with the Department of Justice--as a result, many of our
policies and practices are less than they could be. For
example, we are frequently unable to make the most of limited
resources through cross-designation of other law enforcement
personnel, because we have no such authority. We are similarly
hindered in our cooperative enforcement efforts at the State
level because of restrictions in the aforementioned agreement.
Statutory law enforcement authority would enable us to maximize
our resources to combat SSN misuse.
14. You also suggest broadening civil monetary penalty
authority for the sale or misuse of an SSN. Would you provide
more details about this recommendation?
The civil monetary penalty authorities provided by Sections
1129 and 1140 of the Social Security Act have proven invaluable
tools for both deterring and punishing fraud. We are hopeful to
expand that authority beyond false statements and misuse of SSA
words and symbols into several additional areas, including the
sale or misuse of an SSN. As you know, United States Attorneys
are limited in the number of cases they can accept for either
criminal prosecution or civil action. Frequently, in the
context of Social Security crimes, such decisions are made on
the basis of monetary loss to the government. The sale or
misuse of an SSN often results in little or no monetary loss to
the government, but it is certainly not a victimless crime, as
it wreaks havoc with individuals' credit histories and
financial well-being, affects commerce, and causes enormous
financial losses in the private sector.
With civil monetary penalty authority, my office would have
the ability to pursue those offenders that the Department of
Justice does not have the resources to pursue and impose fines
that would punish those who sell or misuse SSNs, deter similar
conduct by others, and at the same time, replenish the Social
Security trust fund to compensate for any monetary losses that
do affect SSA. By delivering a clear message that the sale or
misuse of SSNs is not a crime that goes unpunished, the civil
monetary penalty authority would play a critical role in a
coordinated assault on SSN misuse.
15. You recommend that new technologies and databases be
fostered to help employers, government, and private industry
verify that names and/or SSNs are correct to improve the
identification process. From a practical standpoint, how would
this work? Would opening such a database to employers and
private industry create new opportunities for misuse of this
information? Who would monitor this process?
SSA currently has a voluntary program, the Enumeration
Verification System (EVS) that offers employers a mechanism to
match employee names and SSNs with SSA's records. However,
employers can only submit a request to SSA on magnetic media,
paper, or by telephone. Furthermore, depending on the number of
requests, it can take SSA up to 30 days to verify name and SSN
requests from employers. Only about 3,000 of about 6.5 million
employers nationwide have registered to use EVS and only
between 200 and 500 use it in any given year.
To better assist employers in verifying employee names and
SSNs, SSA plans to begin a pilot project in July 2000 to
provide employers with an on-line employee verification service
(OEVS). This service would give employers two options to assist
them in verifying employees' names and SSNs through the
internet: (1) key in verification requests for an instant
response, and (2) transmit a file and receive it from SSA the
next business day. SSA believes OEVS will provide employers
with quicker name and SSN verification in a more cost-effective
manner.
We do not believe that the current EVS or the planned OEVS
creates new opportunities for misuse of names and SSNs. SSA
currently monitors the process and has various security
features, such as PIN and password features, to prevent misuse
of the data.
We would also propose expanding the use of EVS or OEVS to
permit access to Federal, State, and local law enforcement
agencies. Under current law, such agencies cannot verify the
names and SSNs of individuals under investigation for a crime
except in certain narrow circumstances. We are currently
negotiating with SSA to permit to some extent the ability of
law enforcement to verify names and SSNs, but even this
expanded ability will fall well short of what is permitted by
the Privacy Act (5 U.S.C. 552a). Given the prevalence of SSN
misuse as a factor in so many different crimes, we would
support legislation that would require SSA to comply with the
Privacy Act and provide this limited information upon request
to law enforcement agencies.
16. For the record, please provide a breakdown of the
statistics from the SSA/OIG Hotline for the first six months of
this fiscal year. I would like the total number of allegations
received by the Hotline; the total number of these allegations
related to SSN misuse (of this figure, please break this down
further into the number the related to the programs and
operations of SSA and the number not so related.)
In the first six months of this fiscal year, the SSA/OIG
Hotline received a total of 44,944 allegations. Of these,
37,008 (approximately 82%) involved SSN misuse as the primary
or secondary allegation. In 22,408 of these 37,000 cases, SSN
misuse was the sole basis of the allegation. The remaining
14,600 cases were program fraud allegations involving SSN
misuse.
The hearing is adjourned.
[Whereupon, at 11:59 a.m., the hearing was adjourned.]
USE AND MISUSE OF SOCIAL SECURITY NUMBERS
----------
THURSDAY, MAY 11, 2000
U.S. House of Representatives,
Committee on Ways and Means,
Subcommittee on Social Security,
Washington, D.C.
The Subcommittee met, pursuant to recess, at 2:09 p.m. in
room 1100, Longworth House Office Building, Hon. E. Clay Shaw,
Jr. (Chairman of the Subcommittee) presiding.
Chairman Shaw. Good afternoon, and welcome to the second
day of our two days of hearings about the use and the misuse of
Social Security numbers.
Just about everyone's privacy and financial security
depends on seeing these numbers used as intended and not
misused. As we learned on Tuesday, the Social Security number
misuse is rising fast, with often devastating consequences for
families like the Stevens, who testified before us on Tuesday.
They have spent years trying to get their identities and good
names back. Since Tuesday, people have been calling us from
every corner of the country with similar stories about how
their Social Security numbers were compromised.
Today, we will learn more about the pluses and minuses of
restricting the use of Social Security numbers. First, we will
hear from several Members who have proposals, themselves, that
go to various lengths to restrict the use of Social Security
numbers. After that, we will hear from groups interested in
protecting personal privacy, as well as representatives of
industry and government agencies that regularly use Social
Security numbers in conducting their business.
As I mentioned on Tuesday at our hearing, with the support
of the Administration and our colleagues on this panel, we can
approve legislation to better protect Social Security numbers
from misuse.
Social Security's Inspector General has already made
several recommendations. Today we will learn more about these
ideas and several others. But we also need to carefully
consider the consequences of any actions on this complicated
issue. As we look for ways to better protect privacy and
security, we must be on the lookout for unintended
consequences, which abound in this complex field.
Given the passion on all sides of this issue and the
excellent testimony we will hear today, I trust that we will
have lots of good advice on how to proceed.
We want to be extraordinarily careful that we do not
overreact, but it seems to be very clear, from our hearing of
Tuesday, that definitely something has got to be done. Mr.
Kleczka's points that were in his bill were referred to by one
of our witnesses on Tuesday. It was the Inspector General who
set out several points that I think are in Mr. Kleczka's bill.
We will be very interested in hearing what you gentlemen
have to say today.
Without objection, all Members will have the privilege of
putting opening statements into the record, and at this time we
will proceed as they appear on the agenda, with a member of
this committee, Mr. McDermott of Washington.
STATEMENT OF HON. JIM MCDERMOTT, A REPRESENTATIVE IN CONGRESS
FROM THE STATE OF WASHINGTON
Mr. McDermott. Thank you, Mr. Chairman.
I would ask unanimous consent to have my statement put in
the record.
Chairman Shaw. Without objection.
Mr. McDermott. My interest in this started in 1995, when I
read an article in the ``New York Times'' about a man whose son
had a medical genetic disease called ``Marie-Charcot Tooth
Disease.'' It is a weakness of the upper limbs. The youngster
was examined and the family was tested genetically.
Shortly thereafter, after all the medical things had been
done, the father lost his auto insurance. No moving violations.
No accidents. No nothing. And when he asked, they said, ``Well,
you have this disease, Marie-Charcot Disease.'' And he did not
have it, but it had been gotten through, somehow, the system.
I began working on that and dropped in a privacy bill in
1995. I think that, as we progress down the way toward the
human genome being completed and access to everybody's genetic
information will be on the record, you will have enormous
potential for abuse in terms of insurance and employment and a
whole variety of other things, and the whole issue of privacy
is going to come to a head as the human genome project actually
gets out into the medical field.
Now, there is a second strand to my concern, and that is in
1996 I went to the democratic convention, and when it was over
I came back, and my Secretary said to me, ``How are you going
to pay for this limousine that you used in Chicago?'' And I
said, ``I did not rent any limousine.'' Somebody was
impersonating me, had rented a limousine, had done all kinds of
things all over the city using my name, and they had tried to
get into my credit records. They had done all sorts of things.
The fact is that our information is very much open to the
public if they want to look.
There was an article recently in the ``New York Times'' of
a meeting that occurred in Seattle, and I would like to report
on that in my remaining minutes. It was a meeting of a group
called the ``Agora.'' It was convened by a man who is the
security person for Regions Blue Shield, which is the insurance
company, the Blue Shield plan in Seattle. It includes all the
security officers from all the insurance companies, from the
police department, from the sheriff's department, from the
Federal Government. It was a room of probably 75 people.
Two months before, he had challenged them. He said,
``Here's my name and my birth date. Do anything you can legally
and find out everything you can between now and the next
meeting.''
Well, what happened was they demonstrated everything from
the fact that he was in second grade in a particular school,
and they showed a picture. They showed the fact that he owed
$7.19 to the gas company. They showed his whole driving record.
They showed his divorce decree. They showed some scrapes he had
had as an adolescent with the law. All of this simply by giving
the name and the birth date.
Now, how did they do that? Well, they sent somebody in to
pick up a birth certificate. They sent somebody for a credit
record. They sent something, and they gradually accumulated it
all by using legal methods.
The common thread to most of it was getting his Social
Security number. Once they had his Social Security number, they
could tie into his bank account, they could tie into the gas
company, they could tie into his automobile insurance, they
could tie into everything.
The importance of this issue I think is not well understood
by the average American. I think that the committee is right to
be thinking about this issue. Mr. Kleczka has a bill
specifically on that issue. My bill has more to do with medical
privacy, which I think is an issue that needs to be dealt with.
I think that this whole question of use of Social Security
numbers is central to what we do. My bill on medical privacy
would have prevented the use by any medical establishment of
your Social Security number as your identifier, so when you go
into the hospital, when you go in to apply for your insurance
coverage, or whatever, if you give your Social Security number
you have opened up your whole life. Anybody who has that number
can get into all the places. As the newspaper reported this
morning, the voting card that we have from the House of
Representatives has at the bottom of it our Social Security
number. I mean, it never was intended to be an identification
number, but there it is.
I think that whole issue is something that this committee
ought to take within its purview, and I commend you for having
these hearings. I hope that we can, on a bipartisan basis--
because this is not a republican issue or a democratic issue.
Everybody has a Social Security number.
Chairman Shaw. You are quite correct.
[The prepared statement follows:]
Statement of Hon. Jim McDermott, a Representative in Congress from the
State of Washington
Chairman Shaw, Mr. Matsui, and members of the subcommittee
thank you for allowing me to testify today on a topic that has
long concerned me, the confidentiality of personal identifying
information.
As a practicing psychiatrist for more than 20 years, I can
tell you firsthand that a person's confidence that what he or
she says will remain private is a crucial component of ensuring
he or she fully discloses personal information.
The need to protect the confidentiality of personal
information has become even more important given the many new
technological advances, particularly in the medical and
financial industries. Computers have revolutionized the way
information is collected, stored, and disseminated. Without
adequate, enforceable controls, this information can easily be
used to breach confidentiality and to allow discrimination.
With the passage of legislation like the Health Insurance
Portability Act and the Financial Modernization Act the public
has become increasingly worried that private businesses are
building databases of personal information. Many businesses
require customers to provide their Social Security number as a
condition of doing business. Yet, congress has only imposed
superficial walls around our most personal information with no
more assurance of confidentiality than to say ``trust us.'' I
believe people are right to worry.
Over five years ago I began writing legislation to address
the lack of strong national standards for confidentiality of
medical records. One of the first issues I worked through is
how to identify and de-identify patient information. It was
clear that the Social Security number was not confidential.
And, that using the Social Security number as an identifier was
almost the same as using one's name. I concluded that a Social
Security number, or a derivative of a Social Security account
number, must not be used for any purpose relating to personal
health information or the use or disclosure of such
information.
As you know, Congress has grappled for years with when and
how the Social Security number should be used. When Congress
passed the Privacy Act of 1974 it first attempted to limit the
disclosure and use of the Social Security number.
Unfortunately, Congress' attempts have been largely
unsuccessful.
We have all heard harrowing tales of the misuse of
sensitive medial and financial information. The more we hear
news reports about confidential personal information getting
into the wrong hands the more people will lose confidence in
the security of their personal information. This loss of
confidence is causing people to think closely about the type
and amount of information they disclose as well as how the
information will be used.
I'm sure that you remember your constituents' uproar when
Health and Human Services Secretary Shalala proposed using a
unique health identifier to identify patients. This
unsuccessful effort raised awareness of the issue unlike any
other recent event. Yet, it was not enough to affect change.
Many states, without notification, list the Social Security
number on drivers' licenses. Thus the information from a single
piece of identification provides a criminal with the name,
address, date of birth, and Social Security number of an
individual. This information can easily be used to ``steal'' an
individuals' identity.
Some of you may know, shortly after I visited Chicago for
the Democratic Convention in 1996 a individual in Illinois
began impersonating me. This individual left a trail of bad
checks, scams, and attempts to obtain my credit card
information.
I was informed in 1997 only because one of his victims
recognized my name. Even though this individual did not obtain
my credit information, it took me months to sort out. Luckily,
my schedule is regimented so I had documentation of where I was
and what I was doing on the days in question.
Place yourself in the shoes of your constituents. How would
they learn someone was impersonating them? Most likely, when
they are turned down for credit, contacted by a collection
agency or the authorities. By which time months, if not years,
had passed. Proving who they are, where they were, and what
they bought to retailers, financial institutions, and credit
bureaus would be an enormous undertaking.
The genie is out of the bottle, it is now our job to
mitigate the damage. Clearly, at this point it is impossible to
maintain the confidentiality of Social Security numbers. What
Congress must do is pass strong laws to protect the
confidentiality of medical and financial records.
Thank you.
Chairman Shaw. Mr. Kleczka?
STATEMENT OF HON. GERALD D. KLECZKA, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF WISCONSIN
Mr. Kleczka. Thank you, Mr. Chairman.
Let me thank you for your interest in this subject matter,
for having the hearing, and for permitting me to come before
your subcommittee to share a few comments.
The committee, in yesterday's testimony, heard from the
Stevens family and how their identification was stolen. Someone
ran up a whole bunch of credit. I had a similar situation with
a woman in my District.
The problem that occurs after that fact is the person has
to clear their name, themselves. They have to, through whatever
means, prove that the purchases on the card were not theirs,
and this takes literally hours and years to clean up so finally
their record is clear so they can again apply for credit.
What is the key to identity fraud? Well, as you have been
told probably yesterday and by Mr. McDermott, the key to
establishing fraud or identity in your name is, number one,
your Social Security number. That flings open the door to do
whatever the unsavory person wants to do.
The second bit of information, if he or she has it, is your
mother's maiden name. At that point, not only the door is
thrown open, but the windows are thrown open.
Mr. Chairman, I think that part of the problem in our
society today is that people ask for this number, our Social
Security number, by habit. It has been pointed out that our
voting card has a Social Security number on it. For what
reason, we do not know. But I discovered, along with my friend,
Ron Paul, this was on the card one of the first days of
session, so we wrote a letter to the chief clerk and said,
``Wait a minute. Why are you putting our Social Security number
on our voting card? The voting machine is not going to read
it.''
Well, his initial answer was, ``You gave your okay when you
signed up for the card.'' I said, ``Well, I do not recall
that.'' And so then he rechecked, and there was no box to
check. It was put on there just by habit.
Checking out some toys--not for myself, but for my nieces
and nephews--a Christmas or two ago, I was at the counter and I
was giving a check, and the clerk insisted I give my Social
Security number. For what reason? It links with nothing that
she has at hand to verify that I am the person whose name is on
the check. But, Mr. Chairman, this, I think, is being done by
habit.
I went to a new dentist to have some dental work done. On
the application, ``Give us your Social Security number.'' Well,
what I did at Toys 'R Us, I thought of the first ten numbers
that came to mind, put it on the check. She smiled. I walked
out with a purchase. I did not fill it in for the dentist. I
still got the work done and a $2,400 bill.
Something has to be done. People will say, ``The horse is
out of the barn, Gerry. What are you going to do about it?''
Well, Mr. Chairman, walking over here, talking with you, I
think we agree that it has to start somewhere, and maybe, yes,
these lists are out there, but we have to stop the
dissemination and the abuse of these lists being sold, given
away, or whatever reason.
For the last couple sessions, I have introduced the
Personal Privacy Information Act, PPI Act, H.R. 1450, and it
does a few things that I would ask the committee to look at
when you draft your response to this problem.
Number one, credit bureaus sell header information in their
files. Header information is the information that is most
important to you and I. It is our name, our address, phone
number--listed or otherwise--mother's maiden name, Social
Security number. And so firms come to the credit union and say,
``Okay, I need all the people in California who buy Nike shoes,
or who have a very good credit rating and a ZIP code,'' and
they will sell that header information.
My bill prohibits selling that header information in its
current form. Yes, if you want to sell a person's name,
address, and listed phone number only, but the rest of the
things that you have in your file on this person should not and
cannot be sold without the authorized explicit consent of the
person who is named.
The bill next goes to talk about the use of Social Security
numbers for commercial purposes. It prohibits the sale of any
list which contains your Social Security number. And the bill
further goes on to talk specifically about motor vehicle
departments, but they are the biggest abuser. Insurance firms,
rating firms, all sorts of other commercial firms can purchase
the motor vehicle list from your State motor vehicle
department, and on there will be your Social Security number.
The bill I have introduced disallows that bit of
information being on there. If they want to sell the name and
address, fine, but not the Social Security number.
One of the other things the bill does, which I think is
relatively important, if a person refuses to do business with
an individual who refuses to give their Social Security number,
that is against the law. That would be made a civil crime.
Because I do not give Toys 'R Us my Social Security number or
the dentist or whoever else, I should not be refused service.
Another good example of that is a constituent who called me
saying she is applying for cable service in the city of
Milwaukee, and on there was a request for the Social Security
number. She refused. They denied cable service. Why does a
cable company need your Social Security number?
So, Mr. Chairman, the time has come where, especially with
the Internet and disseminating information much quicker, that
Congress, I think, has a duty and a responsibility to look at
that Social Security number again, restate what the purpose is,
and start some legislation to stop the willy-nilly
dissemination of our Social Security numbers.
Again, Mr. Chairman, thank you.
Chairman Shaw. I look forward to working with you.
[The prepared statement follows:]
Statement of the Hon. Gerald D. Kleczka, a Representative in Congress
from the State of Wisconsin
Amends the Fair Credit Reporting Act to prevent
credit bureaus from giving out identifying information like
Social Security numbers, unlisted phone numbers, past
addresses, and mothers' maiden names.
Prohibits the commercial use of a Social Security
number without the owner's written consent.
Prohibits the use of a Social Security number as
an identifier by persons not already authorized to do so in
current law.
Businesses that refuse to do business with anyone
who does not consent to the use of their Social Security number
will be considered as committing an unfair or deceptive
business practice.
Prohibits a state department of motor vehicles
from selling or transferring Social Security numbers and
photographs.
Prohibits the distribution of a consumer report
for transactions not initiated by the consumer without the
consumer's written authorization.
Prohibits the sale or transfer of a consumer's
transaction or experience information for marketing purposes
without the express written consent of the consumer.
Provides for civil and criminal prosecution for
violations of the act.
Section by Section Analysis of H.R. 1450, the Personal Information
Privacy Act
Section 1.Short Title.
The title of this Act is the ``Personal Information Privacy
Act of 1999.''
Section 2. Confidential Treatment of Credit Header Information
Section 2 would add a sentence to Sec. 603(d) of the Fair
Credit Reporting Act (FCRA), 15 U.S.C. Sec. 1681a(d), which
defines the term ``consumer report'' for purposes of the FCRA.
The term currently means, essentially, any communication of
information by a consumer reporting agency about a consumer
that is used or expected to be used as a factor in establishing
the consumer's eligibility for credit, insurance, employment,
or for any other legitimate business purpose. Under Sec. 604 of
the FCRA, 15 U.S.C. Sec. 1681b, a consumer reporting agency may
not furnish a consumer report except for specified purposes.
The new sentence that Sec. 2 would add to the definition of
``consumer report'' provides: ``The term also includes any
other identifying information of the consumer, except the name,
address, and telephone number of the consumer if listed in a
residential telephone directory available in the locality of
the consumer.'' If this new sentence becomes law, then consumer
reporting agencies would be prohibited from disclosing such
identifying information except for a purpose specified in
Sec. 604.
Section 3. Protecting Privacy by Prohibiting Use of the Social
Security Number for Commercial Purposes Without Consent.
This section would add a new section to the general
administrative provisions of Title 11 of the Social Security
Act, 42 U.S.C. Sec. 1301 et seq., prohibiting persons from
buying or selling any information that includes an individual's
social security account number (``SSN''), without the written
consent of the individual. In addition, no person may use an
individual's SSN for identification purposes without the
written consent of the individual. In order for consent to be
valid, the person desiring to use an individual's SSN must
inform the individual of all the purposes for which the SSN
will be utilized, the persons to whom the number will be known,
and obtain the individual's consent in writing.
These new prohibitions would not affect any statutorily
authorized uses of the SSN under Sec. 205(c)(2) of the Social
Security Act, 42 U.S.C. Sec. 405(c)(2) (SSN used for Social
Security wage records, and for various enumerated purposes by
federal agencies and state and local governments), Sec. 7(a)(2)
of the Privacy Act of 1974 (5 U.S.C. 552a note) (authorizing
state and local governments to require disclosure of an
individual's SSN if required by federal law or if the required
disclosure was pursuant to a system of records in effect prior
to January 1, 1975), or 26 U.S.C. Sec. 6109(d) (an individual's
SSN is used for all identifying purposes specified in the Tax
Code).
Individuals are authorized to bring a civil action seeking
equitable relief and damages in a U.S. District Court for
violations of this section. Damages may include the greater of
actual damages or liquidated damages of $25,000, or, in case of
a willful violation resulting in profit or monetary gain,
$50,000. The court may assess, against the respondent,
reasonable attorney's fees and other litigation costs in cases
where an individual prevails. A statute of limitation of 3
years is provided. The remedies provided by this section are in
addition to any other lawful remedies available to an
individual.
The Commissioner of Social Security is authorized to assess
a civil money penalty of not more than $25,000 for each
violation of this section, or in the case of violations found
to constitute a general business practice, not more than
$500,000. The enforcement procedures for civil money penalties
are the same as set forth in section 1128A of the Social
Security Act, 42 U.S.C. Sec. 1320a097a(d),(e),(g),(k),(l) and
the first sentence of (c). These set forth the criteria for
determining the amount of the civil penalty, the investigation
and injunction authority of the Commissioner, and courts of
appeals review of civil money penalty determinations. Also
applicable are the provisions of section 205(d) and (e) of the
Social Security Act, 42 U.S.C. Sec. 405(d) and (e), which
authorize the Commissioner of Social Security to issue
subpoenas during investigations, and provide for judicial
enforcement of such subpoenas.
The Commissioner of Social Security is directed to
coordinate enforcement of the provisions of this section with
the Justice Department's enforcement of criminal provisions
relating to fraudulent identification documents, and with the
Federal Trade Commission's jurisdiction relating to identity
theft violations.
The provisions of this section do not preclude state laws
relating to protection of privacy that are consistent with this
section. The effective date of this section would be two years
after enactment of this bill.
If a person refuses to do business with an individual
because the individual will not consent to disclosure of his or
her SSN, then such refusal will be considered an unfair or
deceptive act or practice under section 5 of the Federal trade
Commission Act (15 U.S.C. Sec. 45). The Commission may issue a
cease and desist order, violation of which is subject to civil
money penalties of up to $10,000 per violation.
Section 4. Restriction on Use of Social Security Numbers by
State Departments of Motor Vehicles.
18 U.S.C. Sec. 2721(b) sets forth permissible uses of
personal information obtained by a state department of motor
vehicles. This section provides that, with respect to the SSN
of an individual, such personal information may only be
disclosed to a government agency, court or law enforcement
agency in carrying out its functions to the extent permitted or
required under section 205(c)(2) of the Social Security Act, 42
U.S.C. Sec. 405(c)(2), section 7a(2) of the Privacy Act of
1974, 5 U.S.C. Sec. 552a note, section 6109(d) of the Internal
Revenue Code, or any other provision of law specifically
identifying such use. This section would also prohibit the
disclosure of SSNs by state departments of motor vehicles for
bulk distributions for surveys, marketing or solicitations
purposes.
Section 5. Restriction on Use of Photographs by State
Departments of Motor Vehicles.
Section 5(a) would add a new subsection to 18 U.S.C.
Sec. 2721, which currently generally prohibits the release of
certain personal information from state motor vehicle records.
This new subsection would prohibit the release of an
individual's photograph, in any form or format, by a state
department of motor vehicles without the express written
consent of the individual. An exception would be permitted for
disclosure of an individual's photograph to a law enforcement
agency of any government for a civil or criminal law
enforcement activity if authorized by law and pursuant to a
written request.
Section 5(b) would make technical amendments to 18 U.S.C.
Sec. 2721(a) and (b) to conform that section to the new
provisions added by this section. It would also amend 18 U.S.C.
Sec. 2722(a) to reference the new subsection (e) added by this
section.
Section 6. Repeal of Certain Provisions Relating to
Distribution of Consumer Reports in Connection with Certain
Transactions Not Initiated by the Consumer.
Section 6(a) would amend Sec. 604(c) of the Fair Credit
Reporting Act (FCRA), 15 U.S.C. Sec. 1681b(c), which governs
prescreening to determine a consumer's eligibility for credit
or insurance. Prescreening is a practice whereby a user of
consumer reports, such as a lender or insurer, contacts a
consumer reporting agency without having received an
application for credit or insurance from a particular consumer.
The user might submit a list of names and ask the agency to
identify persons on the list who meet criteria that the user
specifies. Or it might ask the consumer reporting agency to
create its own list based on the user's criteria. Section
604(c) currently prohibits prescreening, except in two
situations, to determine a consumer's eligibility for credit or
insurance. It prohibits, in other words, except in two
situations, a consumer reporting agency from furnishing a
report on a consumer who has not applied for credit or
insurance.
The two situations in which it permits prescreening are
when: (1) the consumer authorizes the consumer reporting agency
to provide the report, or (2) the lender or insurer will make a
firm offer to the consumer if prescreening shows the consumer
eligible for credit or insurance, and the consumer has not
previously asked to be excluded from prescreening done by the
consumer reporting agency. Section 6(a) would, in effect,
prohibit prescreening in connection with credit and insurance
except when authorized by the consumer. It would amend
Sec. 604(c)(1) to provide that a consumer reporting agency
would be permitted to furnish a consumer report in connection
with a ``credit or insurance transaction that is not initiated
by consumer only if the consumer provides express written
authorization in accordance with paragraph (2) . . . .''
``Paragraph (2)'' refers to Sec. 604(c)(2) of the FCRA, which
would be rewritten by Sec. 6(b) of the bill.
Section 6(b) would rewrite Sec. 604(c)(2) to provide: ``No
authorization referred to in paragraph (1) [Sec. 604(c)(1)]
with respect to any consumer shall be effective unless the
consumer received a notice before such authorization is
provided which fully and fairly discloses, in accordance with
regulations which the Federal Trade Commission and the Board of
Governors of the Federal Reserve System shall jointly
prescribe, what specifically is being authorized by the
consumer and the potential positive and negative effects the
provision of such authorization will have on the consumer.''
The regulations would have to require that the notice be
prominently displayed on a separate document or, if the notice
appears on a document with other information, that it be clear
and conspicuous.
Section 6(c) would repeal the provision, mentioned above,
that allows consumers to exclude themselves from prescreening
lists. The provision would be unnecessary if prescreening were
prohibited except when a consumer had authorized it.
Section 7. Sale or Transfer of Transaction or Experience
Information Prohibited.
Section 7(a) would add a new Sec. 626 to the FCRA. New
Sec. 626(a) would provide: ``No person doing business with a
consumer may sell, transfer, or otherwise provide to any other
person, for the purpose of marketing such information to any
other person, any transaction or experience information
relating to the consumer, without the consumer's express
written consent.'' A consumer's consent would not be required
for the sale, transfer, or provision of transaction or
experience information for a purpose other than marketing.
New Sec. 626(b) would define ``transaction or experience
information'' as ``any information identifying the content or
subject of 1 or more transactions between the consumer and a
person doing business with a consumer . . . .'' Section 626(c)
would allow six exceptions, where a consumer's consent would
not be required for the provision of transaction or experience
information: (1) communications ``solely among persons related
by common ownership or affiliated by corporate control,'' (2)
information provided pursuant to court order or federal grand
jury subpoena, (3) ``[i]nformation provided in connection with
the licensing or registration by a government agency or
department, or any transfer of such license or registration, of
any personal property bought, sold, or transferred by the
consumer,'' (4) ``[i]nformation required to be provided in
connection with any transaction in real estate,'' (5)
``[i]nformation required to be provided in connection with
perfecting a security interest in personal property,'' and (6)
``[i]nformation relating to the amount of any transaction or
any credit extended in connection with a transaction with a
consumer.''
Section 7(b) would make a technical amendment to
Sec. 603(d)(2)(A) of the FCRA to ensure that it does not
conflict with new Sec. 626, and Sec. 7(c) would make a clerical
amendment to add a reference to new Sec. 626 to the table of
sections for the FCRA.
Chairman Shaw. Mr. Markey?
STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS
Mr. Markey. Thank you, Mr. Chairman, very much, and thank
you for focusing upon this critically important issue.
Points that Mr. McDermott and Mr. Kleczka have already made
are going to, obviously, be further embellished upon by the
other Members of Congress who are going to testify before you
today.
What I would like to do, though, is to just step back here
for a second and look at why it is so important for us to have
this conversation.
We are at the dawn of a new era. It is the Internet era. I
think that is why so many people are so concerned.
But put it in context. In the last quarter of 1999, of the
$875 billion worth of retail sales in the United States, only
$5 billion of that was on line. So at this point it is only 7/
10ths of 1 percent of all commerce in the United States, all
retail commerce.
The concerns which ordinary Americans have are reflected by
the fact that increasingly on line they are asked to put these
identifying numbers into the computer, but without any
guarantees that that information--that Social Security number
or any other information which they are providing--cannot be
reused for other purposes. that is why it becomes so much of a
concern to people.
Now, I happen to believe that one of the things which the
online industry is going to have to do is recognize the fact
that the reason they are only at 5 billion out of 875 billion
in the last quarter of 1999 is that many Americans just do not
want to give out all that information without some guarantee
that it is not going to get compromised.
Yes, we want the new revolution, but we want the new
economy with old values. We want the new technologies animated
by the old values. It is a merger of the old with the new that
ultimately is going to result in the production of this new
economy.
Commerce with a conscience--that is what the American
people want.
Now, if an ordinary American goes up to the ATM machine and
they punch in their little secret number and then they push in
the number for the $50 they are trying to extract, when out
comes their receipt, they do not throw it in the bucket that is
right there because they do not want anyone to know what their
Social Security number might be or what their bank number might
be or how much money they took out. But that very same person,
as a condition of banking with a large financial institution,
has to basically cede the right to have that information used
for purposes that they would never have wanted it to be used--
all the information that is on the check about the illnesses of
your children or your parents or your wife or yourself, or any
financial transaction that you might have engaged in. You might
not even have told your spouse, much less everybody else in the
neighborhood, about one of these transactions.
So most people are naturally quite protective of their
privacy and they want rules put in place to ensure that the
Social Security number does not become a universal identifier
that allows data miners to be able to, with access of your
Social Security number and your mother's maiden name or all the
other clues that you are forced to give up, to be able to go
and find everything that ever happened to you--in fact, a more-
comprehensive compilation of your life than anyone else in your
family might know about you, including a lot of stuff you might
have forgotten, for them to then use this as a product that
they market to hundreds of companies across the globe, in terms
of their ability then to bring those products that are of
interest to them into your home, but using your personal,
private family secrets.
So, Mr. Chairman, you cannot have a more important hearing
than this, because there is a Dickensian quality to this new
technology. It is the best of wires and the worst of wires
simultaneously. It has the ability to enable and to ennoble,
but it also has the power to degrade and to debase.
I think what is going to happen is that the American public
is going to demand that their family's privacy be allowed to be
protected and that this is going to become the number one civil
rights issue of the next 10 years in the United States, and the
concern about the issue will rise concomitantly with the rise
of retail commerce online in our country.
I think we have a chance to engage in a bit of anticipatory
democracy, putting in place today the protections which the
public is going to need in the years ahead to ensure that their
family's most intimate secrets are not made a product that
hundreds of marketers use, regardless of the impact it might
have upon that family's psychological, physical, financial, or
medical well-being.
I cannot compliment you enough, because ultimately the key
to all of this is the Social Security number, because that has
become the way in which the door is opened so all of the other
clues to who we are are able to be found.
I just want to contrast it with the world in which we grew
up in, very briefly, which is the world in which the nurse or
the doctor that we went to when we were children had our
medical record around their neck, and it was just between us,
our mother and father, and the doctor and the nurse. Or we went
into the bank, and all it was was the man behind the counter
who showed us how the miracle of compound interest would help
us if we kept putting money in each month from our paper route,
or the money that we earned doing chores at home for our moms
and our dads.
Well, today those doctors work for HMOs. Those bankers work
for some large conglomerate. They do not protect your privacy
any longer, in the absence of laws being put on the books that
ensure that the privacy keepers are not replaced by the privacy
peepers, the data mining reapers who see us all as just sources
of profit for them rather than individuals with families who
need the protection of their privacy.
I thank you, Mr. Chairman, very much, for holding this
critically important hearing.
Chairman Shaw. Thank you for a very thoughtful
presentation.
[The prepared statement follows:]
Statement of Hon. Edward J. Markey, a Representative in Congress from
the State of Massachusetts
Mr. Chairman and Members of the Subcommittee, thank you for
allowing me to testify before you this afternoon.
What I would like to do is try to put the matter of the
privacy of a consumer's Social Security Number into the broader
context of how consumer information is being used by businesses
as we proceed into the e-commerce era.
We are told that e-commerce is qualitatively different,
qualitatively better than bricks & mortar commerce. Right now,
only $5 Billion of the $860 Billion in annual sales currently
occur over the Internet. But that figure will continue to grow
exponentially in the future. So, the question we must ask, is
how are we going to adjust our laws to deal with that new
reality? What are we going to do about the laws dealing with
privacy, fraud, pornography, pharmaceuticals, alcohol,
gambling, and sales taxes? How do we animate the new economy
with the old values?
The problem that we face today isn't Big Brother; it's Big
Browser. Right now, when it comes to your financial records,
there are very few protections against a financial services
firm from disclosing every check you've ever written, every
credit card charge you've ever made, the medical exam you got
before you received health insurance. And as you surf the Web,
there are no rules in place to prevent various web sites from
collecting information about what sites you are viewing and how
long you are viewing them. If you buy anything over the
Internet, that information can be linked up to other personal
identifiers to create disturbingly detailed digital dossiers
that can profile your lifestyle, your interests, your hobbies,
or your habits.
Clearly, the Social Security number is an important
identifier that many online and offline businesses wish to
obtain about consumers. But consumers who value their privacy,
have a strong interest in not allowing this number to become a
ubiquitous personal identifier and allows companies to tie
together bits and pieces of information in various databases
into an integrated electronic profile of their interests and
behavior that can be zapped around the world in a nanosecond.
There are even more sinister possibilities. If you do a
simple Internet search in which you enter the words ``Social
Security Numbers,'' you will turn up links to dozens of web
sites that offer to provide you, for a fee, with social
security numbers for other citizens, or to link a social
security number that you might have with a name, address and
telephone number. Where are the data-mining firms and private
detective agencies that are offering these services obtaining
these numbers? In all likelihood, they are accessing
information held by credit bureaus, financial services or other
commercial firms.
If someone actually obtains a Social Security number from
one of these sites, they have an important piece of information
that can be used to locate the individual or get access to
information about the individual's personal finances. For
example, if you have a social security number, and can also
obtain access to certain other readily available information
about an individual, such as the individual's mother's maiden
name or their date of birth, you can sometimes get a bank to
provide you with detailed information about the individual's
personal finances over the phone. Now, that practice, known as
pretexting, is already against the law. But that does not mean
that it does not occur, or that unscrupulous individuals are
not obtaining access to Social Security numbers and then using
them to perpetrate identity thefts that can destroy the credit
or reputation of innocent consumers.
Now, last year's banking bill gave consumers the right to
``opt out'' of having their personal, nonpublic financial
information transferred to unaffiliated third parties. The term
``personal, nonpublic financial information'' would include a
consumer's Social Security number. This means that a financial
institution would not be able to provide a social security
number to a nonaffiliated third party who had opted out.
However, there are no limits on disclosures to affiliates.
Furthermore, there's a ``joint marketing agreement'' provision
that allows disclosures of a customer's information (including
a Social Security number) to nonaffiliated third parties with
which the institution has signed a contract. These two
loopholes render the limited ``opt out'' requirements in the
bill a pathetic joke. And this week, we have learned that the
financial regulators have decided to delay full implementation
of even these minimal privacy protections until July, 2001.
We need to do more. Right now, under current law, we have
an ``opt-in'' for a tax preparer transferring your tax return
to any other party. We have an opt-in before drivers license
information can be transferred. We have an opt-in for
information about videocassette rentals. We have an opt-in for
cable TV viewing habits. We have an opt-in for telephone call
records. We have an opt in for information about cell phone
whereabouts. But we do not have an opt-in for sensitive
financial information and for certain medical information.
In order to remedy this situation, Representative Joe
Barton (R09TX) and I have introduced H.R. 3320, the
``Consumer's Right to Financial Privacy Act,'' which would
close the affiliate sharing and joint marketing loopholes and
require an ``opt in'' before a financial institution could
disclose sensitive financial information -including Social
Security numbers. Our bill currently has 71 bipartisan
cosponsors, and has been introduced in the Senate by Senators
Richard Shelby (R09AL) and Richard Bryan. In addition, I have
also joined with Representatives John LaFalce (D09NY) and John
Dingell (D09MI) in introducing the Administration's privacy
proposal, H.R. 4380, which would establish an ``opt in'' for
medical information and sensitive information about a
consumer's spending habits, and an ``opt out'' for the
disclosure of other nonpublic personal information about the
consumer.
I urge the Subcommittee to support these legislative
reforms, and also the proposal by my colleague, the gentleman
from Wisconsin (Mr. Kleczka) to prohibit commercial
distribution or acquisition of Social Security numbers, or
their use as a personal identifier.
Thank you, again, Mr. Chairman, for allowing me to testify
today. I look forward to working with you and other Members of
the Subcommittee to address the current risks to consumer
privacy.
Chairman Shaw. Mr. Hostettler?
STATEMENT OF HON. JOHN N. HOSTETTLER, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF INDIANA
Mr. Hostettler. Mr. Chairman, thank you for this
opportunity to share with you and members of the committee. I
am pleased to come before you today in support of my bill, H.R.
2494, the Children Tax ID Alternative Act. This bipartisan
bill, which currently has 23 cosponsors, would provide a
religious exemption for those who do not wish to obtain a
Social Security number for their children. It would remove the
barriers that exist to those who choose to exercise their
religious beliefs by not attaching Social Security numbers to
their children.
The Children Tax ID Alternative Act would simply provide an
alternative way of claiming dependent tax credits and
deductions for these families.
This subcommittee has been hearing testimony regarding
expanding use of Social Security numbers and the associated use
and abuse that accompanies such an expansion. There are,
however, a significant group of American citizens who are
resisting this progression because it violates their religious
beliefs. These are honest, law-abiding citizens who pay their
taxes and promote the laws and principles of our civil order.
They are the public school teacher in Oregon, the minister in
Washington, the professor of a State university, as well as
State representatives, yet, because they choose to follow the
dictates of their religion, they pay substantially more income
tax than do their neighbors.
The history of the use of Social Security numbers indicates
that this has not always been a problem and need not be a
problem any more. It was not until the Tax Reform Act of 1986
that taxpayers who wished to claim exemptions for dependents
were required to provide Social Security numbers for all
dependents ages five and older. This age requirement was
changed in 1995 to require that any claimed dependent have a
taxpayer identification number, which, under section 6109 of
the IRS code, is an individual's Social Security number.
Finally, in 1996, the IRS was authorized to reject a
dependency exemption if no taxpayer identification number was
supplied.
What are the implications of these laws? As a result of the
changes made by the Tax Reform Act of 1986, the IRS reported
that there were approximately 7.5 million fewer dependents
claimed in 1987 than 1986. Instead of the estimated 77 million
dependency exemptions, the IRS reported that only 69.7 million
such exemptions were claimed. This translated into a revenue
increase of $2.8 billion for the Federal Government in tax year
1987, alone.
The IRS has indicated that the significant drop in claimed
exemptions is, in fact, due to the required use of Social
Security numbers; however, they believe that the exemptions
dropped because the use of the numbers eliminated the potential
for fraud and abuse.
The IRS is unable to conclusively assert this finding
because no study or report has been conducted to determine the
actual reason for this significant drop. Rather, we have every
indication that this drop was due, at least in some degree, to
personal religious objections by parents who do not wish to
attach Social Security numbers to their children.
While there may be disagreements and varying opinions about
the levels of causation concerning these statistics, it cannot
be denied that the drop is due, at some level, to religious
objections. Simply put, families who hold to such religious
beliefs are being forced to pay for their right to exercise
their religion.
I understand that these laws were implemented in order to
curb the use of improper dependency exemptions; however, I
would also like to point out, Mr. Chairman, that my bill does
not add to the potential for tax fraud and abuse. Under the
provisions of this bill, parents seeking to receive a deduction
or credit for children without Social Security numbers would be
required to submit several forms of official documentation.
Only by providing: one, an affidavit describing the religious
belief; two, an affidavit from a knowledgeable third party;
and, three, documentation such as birth records, medical
records, school records, or insurance records to verify the
relationship of the dependent to the taxpayer, would these
families be able to claim the exemptions.
Such an exemption is not without precedent. There are
currently a number of U.S. citizens who are permitted to be
exempt from participation in Social Security based on their
religious beliefs. There is also an allowance for certain
ministers and members of religious orders to be exempt from
self-employment taxes on income for those who are opposed to
these insurance programs. However, there are no exemptions for
those who fail to provide a taxpayer ID number when it is
required on a tax return. This is precisely what my bill seeks
to address.
As our laws stand, many families have voluntarily forfeited
thousands of dollars worth of legitimate dependent deductions
rather than violate their religious beliefs. I find it
unjustifiable that our Government would force its citizens to
make that choice, yet we persist in doing just that.
My bill, H.R. 2494, would restore fairness to our tax code
by doing away with this injustice and protecting the religious
beliefs of all American taxpayers.
Thank you, Mr. Chairman, once again for this opportunity.
Chairman Shaw. Thank you.
[The prepared statement follows:]
Statement of Hon. John Hostettler, a Representative in Congress from
the State of Indiana
Mr. Chairman, I am pleased to come before you today in
support of my bill HR 2494, the Children Tax ID Alternative
Act. This bipartisan bill, which currently has 23 cosponsors,
would provide a religious exemption for those who do not wish
to obtain a Social Security number for their children. It would
remove the barriers that exist to those who choose to exercise
their religious beliefs by not attaching Social Security
numbers to their children. The Children Tax ID Alternative Act
would simply provide an alternative way of claiming dependent
tax credits and deductions to these families.
This subcommittee has been hearing testimony regarding the
expanding use of Social Security numbers and the associated use
and abuse that accompanies such an expansion. There are,
however, a significant group of United States citizens, who are
resisting this progression because it violates their religious
beliefs. These are honest, law-abiding citizens who pay their
taxes and promote the laws and principles of our civil order.
They are the public school teacher in Oregon, the minister in
Washington, the professor of a state university as well as
state representatives. Yet, because they choose to follow the
dictates of their religion they pay substantially more income
tax than their neighbors.
The history of the use of Social Security numbers indicates
that this has not always been a problem and need not be a
problem anymore. It was not until the Tax Reform Act of 1986
that taxpayers who wished to claim exemptions for dependents
were required to provide Social Security numbers for all
dependents age 5 and older. This age requirement was changed in
1995 to require that any claimed dependent have a taxpayer
identification number, which under Section 6109 of the Internal
Revenue Code, is an individual's Social Security number
Finally, in 1996, the IRS was authorized to reject a dependency
exemption if no taxpayer identification number was supplied.
What are the implications of these laws? As a result of the
changes made by the Tax Reform Act of 1986, the IRS reported
that there were approximately 7.5 million fewer dependents
claimed in 1987 than in 1986. Instead of the estimated 77
million dependency exemptions, the IRS reported that only 69.7
million such exemptions were claimed. This translated into a
revenue increase of $2.8 billion for the federal government in
tax year 1987 alone. The IRS has indicated that the significant
drop in claimed exemptions is, in fact, due to the required use
of Social Security numbers. However, they believe that the
exemptions dropped because the use of the numbers eliminated
the potential for fraud and abuse. The IRS is unable to
conclusively assert this finding because no study or report has
been conducted to determine the reason for this significant
drop. Rather, we have every indication that this drop was due,
at least in some degree, to personal religious objections by
parents who do not wish to attach Social Security numbers to
their children. While there may be disagreements and varying
opinions about the levels of causation concerning these
statistics, it can not be denied that the drop is due at some
level to the religious objections. Simply put, families who
hold to such religious beliefs are being forced to pay for
their right to exercise their religion.
I understand that these laws were implemented in order to
curb the use of improper dependency exemptions. However, I
would also like to point out, Mr. Chairman, that my bill does
not add to the potential for tax fraud and abuse. Under the
provisions of this act, parents seeking to receive a deduction
or credit for children without Social Security numbers would be
required to submit several forms of official documentation.
Only by providing 1). an affidavit describing their religious
belief, 2). an affidavit from a knowledgeable third party and
3). documentation, such as birth records, medical records,
school records or insurance records to verify the relationship
of the dependent to the taxpayer, would these families be able
to claim the exemptions.
Such an exemption is not without precedent. There are
currently a number of U.S. citizens who are permitted to be
exempt from participation in Social Security based on religious
belief. There is also an allowance for certain ministers and
members of religious orders to be exempt from self-employment
taxes on income for those who are opposed to these insurance
programs. However, there are no exemptions for those who fail
to provide a taxpayer identification number when it is required
on a tax return. This is precisely what my bill seeks to
address.
As our laws stand, many families have voluntarily forfeited
thousands of dollars worth of legitimate dependent deductions
rather than violate their religious beliefs. I find it
unjustifiable that our government would force its citizens to
make that choice. Yet, we persist in doing just that. My bill,
HR 2494 would restore fairness to our tax code by doing away
with this injustice and protecting the religious beliefs of all
American taxpayers.
Chairman Shaw. Mr. Paul?
STATEMENT OF HON. RON PAUL, A REPRESENTATIVE IN CONGRESS FROM
THE STATE OF TEXAS
Mr. Paul. Thank you, Mr. Chairman.
I would like permission to insert my printed statement in
the record.
Chairman Shaw. Without objection, the full statement of all
the witnesses will be inserted.
Mr. Paul. Along with a statement from the Liberty Study
Committee. Unanimous consent to put that in the record, as
well.
Chairman Shaw. I, too, am grateful that you are holding
these hearings, because I think privacy is a very important
issue, and we are going to hear more and more of it.
I think it came to the attention of the public and to many
in our regulatory bodies when ``know your customer''
regulations were proposed a year or so ago, and, with a little
bit of encouragement, there were over 500,000 comments sent to
the Federal Reserve and the FDIC because these were regulations
that were way over-stepping and ignoring the privacy of the
individual.
I take a little different approach to the issue of privacy
than others, but I think that there is a common thread among us
that the solution is going to be found somewhere in dealing
with the Social Security number, and for that reason I am
encouraged.
In 1974 the Privacy Act was written to combat some of the
things the Bank Secrecy Act did in 1970. The Privacy Act was
designed to say you cannot use the Social Security number as an
identifier. But then, like so often in our legislation, later
on in the bill it said, ``But Congress can make use of the
Social Security number any time they want,'' and we certainly
have been doing that since then. I think that is where the
serious problem is.
But where I disagree with some of my friends who will write
more legislation, I think there is a certain part of privacy
that should be dealt with in the marketplace. For instance, I
do not believe that Congress should write a law compelling the
Sierra Club and the ACLU to deal with their memberships and
have them fill out a form and get permission before they can
rent lists or do anything, because the more information they
collect the more likely it is that information will go to the
Government and then abused by possibly their political enemies.
So I am not in favor of more regulations. For instance, the
bank bill that we passed last year said that the bank would
have to ask questions about privacy--again, accumulation of
more material.
The real problem I see is the Social Security number, the
universal identifier. It is true, in the old days medical
privacy was taken care of much better, but now that we have
government-mandated health care programs and health management,
yes, it is convenient for government to be more efficient. But
the question is, do we want to weigh the two? Can you always
argue the case for efficient government and at the same time
protect privacy? I think there is a conflict there. But our
goal should be the privacy. The goal of privacy should override
the efficiency of government, and I think that sometimes is
where we slip on this.
Just providing new rules I think can be very, very damaging
to us, and we should not just ask the government or ask these
organizations to provide more forms to fill out, because that
invites abuse.
My bill, H.R. 220, addresses this. This is where I am
hoping more of us can come together. It does more or less state
what the law in 1974 states, but it has the force of law, that
you cannot use the Social Security number as a universal
identifier. It was not intended. We never even used Social
Security numbers on our tax forms until the early 1960s. There
is no reason that we cannot pass something like this.
If we are concerned about identity theft, the best thing we
can do for those who steal identities is to have all our
information brought together by the universal identifier.
So the most important thing that we could do to stop
identity theft is to make sure that there is a law on the
books, that we live by it, and that we do not have a universal
identifier. It will be and is the Social Security number. It is
universal. I delivered babies in my professional life, and it
is true, in the last several years we were required--everybody
was getting Social Security numbers before the baby left the
hospital. Everybody wants to know everything about everything,
and the most important way they accumulate this information and
can find out information on us is the Social Security number.
So if it makes government a little less efficient, I think
that might have to come about. I do not believe you can demand
the efficiency that some people would like on government
programs at the same time saying that we will protect our
privacy. There will have to be a choice. Of course, my choice
is for privacy and my choice, of course, would be to pass H.R.
220, and there could be no universal identifier for any of our
programs.
I thank the chairman.
Chairman Shaw. Thank you, Mr. Paul.
[The prepared statement and an attachment follow:]
Statement of Hon. Ron Paul, a Representative in Congress from the State
of Texas
Mr. Chairman, thank you for holding a hearing on the
important issue of the misuse of the Social Security number as
a uniform standard identifier. For all intents and purposes,
the Social Security number has been transformed from an
administrative device used to administer the Social Security
program into a de facto national ID number. Today, most
Americans cannot get a job, get married, open a bank account,
or even get a fishing license without their Social Security
number. Many hospitals require parents to obtain Social
Security numbers for their newborns before the hospital will
discharge the baby. Moreover, many jurisdictions will not issue
a death certificate without obtaining the deceased's Social
Security number.
The Congress that created the Social Security system in no
way intended to create a national identifier. In fact, Congress
never directly authorized the creation of the Social Security
number--they simply authorized the creation of an ``appropriate
record keeping and identification scheme.'' The Social Security
number was actually the creation of the Internal Revenue
Service!
The Social Security Number did not become a popular
identifier until the 1960s. In response to concerns about the
use of the Social Security number, Congress passed the Privacy
Act of 1974, because ``The Congress finds the opportunities for
an individual to secure employment, insurance and credit and
his right to due process and other legal protections are
endangered by the misuse of certain information systems.''
The Privacy Act of 1974 states that ``It shall be unlawful
for any Federal, State or local government agency to deny any
individual any right, benefit or privilege provided by law
because of such individual's refusal to disclose his Social
Security number.'' This is a good and necessary step toward
protecting individual liberty. Unfortunately, the language of
the Privacy Act allows Congress to require the use of the
Social Security number at will. In fact, just two years after
the passage of the Privacy Act, Congress explicitly allowed
state governments to use the Social Security number as an
identifier for tax collection, motor vehicle registration and
drivers' license identification.
Since the passage of the Privacy Act, Congress has been all
too eager to expand the use of the Social Security number as a
uniform identifier. For example, in 1996, Congress required
employers to report the Social Security number of employees as
part of the ``new hires'' database, while in 1998, 210 members
of Congress voted to allow states to force citizens to produce
a Social Security number before they could exercise their right
to vote.
Mr. Chairman, my legislation, the Freedom and Privacy
Restoration Act (HR 220) forbids Federal or State governments
from using the Social Security number for purposes not directly
related to administering the Social Security system.
Since I introduced this legislation on the first day of the
106th Congress, my office has received countless calls, letter,
faxes, and e-mails from Americans around the country who are
tired of having to divulge their national ID number in order to
get a job, open bank account, or go fishing. The strong public
outrage over the federal banking regulators' ``know your
customer'' scheme, as well as the attempt to turn state
drivers' licences into a national ID card, and the Clinton
Administration's so-called ``medical privacy'' proposals all
reveal the extent to which the American people oppose the
``surveillance state.'' These Americans believe that since
Congress created this problem, Congress must fix it.
Certain well-meaning members of Congress are focusing on
the use of the Social Security number by private businesses.
However, this ignores the fact that the private sector was only
following the lead of the federal government in using the
Social Security number as an ID. In many cases, the use of the
Social Security number by private business is directly mandated
by the government, for example, banks use Social Security
numbers as an identifier for their customers because the
federal government required them to use the Social Security
number for tax reporting purposes. Once the federal government
stops using the Social Security number as an identifier, the
majority of private businesses, whose livelihood depends on
pleasing consumers, will respond to their customers demands and
stop using the Social Security number and other standard
identifiers
I hope that we in Congress would not once again allow a
problem Congress created to become an excuse for disregarding
the constitutional limitations of federal police powers or
imposing new mandates on businesses in the name of ``protecting
privacy.'' Federal mandates on private businesses may harm
consumers by preventing business from offering improved
services such as the ability to bring new products that
consumers would be interested in immediately to the consumers'
attention. These mandates will also further interfere with
matters that should be resolved by private contracts.
Furthermore, as we have seen with the administration's so-
called ``medical privacy protection'' proposal, federal
``privacy protection laws'' can actually undermine privacy by
granting certain state-favored interests access to one's
personal information.
Finally, I would remind my colleagues that no private
organization has the power to abuse personal liberty on as
massive a scale as the federal government. After all, consumers
have the right to refuse to do business with any private entity
that asks for a Social Security number, whereas citizens cannot
lawfully refuse to deal with government agencies. Furthermore,
most of the major invasions of privacy, from the abuse of IRS
files to the case of the Medicare clerk who sold the names of
Medicare patients to an HMO, to the abuse of the FBI by
administrations of both parties have occurred by government
agents. Therefore Congress should focus on the threat to
liberty caused by the federal government's use of uniform
identifiers.
In conclusion, I once again thank the Subcommittee for
holding this hearing on the uses and abuses on the Social
Security number. I hope that this hearing is the first step
toward Congressional action designed to stop the use of the
Social Security number as a national ID number.
Liberty Study Committee
Falls Church, VA 22046
May 11, 2000
Ludwig von Mises, economist and true champion of liberty, concluded
that with respect to political and economic systems, one can choose
either totalitarianism or capitalism--there is no middle ground. Few
issues demonstrate the justification for his conclusion so clearly as
does that of privacy protection.
The premise of Mises' argument was that intervention is necessarily
begets interventionism as the negative effects of government's initial
intervention become the justification for each of the subsequent
interventions. For example, when government establishes a minimum wage
above the market wage, that class of employees whose marginal product
is below the artificially established minimum wage become legally
unemployable, and, hence in ``need'' of governmental support. Of
course, government's response to then support every unemployed member
of society at some subsistence level creates yet another incentive for
more intervention when those actually working to achieve that level of
subsistence realize it can be achieved without to achieve that level of
subsistence realize it can be achieved without continuing their
efforts. Of course, this privacy hearing is not exactly about the
minimum wage but rather whether government should intervene yet again
to remedy the negative consequences of its prior, privacy-destructive
intervention or whether they should properly recognize themselves as
the source of the malaise and repeal the prior intervention.
In America's Great Depression, economist Murray Rothbard explains
how massive federal intervention into the monetary sphere (contrary to
the usual tripe proffered regarding ``unbridled capitalism'' causing
the depression) served as the intervention that sent this country into
the throws of the great depression. Among the subsequent and numerous
interventions to remedy the negative effects of governmental monetary
mischief, was the Social Security Act, a bill which after nearly one
hundred and fifty years of history to the contrary, ``relieved''
citizens of the individual responsibility for providing for their own
financial futures and those of their family members. Of course, as
Mises understood and explained, these interventions were the natural
result of the negative consequences triggered by interference in the
monetary sphere.
Because individual and private accounts would no longer be the
means by which most savers provided for their financial futures and as
though money was actually being placed by government into individual
accounts for those without the requisite self-discipline to provide for
their own future financial well-being, every participant in the system
was ultimately issued a Social Security ``Account Number.'' Although
the Congress that created the Social Security system in no way intended
to create a national identifier, a subsequent executive order by
President Roosevelt authorized the use of the Social Security number as
a standard federal identifier.
In the name of ``protecting'' the taxpayer against government
inefficiency and various forms of fraud, government took subsequent
steps to further establish the SSN as a uniform identifier. For
example, where military members once used their military serial number,
this was replaced by the Social Security number as a standard
identifier. Additionally, the Bank Secrecy Act of 1970 generated
regulation requiring the collection of Social Security Numbers by
banking institutions. When, at a minimum, banks were mandated by
government to use at least that number and to preserve scarce data
resources and avoid duplicity of records, financial institutions
naturally adopted the social security number as their record number of
choice.
In response to concerns about the widespread use of the SSN,
Congress passed the Privacy Act of 1974, but, unfortunately, the
language of the Privacy Act allow Congress to require the use of the
Social Security number at will. In fact, just two years after the
passage of the Privacy Act, Congress explicitly allowed state
governments to use the Social Security number as an identifier for tax
collection, motor vehicle registration and drivers' license
identification. The federal government has also compelled extensive
disclosure and use of the Social Security number in its labor, medical,
and education databases.
Given that government, to accommodate its own prior interventions,
has not only facilitated but compelled the creation of a massive tool
for privacy invasion, government is now, of course, presented with the
question of whether to undo at least some of the prior intervention or
use the culmination of negative effects of all these prior
interventions to, yet again, intervene further in the liberty and
private dealings of individuals.
The Liberty Study Committee supports what is the only proper
response to this question: eliminate the proliferation of the
government-instilled, privacy-destroying tool--the Social Security
Account Number. While it certainly does not return government to its
proper role and restore responsibility for saving to individuals, The
Freedom and Privacy Restoration Act, H.R. 220, introduced by
Representative Ron Paul, would limit the use of the Social Security
number to the Social Security system administration, and is an
important step in the right direction of at least protecting the
privacy of individuals. Without question, certain inefficiencies will
necessarily result in limiting the use by government of this number
but, first and foremost, we must not forget that government's primary
role must be to preserve individual liberty rather than ``efficiently''
run government programs, many of which lack constitutionally legitimacy
in any case.
Under no circumstances should the government use their very own
government-created privacy crisis as a justification to restrict what
private individuals do or don't do with their private information (even
to include release of their own Social Security number). As much as
free speech includes the right to be still, inherent to privacy is the
right to share or not share private information with those of one's own
choosing.
Government has, in essence, turned the notion of privacy protection
on it's head with proposals to limit information sharing by private
individuals while compelling disclosure to government by those very
same individuals. I hope this Congress will recognize and, thus, not
fall prey to the ``intervention-begets-intervention'' recognized by
Mises and, as such, not move our nation yet another step further down
the road to totalitarianism.
Kent Snyder
Executive Director
Chairman Shaw. I just have a couple of questions that I
would like to direct, one to Mr. Kleczka and one to Mr. Paul.
Some of the witnesses on the next panel will testify that
restricting the commercial use of the Social Security numbers
will seriously impede their ability to do business. They will
testify that such restrictions will harm consumers, because
Social Security number is often used for law enforcement, fraud
prevention, and to provide services which consumers value.
How would you respond to these criticisms? And how does
your bill ensure that consumers are not harmed by Social
Security number restrictions?
Mr. Kleczka. Well, Mr. Chairman, first of all, I do not
believe there is any basis for indicating that this will impede
anyone's ability to do business.
We found in a GAO report that credit bureaus make tens of
million dollars annually by selling credit header information,
which contains a Social Security number. What it is going to
harm is their ability to increase the bottom line.
So my response to that argument would be you can still
check a consumer or a credit file for accuracy--a name,
address, phone number, and past addresses. If that matches with
the request that has just come in for a credit rating, you will
still sell that information and send it on down.
By virtue of the fact that you are using it as a national
ID number, which it was never intended to do, and no one in
this room or no Member of Congress will agree to that usage, I
am saying is not something that we should try to maintain for
their business purposes.
In fact, the big harm to the consumers, Mr. Chairman, will
be if Congress fails to do anything.
Chairman Shaw. Thank you for that.
My next question is directed to Mr. Paul.
The American Association of Motor Vehicle Administrators
will testify later on that your bill, H.R. 220, will negatively
impact on the ability of States to combat fraud and ensure
public safety.
Would you like to respond to that criticism?
Mr. Paul. Well, I think the opposite would be true. If you
are interested in stopping the fraud of identity theft, since
the Social Security number being used as a universal identifier
enhances the identity theft, I would say we would go a long way
to stopping that.
I guess what they are referring to is the possibility of
putting the Social Security number on our driver's licenses,
and that has been started, and that, of course, is what the
individuals who like the national ID card would like.
Even though I do not happen to believe it would impede the
ability to combat fraud, because it would stop the identity
theft, I would be quite willing to say, even if there was the
slightest benefit, it is still so dangerous to use a universal
identifier, that our freedoms and our liberties and our
privacies--I mean, if we had armed guards every place, of
course, there may be less fraud and less theft, but we would be
living in a police state, so there is an extreme there.
So this is just the introduction of the heavy hand of
government monitoring us, and therefore, even if there can be a
slight justification, I do not think it should be accepted. I
do not believe that is the case, because I think it would be a
tremendous benefit to stop the identity theft.
Chairman Shaw. Mr. Markey?
Mr. Markey. Can I very briefly just say that I do agree
with Representative Paul that we have to be very concerned
about government misuse of private information within our
society, but the big problem today is not Big Brother, it is
Big Browser. It is the ability, not only for the government,
but for private sector companies, together all this
information, which would never have been able to be compiled
before.
While some industries say, ``Well, you know, you are going
to interfere with this revolution,'' I think that is the
greatest fear which we all have. Who would want to be somebody
that is given responsibility for ending the Internet
revolution, as though, by animating this revolution with old
values you are now going to ruin it. My god, just think if
Internet stocks had to be valued on the same basis as the old
economy stocks. They might go down a couple thousand points,
you know. That would be terrible if they had to actually have
profits and have a cash flow. ``You cannot value stocks that
way,'' they say. ``You are foolish.''
Are we going to prohibit fraud on line? Under their
argument, no, that would actually interfere with their ability
to get this thing going.
But right now we have rules that say that you cannot
transfer, as a tax preparer, somebody's private tax information
without their permission. You cannot transfer driver license
information without their permission.
Because of Judge Bork, it is illegal to transfer any
information about any video cassettes which you rent at a video
store. It does not ruin their business, but it allows you to
protect the information about the movies that you rented.
No cable company can sell the information about which
channels you watch and for how long and what time in the middle
of night you might have flipped to that station and been
watching that movie while everybody was upstairs asleep. They
cannot sell that information as to what you were watching to
anybody.
People cannot sell your telephone numbers at the phone
company, even though it would make a lot of money for them.
The cell phone industry cannot use their cell phone as a
tracker to sell to people as to where you go. That is illegal.
Again, it limits these industries, but it gives us some
additional sense of privacy.
All we are saying about the Social Security number is that
it falls into a category which deserves special protection, not
only from the government but also from any industry, as well,
that sees us as nothing more than a product.
Chairman Shaw. If I am reading this panel right, I find Mr.
Markey and Mr. Paul agreeing with each other.
Mr. Markey. When the liberal left and the libertarian right
join up, it does not leave a lot of room in the middle. I think
we are pretty much in agreement in terms of what has to happen
in our country.
Chairman Shaw. Well, we will have to put this down as a
red-letter day.
Mr. Tanner?
Mr. Tanner. Thank you, Mr. Chairman.
I want to thank you all, all of you, for being here. I
really believe that this issue is a sleeping giant; that if
people really stopped to think about the potential
ramifications of this problem, they would be terrified. And it
is our job--and I want to thank Chairman Shaw--to not only hold
these hearings to educate, but also to try to find the answers,
and you all are here to help us do that, and we very, very much
appreciate it.
I think, in listening to you all and the other day, that
the appeal of the Social Security number is that it tends to
give absolute assurance that whomever has asked for it that you
are who you say you are. It is ironic that this very
attractive, appealing practice could be the very thing that
gets us in trouble with that and you are not who you say you
are, because we heard a couple of days ago from Colonel
Stevens--I do not know if you all who are not on the
committee--I know Gerry and Jim were here. This was a heart-
wrenching story.
This retired lieutenant colonel and his wife have had their
identity stolen. They were looking forward to retirement in
South Carolina or Florida with their grandchildren and so on,
and now they cannot leave this area because of recurrent credit
problems and because, as far as they know, it may still be
unfolding.
Now, their lives, if not being ruined physically by
ravaging illness, have been altered to the extent that their
lifetime dreams of their golden years have become unreachable
for them.
Not having heard them, but knowing of the circumstances
that they and others find themselves in, I would like to ask
Mr. Kleczka and Dr. Paul: how does your bill help the situation
that Colonel Stevens and his wife testified to? Gerry?
Mr. Kleczka. Well, hopefully, Congressman Tanner, the bill
would help the next Stevens case, where someone who is trying
to steal someone's identity would not be permitted to do so
because they will not have access to the Social Security
number. So it would help people in that similar situation by
making it almost impossible to get one's Social Security
number. I think that is where we have to start with any bill
that the Ways and Means Committee deals with.
Again, these numbers are disseminated not only through the
websites, on the Internet, motor vehicle departments are
selling them, the credit bureaus are selling them as part of
the header information, and so a person who is out looking for
John Tanner's Social Security number can probably, with
relative ease, find it.
What we tried to do in my legislation is prohibit the sale,
the commercial use of the Social Security number. If, in fact,
your bank has it, fine, but they cannot sell the list, nor do
they, but we know the lists are being sold by such concerns
like the motor vehicle department.
Let me respond at a point to the response from Mr. Paul.
Mr. Tanner. Does your legislation apply to Eddie Bauer and
L.L. Bean and those people, too?
Mr. Kleczka. To who?
Mr. Tanner. L.L. Bean, Eddie Bauer--people I do business
with?
Mr. Kleczka. Right. But they are not the ones selling it.
Usually, they might be buying information that could be
contained on those lists.
But State legislators are also getting the same pressures
and hearing the same problems that we are, and, as time goes
by, less and less number of States are using the Social
Security number as your driver's license number. In fact, if I
am correct, I believe Virginia just passed legislation or
stopped the use of that being on your driver's license. As time
goes on, more and more States are going to be--
Mr. Tanner. If you will yield, does your bill restrict the
usage of the Social Security number by the States and local
jurisdictions?
Mr. Kleczka. No, it does not. That is a State
responsibility. My bill provides that they cannot sell that
information. So if they sell a driver's license file, they
cannot include on there or leave on there a Social Security
number.
Mr. Tanner. Dr. Paul?
Mr. Paul. And, of course, I think that is very important
that States not use these numbers for the sale of State
information.
But my bill I think would go a long way to stopping this
kind of a problem, because it says that you cannot use the
Social Security number for anything other than to identify your
Social Security account. So it does not deal with the sale so
much as it deals with trying to prevent the setup.
So when we talk about commercial interests, it is the fact
that we have--just like our voting card, I mean, we are
lackadaisical about it and we accept it. It is the same way
with corporations. They use it as a convenience. It is
convenient for corporations. It is convenient for everybody. My
bill says you cannot use it in any other government agency. We
cannot universalize it and require it.
Certainly, we would never be able to write the proposed law
that says the States will use the Social Security number and
have it universal as a universal ID card.
Mr. Tanner. Am I correct in then stating that your bill
deals more with the gathering of the information and Gerry's
bill deals more with the dissemination?
Mr. Paul. I think that would be correct.
Mr. Kleczka. I think so.
Mr. Tanner. Is there a way to bring those two together? It
seems to me both have appeal.
Mr. Paul. I think his problem would be lessened if my bill
were passed, in that there would be no accumulation and it
would be less likely to have information to sell.
Mr. Tanner. You have got nothing to disseminate. All right.
Mr. Kleczka. The problem is that those lists and those
numbers are out there. Today we need his bill, yesterday we
need mine to stop it.
Chairman Shaw. Mr. Hayworth?
Mr. Hayworth. Thank you, Mr. Chairman.
As the bells have rung with votes, I just have a couple of
very quick questions, in addition to thanking our colleagues
for coming down and offering their opinions on this. I would
concur with my colleagues here on the subcommittee: this is an
issue of great concern, especially to the people of the 6th
District of Arizona.
First, to our friend from Wisconsin, Mr. Kleczka, your bill
has also been referred to the Committees on Banking and
Financial Services, and also the Committee on the Judiciary.
What has been their reaction to your legislation?
Mr. Kleczka. I have not checked with the chairmen.
Naturally, they have not had a hearing to date. Clearly, there
is joint jurisdiction, because for banking we deal with credit
bureaus. We do have penalties in my bill. So whatever product
this committee comes up with will have to be meshed with those
other committees, also.
Mr. Hayworth. Have you heard anything from either committee
about the plan of any action?
Mr. Kleczka. No, I have not. The last we heard Washington,
on our financial modernization bill, that was the major, major
issue this time around, but two years ago it was not even
debated. that is how important this issue has become in a very
short while.
Mr. Hayworth. Yes, indeed. I would concur. Thank you.
Now I turn to my friend, Dr. Paul, from Texas.
Talking about jurisdiction being shared, your bill has also
been referred to the Committee on Government Reform, and I
would ask the same question: have you gotten a reaction from
the committee? And has there been any action planned or taken
by the Committee on Government Reform?
Mr. Paul. I think Government Reform, if I am not mistaken,
has some hearings scheduled next week on it.
Mr. Hayworth. Good. All right. Very good.
I thank you, Mr. Chairman.
Chairman Shaw. At this point, since Mr. Tanner brought up
the name of Colonel Stevens, we did ask and the representation
had been made that this was, in some way, some requirement in
law for the Social Security number at the base commissaries. We
made an inquiry to the Pentagon, and I would like to read into
the record the answer that we got.
The answers says, ``The Department of Defense directives
governing commissaries and exchange do not require that the
Social Security numbers be used for check cashing purposes.''
Well, something has been misrepresented. ``The commissary and
exchange services have adopted operating procedures that use
the Social Security number for check cashing verification,
since it identifies the authorized patron. The military ID uses
a Social Security number as a service number,'' and that we
determined yesterday by just looking at Mr. Johnson's card. We
may want to do some more inquiring into that particular area.
[The following was subsequently received.]
Statement from the Office of the Deputy Assistant Secretary of Defense
The DoD Directives governing commissary and exchanges do
not require that the Social Security Number be used for check
cashing purposes. The commissary and exchange services have
adopted operating procedures that use the SSN for check cashing
verification since it identifies the authorized patron. (The
military ID card uses the SSN as the ``Service Number''--
according to Sheila Ford in DHRA)
In requesting the SSN, the resale activities must conform
with DoD Directive 5400.11 and DoD 5400.11R (DoD Privacy
Program) and E.O 9397 (dated November 23, 1943).
I have been advised that we have three votes on the floor.
This panel will be dismissed, and I thank you. Each one of you
gave some very fine testimony, and I find myself in agreement
with just about everything that has been said.
We will recess until the conclusion of that vote, and then
we will return to hear our second panel.
Thank you.
[Recess.]
Mr. Hayworth [assuming Chair]. The committee will come to
order.
The second panel consists of: Stuart Pratt, vice president,
government relations, Associated Credit Bureaus, Incorporated;
Edmund Mierzwinski, consumer program director, United States
Public Interest Research Group; Katherine Burke Moore, chair,
international board of directors, American Association of Motor
Vehicle administrators; Marc Rotenberg, executive director,
Electronic Privacy Information Center; and Robert Meyer, senior
counsel, American Council of Life Insurers.
We welcome each of you. You will each have your full
statement entered into the record, and we will proceed.
We will start with you, Mr. Pratt.
STATEMENT OF STUART K. PRATT, VICE PRESIDENT, GOVERNMENT
RELATIONS, ASSOCIATED CREDIT BUREAUS, INC.
Mr. Pratt. Thank you, Mr. Chairman and members of the
subcommittee. My name is Stuart Pratt, and, for the record, I
am vice president, government relations, for the Associated
Credit Bureaus.
ACB, as we are commonly known, is an international trade
association representing over 500 consumer information
companies, and those companies provide fraud prevention and
risk management products, credit mortgage reports, tenant and
employment screening services, check fraud and verification
services, as well as collection services.
Really, our members are an information infrastructure in
our society here that contributes to the safety and soundness
of our banking systems, and does, in fact, escalate the
efficiencies of our secondary mortgage securities marketplace,
which saves consumers as much s 200 basis points on the cost of
mortgage, according to those agencies that administer those
securities programs.
We help e-commerce and bricks-and-mortar businesses to
authenticate applicant data, reducing incidents of fraud, and
we help State and Federal agencies to reduce entitlement fraud
of various types, amongst other products that we offer.
We thank all of you on the committee for choosing to hold
this hearing on such an important subject, the Social Security
number, how it is used in our society, and, in fact, to expand
our understanding and share our thoughts on the circumstances
surrounding misuses of this number.
Before I specifically address how we in our industry do use
the Social Security number, I have always found it helpful in
this type of testimony to review a little bit about the
industry we represent, the types of businesses we have, the
laws that govern us, and this provides a bit of context, I
think, for some of the testimony you have, in fact, heard up to
this point.
Consumer reporting agencies do maintain information on
individual consumer payment patterns associated with various
types of credit obligations. Credit histories are derived from
the voluntary provision of information about consumer payments
on various types of credit accounts and other debts from
thousands of data furnishers, such as credit granters, student
loan guarantee and child support enforcement agencies. A
consumer's file may also contain public record items, such as
bankruptcy filings, judgments, or liens.
For purposes of data accuracy, our members also maintain
information on a consumer's full name, current and previous
addresses, Social Security number, and places of employment.
Perhaps as important as knowing what we have in our files
is also to often clarify what we do not have in a consumer's
file. We do not know what consumers have purchased using
credit. We do not know where they have shopped. We do not know
which bank cards they have used. We do not have a record of
when consumers have been approved or when consumers have been
declined. We do not maintain medical treatment information. No
bank account information of that sort, such as a balance on a
checking account, is available in a traditional consumer
report.
The law that governs this, the Fair Credit Reporting Act,
was enacted in 1970 and was most recently amended in the 104th
Congress with the passage of the Credit Reporting Reform Act.
In fact, here at the table with us are some of the folks who
lived through the years and years of debate on that--Ed, in
particular. We often spent a good amount of time talking about
that law as we evolved it through the Congress, or I should say
several Congresses, at this point.
We believe the FCRA is an effective privacy statute. It
does protect consumers by narrowly limiting the appropriate
uses of the consumer report.
Beyond protecting privacy, the FCRA also accomplishes
another very elemental goal of good privacy policy, and that is
to ensure rights of consumers with regard to access, the right
to dispute, the right to have information corrected in their
file, the right to have a baseline expectation of accuracy. In
fact, one of the advances under the FCRA is the fact that
accuracy is now a responsibility and it is a shared liability
for both the consumer reporting agency and also for the various
data furnishers with whom we share information.
Let me turn to the question of how we use Social Security
numbers, which is more so the subject matter of our hearing
today.
Under the FCRA, one of our liabilities, as I have just
said, is to employ reasonable procedures to ensure the maximum
possible accuracy of the consumer report. We must design these
systems based on exactly the data that has been requested on a
specific individual, and we must accomplish this dual mission
of accuracy and data extraction in the context of a highly
mobile society.
There are some facts that I think are very important for
this committee to consider. For example, about 16 percent of
our Nation's population moves each year, and that generally
translates to about 42 million consumers a year moving from one
location to another, thus addresses are changing for principal
residences.
About 2.4 million marriages and another 1.2 million
divorces occur annually. This, too, results in not only
addresses changing, but also the last names of individuals
changing, in most cases.
These data clearly speak to the challenge our Members face,
where identifying data often changes.
In light of the mobility of our society, the Social
Security number does, in fact, play a very significant role in
ensuring data quality. Where a consumer, for example, has
changed a last name due to marriage or divorce, has moved to a
new address--which is also very common in those cases--the
Social Security number is the most stable identifying element
we would have in the file.
It helps us, first, to be able to identify the consumer's
file with precision during this life transition where this
consumer is very likely to be applying for new credit, perhaps
for making new purchases, for this new home that they are
moving into, seeking approval for utilities--even, in fact,
seeking approval for the loan that is going to allow them to
purchase the residence, itself. The consumer expects to have
that consumer report available, even during this transitional
period.
Secondly, the consumer expects his or her file to be
accurate. The SSN helps us to accomplish this goal of file
accuracy in the midst of these cycles of change occurring with
identifying information.
Beyond the FCRA, we produce a range of other products that
I think it is important for this committee to consider. The
Social Security number is a critical element in locator
services. Our members do produce these types of services, and
they are used by, for example, child support enforcement
agencies to locate non-custodial parents, pension funds to
locate beneficiaries, law enforcement for locating criminals or
witnesses, health care providers to locate individuals who have
chosen not to pay their bills.
Most recently--and this is an advance in the area of
privacy policy--our members have committed ourselves to another
organization that they established voluntarily and negotiated
with the Federal Trade Commission called ``The Individual
Reference Services Group,'' and this has placed limitations on
who should have access and in what contexts. This, in fact,
also applies to the Social Security number therein.
Yes, the Social Security number plays a role in fraud
prevention for us, as well. Where a consumer makes application
for a product or service, it helps businesses to ensure they
are doing business with the right consumer. These
authentication or verification tools are other products that we
do make available.
I am looking to see if I am out of time. How am I doing?
Mr. Hayworth. If you could, Mr. Pratt, kind of wind it down
so we can hear from the other panelists.
Mr. Pratt. Absolutely. Yes, sir.
Mr. Hayworth. Thank you. Your full statement will be
entered into the record.
Mr. Pratt. Let me just suggest that, in the area of fraud
prevention, we have taken one additional step that I hope the
committee will consider, and that is that on March 14th of this
year we added new voluntary initiatives to our own practices to
help the very situation of the victims you heard in the last
round of testimony. Those are in the record for you to review.
In fact, we have launched new software systems and will bring
those on line this year to monitor a consumer's files and make
sure we stay in touch with consumers who have been victimized.
In conclusion, let me urge a message which I have seen in
the press releases associated with this committee, and that is:
it is a question of balance. It is a question of maintaining
viably the kinds of valued programs that we have that are tied
with information products, and, at the same time, ensuring the
appropriate protections for the very sensitive Social Security
number.
I thank you for giving us this opportunity to testify.
Mr. Hayworth. Thank you, sir.
[The prepared statement and attachment follow:]
Statement of Stuart K. Pratt, Vice President, Government Relations,
Associated Credit Bureaus, Inc.
Mr. Chairmen and members of the Subcommittee, my name is
Stuart Pratt and I am vice president, government relations for
the Associated Credit Bureaus, headquartered here in
Washington, D.C. ACB, as we are commonly known, is the
international trade association representing over 500 consumer
information companies that provide fraud prevention and risk
management products, credit and mortgage reports, tenant and
employment screening services, check fraud and verification
services, and collection services.
Our members are the information infrastructure that
contributes to the safety and soundness of our banking and
retail credit systems; which:
allows for the efficiencies of a secondary
mortgage securities market place that saves consumers an
average of 200 basis points on the cost of a mortgage.
helps e-commerce and bricks-and-mortar businesses
to authenticate applicant data thus reducing the incidence of
fraud.
gives child support enforcement agencies the
information tools necessary to meet their mission.
allows states to reduce many forms of entitlement
fraud.
We want to commend you for choosing to hold this hearing on
the importance of the Social Security Account Number in our
society and to expand our understanding of the circumstances
surrounding misuses of this number.
Before I specifically address how the SSN is used by our
industry and the importance of this number, I have found it
helpful to provide a short review of what a consumer reporting
agency is, what is contained in a consumer report, and the law
that governs our industry.
Consumer Reporting Agencies and Consumer Reports
Consumer reporting agencies maintain information on
individual consumer payment patterns associated with various
types of credit obligations.\1\ The data compiled by these
agencies is used by creditors and others permitted under the
strict prescription of the Fair Credit Reporting Act (15 U.S.C.
1681 et seq.) to review the consumer's file.
---------------------------------------------------------------------------
\1\ Our members estimate that there are approximately 180 million
credit active consumers. Since our members operate in competition with
each other, these consumers are likely to have more than one credit
history maintained.
---------------------------------------------------------------------------
Consumer credit histories are derived from, among other
sources, the voluntary provision of information about consumer
payments on various types of credit accounts or other debts
from thousands of data furnishers such as credit grantors,
student loan guarantee and child support enforcement agencies.
A consumer's file may also include public record items such as
a bankruptcy filing, judgment or lien. Note that these types of
data sources often contain SSNs, as well.
For purposes of data accuracy and proper identification,
generally our members maintain information such as a consumer's
full name, current and previous addresses, Social Security
Number (when voluntarily provided by consumers) and places of
employment. This data is loaded into the system on a regular
basis to ensure the completeness and accuracy of data.\2\
---------------------------------------------------------------------------
\2\ Note that there are in fact a number of major credit reporting
systems in this country. Within ACB's membership the three most often
recognized systems would be Equifax, Atlanta, GA; Experian, Orange, CA;
and Trans Union, Chicago, IL. These systems not only manage their own
data, but provide data processing services for the over 400 local
independently-owned automated credit bureaus in the Association's
membership.
---------------------------------------------------------------------------
It is interesting to note that the vast majority of data in
our members' systems simply confirms what most of you would
expect; that consumers pay their bills on time and are
responsible, good credit risks. This contrasts with the
majority of systems maintained in other countries, such as
Japan or Italy, which store only negative data and do not give
consumers recognition for the responsible management of their
finances.
As important as knowing what we have in our files is also
knowing what types of information our members do not maintain
in files used to produce consumer reports. Our members do not
know what consumers have purchased using credit (e.g., a
refrigerator, clothing, etc.) or where they used a particular
bank card (e.g., which stores a consumer frequents). They also
don't have a record of when consumers have been declined for
credit or another benefit based on the use of a consumer
report. Medical treatment data isn't a part of the databases
and no bank account information is available in a consumer
report.
The Fair Credit Reporting Act (FCRA)
In addition to our general discussion of the industry, we
believe it is important for your Subcommittee to have a
baseline understanding of the law which regulates our industry.
Enacted in 1970, the Fair Credit Reporting Act was
significantly amended in the 104th Congress with the passage of
the Credit Reporting Reform Act.\3\
---------------------------------------------------------------------------
\3\ Public Law 10409208, Subtitle D, Chapter 1.
---------------------------------------------------------------------------
Congress, our Association's members, creditors and consumer
groups spent over six years working through the modernization
of what was the first privacy law enacted in this country
(1970). This amendatory process resulted in a complete, current
and forwarding-looking statute. The FCRA serves as an example
of successfully balancing the rights of the individual with the
economic benefits of maintaining a competitive consumer
reporting system so necessary to a market-oriented economy.
The FCRA is an effective privacy statute, which protects
the consumer by narrowly limiting the appropriate uses of a
consumer report (often we call this a credit report) under
Section 604 (15 U.S.C. 1681b), entitled ``Permissible Purposes
of Reports.''
Some of the more common uses of a consumer's file are in
the issuance of credit, subsequent account review and
collection processes. Reports are also, for example, permitted
to be used by child support enforcement agencies when
establishing levels of support.
Beyond protecting the privacy of the information contained
in consumer reports, the FCRA also provides consumers with
certain rights such as the right of access; the right to
dispute any inaccurate information and have it corrected or
removed; and the right to prosecute any person who accesses
their information for an impermissible purpose. The law also
includes a shared liability for data accuracy between consumer
reporting agencies and furnishers of information to the system.
Social Security Number Uses
Let me now turn to the question of how our industry uses
the SSN.
Under the Fair Credit Reporting Act, our industry has a
duty to ``. . .employ reasonable procedures to ensure the
maximum possible accuracy. . .'' of the consumer report.
Further, we must design systems that accurately allow our
customers to extract only the data requested on a specific
individual.
We must accomplish this dual mission of accuracy both in
terms of building databases, but also properly identifying
files in our systems in the context of a highly mobile society.
Consider the following:
Approximately 16% of the nation's population moves
each year according to the U.S. Census Bureau, which means many
addresses change each year. (This equates to approximately 42
million Americans)
Based on National Center for Health Statistics, it
is estimated that there are 2.4 million marriages and 1.2
million divorces annually. This event frequently triggers
changes in addresses as well as last names.
In 1998 there were 6 million homes in the U.S.
that are considered vacation or second homes. Consumers often
switch billing addresses if they stay at such residences for
long periods of time and in some cases maintain billing
addresses for both residences with various creditors. (Source:
U.S. Census Bureau House Vacancy Survey as extrapolated by the
National Association of Realtors)
These data clearly speak to the challenge our members face
where identifying data often changes.
In light of the mobility of our society, the Social
Security Number plays a very significant role in ensuring data
quality. Our members process 2 billion data elements a month.
These elements are a combination of credit history data and
identifying information. Consider the following very real
example.
Where a consumer has changed a last name due to marriage or
divorce and has moved to a new address, which is common in
either case, the SSN is the most stable identifying element in
the file. First, it helps us to identify the consumer's file
with precision during this life transition where he or she is
likely applying for new credit, seeking approval for utilities,
and seeking to rent or purchase a new residence. The consumer
expects that the consumer report will be available for all of
these necessary transactions and the SSN helps our members to
meet this expectation. Second, the consumer expect his or her
file to be accurate and the SSN helps us to maintain the file
accurately even when the consumer is in the midst of updating
creditors with changes in name and address.
The SSN is also a critical element in producing information
products, which are commonly called locator services. Our
members limit access to these products via voluntary
initiatives established by our largest members and others under
an organization called the Individual Reference Services Group.
These services are made available, for example, to child
support enforcement agencies for purposes of locating non-
custodial parents; to pension funds which must locate
beneficiaries; to law enforcement for locating criminals or
witnesses; to healthcare providers that must locate individuals
who have chosen not to pay their bills and for other similar
uses.
Further, the SSN plays a role in fraud prevention products.
Where a consumer makes application for a product or service,
information products that help the business to ensure that they
are doing business with the right consumer use information
products to authenticate or verify the application information.
This is true in both for bricks-and-mortar business and in e-
Commerce. If applicant data doesn't match, then the business
can take additional steps to verify the consumer's identity and
thus prevent fraud.
Fraud Prevention and Identity Theft
In your press release announcing this hearing, you mention
the potential for misuse of the SSN. Our industry has a history
of bringing forward initiatives to address fraud. These efforts
focus on use of new technologies, and better procedures and
education.
Consider the following efforts undertaken during this
decade:
ACB formed a Fraud and Security Task Force in 1993
A ``membership alert form'' was developed to be
used in notifying other ACB credit bureau members of a
customer, which was committing fraud through the misuse of
data. Implemented in 1994.
A ``Universal Fraud Information Form'' was
developed for use by creditors when communicating the incidence
of fraud to national consumer reporting systems.
A generic credit reporting industry presentation
on ACB fraud and security initiatives was developed and
presented to customer segments during 1995.
Minimum standards for data access equipment and
software were announced to industry suppliers in March 1995.
ACB members implement company-specific limitations
on the availability of account numbers, and truncation of
Social Security Numbers on consumer reports sold to certain
customer segments.
Experian, Equifax and Trans Union voluntarily
formed special fraud units with 800 number service and consumer
relations personnel specially trained to work with fraud
victims.
A hardware and software certification program is
created by the industry and administered by a third-party
certification authority for those access products, which have
implemented minimum industry security standards.
Over 150,000 copies of a new customer educational
brochure entitled ``We Need Everyone's Help to Protect Consumer
Privacy and Reduce Fraud'' have been distributed since its
first printing in the last Q.1997. An education program was
also developed for use by ACB members in presenting the
information found in the brochure. 2nd Q. 1998.
On March 14, 2000, the ACB announced new voluntary
initiatives to assist consumers who have been victimized by
identity theft. Following is a description of each initiative
and also attached is our press release.
Advocate the use and improve the effectiveness of
security alerts through the use of codes transmitted to
creditors. These alerts and codes can help creditors avoid
opening additional fraudulent accounts.
Implement victim-assistance best practices to
provide a more uniform experience for victims when working with
personnel from multiple fraud units.
Assist identity theft victims by sending a notice
to creditors and other report users when the victim does not
recognize a recent inquiry on the victim's file.
Execute a three-step uniform response for victims
who call automated telephone systems: automatically adding
security alerts to files, opting the victim out of prescreened
credit offers, and sending a copy of his or her file within
three business days.
Launch new software systems that will monitor the
victim's corrected file for three months, notify the consumer
of any activity, and provide fraud unit contact information.
Fund, through ACB, the development of a series of
consumer education initiatives through ACB to help consumers
understand how to prevent identity theft and also what steps to
take if they are victims.
Conclusion
In conclusion, you can see by our actions that in large
part our uses of the SSN are governed under the Fair Credit
Reporting Act, one of the most extensive privacy laws in the
country. Beyond law, our members have a history of proactively
limiting how SSNs are used outside of the FCRA. No one
particular element of information is the key to identity theft.
The underlying theme in all of this is balance.
Laws that overreach in attempting to limit use of the SSN
are likely to merely take fraud prevention tools out of the
hands of legitimate businesses at the expense of consumers.
Ironically, to prevent fraud you must be able to crosscheck
information. To maintain accurate databases, you must be able
to maintain a range of identifying elements. Absent the
availability of the SSN, we will be less able to build accurate
data bases, to accurately identify records and to help prevent
the very crime through the development of fraud prevention and
authentication tools.
Thank you for this opportunity to testify.
3 Public Law 10409208, Subtitle D, Chapter 1.
NEWS RELEASE
Contact: Norm Magnuson
Vice President of Public Affairs
202/408097406
For Immediate Release
March 14, 2000
Credit Reporting Industry Announces Identity Theft Initiatives
Associated Credit Bureaus, the international trade
association for the consumer reporting industry, announced
today a commitment on behalf of the nation's leading credit
reporting agencies to voluntarily implement a comprehensive
series of initiatives to assist victims of identity theft in a
more timely and effective manner.
``While there is no evidence to show that the credit report
is a source for identity theft, our industry has always taken
an active role in assisting consumers who are fraud victims.
Our members have taken this responsibility seriously, and we're
very proud of these initiatives that help consumers who are
victims of identity theft or fraud,'' noted D. Barry Connelly,
president of Associated Credit Bureaus. ``Designing and
implementing these initiatives is a significant milestone in
the ongoing efforts of our industry to help address the problem
of identity theft. As long as there are criminals who prey on
innocent consumers, we will continue to seek even better ways
to serve consumers and work with law enforcement and our
industry's customers to address this threat.''
Connelly outlined the industry's six-point program to
improve identity theft victim assistance:
Advocate the use and improve the effectiveness of
security alerts through the use of codes transmitted to
creditors. These alerts and codes can help creditors avoid
opening additional fraudulent accounts.
Implement victim-assistance best practices to
provide a more uniform experience for victims when working with
personnel from multiple fraud units.
Assist identity theft victims by sending a notice
to creditors and other report users when the victim does not
recognize a recent inquiry on the victim's file.
Execute a three-step uniform response for victims
who call automated telephone systems: automatically adding
security alerts to files, opting the victim out of prescreened
credit offers, and sending a copy of his or her file within
three business days.
Launch new software systems that will monitor the
victim's corrected file for three months, notify the consumer
of any activity, and provide fraud unit contact information.
Fund, through ACB, the development of a series of
consumer education initiatives through ACB to help consumers
understand how to prevent identity theft and also what steps to
take if they are victims.
ACB's initiatives, to be fully implemented within seven
months of this announcement, resulted from a task force
comprising senior executives from the ACB Board of Directors
and former state Attorney General, M. Jerome Diamond. Diamond
interviewed consumer victims and law enforcement officials,
made on-site visits to credit reporting agency fraud units, and
obtained input from privacy advocates. His counsel was an
integral part of the decision-making process and influenced the
final content of the initiatives.
Connelly said: ``Identity theft is a crime that is deeply
unsettling for the victims. Our initiatives will make it easier
for victims to put their financial lives back together.''
Connelly stressed, though, that the crime extends beyond
individuals to creditors and ACB members and added, ``We must
all work together in the areas of prevention and victim
assistance. We supported the enactment of the Identity Theft
Assumption and Deterrence Act of 1998 and have worked with more
than half of the state legislatures on similar laws. We urge
law enforcement to vigorously investigate and prosecute the
criminals.''
Associated Credit Bureaus, Inc. is an international trade
association representing 500 consumer information companies
that provide fraud prevention and risk management products,
credit and mortgage reports, tenant and employment screening
services, check fraud and verification services, and collection
services.
Source: Associated Credit Bureaus, Inc. Web site: www.acb-
credit.com
Mr. Hayworth. Mr. Mierzwinski?
STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR,
UNITED STATES PUBLIC INTEREST RESEARCH GROUP
Mr. Mierzwinski. Thank you.
Mr. Chairman, members of the committee, I am Ed
Mierzwinski. I am consumer program director with the Public
Interest Research Groups. The State PIRGs are consumer and
environmental and good government reform groups active around
the country. US PIRG serves as their national lobbying office.
I am pleased to be here today to talk about the critical
issues of misuse of the Social Security number and how that
contributes to identity theft. Just last week, the California
Public Interest Research Group and another organization, the
Privacy Rights Clearinghouse, two of the leading organizations
that work with identity theft victims, such as Colonel and Mary
Elizabeth Stevens, the witnesses from Tuesday's hearing, our
organizations released a new report based on a survey of
identity theft victims and the problems they go through.
We found that the average victim has a basic number of
losses. I think the Stevens were up over $100,000. The average
victim is around $18,000 or so and spends 175 hours trying to
solve their problem, so we think identity theft is a very
serious problem that the committee and the Congress need to
continue to work with, and the report, ``Nowhere to Turn,''
documents a strong platform for identity theft solutions.
One of the most important parts of that platform is to
close something that we called a ``credit header loophole.''
Both Congressman Kleczka's bill and a similar piece of
legislation by Representative Hooley of Oregon would close that
loophole.
Who wants access to your credit header, which is a product
sold by the credit bureaus outside of the protection of the
Fair Credit Reporting Act?
First, identity thieves want your credit header, and it is
easy for them to get it. Just this week, I appeared on a Fox TV
News broadcast where I assisted the reporter, who actually
found it was quite easy to do himself, in obtaining the Social
Security number of his boss, with his boss' permission. He was
then able to apply for credit in his boss' name. And, by the
way, he has received credit from at least one bank.
One person spent about $49 to use a locator service on the
Internet. He obtained a Social Security number of someone that
he knew, and he was then able to get credit in their name. That
is how easy it is. That is how scary it is.
The other kind of person who wants to get access to you
through these locator services, through these credit headers--
that include, by the way, your Social Security number and other
sensitive information--are stalkers. And it has been widely
reported recently about the tragic death of Amy Boyer in New
Hampshire. Her stalker, a jilted grammar school acquaintance,
tracked her down through a locator service on the Internet.
We believe that in 1993, when the Federal Trade Commission
said that credit headers which contain your name, address,
Social Security number, telephone number, and other pieces of
information that are not actually associated with your credit
lines, are not part of the credit report, and therefore exempt
from the protection of the act, that the Federal Trade
Commission made a serious mistake. That is one of the easiest
ways for identity thieves to obtain information on the Internet
about your Social Security number is to use a pretext to obtain
your credit header.
So we would urge the committee to take a hard look at Mr.
Kleczka's bill, which includes, by the way, several other
important provisions to prevent the misuse of Social Security
numbers, but I think the most important one is to clear up the
problem caused when the Federal Trade Commission said that your
Social Security number, your name, and your address are not
part of your credit report; therefore, the credit bureaus can
sell them.
Now, they sell them to these companies. Many of the
companies are part of this Industry Self-Regulatory Association
called the IRSG, as Mr. Pratt described. In our view, the IRSG
principles do not meet what we call ``fair information
practices'' designed to protect the uses of information. Even
the Federal Trade Commission, when it agreed to the IRSG
experiment, said the IRSG needed to go further than it has.
The IRSG has not made public its assessments or audits of
its members' uses of information, and I believe that was one of
the principles that they promised the Federal Trade Commission
back when they were founded, so I would encourage the committee
to look into the IRSG.
What other actions would protect Social Security numbers
from misuse? I think there are a number, and I will associate
myself with the remarks of Mr. Rotenberg, who will go into some
other details on how to protect the Social Security number.
In conclusion, I would like to thank the committee for the
opportunity to talk about this very important problem of the
misuse of Social Security numbers and again urge you to take
action to protect identity thieves. It is one of the fastest-
growing crimes out there. There are 500,000 to 700,000
complaints a year. Probably the most significant step we could
take is to limit access to Social Security numbers
indiscriminately.
Thank you.
Mr. Hayworth. Thank you.
[The prepared statement follows:]
Statement of Edmund Mierzwinski, Consumer Program Director, U.S. Public
Interest Research Group
May 11, 2000 Chairman Shaw and members of the committee: We
are pleased to present the views of the U.S. Public Interest
Research Group on the misuses of Social Security numbers. As
you know, U.S. PIRG serves as the national lobbying office for
state Public Interest Research Groups, which are non-profit and
non-partisan consumer and environmental advocacy groups active
around the country.
Summary
U.S. PIRG believes that the widespread availability of the
social security number contributes to identity theft, which is
well-documented as one of the nation's fastest growing white-
collar crimes. The 1999 Shelby amendment to the Drivers Privacy
Protection Act is an excellent start toward protecting Social
Security Numbers, but more needs to be done.\1\ We recommend
that the Congress also enact one of several bills that would
close the so-called ``credit header'' loophole in the Fair
Credit Reporting Act. The credit header loophole has led to the
proliferation of information broker websites on the Internet
that make it easy for identity thieves to obtain Social
Security Numbers and other bits and pieces of a consumer's
identity that are used to build a fraudulent identity in the
victim's name.
---------------------------------------------------------------------------
\1\ The Shelby amendment expanding consumer privacy rights in
information held by state motor vehicle departments is scheduled to be
implemented on 1 June 2000 and would subject social security numbers,
photographs and health and medical information held by motor vehicle
departments to more stringent consumer protection.
---------------------------------------------------------------------------
(1) What Does It Mean To Be An Identity Theft Victim?
Earlier this week the committee heard passionate pleas for
help from Colonel and Mary Elizabeth Stevens, just two of many
victims of identity theft. They are not alone. Current
statistics show that credit bureaus and federal agencies are
receiving as many as 50009700,000 identity theft complaints
annually.
Last week, California PIRG and the Privacy Rights
Clearinghouse released a report \2\ summarizing the results of
a survey of victims. We found that identity theft victims had
labored 2094 years or more to rid themselves of an average of
$18,000 in fraudulent accounts. However, worse than cleaning up
the financial mess is the enormous time commitment victims
spend cleaning up their lives:
---------------------------------------------------------------------------
\2\ ``Nowhere To Turn,'' Benner, Givens and Mierzwinski, CALPIRG
and Privacy Rights Clearinghouse, 1 May 2000. See <http://
www.pirg.org/calpirg/consumer/privacy/idtheft2000/>. We have
released two previous reports on identity theft ``Theft of Identity:
The Consumer X-Files,'' CALPIRG and US PIRG, 1996 and ``Theft of
Identity II: Return to the Consumer X-Files,'' CALPIRG and US PIRG,
1997, as well as four reports on errors by credit reporting agencies
since 1991, most recently ``Mistakes Do Happen,'' 1998.
---------------------------------------------------------------------------
Respondents spent an average of 175 hours actively trying
to resolve problems caused by the theft of their identity. The
victims reported missing several days or weeks of work to put
their lives back together, and two people even reported losing
their jobs due to the time devoted to identity theft
resolution. A victim from California felt that resolving her
problem was ``nearly a full-time job.'' Robin, a victim from
Los Angeles, explains, ``One bill--just ONE BILL--can take 6098
hours to clear up after calling the 800 numbers, waiting on
hold, and dealing with ignorant customer representatives.'' She
concludes, ``The current system is not created for actual
assistance, it is created to perpetuate the illusion of
assistance.'' \3\
---------------------------------------------------------------------------
\3\ See ``Nowhere To Turn,''
---------------------------------------------------------------------------
(2) Who Wants Your Social Security Number?
Identity Thieves: Earlier this week, I appeared on Fox TV
News in a story on identity theft. The piece was designed to
demonstrate how easy it is easy to use a pretext to obtain
Social Security Numbers from on-line information broker
websites, despite supposed limitations on disclosure to
unauthorized persons claimed by the sites. With the permission
of his editor, the TV reporter logged onto the Internet and,
for a fee, was able to obtain his editor's social security
number. He then applied for, and obtained, at least one credit
card in the editor's name. To its credit, at least one bank
suspected fraud and denied the card. He is waiting to hear from
other banks. While identity thieves can also obtain social
security numbers from other sources, such as drivers' licenses
in some states, student IDs, and medical records, why go to the
trouble when you can log onto the Internet? As the Christian
Science Monitor and Nando News explained this week:
So you think your private information is relatively safe?
Think again. For a mere $49, someone can hop on the Internet,
give a company your name, wait a few days, and bingo: up pops
your Social Security number. Want someone's bank account
balance? That costs $45. An unpublished telephone number?
$59.\4\
---------------------------------------------------------------------------
\4\ ``Suit alleges online privacy breach had deadly consequences''
By KRIS AXTMAN, The Christian Science Monitor (May 9, 2000 1:34 a.m.
EDT http://www.nandotimes.com)
---------------------------------------------------------------------------
Stalkers: The reporter in that story wasn't writing about the
``white-collar'' crime of identity theft, however. Actually,
the story was about the brutal stalker murder of Amy Boyer in
New Hampshire. As the story explains:
Her killer, a man obsessed with her since 10th grade, left
evidence that he tracked her down through the online personal-
data service Docusearch.com.
On his own Web site, Liam Youens detailed his plans for
killing Boyer, including how he found her: ``I found an
internet site to do that, and to my surprize everything else
under the Sun. Most importantly: her current employment. It's
accually obsene what you can find out about a person on the
internet.'' After shooting Boyer, Youens turned the gun on
himself.
Stunned that such information could be purchased by anyone,
Boyer's parents, Tim and Helen Remsburg, recently filed a suit
against Docusearch.com. They also testified before a Senate
subcommittee about the killing.\5\
---------------------------------------------------------------------------
\5\ ibid.
(3) What Is The Credit Header Loophole That Allows Easy
---------------------------------------------------------------------------
Availability Of Social Security Numbers?
As part of a 1994 consent decree with TRW (now Experian)
that properly prohibited target marketing\6\ from credit
reports, the Federal Trade Commission (FTC) made a serious
mistake. It defined certain sensitive personal information
contained in consumer credit reports as exempt from the
definition of credit report and therefore exempt from
regulation under the Fair Credit Reporting Act. Under this
loophole, the credit bureaus now traffic widely in ``credit
headers,'' which include the demographic information found in a
credit report that is not associated with a specific credit
trade line or public record.
---------------------------------------------------------------------------
\6\ At the time, Equifax voluntarily agreed to stop target
marketing from credit reports. Trans Union, on the other hand, refused,
and has since led the FTC through eight years of litigation, while it
continues to use credit reports to generate target marketing lists in
defiance of the FTC. Most recently, on 1 March 2000, the FTC again
ordered Trans Union to stop, although it then (30 March 2000) agreed to
stay the ruling while Trans Union appeals yet again. The Act should also be
clarified to ban target marketing explicitly to end Trans Union's
lawsuit.
---------------------------------------------------------------------------
Credit headers may include names, addresses, dates of
birth, previous addresses, telephone numbers (including
unlisted numbers) and Social Security numbers. Credit header
databases are re-sold by the Big Three credit bureaus in bulk
and used for a variety of people-finder and related products.
Many information brokers operate websites that sell credit
headers, along with other public record information.
In 1997, the credit bureaus and several of the firms that
traffic in the credit headers that the credit bureaus sell
formed a so-called ``self-regulatory'' association known as the
Individual References Services Group. The organization says its
``principles impose significant restrictions on the access and
distribution of non-public information, such as non-financial
identifying information in a credit report. For example, Social
Security numbers obtained from non-public sources may not be
displayed to the general public on the Internet by IRSG
companies.\7\
---------------------------------------------------------------------------
\7\ See http://www.irsg.org
---------------------------------------------------------------------------
Despite this assertion, U.S. PIRG, the Privacy Rights
Clearinghouse, other advocates, reporters, and identity thieves
and stalkers have found that SSNs can still be purchased from
websites. We strongly support closing the credit header
loophole because, even if the IRSG's voluntary rules were
effective in halting the sale of SSNs to the general public, it
is easy to use a ``pretext'' to obtain SSNs from one of the
many sites on the Internet that purports to only sell it to
qualified requestors.
We also support Congressional review of the adequacy of the
IRSG's self-regulatory system. While the FTC encouraged the
formation of the IRSG in 1997, it said at the time that the
IRSG Principles did not meet all Fair Information Practices
(see below for discussion of the need for these Practices). The
FTC also said that the IRSG must make public a ``Summary'' of
the results of ``third-party assessments,'' or audits, of its
members. To our knowledge, while the IRSG provided the FTC in
1999 with what we believe to be a highly unsatisfactory letter
\8\ stating that the assessments were completed, no summaries
have ever been made public.
---------------------------------------------------------------------------
\8\ See Letter from IRSG's Ron Plesser to FTC, 28 April 1999,
<http://www.irsg.org/html/letter--to--the--ftc.htm>
---------------------------------------------------------------------------
(4) How Should We Close The Credit Header Loophole?
Several federal proposals would close the credit header
loophole. Among the proposals that we support are the
following, although there may be others. U.S. Senators Dianne
Feinstein (D09CA), Charles Grassley (R09IA) and Jon Kyl (R09AZ)
have proposed'S 2328. Similar companion legislation, HR 4311,
has been proposed by Rep. Darlene Hooley (D09OR). Rep. Jerry
Kleczka (D09WI) has a broader proposal, HR 1450, to close the
credit header loophole and further restrict the use of Social
Security numbers in other ways.
Most of the bills re-define the header exception from the
FCRA so that sensitive information including Social Security
Numbers is protected by the Act rather than exempt from it. For
example, HR 1450 would re-define all information held in credit
files to be protected by the act ``except the name, address,
and telephone number of the consumer if listed in a residential
telephone directory available in the locality of the
consumer.''
(5) What Are Fair Information Practices?
In our view, the credit header loophole is a gross
violation of Fair Information Practices. Collecting information
for one purpose and using it for another without the individual
data subject's consent violates the Fair Information Practices
originally proposed in 1973 and incorporated in the Privacy Act
of 1974. As originally outlined by a Health, Education and
Welfare (HEW) task force in 1973, then codified in U.S.
statutory law in the 1974 Privacy Act and articulated
internationally in the 1980 Organization of Economic
Cooperation and Development (OECD) Guidelines, information use
should be subject to Fair Information Practices that provide
for the following consumer rights: notice, consent, access,
correction, liability for violations.\9\
---------------------------------------------------------------------------
\9\ Noted privacy expert Beth Givens of the Privacy Rights
Clearinghouse has compiled an excellent review of the development of
FIPs, ``A Review of the Fair Information Principles: The Foundation of
Privacy Public Policy.'' October 1997. The document cites the version of FIPs in the
original HEW guidelines, as well as other versions: Fair Information
Practices U.S. Dept. of Health, Education and Welfare, 1973 [From The
Law of Privacy in a Nutshell by Robert Ellis Smith, Privacy Journal,
1993, pp. 500951.]
1.Collection limitation. There must be no personal data record
keeping systems whose very existence is secret.
2.Disclosure. There must be a way for an individual to find out
what information about him is in a record and how it is used.
3.Secondary usage. There must be a way for an individual to prevent
information about him that was obtained for one purpose from being used
or made available for other purposes without his consent.
4.Record correction. There must be a way for an individual to
correct or amend a record of identifiable information about him.
5.Security. Any organization creating, maintaining, using, or
disseminating records of identifiable personal data must assure the
reliability of the data for their intended use and must take
precautions to prevent misuse of the data.
(6) What Other Actions Would Protect Social Security Numbers
---------------------------------------------------------------------------
From Misuse?
Using the Social Security Number as a medical ID or college
student ID or motor vehicle ID leads to identity theft or other
problems. In our strong view, in addition to closing the credit
header loophole, the other most important thing Congress should
do to protect Social Security Numbers is not to repeal or
weaken the 199 Shelby amendment to the Driver's Privacy
Protection Act. Last year, Congress enacted the Shelby
amendment expanding consumer privacy rights in information held
by state motor vehicle departments. It takes effect on 1 June
2000, as enacted by Congress. Direct marketers are currently
campaigning to delay or weaken this amendment, which
substantially strengthens protection of Social Security
Numbers, driver's license photographs and health and medical
information held by motor vehicle departments. Their efforts
should be rejected.
(7) Additional Recommendations To Protect Privacy
While the U.S. has a strong history of privacy protection,
our statutory privacy protections are a patchwork--what
industry prefers to call a ``sector-by-sector'' approach. Yet,
whatever the merits, if there ever were any, of the industry-
prescribed sector-by-sector approach, it is rapidly obsolescing
as industry sectors converge. The names of the videos you rent
are better protected than your not-so-confidential bank account
balances, credit card records and medical history. U.S. PIRG
strongly supports enactment of over-arching privacy legislation
that requires all businesses to protect consumer and customer
information under laws based on Fair Information Practices and
gives consumers enforceable rights if their personal
information is misused. The first step should be enactment of
the Shelby (S. 1903)-Markey (HR 3320) proposals to protect
financial privacy by requiring opt-in consent. U.S. PIRG's new
identity theft report, Nowhere To Turn, makes additional
recommendations to improve both the accuracy and privacy of
credit reports.\10\
---------------------------------------------------------------------------
\10\ See ``Nowhere to Turn.''
---------------------------------------------------------------------------
Conclusion
We want to thank you, Mr. Chairman, for the opportunity to
present our views on the need for strong privacy protections to
protect Social Security Numbers from misuse. We look forward to
working with you on this and other matters to guarantee the
privacy of American citizens. Restricting the widespread
availability of Social Security Numbers is one of the most
important solutions to the identity theft epidemic.
Mr. Hayworth. Ms. Moore?
STATEMENT OF KATHERINE BURKE MOORE, INTERNATIONAL CHAIR, BOARD
OF DIRECTORS, AMERICAN ASSOCIATION OF MOTOR VEHICLE
ADMINISTRATORS
Ms. Moore. Good afternoon, Mr. Chairman and members of the
subcommittee. My name is Katherine Burke Moore. I serve as the
chair of the American Association of Motor Vehicle
Administrators, and as the deputy director in the Department of
Public Safety for the State of Minnesota.
AAMVA is a voluntary association representing the motor
vehicle administrators and chief law enforcement officials in
North America. Our members administer the laws that govern
motor vehicle operations, the driver credentialling process,
and highway safety enforcement.
I appreciate the opportunity to brief the subcommittee on
the use of the SSN by our members. The use of the SSN for
drivers license issuance and motor vehicle registration was
authorized in 1976 in section 405 of title 42, U.S. Code. This
authorization was specifically for the purpose of establishing
the identification of individuals. Congress has consistently
used this authority to mandate State DMVs to carry out a whole
host of Federal objectives.
As you may know, H.R. 220, introduced early in the 106th
Congress, seeks to repeal this authority. Passage of H.R. 220,
as currently written, would severely impact the motor vehicle
and law enforcement communities' ability to combat fraud and
ensure public safety.
The other Federal mandates that DMVs currently work under
would be in direct conflict with H.R. 220. Some of those
mandates include: the Welfare Reform Act, the Illegal
Immigration Reform Act, and the Commercial Motor Vehicle Safety
Act of 1986, or CMVSA. Details of these mandates are included
in our written testimony.
When the SSN is obtained in conjunction with name, date of
birth, and gender, DMVs can positively identify a person on an
agency's driving record. This helps to minimize the possibility
that erroneous information, such as accident or convictions,
would be placed on the wrong person's driving record, or that a
license will be issued to someone who is not qualified to
obtain one.
Today, DMVs maintain the driver history of more than 200
million vehicle operators in the U.S., alone. AAMVA believes
that the use of the SSN as a unique identifier is necessary to
maintain accurate records and to prevent harm to individuals
and businesses as a result of misuse of official credentials.
These credentials include not only documents such as
driver's licenses that are widely used by everyone for personal
identification, but documents that evidence ownership in other
property interests in motor vehicles such as registration and
titles.
The SSN also is used as a common identifier to facilitate
electronic data exchange among DMVs and other authorized users.
Without an effective way to ensure data is correctly applied to
the right driving record, useful data exchange will be
compromised.
The tendency today, particularly with driving record
information, is to institute an even greater exchange of driver
history data to enhance public safety.
The recently-passed Motor Carrier Safety Improvement Act of
1999 mandates that the courts share commercial driver
convictions with DMV, regardless of whether the violation
occurred in a commercial vehicle or passenger vehicle. The
CMVSA mandated the creation of the commercial driver's license
information system, or CDLIS, to provide the electronic means
to share commercial driver histories among States and other
authorized users.
The CMVSA also mandates that the SSN be used as a unique
identifier for commercial driving records in CDLIS. All 51 U.S.
jurisdictions operate CDLIS. All collect the SSN for commercial
drivers, as the Federal law requires.
AAMVA has long supported the one driver/one license
concept. We encourage Congress to support the establishment of
the driver record information verification system. This system
will enable DMVs to verify that a driver does not have more
than one license.
Until we are able to query such a system prior to initial
issuance and renewal of a license, the deceptive practice of
obtaining multiple licenses to unlawfully distribute citations
and violations will continue. Without a standardized, unique
identifier, the ability to electronically transfer driver
record information will fail.
To assist States in the ID verification process, AAMVA's
subsidiary, AAMVAnet, provides an electronic data exchange
application through the Social Security Online Verification
system SSOLV. This online support allows a DMV to instantly
verify an individual's SSN during the driver's license issuance
or renewal process.
In recent years, the public's concern about privacy of
personal information on their driving record has caused many
jurisdictions to change their policies about displaying the SSN
on the license. Today, 49 States either do not display the SSN
or give the public the option of using a State-issued
identifier; however, the SSN remains an important identifier
for record-holder verification.
The Driver Privacy Protection Act also forbids and
prohibits the sale and disclosure of the SSN that is collected
by the DMVs.
In closing, I want to reiterate the importance of using the
SSN for driver's licensing. The public safety benefits of SSN
use are numerous and far outweigh any potential disadvantages.
We urge the Congress to consider these public safety uses and
not restrict the motor vehicle and law enforcement community
from utilizing the SSN as a unique identifier for the millions
of driver records we administer.
I appreciate the opportunity to testify and will answer
questions at the appropriate time.
Mr. Hayworth. Thank you, Ms. Moore.
[The prepared statement follows:]
Statement of Katherine Burke Moore, International Chair, Board of
Directors, American Association of Motor Vehicle Administrators
Good morning Mr. Chairman and esteemed members of the
Subcommittee. My name is Katherine Burke Moore. I serve as
Chair of the International Board of Directors of the American
Association of Motor Vehicle Administrators, and as Deputy
Director of the Office of Traffic Safety, under the Department
of Public Safety for the State of Minnesota.
The American Association of Motor Vehicle Administrators
(AAMVA) is a voluntary association representing the motor
vehicle administrators and chief law enforcement officials in
North America. Our members administer the laws that govern
motor vehicle operation, the driver credentialing process and
highway safety enforcement. We appreciate the opportunity to
brief the Subcommittee on use of the Social Security Number by
our members.
The use of the social security account number (SSN) for
driver's license issuance or motor vehicle registration was
authorized in 1976, in Section 405(c)(2)(C)(i) of title 42,
United States Code. This authorization was specifically for the
purpose of establishing the identification of individuals.
Congress has consistently used this authority to mandate state
motor vehicle agencies carry out a whole host of federal
objectives. At the same time, some members of Congress have
introduced legislation to prohibit this authority. These
conflicting congressional objectives have wreaked havoc at the
state level.
As you may know, H.R. 220, which was introduced early in
the 106th Congress and seeks to repeal motor vehicle agencies'
authority to use the SSN is one of the best examples of this
congressional conflict.
Passage of H.R. 220 would severely impact the motor vehicle
and law enforcement community's ability to combat fraud and to
ensure public safety. The other federal mandates that DMVs
currently work under would be in direct conflict with H.R. 220.
Of particular note, Public Law 10409193, the Personal
Responsibility and Work Opportunity Reconciliation Act of 1996
requires state motor vehicle agencies to collect the SSN for
all drivers to help facilitate the collection of child support
payments. This requirement takes effect on October 1, 2000 and
mandates states to share this data with their state Office of
Child Support Enforcement.
States were also required to collect the SSN under Section
656(b) of Public Law 10409208, the Illegal Immigration Reform
and Immigrant Responsibility Act of 1996. AAMVA supported that
provision because it would have gone a long way in helping to
enhance the security of the credentials our members issue. The
Act required the collection of the SSN but did not require
states to display the SSN on the license.
The public safety and identity protection benefits were
ignored as DMVs were accused of creating a national
identification card. The reality is that because of the
increased fraudulent use of current security features on
falsified documents, states thought it important to upgrade the
minimum security standards of these documents.
Support for Section 656(b) disappeared because of privacy
concerns surrounding the use of the SSN, but the AAMVA
membership has continued the effort to enhance the security of
driver license credentials. It is unfortunate that the benefits
of Section 656(b) were lost because of the SSN component.
When obtained in conjunction with the name, date of birth
and gender, the SSN enables DMVs to positively identify a
person on the agency's driving record files. This helps to
minimize the possibility that erroneous information such as
accidents or convictions will be placed on the wrong person's
driving record.
Today, motor vehicle agencies maintain the driver history
records of more than 200 million vehicle operators in the
United States alone. AAMVA believes that the use of the SSN as
a unique identifier is necessary to maintain accurate records
and to prevent harm to individuals and businesses as a result
of misuse of official credentials. These credentials include
not only documents such as the driver's license that are widely
used and accepted for personal identification, but documents
that evidence ownership and other property interests in motor
vehicles such as registrations and titles.
The SSN also is used as a common identifier to facilitate
electronic data exchange among motor vehicle agencies and other
authorized users. Omitting the social security number as an
identifier could result in inaccuracies in driver information
retained and exchanged among states. Without an effective way
to ensure data is correctly applied to the right driver record,
useful data exchange will be compromised. The tendency today,
particularly with driver record information, is to institute an
even greater exchange of driver history data.
Case in point, the recently passed Motor Carrier Safety
Improvement Act of 1999 mandates that the courts begin sharing
commercial operator conviction data with state motor vehicle
agencies--regardless of whether the violation occurred in a
commercial motor vehicle or a passenger vehicle.
The Commercial Motor Vehicle Safety Act of 1986 (CMVSA)
mandated the creation of the Commercial Drivers License
Information System (CDLIS). CDLIS provides the electronic means
to share commercial driver histories among the states and other
authorized users. The CMVSA also mandates that the SSN be used
as the unique identifier for commercial drivers' records on the
system. All 51 U.S. jurisdictions operate CDLIS. All collect
the SSN for commercial drivers as the federal law requires.
AAMVA has long supported the ``one driver--one license''
concept. We encourage Congress to support the establishment of
the Driver Record Information Verification System (DRIVerS)
that will enable motor vehicle agencies to ensure that a driver
does not have more than one driver license and to accurately
post conviction data to the record associated with that
license. Until we are able to query such a system prior to the
initial issuance of a driving credential or upon renewal, the
deceptive practice of obtaining multiple licenses to unlawfully
distribute traffic citations and violations among them will
continue.
Congress provided funding in TEA0921 to undertake an
assessment of available electronic technologies to improve
access to and exchange of motor vehicle driving records. One of
the elements of the assessment is the review of alternative
unique motor vehicle driver identifiers that would facilitate
accurate matching of drivers and their records. Some unique
identifier is necessary for the states to carry out their
safety mission. The SSN has proved itself to be an effective
tool in uniquely identifying drivers that pose a safety risk.
Without a standardized unique identifier, the ability to
electronically transfer driver record information will fail.
To assist states in the identification verification process
for a driver license credential, AAMVA, through its subsidiary
organization AAMVAnet, provides an electronic data exchange
application through the Social Security Online Verification
system (SSOLV). This system allows DMVs to send an individual's
name, date of birth and SSN to the Social Security
Administration (SSA) and the SSA, in turn, verifies that
information against its Master File and reports back to the
requesting DMV whether or not the DMV information did or did
not match.
This on-line support allows a jurisdiction to
instantaneously verify an individual's SSN during the driver
license issuance or renewal process while the driver is still
at the counter. Currently eight jurisdictions are in production
at this time through a Memorandum of Understanding with the
SSA.
In recent years, the public's concern about privacy of the
personal information stored in their driver's license records
has caused many motor vehicle agencies to change their policies
about displaying the SSN on the driver's license. Today, 49
states either do not display the SSN or give the public the
option of using a state issued alpha-numeric identifier.
However, the SSN remains an important identifier for electronic
driver record exchange and record-holder verification.
The Driver Privacy Protection Act also forbids and
prohibits the sale and disclosure of the SSN that is collected
by the DMVs.
In closing, I want to reiterate the importance of using the
SSN for issuance of driver license credentials and other
property documents. The public safety benefits of SSN use are
numerous and far outweigh any potential disadvantages.
We urge the Congress to consider these invaluable uses and
not restrict the motor vehicle and law enforcement community
from utilizing the SSN as the unique identifier for the
millions of driver records we administer.
I appreciate the opportunity to testify and will respond to
questions at the appropriate time.
Mr. Hayworth. Mr. Rotenberg?
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER, AND ADJUNCT PROFESSOR, GEORGETOWN
UNIVERSITY LAW CENTER
Mr. Rotenberg. Mr. Chairman, Mr. Tanner, members of the
committee, thank you very much for the opportunity to testify
this afternoon. I am the director of the Electronic Privacy
Information Center. I am also an adjunct professor at
Georgetown. I have taught privacy law for 10 years and was
involved in two of the leading privacy cases involving the use
of the Social Security number.
I want to thank you for holding the hearings this week. I
think this is an issue, obviously, of great concern to many
Americans.
I am here mostly to tell you that I think efforts to
establish privacy safeguards for the collection and use of the
Social Security number are completely consistent with the
tradition of U.S. law, both in Congress and also in the courts.
As you know, in 1936, when the nine-digit number was
created, it was solely for the purpose of administering Social
Security benefits. Now, that purpose was expanded in 1961, when
the SSN became a taxpayer identification number. But when the
Government looked closely at the issue of Social Security
number use in the early 1970s and issued this very important
report called, ``Records, Computers, and the Rights of
Citizens''--this was from the Department of Health, Education,
and Welfare--many of the concerns that you are hearing today
were described and addressed in that report more than 25 years
ago--the risk of profiling, of identity theft, the dangers of
building these big computer databases tied to the Social
Security number.
That report specifically recommended a prohibition on the
use of the Social Security number for promotional or commercial
purposes.
Now, Congress, the following year, did not go quite so far
as to prohibit the use of the SSN for these other purposes, but
it did establish a very important privacy provision in the 1974
Privacy Act, and it said that any Federal or State agency that
was collecting this number had to make clear whether that
collection was mandatory or voluntary, how the SSN would be
used, and what the statutory authority was for the collection
of the Social Security number.
Congress also said that no person should be denied the
right or privilege for their decision not to provide a Social
Security number, and I think it was clearly the intent to do
everything short of prohibition to limit the use of the SSN as
much as possible.
Now, it is certainly the case that, since 1974, there has
been an expanded use of the Social Security number, both in the
public sector and in the private sector, and some of those
benefits have been described for you today. But I would also
like to describe for you the views of at least two of the
courts that have looked recently at the Social Security number
and concluded, as Congress did back in 1974, that this is a
very important privacy matter.
For example, Mark Allen Greidinger, who went to register to
vote in the State of Virginia back in 1992, refused to provide
his Social Security number when he learned that that number
would be published in the State voting rolls. Even though the
district court said that the State had the right to collect the
SSN and use it in this fashion, the Federal appeals court
eventually concluded that it was an unreasonable burden on the
right to vote to collect the Social Security number for that
purpose, and Mr. Greidinger was free to vote in the State of
Virginia. The State was required to change its practices
because of the important privacy issues associated with the
SSN.
The Ohio supreme court, even more recently, said that, even
where you have an open record statute, you cannot compel the
disclosure of the SSNs of State employees. The benefit is too
small and the risk to privacy would be too great.
So I believe there is plenty of support, both on the
legislative side and the judicial side, to support the
proposals that were put before the committee today.
I would also like to suggest to you that, while legislation
limiting the use of the Social Security number will not solve
all of the identification problems we face today, I think it
would certainly put us on the right track going forward,
particularly with this new technology and with the Internet,
because, as you may be aware, people using the Internet today,
both the technical experts and the consumers, are very much
concerned about the protection of their privacy. And when
Intel, the world's largest manufacturer of computer chips,
proposed to put a unique processor serial number in their new
chips--this number would be just like a Social Security number,
but literally burned into the microchip--there was such a
protest that Intel had to back off that plan and announced just
recently that their new chips would not contain these Social-
Security-number-like numbers for computers.
So this is a good development, but, at the same time, we
are going to face new challenges, new forms of identification,
and new threats to privacy. And so for that reason I think it
is very important that Congress take this opportunity, when
there is this public support in place, this clear legislative
tradition and this clear judicial tradition, to support those
important safeguards that protect the privacy interests of
American citizens.
I thank you again for the chance to testify and would be
pleased to answer your questions.
Mr. Hayworth. Thank you.
[The prepared statement follows:]
Statement of Marc Rotenberg, Executive Director, Electronic Privacy
Information Center, and Adjunct Professor, Georgetown University Law
Center
My name is Marc Rotenberg and I am the executive director
of the Electronic Privacy Information, a public interest
research organization based here in Washington. I am also on
the faculty of the Georgetown University Law Center where I
have taught the Law of Information Privacy for ten years. I
wrote briefs in two of the leading cases involving the privacy
of the Social Security Number, I helped organize the campaign
against the Intel unique Processor Serial Number, and I have
worked with many technical experts to encourage the development
of identification systems that avoid the flaws of the Social
Security Numbers and other types of Universal Identifiers.
I appreciate the opportunity to testify this morning. I
will briefly review the legal status of efforts to regulate the
use of the SSN, discuss some of the recent problems with
universal unique identifiers, such as the SSN, and make a few
brief recommendations. I believe that legislation to limit the
collection and use of the SSN is appropriate, necessary, and
fully consistent with US law. I also believe that if Congress
fails to act, the problems that consumers will face in the next
few years are likely to increase significantly.
History of the SSN and the Efforts to Regulate
The Social Security Number (SSN) was created in 1936 as a
nine-digit account number assigned by the Secretary of Health
and Human Services for the purpose of administering the Social
Security laws. SSNs were first intended for use exclusively by
the federal government as a means of tracking earnings to
determine the amount of Social Security taxes to credit to each
worker's account. Over time, however, SSNs were permitted to be
used for purposes unrelated to the administration of the Social
Security system. For example, in 1961 Congress authorized the
Internal Revenue Service to use SSNs as taxpayer identification
numbers.\1\
---------------------------------------------------------------------------
\1\ Pub. L. No. 8709397, 75 Stat. 828 (codified as amended at 26
U.S.C. Sec. Sec. 6113, 6676) cited in Greidinger at 270928.
---------------------------------------------------------------------------
A major government report on privacy in 1973 outlined many
of the concerns with the use and misuse of the Social Security
Number that show a striking resemblance to the problems that
witnesses have outlined this week. Although the term ``identify
theft'' was not yet in use, Records Computers and the Rights of
Citizens described the risks of a ``Standard Universal
Identifier,'' how the number was promoting invasive profiling,
and that many of the uses were clearly inconsistent with the
original purpose of the 1936 Act. The report recommended
several limitations on the use of the SSN and specifically said
that legislation should be adopted ``prohibiting use of an SSN,
or any number represented as an SSN for promotional or
commercial purposes.\2\
---------------------------------------------------------------------------
\2\ Records, Computers and the Rights of Citizens at 135.
---------------------------------------------------------------------------
In response to growing concerns over the accumulation of
massive amounts of personal information and the recommendations
contained in the 1973 report, Congress passed the Privacy Act
of 1974. Among other things, this Act makes it unlawful for a
governmental agency to deny a right, benefit, or privilege
merely because the individual refuses to disclose his SSN. This
is a critical principle to keep in mind today because consumers
in the commercial sphere often face the choice of giving up
their privacy, their SSN, to obtain a service or product. The
drafters of the 1974 law tried to prevent citizens from facing
such unfair choices, particularly in the context of government
services. But there is no reason that this principle could not
apply equally to the private sector, and that was clearly the
intent of the authors of the 1973 report.
In addition, Section 7 of the Privacy Act further provides
that any agency requesting an individual to disclose his SSN
must ``inform that individual whether that disclosure is
mandatory or voluntary, by what statutory authority such number
is solicited, and what uses will be made of it.\3\ At the time
of its enactment, Congress recognized the dangers of widespread
use of SSNs as universal identifiers. In its report supporting
the adoption of this provision, the Senate Committee stated
that the widespread use of SSNs as universal identifiers in the
public and private sectors is ``one of the most serious
manifestations of privacy concerns in the Nation.'' \4\ Short
of prohibiting the use of the SSN outright, the provision in
the Privacy Act attempts to limit the use of the number to only
those purposes where there is clear legal authority to collect
the SSN. It was hoped that citizens, fully informed where the
disclosure was not required by law and facing no loss of
opportunity in failing to provide the SSN, would be unlikely to
provide an SSN and institutions would not pursue the SSN as a
form of identification.
---------------------------------------------------------------------------
\3\ (a)(1) It shall be unlawful for any Federal, State, or local
government agency to deny any individual any right, benefit or
privilege provided by law because of such individual's refusal to
disclose his social security account number. (2) the provisions of
paragraph (1) of this subsection shall not apply with respect to -(A)
any disclosure which is required by Federal statute, or (B) the
disclosure of a social security number to any Federal, State, or local
agency maintaining a system of records in existence and operating
before January 1, 1975, if such disclosure was required under statute
or regulation adopted prior to such date to verify the identity of an
individual. (b) Any Federal, State, or local government agency which
requests an individual to disclose his social security account number
shall inform that individual whether that disclosure is mandatory or
voluntary, by what statutory or other authority such number is
solicited, and what uses will be made of it.
See Pub. L. No. 9309579, 7. This provision of the Privacy Act was
never codified, but is instead set out as a historical note to 5
U.S.C.A 552a (West 1996).
\4\ S.Rep. No. 1183, 93d Cong., 2d Sess., reprinted in 1974 U.S.
Code Cong. & Admin. News 6916, 6943, cited in Greidinger at 29.
---------------------------------------------------------------------------
It is certainly true that the use of the SSN has expanded
significantly since the provision was adopted in 1974. This is
particularly clear in the financial services sector. In an
effort to learn and share financial information about
Americans, companies trading in financial information are the
largest private-sector users of SSNs, and it is these companies
that are among the strongest opponents of SSN restrictions. For
example, credit bureaus maintain over 400 million files, with
information on almost ninety percent of the American adult
population. These credit bureau records are keyed to the
individual SSN. Such information is freely sold and traded,
virtually without legal limitations.\5\
---------------------------------------------------------------------------
\5\ Komuves at 557.
---------------------------------------------------------------------------
But it is also critical to understand that the legal
protection to limit the collection and use of the SSN is still
present in the Privacy Act and can be found also in recent
court decisions which recognize that there is a constitutional
basis to limit the collection and use of the Social Security
Number. When a Federal Appeals court was asked to consider
whether the state of Virginia could compel a voter to disclose
an SSN that would subsequently be published in the public
voting rolls, the Court noted the growing concern about the use
and misuse of the SSN, particularly with regard to financial
services. The Fourth Circuit said:
Since the passage of the Privacy Act, an individual's
concern over his SSN's confidentiality and misuse has become
significantly more compelling. For example, armed with one's
SSN, an unscrupulous individual could obtain a person's welfare
benefits or Social Security benefits, order new checks at a new
address on that person's checking account, obtain credit cards,
or even obtain the person's paycheck. . . . Succinctly stated,
the harm that can be inflicted from the disclosure of a SSN to
an unscrupulous individual is alarming and potentially
financially ruinous.\6\
---------------------------------------------------------------------------
\6\ Greidinger at 300931.
---------------------------------------------------------------------------
The Court said that:
The statutes at issue compel a would-be voter in Virginia
to consent to the possibility of a profound invasion of privacy
when exercising the fundamental right to vote. As illustrated
by the examples of the potential harm that the dissemination of
an individual's SSN can inflict, Greidinger's decision not to
provide his SSN is eminently reasonable. In other words,
Greidinger's fundamental right to vote is substantially
burdened to the extent the statutes at issue permit the public
disclosure of his SSN.\7\
---------------------------------------------------------------------------
\7\ Greidinger at 320933.
---------------------------------------------------------------------------
The Court concluded that to the extent the Virginia voting
laws, ``permit the public disclosure of Greidinger's SSN as a
condition of his right to vote, it creates an intolerable
burden on that right as protected by the First and Fourteenth
Amendments.'' \8\
---------------------------------------------------------------------------
\8\ Greidinger at 36.
---------------------------------------------------------------------------
In a second case, testing whether a state could be required
to disclose the SSNs of state employees under a state open
record law where there was a strong presumption in favor of
disclosure, the Ohio Supreme Court held that there were privacy
limitations in the federal Constitution that weighed against
disclosure of the SSN. The court concluded that:
We find today that the high potential for fraud and
victimization caused by the unchecked release of city employee
SSNs outweighs the minimal information about governmental
processes gained through the release of the SSNs. Our holding
is not intended to interfere with meritorious investigations
conducted by the press, but instead is intended to preserve one
of the fundamental principles of American constitutional law--
ours is a government of limited power. We conclude that the
United States Constitution forbids disclosure under the
circumstances of this case. Therefore, reconciling federal
constitutional law with Ohio's Public Records Act, we conclude
that [the provision] does not mandate that the city of Akron
discloses the SSNs of all of its employees upon demand.\9\
---------------------------------------------------------------------------
\9\ Beacon Journal at 17.
---------------------------------------------------------------------------
While it is true that many companies and government
agencies today use the Social Security Number indiscriminately
as a form of identification, it is also clear from the 1936
Act, the 1974 provision, and these two cases -Greidinger v.
Davis and Beacon Journal v. City of Akron -that there is plenty
of legislative and judicial support for limitations on the
collection and use of the SSN. The question is therefore
squarely presented whether the Congress will at this point in
time follow in this tradition, respond to growing public
concern, and establish the safeguards that are necessary to
ensure that the problems associated with the use of the SSN do
not increase.
Problems Beyond the SSN
Efforts to regulate the collection and use of the SSN will
not stop all the problems associated with the use of
identifiers but they will address the most pressing current
problem and could contribute also to future schemes that are
less privacy intrusive.
Internet users are particularly concerned about the
development of ``GUIDs'' or Global Universal Identifiers. Last
year Internet users launched a campaign against Intel, the
largest maker of computer chips in the world, when it proposed
to create a Processor Serial Number, unique for each machine,
that would make it easier to track and monitor the activities
of Internet users. Eventually, under heavy pressure, Intel
agreed to withdraw its plan, and more recently Intel announced
that it would not include the unique identifier in its next
generation of computer chips. This is clearly good news.
But there are also indications that in the absence of
strong privacy laws and strong limitations on the use of new ID
systems, new problems will arise. Experian, the large credit
reporting agency, announced recently a new identification
scheme that will enable tracking on a global scale. According
to Helen McMillan, vice president of technology for Experian,
``Names and addresses are very poor data elements for building
search and match algorithms or for maintaining data integrity
and hygiene on customer databases. Our industry leading PIN
technology delivers the most reliable and accurate consumer
identifier on the market.'' This may be welcome news for
marketers who are trying to uniquely track customers and
potential customers, but I suspect most consumers and users of
the Internet would object strongly to the assignment of such
permanent identification numbers.
Microsoft has raised concerns with the recent news that it
plans to integrate a biometric identification scheme in the
next version of the Windows operating system. A biometric
identifier, such as a fingerprint, can be an effective and
highly accurate way to establish the identity of an individual,
but it can also facilitate a much higher degree of tracking and
profiling than would be appropriate for many transactions.
Should people who enter federal office buildings, for example,
be required to provide biometric identifier, such as a
fingerprint scan? It is not hard to imagine that such a
practice could develop in the next three to five years. Of
course, the problems that will arise when biometric identifiers
are compromised are severe. What will happen at the point that
your biometric identifiers no longer identify you?
These are issues that the Congress might also consider as
it goes forward with legislation to limit the use of the Social
Security Number. Perhaps the National Research Council or a
fully formed privacy agency could be asked to look in more
detail at how best to develop identification schemes that
enable online commerce and promote security, while at the same
time reducing threats to privacy and the loss of control over
identity.
Conclusions
In conclusion, there is clear authority in both legislation
and judicial opinion that supports the enactment of further
laws to limit the collection and use of the Social Security
Number. It is particularly important that such legislation not
force consumers to make unfair or unreasonable ``choices'' that
essentially require trading the privacy interest in the SSN for
some benefit or opportunity.
Legislation in this area will not solve all of the problems
with identity theft or invasive profiling but it will address
the most pressing problem and it could encourage the
development of better techniques in the future.
I am grateful for the opportunity to testify this afternoon
and would be pleased to answer your questions.
References
Electronic Privacy Information Center, ``Social Security
Numbers'' [http://www.epic.org/privacy/ssn/]
Flavio L. Komuves, ``A Perspective on Privacy, Information
Technology an the Internet: We've Got Your Number: An Overview
of Legislation and Decisions to Control the Use of Social
Security Numbers as Personal Identifiers,'' 16 J. Marshall J.
Computer & Info. L. 529 (1998)
Testimony of Marc Rotenberg, Computer Professionals for
Social Responsibility, ``Use of Social Security Number as a
National Identifier,'' Before the Subcomm. on Social Security
of the House Comm. on Ways and Means, 102d Cong., 1st Sess. 71
(February 27, 1991)
Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) and
brief amicus curiae for CPSR (Marc Rotenberg and David Sobel)
(SSN requirement for voter registration) (lead case on privacy
of Social Security number)
Beacon Journal v. City of Akron, 70 Ohio St. 3d 605 (Ohio
1994) and brief amicus curiae for CPSR (Marc Rotenberg and
David Sobel) (SSN disclosure of city employees)
Marc Rotenberg, Privacy Law Sourcebook: United States Law,
International Law, and Recent Developments (EPIC 1999)
Department of Health, Education, and Welfare, Records,
Computers, and the Rights of Citizens 1080935 (MIT 1973)
(Social Security Number as a Standard Universal Identifier and
Recommendations Regarding Use of Social Security Number)
STATEMENT OF ROBERTA MEYER, SENIOR COUNSEL, AMERICAN COUNCIL OF
LIFE INSURERS
Ms. Meyer. Thank you, Mr. Chairman. I am Robbie Meyer, and
I am pleased to be here today on behalf of the American Council
of Life Insurers, the ACLI, to testify about the way in which
life, disability income, and long-term care insurers use
consumers' personal information, including their Social
Security numbers, and to tell you about our position relative
to the maintenance of the confidentiality of that information.
ACLI member companies are strongly committed to the
principle that individuals have a legitimate interest in the
proper collection and handling of their personal information
and that insurers have an obligation to assure individuals of
the confidentiality of that information.
However, our member companies recognize that consumers do
have special concerns about the confidentiality of medical
information, so the ACLI board of directors has developed two
separate policies dealing with confidentiality, one in relation
to the confidentiality of medical information and the other
with respect to the confidentiality of non-public personal
information. Social Security numbers would fall into the
category of non-public personal information.
In developing our policy principles in relation to non-
public personal information, which would include Social
Security numbers, we sought to balance consumers' desire and
legitimate privacy concerns with their concerns for efficient
and prompt service and innovative products. Consequently, our
principles reflect our support for requirements that financial
institutions, including insurers, develop privacy policies and
procedures designed to protect the confidentiality, as well as
the security of consumers' non-public, personal information,
but at the same time our principles reflect our fundamental
need to use consumers' personal information, including their
Social Security numbers, in order to effect, administer, and
carry out our obligations under our insurance contracts with
our customers.
The ACLI strongly supports the privacy protections in title
five of the recently-enacted financial services modernization
bill, the Gramm-Leach-Bliley Act. Title five subjects financial
institutions--again, including all insurers--to one of the most
extensive laws relating to privacy regulation that has ever
been enacted in the United States.
As a result of this law, consumers doing business with
financial institutions will now have clear, comprehensive, and
rigorous privacy protections with respect to non-public,
personal information, again including Social Security numbers.
This new law also is carefully constructed again to balance
consumers' needs to have their privacy protected with the
benefits that they obtain from certain uses of that information
by financial institutions.
Insurance companies must use and share customers' personal
financial information, including, again, their Social Security
numbers, in order to perform legitimate, essential insurance
business functions. In other words, they have to use this
information in order to underwrite applications for coverage,
to administer and service our existing contracts, and to
perform related product or service functions.
I would like to give you a few examples of how insurance
companies actually use Social Security numbers now. They are
used by insurers to find missing or lost policy holders so that
they can pay them death benefits that they are obligated to pay
under existing contracts. Social Security numbers are used to
identify policies for policy-holders who may have lost their
account numbers. Insurers use Social Security numbers in their
call centers in order to authenticate the individuals who call
in for information. Social Security numbers are used by
insurers to help make it possible to transfer assets from one
financial institution to another upon the request of our
customers. We use Social Security numbers as PIN numbers so
that our customers can do business on line. We use them in
connection with our employee group insurance so that
individuals can use payroll deduction plans to pay for their
coverage.
We are also required to make a number of disclosures to
State insurance departments for their regulatory oversight of
insurers, and, as required by the Federal Government, such as
to the Internal Revenue Service, in order to report certain
payments to our customers.
Mr. Chairman, the ACLI would like to thank you for this
opportunity to testify; thank you for calling this hearing.
Life, disability, and long-term care insurers have a long
history of dealing with highly-sensitive, very personal
information. We are very proud of our history in dealing with
this information. We, again, recognize, however, that consumers
have a very legitimate interest in the way in which we handle
this information, and that we have an obligation to them to
ensure them of the confidentiality of that information.
Thank you.
Chairman Shaw [resuming Chair]. Thank you.
[The prepared statement follows:]
Statement of Roberta Meyer, Senior Counsel, American Council of Life
Insurers
Introduction
The American Council of Life Insurers (ACLI) is pleased to
be here today to testify regarding the ways in which life,
disability income, and long term care insurers use consumers'
personal information, including their Social Security Numbers,
and our position on protection of the confidentiality of that
information. The ACLI is a national trade association whose 435
member companies represent approximately 73 percent of the life
insurance and 87 percent of the long term care insurance in
force in the United States. They also represent 71 percent of
the companies that provide disability income insurance.
Life, Disability Income, and Long Term Care Insurance Policies
The fundamental purpose of life, disability income and long
term care insurance is to provide financial security for
individuals and families. Life insurance provides financial
protection to beneficiaries in the event of the insured's
death. Proceeds from a life insurance policy may help a
surviving spouse pay a mortgage or send children to daycare or
college. Disability income insurance replaces lost income when
a person is unable to work due to injury or illness. Long term
care insurance helps protect individuals and families from the
financial hardships associated with the costs of services
required for continuing care, for example, when someone suffers
a catastrophic or disabling illness.
ACLI Policy Position
ACLI member companies are strongly committed to the
principle that individuals have a legitimate interest in the
proper collection and handling of their personal information
and that insurers have an obligation to assure individuals of
the confidentiality of that information. We also recognize that
consumers have special confidentiality concerns in relation to
medical information. Therefore, the ACLI Board has adopted
separate policies regarding first, the confidentiality of
medical information; and second, the confidentiality of other
nonpublic personal information. Social Security Numbers would
fall within the second category -nonpublic personal
information.
ACLI's Confidentiality of Medical Information Principles of
Support and Confidentiality of Nonpublic Personal Information
Principles Support are grounded in the industry's long history
of dealing with highly sensitive information in a professional
and appropriate manner. These principles also acknowledge the
changing horizon of the financial marketplace resulting from
financial services modernization. Copies of the ACLI
``Principles of Support'' are attached.
The ACLI supports strict protections for medical record
confidentiality, including a prohibition on an insurer sharing
medical records with a financial company, such as a bank, for
use in determining eligibility for a loan or other credit -even
if the insurance company and the financial company are commonly
owned. We also support a prohibition on the sharing of medical
information by an insurer for marketing purposes.
Our principles on nonpublic personal information reflect
our attempt to balance consumers' legitimate privacy concerns
with their demands for prompt, efficient service and innovative
products. Among other things, we support a requirement that
financial institutions, including insurers, establish and
maintain policies and practices designed to protect the
confidentiality and security of nonpublic personal information
against anticipated hazards and unauthorized access to or use
of such information. We support a requirement that financial
institutions provide notice to consumers and customers
describing these policies and practices. We also support a
requirement that financial institutions, upon request, provide
customers with access and correction rights regarding nonpublic
personal information collected about them in connection with
applications for life, disability income or long term care
insurance.
At the same time, our principles reflect the fact that in
order for insurers to serve their prospective and existing
customers, they must use and share nonpublic personal
information, including Social Security Numbers, in connection
with the origination, administration, and servicing of
insurance products and services. For example, an insurer may
need to use Social Security Numbers to obtain medical
information, essential to underwriting, from a particular
doctor or hospital, to authenticate consumer callers using a
call center, to locate missing policyholders to whom it owes
death benefits, to investigate fraud, or to report certain
information to the Internal Revenue Service.
The Gramm-Leach-Bliley Act
In line with these principles, the ACLI strongly supports
the privacy provisions set forth in Title V of the recently-
enacted financial services modernization legislation, the
Gramm-Leach-Bliley Act (the Act). Title V of the Act subjects
financial institutions, including insurers, to one of the most
extensive regimes of privacy regulation that has ever been
imposed in the United States. As a result of the Act and other
federal privacy statutes, including the Fair Credit Reporting
Act, consumers doing business with financial institutions now
have clear, comprehensive, and rigorous privacy protections,
which extend to Social Security Numbers, among many other forms
of nonpublic personal information.
Unlike virtually any other types of consumers, financial
institution consumers must receive detailed annual disclosures
regarding a financial institution's policies for collecting and
disclosing their personal information. They must also receive
prior notice and the opportunity to ``opt-out'' of the
institution's transfer of their nonpublic personal information
to nonaffiliated third parties except under certain limited
circumstances. The confidentiality and security of their
personal information will be subject to extensive new standards
that financial regulators are required to impose on financial
institutions.
At the same time, these comprehensive new privacy
protections expressly recognize that consumers benefit from
financial institutions using consumer information for certain
purposes. In short, the new federal privacy law is a carefully
constructed balance between the need to protect the privacy of
a consumer's nonpublic personal information, which would
include Social Security Numbers, and the need to protect the
consumer benefits that result from certain uses of that
information.
The very nature of life, disability income and long term
care insurance involves personal and confidential
relationships. These insurers must be able to obtain, use, and
share their customers' personal health and nonpublic personal
information, including their Social Security Numbers, to
perform legitimate insurance business functions. These
functions are essential to insurers' ability to serve and meet
their contractual obligations to their existing and prospective
customers. ACLI member companies also believe that the use and
responsible sharing of information generally increases
efficiency, reduces costs, and makes it possible to offer
economies and innovative products and services to consumers
that otherwise would not be available.
Industry Fundamentals: Use of Personal Health and Nonpublic Personal
Information by Life, Disability Income, and Long Term Care Insurers
Once a life, disability income, or long term care insurer
has an individual's personal health and nonpublic personal
information, the insurer limits who sees it. However, the
insurer must use and share that information to perform
legitimate, essential insurance business functions -to
underwrite the applications of prospective customers, to
administer and service contracts with existing customers, and
to perform related product or service functions. Life,
disability income, and long term care insurers must use and
disclose personal information in order to comply with various
regulatory/legal mandates and in furtherance of certain public
policy goals (such as the detection and deterrence of fraud).
Activities in connection with ordinary proposed and consummated
business transactions, such as reinsurance treaties and mergers
and acquisitions, also necessitate insurers' use and
responsible sharing of personal information.
Underwriting the Policy
The price of life, disability income, or long term care
insurance is generally based on the proposed insured's gender,
age, present and past state of health, possibly his or her job
or hobby, and the type and amount of coverage sought. Life,
disability income, and long term care insurers gather this
information during the underwriting process. Based on this
information, the insurer groups insureds into pools in order to
share the financial risks presented by dying prematurely,
becoming disabled or needing long term care.
This system of classifying proposed insureds by level of
risk is called risk classification. It enables insurers to
group together people with similar characteristics and to
calculate a premium based on that group's level of risk. Those
with similar risks pay the same premiums. The process of risk
classification provides the fundamental framework for the
current private insurance system in the United States. It is
essential to insurers' ability to determine premiums which are
adequate to pay future claims and fair relative to the risk
posed by the proposed insured.
Insurers must be able to obtain, use, and sometimes share
both medical and nonpublic personal information, including
Social Security Numbers, in order to underwrite applications
for coverage. Social Security Numbers are used in a number of
different ways in connection with this process. Insurers
sometimes must use proposed insureds' Social Security Numbers
in order to obtain medical information about them from doctors
and hospitals which use Social Security Numbers as
identification numbers. Insurers sometimes use motor vehicle
record information in underwriting. In some states, insurers
are required to use Social Security Numbers to obtain this
information from the motor vehicle department. Insurers
sometimes use information from credit reporting agencies in
underwriting. Social Security Numbers are sometimes required to
obtain information from consumer reporting agencies.
Performance of Essential Insurance Business Functions
Once an insurance policy is issued, insurers use their
customers' personal information to perform essential, core
functions associated with an insurance contract, such as claims
evaluations and policy administration. In addition, insurers
also use this information to perform important business
functions, not necessarily directly related to a particular
insurance contract, but essential to the administration or
servicing of insurance policies generally, such as, for
example, development and maintenance of computer systems. The
ability to use this information for these purposes is crucial
to insurers' ability to meet their contractual obligations to
their customers and to perform important related service and
administrative functions.
Many insurers use affiliates or third parties to perform
these business functions which are necessary to effect,
administer, or enforce insurance policies or the related
product or service business of which these policies are a part.
Often these arrangements with affiliates or unaffiliated third
parties provide the most efficient and economical way for an
insurer to serve prospective and existing customers. The
economies and efficiencies devolving from these relationships
inure to the benefit of the insurer's customers.
If an insurer were to be prohibited from using this
information, or if an individual were to be permitted to
withhold consent or to ``opt out'' of a life, disability
income, or long term care insurer's right to use or share his
or her personal information for purposes of performing
insurance business functions, it would be extremely difficult,
if not impossible in some cases, for the insurer to provide
that consumer with the coverage, service, benefits, or
economies that otherwise would be available. Insurers need to
use Social Security Numbers to perform a number of these
functions. Insurers view Social Security Numbers as unique
identifiers and use them in a number of ways which enable them
to better and more efficiently serve their customers and to
protect their interests.
For example, Social Security Numbers are used by insurers
to find missing or lost policyholders to inform them that they
are entitled to life insurance proceeds. Social Security
Numbers are used to identify policies owned by an individual
who does not have the account or policy number available when a
service request is made. Insurer call centers use Social
Security Numbers as part of the data requested to authenticate
customers who call in with requests for service or for product
or account information or status. Social Security Numbers are
often needed to transfer assets from one financial institution
to another, for example, for purposes of transfers between
mutual funds or annuities and life insurance. (Since one
financial institution generally does not know the individual's
account number at the other financial institution, the Social
Security Number is needed to identify the client's identity for
the two institutions. This reduces delay, error, and misplaced
assets in such transfers.) Insurers also use Social Security
Numbers in connection with the administration of pension plans,
as identification numbers. They use them as PIN numbers for
customers' use of on-line services. They use them in reporting
to employer policyholders under employee group insurance plans
and in connection with payroll deductions under these plans.
These activities inure to the benefit of insurers' customers.
Disclosures pursuant to Regulatory/Legal Mandates or to Achieve
Certain Public Policy Goals
Life, disability income, and long term care insurers must
regularly disclose personal health and nonpublic personal
information to: (1) state insurance departments as a result of
their general regulatory oversight of insurers, which includes
regular market conduct and financial examinations of insurers;
(2) self-regulatory organizations, such as the Insurance
Marketplace Standards Association (IMSA), which imposes and
monitors adherence to requirements with respect to member
insurers' conduct in the marketplace; and (3) state insurance
guaranty funds, which seek to satisfy policyholder claims in
the event of impairment or insolvency of an insurer or to
facilitate rehabilitations or liquidations which typically
require broad access to policyholder information.
Any limitation on these disclosures would seem likely to
operate counter to the underlying public policy reasons for
which they were originally mandated -to protect consumers.
Life, disability income, and long term care insurers are
required to make certain disclosures of information by the
federal government. They also need to (and, in fact, in some
states are required to) disclose personal information in order
to protect against or to prevent actual or potential fraud.
Such disclosures are made to law enforcement agencies, state
insurance departments, or the Medical Information Bureau (MIB),
the primary purpose of which is to reduce the cost of insurance
by helping insurers detect (and deter) attempts by insurance
applicants to conceal or misrepresent facts. Any limitation on
insurers' right to make these disclosures would seem likely to
undermine the public policy goal of reducing fraud, the costs
of which are ultimately borne by consumers.
Social Security Numbers are used or disclosed by insurers
for a number of these purposes. Life insurers are required to
use Social Security Numbers to report to the IRS a variety of
payments including, but not limited to, interest payments,
certain dividends, and policy withdrawals and surrenders.
Social Security Numbers are often integral to insurers' fraud
investigations. Social Security Numbers are sometimes used
verify identity in connection with inquiries to the MIB. At
least one state, Rhode Island, requires that insurers match
``deadbeat'' parents data before making payments on claims.
Social Security Numbers are required for that matching.
Ordinary Business Transactions
In the event of a proposed or consummated sale, merger,
transfer, or exchange of all or a portion of an insurance
company, it is often essential that the insurer be able to
disclose company files. Naturally, these files can contain
personal information, including customers' Social Security
Numbers. Such disclosures are often necessary to the due
diligence process which takes place prior to consummation of
the deal and are clearly necessary once the deal is completed
when the newly created entity often must use policyholder files
in order to conduct business.
Insurers also frequently enter into reinsurance contracts
in order to, among other things, increase the amount and volume
of coverage they can provide. These arrangements often
necessitate the disclosure of personal information, which may
include Social Security Numbers, by the primary insurer to the
reinsurer.
Conclusion
Again, the ACLI would like to thank Chairman Shaw for
calling this hearing and giving us an opportunity to testify.
Life, disability income, and long-term care insurers have a
long history of dealing with highly sensitive personal
information. The industry is proud of its record of protecting
the confidentiality of medical information and nonpublic
personal information; the industry is also committed to the
principles that individuals have a legitimate interest in the
proper collection and use of individually identifiable
information and that insurers must continue to handle such
information in a confidential manner.
Confidentiality of Medical Information
Principles of Support
Life, disability income, and long-term care insurers have a
long history of dealing with highly sensitive personal
information, including medical information, in a professional
and appropriate manner. The life insurance industry is proud of
its record of protecting the confidentiality of this
information. The industry believes that individuals have a
legitimate interest in the proper collection and use of
individually identifiable medical information about them and
that insurers must continue to handle such medical information
in a confidential manner. The industry supports the following
principles:
1. Medical information to be collected from third parties
for underwriting life, disability income and long-term care
insurance coverages should be collected only with the
authorization of the individual.
2. In general, any redisclosure of medical information to
third parties should only be made with the authorization of the
individual.
3. Any redisclosure of medical information made without
the individual's authorization should only be made in limited
circumstances, such as when required by law.
4. Medical information will not be shared for marketing
purposes.
5. Under no circumstances will an insurance company share
an individual's medical information with a financial company,
such as a bank, in determining eligibility for a loan or other
credit -even if the insurance company and the financial company
are commonly owned.
6. Upon request, individuals should be entitled to learn
of any redisclosures of medical information pertaining to them
which may have been made to third parties.
7. All permissible redisclosures should contain only such
medical information as was authorized by the individual to be
disclosed or which was otherwise permitted or required by law
to be disclosed. Similarly, the recipient of the medical
information should generally be prohibited from making further
redisclosures without the authorization of the individual.
8. Upon request, individuals should be entitled to have
access and correction rights regarding medical information
collected about them from third parties in connection with any
application they make for life, disability income or long-term
care insurance coverage.
9. Individuals should be entitled to receive, upon
request, a notice which describes the insurer's medical
information confidentiality practices.
10. Insurance companies providing life, disability income
and long-term care coverages should document their medical
information confidentiality policies and adopt internal
operating procedures to restrict access to medical information
to only those who are aware of these internal policies and who
have a legitimate business reason to have access to such
information.
11. If an insurer improperly discloses medical information
about an individual, it could be subject to a civil action for
actual damages in a court of law.
12. State legislation seeking to implement these
principles should be uniform. Any federal legislation to
implement the foregoing principles should preempt all other
state requirements.
Confidentiality of Nonpublic Personal Information
Other Than Medical Information
Principles of Support
Life, disability income, and long term care insurers have a
long and established history of handling their customers'
nonpublic personal information in a professional and
confidential manner. Insurers recognize their affirmative and
continuing obligation to respect their customers' privacy and
to protect the confidentiality and security of their customers'
nonpublic personal information.
Insurers support principles in relation to medical
information which are described in a separate document. This
document sets forth principles which insurers support in
relation to nonpublic personal information other than medical
information.
1) Requirements with respect to the confidentiality and
security of nonpublic personal information should be addressed
separately from those in relation to medical information in
order to more fully address the different concerns that arise
in connection with each type of information.
2) An insurer shall establish and maintain policies and
practices designed to protect the confidentiality of nonpublic
personal information and to protect against unauthorized access
to or use of such information which could result in substantial
harm or inconvenience to any customer.
3) An insurer shall establish and maintain policies and
practices designed to protect the security of nonpublic
personal information against anticipated threats or hazards or
unauthorized access to or use of such information which could
result in substantial harm or inconvenience to any customer.
4) An insurer shall provide its customers with a notice of
the policies it maintains to protect the confidentiality and
security of nonpublic personal information. This notice shall
be provided at the time the insurer enters into an insurance
contract and at least annually thereafter for as long as the
contract is in force.
5) In order to serve its prospective and existing
customers, an insurer may share its customers' nonpublic
personal information in connection with the origination,
administration, or servicing of its products or services or to
engage in other non-marketing business operations. For example,
an insurer may share nonpublic personal information to provide
consolidated statements of an individual's different accounts,
to prevent fraud, or to comply with the law or a civil or
criminal subpoena or summons.
6) An insurer shall not share a customer's nonpublic
personal information within its corporate family for marketing
products or services unless the insurer's notice says that this
information may be shared within its corporate family for this
purpose. An insurer shall not share a customer's nonpublic
personal information outside its corporate family for marketing
unless: (a) the insurer's notice says that nonpublic personal
information may be shared by the insurer outside its corporate
family for this purpose; and either (b) the customer is given
the opportunity to direct that it not be shared; or (c) the
products or services to be marketed are: ((1)) products or
services of the insurer; or ((2)) offered by the insurer and
another financial institution (or institutions) pursuant to a
joint agreement.
8) An insurer shall not share a customer's nonpublic
personal information with another person or entity unless such
party is subject to the same restrictions on disclosure of
nonpublic personal information to which the insurer is subject.
9) Upon request, a customer of an insurer is entitled to
have access and correction rights regarding nonpublic personal
information about the customer collected from third parties in
connection with an application for life, disability income, or
long term care insurance.
10) In order to provide insurers' customers protection that
is as uniform as possible, any legislation or regulation
seeking to impose requirements with respect to the
confidentiality and security of nonpublic personal information
shall be applicable in the same manner to all entities which
collect and maintain such information.
11) State legislation seeking to implement these principles
should be uniform. Any federal legislation implementing these
principles should preempt any state law imposing requirements
with respect to the confidentiality and security of nonpublic
personal information.
Chairman Shaw. I have a couple of questions that I would
like to ask the entire panel.
We just heard some legislative proposals--and I believe all
of you were here--that would restrict the use of a Social
Security number. Some proposals, such as Dr. Paul's bill, would
restrict the use of Social Security numbers by government
agencies. Others, like Mr. Kleczka's proposal, would restrict
commercial use, sale, and exchange of Social Security numbers
unless the entity has the customer's written consent to support
these proposals.
For those of you who oppose the proposals, can you tell us
specifically what provisions you propose and what improvements
can be made?
Mr. Pratt?
Mr. Pratt. Our concern is a general concern, and let me
respond in two ways. With Congressman Paul's proposal, if it
were to remove the use of the Social Security number from, say,
public records, this means that we would have a more difficult
time putting a tax lien into a consumer report that would be
used by credit grantors for safety and soundness or in noting a
bankruptcy, so I think part of the question is the devil of the
details. Does this mean the Social Security number is
completely removed from many different public domains, or is it
just more controlled or more limited? I have not actually read
the entirety of the Congressman's proposal to respond more
specifically than that.
But Congressman Kleczka's proposal in removing the Social
Security number from the commercial domain--and he has
mentioned credit headers several times--one point I would like
to bring up is that we have mentioned already that, outside of
the Fair Credit Reporting Act, which certainly governs and
limits otherwise our use of information, including the Social
Security number, we have established ourselves through the
individual reference services group to further limit the
disclosure of that information called ``header information.''
It is identifying information, and that's a way that we have
attempted to respond to the policy, and to try and restrain and
balance the benefits that we think are out there societally for
this type of data, and, at the same time, to acknowledge I
think what has been said by a number of my co-panelists, and
that is this is not a number that should be out there in the
general marketplace for all purposes.
Chairman Shaw. You, sir?
Mr. Mierzwinski. Mr. Chairman, US PIRG supports the credit
header loophole bill, Mr. Kleczka's bill. We also have an
official position on Mr. Markey's bill on financial privacy to
close the loopholes in title five of the Gramm-Leach-Bliley
Act.
The other three bills, the three specific bills before the
committee, we support in principle, but our board has not yet
taken a formal position on them.
Chairman Shaw. Ms. Moore? If any of you all want me to
repeat the question, I will be glad to do it.
Ms. Moore. I think I have it.
Chairman Shaw. Okay. Go ahead.
Ms. Moore. H.R. 1450, Congressman Kleczka's bill, does not
really affect the DMVs, because the Driver Privacy Protection
Act forbids sale and distribution of the Social Security number
by DMV, so that makes that issue moot for DMVs.
H.R. 220 does impact the motor vehicle agencies and we have
our concerns as far as the SSN has become a unique identifier
for exchanging information into the CDLIS system, the nine
million commercial drivers that we track through there.
The primary concerns would be the inability to
electronically transfer driver history records between
jurisdictions, the cost States would have to incur to modify
the computer systems, and utmost, the increase in fraud or the
inability to verify our drivers.
Chairman Shaw. Thank you.
Mr. Rotenberg. Mr. Chairman, let me say, just as a matter
of U.S. privacy law, I think it is very consistent with the
original purpose of the Social Security number, which is that
it would be used solely to administer the benefits of the
program, as well as the language in the 1974 privacy act, to
support the proposals that have been put forward today.
I should also point out, in a very recent opinion from the
U.S. Supreme Court, an opinion upholding the Drivers Privacy
Protection Act, even after it had been challenged in several of
the States, the court made quite clear that, to the extent that
personal information has been sold in interstate commerce, then
it clearly could be regulated by the Congress, so I do not
think there is any question, particularly where you have
services that are literally selling a person's Social Security
number and enabling identity theft and other problems, that
that would be appropriate legislation and that it would be
upheld by the courts.
Chairman Shaw. I believe we had information last Tuesday
about who owns those numbers, and I think that the testimony
that we have says that the numbers are, indeed, the property of
the Federal Government. We have not researched that,
ourselves--at least I do not believe we have--but those numbers
are the property of the United States Government and the Social
Security Administration, and we certainly would have the right
to regulate how they are used or how they are distributed.
Ms. Meyer, I think you answered the question--you mentioned
in your testimony that the Social Security numbers are useful
in the administration of service of the account. I have great
doubt about that, except when you got to the point of reporting
earnings to the Internal Revenue Service. Then that does become
a point that I think that would be well taken in that area.
But the other areas that you mention, I have some--I doubt
that that is actually needed. I mean, we go through the policy
number and everything else. But I am particularly curious, in
your situation, if I were to want to buy a life insurance
policy and I said, ``No, I do not want to give you my Social
Security number,'' would it be then the salesman would say,
``Then you are not going to get this life insurance policy?''
Ms. Meyer. That's a--
Chairman Shaw. Is that a truthful statement? Can you buy
life insurance without divulging your Social Security number?
Ms. Meyer. To my knowledge, Social Security numbers--and I
would have to check this and see--that information is not
required information. But I will confirm that. I think the
concern is that it is so integral, because of the list of
services or different things that we use it for, it is so
integral to our ability to provide products and services to our
customers, that it would be very difficult for us to do lots of
things for that individual--
Chairman Shaw. Why?
Ms. Meyer.--that we could not do otherwise.
Chairman Shaw. Why?
Ms. Meyer. Well, for example, I am told by our member
companies that, in underwriting an application for a life
insurance policy, for example, it is often very important that
we obtain medical information in order to determine the rate at
which we should insure the individual.
Often, we have to get information from doctors and
hospitals relative to the individual's medical condition. We
are told that in some circumstances doctors and hospitals will
not release that information to us unless we have the
individual's Social Security number.
Chairman Shaw. Well, you have to get a consent form signed
by that individual, anyway, do you not?
Ms. Meyer. Absolutely. We do get a consent form to get that
information for purposes of underwriting; however, as I said
before, there are a number of other purposes that we use the
Social Security number for in order to administer the contract.
One problem we have is that there are literally millions of
contracts out there with Social Security numbers that are part
of the file, so if individuals revoke our ability to use Social
Security numbers, then we would literally have to go through
millions of files to delete the Social Security numbers out of
the files; so we have problems, both from a practice standpoint
and for getting information. I understand that there are still
some States that require use of Social Security numbers to get
motor vehicle information that we would need to investigate
applications for coverage, as well. So we would have problems
getting information, plus I am told that we use these Social
Security numbers in our call service centers to make sure that
we are giving out information to the correct individual, you
know, to help them locate policies that they may have lost.
So we might need it to get information, as well as to
perform service functions. Also, I am told that State insurance
departments use Social Security numbers to help people identify
coverage that they may not be aware of.
So I think the use of the numbers as identifiers, to be
sure that we are getting information to the correct individuals
and also to help consumers, is built into the system right now.
Chairman Shaw. Is your industry in any way prohibited from
selling that information or sharing it with other agencies?
Ms. Meyer. Right now our industry is now subject to the
rules of title five of the Gramm-Leach-Bliley Act. That would
include, in our view, non-public personal information. It would
include Social Security numbers within the definition of non-
public personal information, which would mean that we could not
share, which would include selling information with a non-
affiliated third party, without giving the individual the
opportunity of telling them, giving them notice of what we are
doing, and also the opportunity to opt out, except if the
sharing fell within one of the stated exceptions of the Gramm-
Leach-Bliley Act.
Chairman Shaw. Speaking of that act, you have the ability
to share, sell, transfer personal information to third parties
who are not regulated by these laws. How is this information
protected once it is sold or transferred to third parties?
Ms. Meyer. Actually, title five does place restrictions on
third parties who receive information from us. Those third
parties would be subject to the provisions of title five that
say that a third party recipient of the information cannot use
the information in any way in which the financial institution
could not use it. So a third party recipient would be subject
to the same constraints as the financial institution, as I
understand the law.
Chairman Shaw. Mr. Tanner?
Mr. Tanner. Thank you very much, Mr. Chairman. I wish we
had more time. This is a fascinating discussion. In the
interest of time, I am going to read all of your statements,
but I want to ask Mr. Pratt--a couple of days ago Colonel
Stevens testified that, notwithstanding his best efforts to
notify various credit bureaus that this was fraudulent activity
going on on his Social Security number, he testified that every
four to six months it was recycled and reappeared.
What, if anything, is your organization doing to stop that?
And do not you feel that there is some obligation to verify the
information and this repeated publication, knowing it to be
false, or someone knowing it to be false may be legally
actionable?
Mr. Pratt. Congressman, I think part of the response is
found in the--we agree with you that we need to be doing more
in the area of helping victims of identity theft, and I think
that is thematically something you will hear across the board.
The initiatives that we announced in March were really also
then announced at the Identity Theft Summit, where we presented
those, and that was the summit sponsored by the Treasury
Department, along with other agencies--Secret Service and so
on.
One of the areas of response is to acknowledge that very
problem of information showing back up in the file.
Part of the answer is found in the Fair Credit Reporting
Act. Under the 1996 amendments, if data goes back into the
file, we are obligated to send a letter to the consumer asking
them to confirm the information if it does go back in, and
that's part of the accuracy standard that we have to live by.
Part of the step is a new software product that we are
going to launch this year, because it is true that when you
hear a consumer who says, ``I have been a victim of identity
theft,'' it appears to go on and on and on.
The way the FCRA is structured, at a point in time we have
to reinvestigated and take care of the problems on the file,
and there is a limited time frame in which to do that, but the
question is: what do you do after that file has been brought
whole? Is that it? Is the crime over or does it go on?
In our estimation, we have another responsibility, and
that's a responsibility we have put into our voluntary
initiatives. We are going to keep track of that file. We are
going to look at file activity. We are going to notify
consumers of unusual activity in that file to make sure that we
stay in touch with that consumer to keep the information from,
if you will, polluting the consumer's credit history on a long-
term basis.
So we think we are tracking in the right direction to try
to build the right technologies in place and to create a better
linkage between us and the consumer, not just between us and
the credit grantor, so that is part of our response.
Mr. Mierzwinski. Congressman, could I add very briefly to
that?
Chairman Shaw. Yes.
Mr. Mierzwinski. US PIRG believes that some of the steps
that the credit bureaus are taking are good first steps, but I
just want to point out that some of the problems are not the
credit bureaus' fault, and I am not totally agreeing that the
credit bureaus should not be blamed for part of this, of
course.
Mr. Pratt. But I am writing this down that you said that.
Mr. Mierzwinski. But he is writing this down.
We feel and other privacy groups feel that part of the
blame has to be laid at the feet of the banks, department
stores, and other creditors that, in fact, issue credit without
adequately verifying that the consumer is the actual consumer,
and they will often, even though there is perhaps a fraud flag
on a report, issue credit.
We think that that is part of the problem that Congress
needs to look into in strengthening the Identity Theft
Deterrence Act of 1998.
So it is the credit bureaus and the creditors who we think
are both part of the problem.
Mr. Pratt. Part of our effort, Congressman, was to, in
fact, launch a better program to make sure our customers, in
partnership with us, understand the security alert--this alert
that Mr. Mierzwinski is referencing--and to make sure they know
where to look for it in the, if you will, data transmission,
and then how to then respond to it.
We also have products that have been brought on line which
notify our customers where there's differences in incoming
applicant data and the data we have on file.
As I said in the testimony, there are 42 million consumers
who move every year. Clearly, some of the address change
activity on the files is legitimate.
One of the products we have informs our customers, though,
that, in fact, there is a difference between what you have sent
us, to some extent, and what we have on file, and this is
another way for us to partner with our customers and to cue
them that something is different about the data, giving them
that opportunity to investigate it further.
Mr. Tanner. I have some more questions, but, in the
interest of time, Mr. Chairman, I have got to go. Thank you. I
thank all of you.
Chairman Shaw. I would like to just raise one more question
with you, Mr. Pratt, and that is the question of what good is
it or what usefulness is it to have your Social Security number
put on the back of a check when you are cashing a check? You
heard Mr. Kleczka say that he gave one to Toys 'R Us and he
made up a Social Security number because he did not want to put
it on there. What good is it?
Mr. Pratt. Well, I can answer that in part because our
trade association does represent some companies that produce a
specific type of FCRA governed database generically called a
``check services database.'' Check fraud is an enormous problem
in this country. It always has been, for many, many years, and
it continues to be a problem.
One way for us to cross check and provide products for a
retailer or grocery store to make sure that they minimize check
fraud is to use that number, at least in this case, for a
matching purpose, to make sure that we are matching back into
this check database to determine whether or not we have had
fraudulent--
Chairman Shaw. At what point is the match made?
Mr. Pratt. Well, for us the match would be made between the
point of sale terminal, which is the register, as we used to
call it, and the system that we have in place, which could be
anywhere in the country and just a resident database.
Why it is written on the check versus just simply entered
in, if you will, to use as a match, I really cannot deal with
that element of it. I do not know if that is more of a retail
question that might have to be addressed. But for us it is a
matching question.
Chairman Shaw. Well, you mean this matching is done while
the customer is still standing there at the register?
Mr. Pratt. Yes, sir.
Chairman Shaw. And they need the Social Security number in
order to do that?
Mr. Pratt. That would be one element of how we are able to
make sure that we are not, first of all, falsely registering
and saying this consumer's check should not be processed, if
you will, so it is a more precise way for us to achieve the
match, make sure that we deliver accurately.
One of the standards under the Fair Credit Reporting Act is
to make sure that we match the request for information with the
correct record internally. In most cases with a check database
of this type, the records is going to come back ``no record
found,'' meaning the majority of citizens are not bouncing
checks or having a problem with check fraud. So that's one of
the ways that we reduce the problem of consumers being
inconvenienced.
Chairman Shaw. What does a cashier do? How do they transmit
that number while they are in the checkout line?
Mr. Pratt. That number is entered in at the register, I
believe.
Chairman Shaw. They enter the Social Security number
instead of the name and bank?
Mr. Pratt. Well, that might be one way for us to check, but
there might be other fraudulent accounts that are not listed
under that bank name, so these databases cross check name and
information against other accounts to make sure we are not
opening up or processing an additional check against an account
which has already been registered as opened fraudulently.
I do not think I made sense.
Chairman Shaw. Well, it did not sink in at this end. Go
ahead.
Mr. Pratt. In other words, if I were the criminal and I was
perpetrating bank fraud, if you will, by opening up falsified
checking accounts, there might be more than one checking
account in play, and so, as one checking account becomes
designated as fraudulent and is registered, I might want to try
to flip, if you will, to the next checking account I have
opened up in order to perpetrate the crime all over again.
So, in order to reduce the incidence of that type of check
fraud, these databases can cross check and say--
Chairman Shaw. Well, when I open a checking account, they
will get my Social Security number. But they just ask me to
give it to them. They do not ask to see a Social Security card
or any type of identification that has a Social Security number
on it. So if I wanted to get involved in that, just borrow
somebody else's Social Security number and put it in there.
Mr. Pratt. In terms of what the security procedures are
with the lending institutions, it is harder for me to answer
that part of the question.
Chairman Shaw. Do they verify that they got the right
Social Security number?
Mr. Pratt. I believe they do, but, again, I think there are
others who might be better able to respond to that part of the
question.
Chairman Shaw. How do they do that? Can I get in touch with
the Social Security Administration and say, ``Is John Dokes'
number such and such''?
Mr. Pratt. I do not think the Social Security
Administration allows private industry to do that.
Chairman Shaw. I hope not. So how do they verify that they
have the right number?
Mr. Pratt. One way is to access a consumer report to
determine whether or not it matches against a consumer report.
Chairman Shaw. So the consumer report has the Social
Security number on it. Where did the consumer report get the
number?
Mr. Pratt. These numbers are added into the system based on
applicant data coming in and the regular cycle of data
reporting into the consumer reporting Social Security. Social
Security number is often an element of the information we
receive from what are called ``data furnishers.''
Chairman Shaw. But if that name and Social Security number
is not in your database, then they put it in the database, and
all of the sudden they are in there with that number that is
fraudulent.
Mr. Pratt. Well, it is certainly one of the problems of
identity theft is that it can result in inaccurate, fraudulent
information being loaded into the system. In this case, we do
not keep checking account information, so that would not be in
the system.
It is true--one of our challenges is to keep the fraudulent
data out and to keep the accurate and correct information in.
Chairman Shaw. Okay. Well, thank you all for being here. We
have got our work cut out for us, that's for sure.
I have two things I am told for the record, two inserts,
the opening statement of Mr. Matsui, which I had already said
for all of the Members who have an opening statement, and a
letter from the Social Security Administration Inspector
General supporting the Kleczka bill.
[The information follows:]
James G. Huse, Jr.
The Honorable Jerry Kleczka
House of Representatives
Washington, D.C. 20515
Dear Mr. Kleczka:
Social Security number (SSN) misuse is a critical issue that
impacts greatly on the lives of American citizens. From the beginning,
our office has taken a proactive stance to work with other Federal
organizations to reduce the incidents and impact of SSN misuse.
However, given the current proliferation of the SSN in both
governmental and private transactions, our task appears to be
increasing with each passing day.
As I stated in my May 9, 2000, testimony before the Social Security
Subcommittee's hearing on SSN misuse, I believe H.R. 1450 is an
excellent start at legislatively protecting the integrity of the SSN
and restoring the confidence of the American people in the security of
their personal identifying information.
I appreciate your support for the IG community. If I can be of
further assistance to you or your staff, please do not hesitate to
contact me at 41009966098385.
Sincerely,
James G. Huse, Jr.
Inspector General of Social Security
Chairman Shaw. Thank you again. We appreciate your
attendance and your testimony.
[Questions submitted by Chairman Shaw to Mr. Rotenburg, Mr.
Huse, Ms. Burke Moore, Mr. Pratt, Ms. Bovbjerg, Mrs. Meyer and
Mr. Mierzwinski, and their respective answers, follow:]
May 31, 2000
The Honorable James G. Huse, Jr.
Inspector General
Social Security Administration
6401 Security Boulevard
Suite 300
Baltimore, MD 21235
Dear Mr. Huse:
Thank you for testifying before our Subcommittee regarding the use
and misuse of the Social Security number (SSN). In order to complete
our hearing record, I would appreciate your answering the following
questions:
1.You mention that a good deal of SSN misuse creates a cost to the
Social Security program because people fraudulently apply for benefits.
Has anyone estimated the cost of SSN misuse to the Social Security
Trust Funds? Has anyone estimated the cost of SSN misuse to private-
sector businesses?
2. What are the key vulnerabilities in SSA's business processes
relating to the issuance of SSNs? What recommendations have you made
and how has the agency responded?
3. GAO testified before you that there is no federal law that
regulates the overall use of SSNs. Is such a law needed? Is it feasible
to enact, administer, and enforce such a law?
4. GAO testified that many private-sector businesses and government
agencies have adopted voluntary policies aimed at protecting privacy
and reducing SSN misuse. Can self-regulation be an effective way to
reduce SSN misuse?
5. You note that your office issues a list of the 100 employers
with the most suspended wage items (i.e., wages that do not match up to
an SSN.) What are the reasons why these reported wages don't match up
to an SSN? One of your recommendations to the Social Security
Administration was to implement a correction action plan for these
employers. Has SSA acted on this recommendation?
6. You mention that it costs SSA 50 cents to post a wage item when
it is originally submitted compared to $300 to correct it later. Why
are the costs to correct wage items so high?
7. You mention the Identity Theft Act in your testimony. Are there
any other laws aimed at protecting privacy and preventing fraud? In
your opinion, are existing laws enforced effectively or do we need new
laws to help prevent identity theft and other types of SSN misuses?
8. Can you please elaborate about the Federal Trade Commission's
specific role in SSN misuse?
9. One of your recommendations to combat SSN fraud is to regulate
the sale of SSNs. How can this be done? What exceptions would the law
have to include? Would there be any downside for consumers?
10. The widespread use of the SSN creates a lot of administrative
headaches for SSA, such as reissuing SSNs for people who have been the
victims of identity theft. To your knowledge, has SSA ever developed a
proposal that addresses this issue, especially one that seeks to limit
how the SSN is used by other government agencies and the private
sector?
11. One of your recommendations for reducing fraud is that people
should show photo ID when conducting business with SSA. That seems like
a useful suggestion. Still, are there any arguments that some might
make against it? Do you know what portion of the population do not have
a photo ID? Wouldn't this cut down on fraud in other areas of SSA
programs as well?
12. At the same time, SSA is studying conducting certain services
online, such as applications for retirement benefits. Obviously, at
least for now, showing a picture ID won't work in that setting. How can
the trend toward online applications be reconciled with your suggestion
of showing a photo ID to receive services?
13. One of your recommendations is to legislate statutory law
enforcement authority for your investigators. How would this authority
for your investigators assist in combating SSN fraud?
14. You also suggest broadening civil monetary penalty authority
for the sale or misuse of an SSN. Would you provide more details about
this recommendation?
15. You recommend that new technologies and databases be fostered
to help employers, government, and private industry verify that names
and/or SSNs are correct to improve the identification process. From a
practical standpoint, how would this work? Would opening such a
database to employers and private industry create new opportunities for
misuse of this information? Who would monitor this process?
16. For the record, please provide a breakdown of the statistics
from the SSA/OIG Hotline for the first six months of this fiscal year.
I would like the total number of allegations received by the Hotline;
the total number of these allegations related to SSN misuse (of this
figure, please break this down further into the number related to the
programs and operations of SSA and the number not so related).
I thank you for taking the time to answer these questions for the
record and would appreciate your response by no later than June 23,
2000. In addition to a hard copy of your response, please submit your
response on an IBM compatible 3.5-inch diskette in WordPerfect or
Microsoft Word format. If you have any questions concerning this
request, please feel free to contact Kim Hildred, Staff Director,
Subcommittee on Social Security at (202) 225099263.
Sincerely,
E. Clay Shaw, Jr.
Chairman
May 31, 2000
Ms. Katherine Burke Moore
Chair, International Board of Directors
American Association of Motor Vehicle Administrators
c/o Linda Lewis
4301 Wilson Blvd.
Suite 400
Arlington, VA 22203
Dear Ms. Burke Moore:
Thank you for testifying before our Subcommittee regarding the use
and misuse of the Social Security number (SSN). In order to complete
our hearing record, I would appreciate your answering the following
questions:
1. Many people are annoyed by the fact that they have to give up
their SSN for practically any business transaction. How would you feel
about a proposal that would prohibit businesses from denying services
to customers who refuse to disclose their SSNs?
2. The fact that SSNs are so widely used indicates that there is a
need for a unique personal identifier. If the use of SSNs is
restricted, do you think another personal identifier will take its
place?
3. In the next 10 or 20 years, what do you think will be used to
identify people who apply for credit or other commercial services? Will
it be the SSN? Some other number? Biometrics? Will the debate over the
privacy and security of SSNs eventually be overtaken by new
technologies that are more accurate, more personalized, and more secure
from abuse? Does your industry anticipate and support such
developments?
5. Stories of identity theft and SSN misuse highlight the negative
consequences of widespread SSN use. However, does the widespread use of
SSNs benefit consumers in certain ways? Can you give us examples? If
SSN use were restricted, what would be the downside for consumers? If
the use of SSNs was restricted by Federal law, what impact would it
have on your members? M
6. Most states give people the option of displaying their SSN on
their driver's license or using a different number issued by the DMV.
Has this option created administrative difficulties for States? Has it
reduced accuracy or the ability to correctly identify people?
7. Your testimony indicated that States need to collect SSNs for a
variety of law enforcement and public safety reasons. What are States
doing to protect this information once it is collected? How do States
ensure that the information is correct and not fraudulent? Do States
collect SSN information solely for law enforcement and public safety
reasons? Are SSNs used by the States for any other purposes?
8. Do States transfer, sell, or share SSN data to third parties
under any circumstances? How many pieces of identifying information do
States collect (for example, name, gender, age, address, etc.) With so
many pieces of identifying information, why is the SSN needed to
positively identify an individual?
9. You indicated that your members have continued their efforts to
enhance the security of driver license credentials. Could you describe
these efforts?
10. In your testimony you indicated that 49 states allow
individuals to have a number on their drivers license other than the
SSN. However, SSNs are used for checking information across state lines
and with SSA. If you stopped using the SSNs for that purpose, wouldn't
the DMV-issued numbers that actually appears on the license become in
effect a new national identifier, putting us back in the same place we
started? Why do some States (Hawaii and Washington, DC) still require
the SSN to be displayed on driver's licenses? Why don't they use their
own internal identifying numbers?
I thank you for taking the time to answer these questions for the
record and would appreciate your response by no later than June 23,
2000. In addition to a hard copy of your response, please submit your
response on an IBM compatible 3.5-inch diskette in WordPerfect or
Microsoft Word format. If you have any questions concerning this
request, please feel free to contact Kim Hildred, Staff Director,
Subcommittee on Social Security at (202) 225099263.
Sincerely,
E. Clay Shaw, Jr.
Chairman
May 31, 2000
Mr. Stuart K. Pratt
Vice President, Government Relations
Associated Credit Bureaus, Inc.
1090 Vermont Avenue, N.W.
Suite 200
Washington, DC 20005
Dear Mr. Pratt:
Thank you for testifying before our Subcommittee regarding the use
and misuse of the Social Security number (SSN). In order to complete
our hearing record, I would appreciate your answering the following
questions:
1. Many people are annoyed by the fact that they have to give up
their SSN for practically any business transaction. How would you feel
about a proposal that would prohibit businesses from denying services
to customers who refuse to disclose their SSNs?
2. The fact that SSNs are so widely used indicates that there is a
need for a unique personal identifier. If the use of SSNs is
restricted, do you think another personal identifier will take its
place?
3. In the next 10 or 20 years, what do you think will be used to
identify people who apply for credit or other commercial services? Will
it be the SSN? Some other number? Biometrics?
4. Will the debate over the privacy and security of SSNs eventually
be overtaken by new technologies that are more accurate, more
personalized, and more secure from abuse? Does your industry anticipate
and support such developments?
5. Stories of identity theft and SSN misuse highlight the negative
consequences of widespread SSN use. However, does the widespread use of
SSNs benefit consumers in certain ways? Can you give us examples? If
SSN use were restricted, what would be the downside for consumers?
6. If the use of SSNs was restricted by Federal law, what impact
would it have on your operations?
7. On May 9, we heard testimony from a couple (Lt. Col. Stevens and
Mrs. Stevens) who have had their identities stolen. Their story raised
several troubling issues.
First, the Stevens told us that fraudulent accounts were opened
using their SSNs even though all of the information on the applications
was incorrect, including their names, addresses and birth dates. The
SSN was the only piece of information that was correct on the
applications.
A second troubling issue is that credit-reporting agencies verified
this incorrect information. Variations of a name, address, place of
employment, age, or spouse's name were not questioned -if the SSN
matched up, the information was verified and the fraudulent application
was approved.
--Can you explain how these fraudulent applications could have been
verified and approved?
--Why did the credit-reporting system fail in this case?
--Under current law, are creditors and credit-reporting agencies
accountable when their negligence contributes to identity theft and
other SSN misuses? Do you think that creditors and credit-reporting
agencies should share responsibility in such cases?
8. One of the disturbing items from the testimony by the Stevens
was their statement that the collection agencies did not believe them.
They had to prove they were victims of identity theft. What would you
say to the Stevens? Should the burden of proof fall on the victims of
identity theft?
9. The Stevens explained that they have been prevented from buying
a home, establishing credit accounts, or making normal purchases
because their credit was ruined by no fault of their own. How do credit
reporting agencies assist identity theft victims today?
10. When someone's credit is ruined because of the identity theft,
how long does it take to clear the bad credit from the victim's credit
report? The Stevens complained that bad accounts are recycled through
the same collection agency or they are turned over to other collection
agencies so that the same bad debt keeps reappearing on the credit
report. Can you explain to us how the process works?
11. You noted in your written testimony that your members collect
SSNs only when they are voluntarily provided by consumers. But isn't it
true that in many cases, consumers must provide their SSNs to receive
credit? For example, can a customer be approved for a mortgage without
giving his or her SSN? If consumers must provide SSNs to receive
services, how voluntary is this disclosure?
12. Your members' use of the SSN is governed by the Fair Credit
Reporting Act. In addition, you have a long list of voluntary
initiatives your members have undertaken to combat identity theft and
SSN misuse. Do all of your members follow these initiatives? What
happens to them if they don't? Despite these efforts, fraudulent uses
of SSNs is on the rise. Does this indicate that existing laws are not
being enforced effectively or perhaps self-regulation is not working?
What recommendations do you have to reduce SSN misuse?
13. How does a consumer reporting agency get its information? How
does it determine what information to place in a record and what
information not exclude? How is the authenticity of the information
verified to ensure that incorrect information is not being posted?
I thank you for taking the time to answer these questions for the
record and would appreciate your response by no later than June 23,
2000. In addition to a hard copy of your response, please submit your
response on an IBM compatible 3.5-inch diskette in WordPerfect or
Microsoft Word format. If you have any questions concerning this
request, please feel free to contact Kim Hildred, Staff Director,
Subcommittee on Social Security at (202) 225099263.
Sincerely,
E. Clay Shaw, Jr.
Chairman
May 31, 2000
Ms. Barbara D. Bovbjerg
Associate Director
Education, Workforce and Income Security Issues
Health, Education and Human Services Division
U.S. General Accounting Office
441 G Street, N.W.
Washington, DC 20548
Dear Ms. Bovbjerg:
Thank you for testifying before our Subcommittee regarding the use
and misuse of the Social Security number (SSN). In order to complete
our hearing record, I would appreciate your answering the following
questions:
1. The term ``national identifier'' has a very bad connotation for
many people. In your opinion, has the Social Security number become a
national identifier?
2. In your testimony, you indicated that there is no federal law
that regulates the overall use of SSNs. In your view, is such a law
needed? Is it feasible to enact, administer, and enforce such a law?
3. As you pointed out in your testimony, the Social Security number
was created as a means of tracking workers' earnings and eligibility
for Social Security benefits. It was never intended to serve as a
personal identification document. Only certain information is
maintained by SSA as part of its Social Security number database. What
information is available? What proof is required to obtain a Social
Security number? How have these proof requirements changed over time?
4. Despite public concerns about sharing personal information in
today's electronic world, does the public benefit from the widespread
use of SSNs and the sharing of personal information? Can you provide
some examples?
5. If someone refuses to disclose their SSN to a private business,
can the business, by law, decline to provide the service? For example,
if someone refuses to provide their SSN on a loan application, can the
bank deny the loan?
6. What are the possible effects on businesses of restricting their
use of SSNs?
7. You mentioned in your testimony that many businesses and
agencies are voluntarily restricting the use of SSNs to help protect
their customers' privacy and reduce SSN misuse. Can you please
elaborate on some of these self-regulatory policies?
8. One area not discussed in your written testimony is e-commerce.
How has the high-tech economy affected SSN use? In general, can people
conduct business on the internet without providing their SSNs? How
would restricting the use of SSNs affect e-commerce?
9. You indicated that ``information brokers'' collect SSNs for the
sole purpose of selling them. What exactly is an information broker?
How are consumers served by this industry? What is the downside of
limiting their activities? Why do information brokers need peoples'
SSNs?
10. According to your testimony, the Social Security Act declares
that SSNs obtained by authorized individuals afer October 1, 1990 are
confidential and cannot be disclosed. If the Social Security Act
prohibits the disclosure of SSNs, why is their use so widespread and
why are businesses allowed to ask for the SSN?
11. If the use of the SSN were restricted by federal law, is it
likely that another personal identifier would take its place?
I thank you for taking the time to answer these questions for the
record and would appreciate your response by no later than June 23,
2000. In addition to a hard copy of your response, please submit your
response on an IBM compatible 3.5-inch diskette in WordPerfect or
Microsoft Word format. If you have any questions concerning this
request, please feel free to contact Kim Hildred, Staff Director,
Subcommittee on Social Security at (202) 225099263.
Sincerely,
E. Clay Shaw, Jr.
Chairman
May 31, 2000
Mrs. Roberta Meyer
Senior Counsel
American Council of Life Insurers
1001 Pennsylvania Avenue, NW
Washington, DC 20004
Dear Mrs. Meyer:
Thank you for testifying before our Subcommittee regarding the use
and misuse of the Social Security number (SSN). In order to complete
our hearing record, I would appreciate your answering the following
questions:
1. Are there any legitimate uses of the SSN that you think should
be allowed (such as law enforcement)?
2.Many people are annoyed by the fact that they have to give up
their SSN for practically any business transaction. How would you feel
about a proposal that would prohibit businesses from denying services
to customers who refuse to disclose their SSNs?
3. The fact that SSNs are so widely used indicates that there is a
need for a unique personal identifier. If the use of SSNs is
restricted, do you think another personal identifier will take its
place?
4. In the next 10 or 20 years, what do you think will be used to
identify people who apply for credit or other commercial services? Will
it be the SSN? Some other number? Biometrics? Will the debate over the
privacy and security of SSNs eventually be overtaken by new
technologies that are more accurate, more personalized, and more secure
from abuse? Does your industry anticipate and support such
developments?
5. Stories of identity theft and SSN misuse highlight the negative
consequences of widespread SSN use. However, does the widespread use of
SSNs benefit consumers in certain ways? Can you give us examples?
6. If SSN use were restricted, what would be the downside for
consumers? If the use of SSNs was restricted by Federal law, what
impact would it have on your operations?
7. Your testimony indicates that you often share personal
information with third parties who administer, serve, or enforce
insurance policies. Do these third parties, in turn, share or sell the
information to others? Do you know how these third parties protect the
information which you give them?
8. If sharing personal information is necessary in the insurance
business, do you disclose to your customers who the information is
shared with and how it is used?
9. You note that the privacy provisions in the recently enacted
Gramm-Leach-Bliley Act subject insurers to the most stringent privacy
regulations ever imposed in the United States. When you share personal
information with third parties, are these third parties subject to the
same privacy provisions or do you lose control of what happens to the
information once it is given to a third party?
10. You note that prohibiting the use or sharing of SSNs would make
it almost impossible to provide consumers with certain services. How
were these services provided before the widespread use of SSNs? Has the
SSN always been the primary identifier in the insurance industry?
I thank you for taking the time to answer these questions for the
record and would appreciate your response by no later than June 23,
2000. In addition to a hard copy of your response, please submit your
response on an IBM compatible 3.5-inch diskette in WordPerfect or
Microsoft Word format. If you have any questions concerning this
request, please feel free to contact Kim Hildred, Staff Director,
Subcommittee on Social Security at (202) 225099263.
Sincerely,
E. Clay Shaw, Jr.
Chairman
May 31, 2000
Mr. Edmund Mierzwinski
Consumer Program Director
U.S. Public Interest Research Group
218 D Street SE
Washington, DC 20003
Dear Mr. Mierzwinski:
Thank you for testifying before our Subcommittee regarding the use
and misuse of the Social Security number (SSN). In order to complete
our hearing record, I would appreciate your answering the following
questions:
1. Are there any legitimate uses of the SSN that you think should
be allowed (such as law enforcement)?
2. Many people are annoyed by the fact that they have to give up
their SSN for practically any business transaction. How would you feel
about a proposal that would prohibit businesses from denying services
to customers who refuse to disclose their SSNs?
3. The fact that SSNs are so widely used indicates that there is a
need for a unique personal identifier. If the use of SSNs is
restricted, do you think another personal identifier will take its
place?
4. In the next 10 or 20 years, what do you think will be used to
identify people who apply for credit or other commercial services? Will
it be the SSN? Some other number? Biometrics? Will the debate over the
privacy and security of SSNs eventually be overtaken by new
technologies that are more accurate, more personalized, and more secure
from abuse? Does your industry anticipate and support such
developments?
5. Stories of identity theft and SSN misuse highlight the negative
consequences of widespread SSN use. However, does the widespread use of
SSNs benefit consumers in certain ways? Can you give us examples? If
SSN use were restricted, what would be the downside for consumers?
6. Your testimony mentioned the fact that anyone can purchase
someone else's personal information, including SSNs. Can you tell us
more about the sale of SSNs? Who is allowed to sell SSN's? Who is
allowed to buy them? Why is this information sold and bought? Are there
any laws which currently regulate the sale of SSNs?
7. The widespread use of SSNs definitely contributes to identity
theft. However, it can also protect consumers by improving the accuracy
of record keeping. For example, if John Smith is wanted for child
support payments, having his SSN may make it easier to find the right
John Smith. Are you concerned that restricting the use of SSNs may make
it more difficult to track down the right person for legitimate
reasons?
8. If I understood your testimony correctly, credit bureaus often
collect personal information about consumers. Some of that information
is then sold to third parties for various reasons. In your opinion, the
practice of collecting information for one reason and then using it for
another without the consumer's consent is unfair. Are you proposing
that credit bureaus obtain the customer's consent before selling
personal data, or are you opposed to the practice of selling personal
information altogether?
9. We all agree that stories of identity theft, such as the
Stevens' story, are atrocious. However, would you agree that unique
identifiers do serve a purpose within the business community?
I thank you for taking the time to answer these questions for the
record and would appreciate your response by no later than June 23,
2000. In addition to a hard copy of your response, please submit your
response on an IBM compatible 3.5-inch diskette in WordPerfect or
Microsoft Word format. If you have any questions concerning this
request, please feel free to contact Kim Hildred, Staff Director,
Subcommittee on Social Security at (202) 225099263.
Sincerely,
E. Clay Shaw, Jr.
Chairman
Statement of American Association of Motor Vehicle Administrators
1. Many people are annoyed by the fact that they have to give
up their SSN for practically any business transaction. How
would you feel a bout a proposal that would prohibit businesses
from denying services to customers who refuse to disclose their
SSNs?
AAMVA believes that the collection and use of the SSN has
become widespread and, perhaps, over-used for business
transactions. However, there are some business transactions
that require unique identification of individuals with whom
they do business, i.e., financial services, mortgage lending,
health care services, law enforcement and motor vehicle
licensing to name a few. In all of these cases, there is a
bonafide reason for requiring the collection of this unique
identifier.
The driver's license is the primary form of identification
in the United States. Federal, state, and local governments as
well as every business establishment in this country rely on
their motor vehicle agency to conduct the necessary identity
verification of the individual holding that drivers license
prior to its receipt.
Once the license is received, its validity is rarely
questioned when used as an identification document. It is
presumed to be a valid, authentic official document, authorized
by the administering agency.
If motor vehicle agencies were not permitted to collect the
Social Security Number for identification purposes, the
consequence of fraud or identity theft would be more far-
reaching in this country.
2. The fact that SSNs are so widely used indicates that there
is a need for a unique personal identifier. If the use of SSNs
is restricted, do you think another personal identifier will
take its place?
Yes, if the use of the SSN is restricted, another unique
identifier will take its place. AAMVA supports the concept of a
national driver license number as it would increase the ability
to track repeat DUI offenders and at-risk drivers. It will give
states greater flexibility when drivers relocate to another
state, particularly during the time of license renewal. Today,
the Social Security Number has proven to be the most effective
unique identifier for enhancing the effectiveness of driver
control records. Were another identifier established, it would
have to be national in scope and administered by one
congressionally authorized body.
The Association believes it would take between 50910 years
for states to be able to use such an identifier effectively.
Requisite computer changes and varied license/registration
renewal cycles among the states, would result in a lengthy and
costly implementation period.
In a sense, it would create a driver's license
identification number that would remain with the individual for
a lifetime, regardless of where the individual lived in the
United States. This process would be similar to the one used to
identify vehicles through the one-time issuance of a vehicle
identification number or VIN.
3. In the next 10 to 20 years, what do you think will be used
to identify people who apply for credit or other commercial
services? Will it be the SSN? Some other number? Biometrics?
Will the debate over the privacy and security of SSNs be
eventually overtaken by new technologies that are more
accurate, more personalized, and more secure from abuse? Does
your industry anticipate and support such developments?
AAMVA and a majority of states support the concept of using
biometric technology for identification purposes. Biometric
technology may replace the SSN as a means of identification for
most business transactions. The private sector is taking the
lead in this initiative and is continually offering new
technology. As the public grows more accustomed to credit card
companies and banks requiring biometric identifiers for their
transactions, we believe the public will be more likely to
support government agencies using them as well.
Unfortunately, we do believe that the underlying privacy
debate will probably remain the same regardless of how
accurate, personalized or secure that new technology is.
4. Paragraph missing in original letter.
5. Stories of identity theft and SSN misuse highlight the
negative consequences of widespread SSN use. However, does the
widespread use of SSNs benefit consumers in certain ways? Can
you give us examples? If SSN use were restricted, what would be
the downside for consumers?
Yes, the widespread use of the SSN does benefit consumers
in certain ways. The use of the SSN as an identifier can help
reduce identity fraud, ensure that driver control records are
accurate, and helps the law enforcement officer on the road to
more accurately identifier the driver behind the wheel.
Many people have the same name and date of birth, but only
one SSN, according to the federal government. Because of this,
the SSN, when used as a primary or secondary identifier,
benefits citizens by restricting the number of licenses issued
to any one individual. Eliminating the use of the SSN by motor
vehicle agencies would make it much easier for imposters,
identity thieves, and scofflaws to obtain fraudulent documents
and spread motor vehicle violations out among multiple
licenses.
Consumers also benefit from the use of the SSN in the area
of reciprocity. Were states unable to use the SSN to positively
identify people, traffic violations and/or convictions from a
nonresident jurisdiction could be misapplied to a driver's
record.
The State of Delaware provided an excellent example as
well. A few years ago, a driver attempted to renew his Delaware
driver's license. The law enforcement network showed the
applicant was an escaped prisoner and potentially dangerous.
The name, date of birth and other identifying features of the
driver license applicant exactly matched the person who escaped
from jail. The social security data was not on file. The police
arrested him. The gentleman spent the next six hours trying to
clear his name.
If the SSN were available, the entire matter would not have
occurred. Unfortunately, similar problems occur daily at motor
vehicle agencies.
6. Is the use of SSNs was restricted by Federal law, what
impact would it have on your members?
As we have mentioned previously, restriction on the use of
the SSN by motor vehicle agencies would have a profound effect
on the way our members do business. The SSN is the only cross-
jurisdictional number that allows states to transfer accurate
data to one another. Without the SSN, multiple matches for
license holders will occur and make it much more difficult to
transfer violations and convictions to the correct record
holder or to get dangerous drivers off the road. This
restriction would diminish DMVs' ability to fulfill their
mission as public safety agencies. Without the use of the SSN
as a primary or secondary unique identifier, the customer wait
times at DMV counters or other service centers would increase
dramatically due to the review of additional documentation for
identification verification purposes.
7. Most states give people the option of displaying their SSN
on their driver's license or using a different number issued by
the DMV. Has this option created administrative difficulties
for States? Has it reduced accuracy or the ability to correctly
identify people?
Many states give their residents the option of choosing
whether to display their SSN on the face of the license or an
alternate number. It is important to note that the SSN is used
as a primary or a secondary unique identifier. Even though
jurisdictions allow individuals to conceal their SSN, the
number is retained on file to uniquely identify individuals
when matches arise. Without it, DMV error rates would increase
dramatically.
Under federal law, states must use the SSN as the license
number for all commercial drivers. Congress mandated the use of
the SSN as a means to enhance oversight of the commercial
driving public. Prior to use of the SSN, it was easy for
commercial drivers to get multiple licenses in a number of
states to spread violations and convictions among them to avoid
losing driving privileges. AAMVA supports the ``one driver--one
driver control record'' concept. Using the SSN has proved to be
very effective in limiting the number of commercial licenses
issued, thereby ensuring that bad drivers do not continue to
jeopardize highway safety.
8. Your testimony indicated that states need to collect SSNs
for a variety of law enforcement and public safety reasons.
What are states doing to protect this information once it is
collected? How do states ensure that the information is correct
and not fraudulent?
Under the federal Driver's Privacy Protection Act (18
U.S.C. Sec. 2721092725), states are prohibited from releasing
SSNs from their records with the exception of law enforcement,
the courts, CDL employers (also required by federal law), and
insurance companies for purposes of rate setting. In addition,
this information is released to the Office of Child Support
Enforcement, and other state agencies.
A significant amount of time is spent training document
examiners in state DMVs with experts from the FBI and
Immigration and Naturalization Service on document and identity
fraud. AAMVA has developed a Fraudulent Identification
Prevention Program (FIPP) in conjunction with the National
Highway Traffic Safety Administration (NHTSA) aimed at training
motor vehicle employees on fraud, document examination,
forgeries, and correct identification of documents presented to
establish identity. It is important for us to point out that
motor vehicle agencies stop customers every day for fraudulent
documents and prosecute offenders to the fullest extent of
their state laws. AAMVA members are also frequently called to
serve as expert witnesses at fraud trials based on their
significant expertise in document examination and fraud
detection.
9. Do States collect SSN information solely for law enforcement
and public safety reasons? Are SSNs used by the States for any
other purposes? Do states transfer, sell, or share SSN data to
third partied under any circumstances?
As we mentioned in our answer to the previous question, the
federal Driver's Privacy Protection Act bars state motor
vehicle agencies from disclosing, releasing, or selling SSNs to
anyone. It is permissible to release this data to law
enforcement agencies, courts, insurance companies, and
companies seeking to employ commercial drivers. Within the
state, SSNs are shared with other state agencies, but only for
the purposes of law enforcement, public safety, and child
support.
10. How many pieces of identifying information do states
collect (for example, name, gender, age, address, etc.). With
so many pieces of identifying information, why is the SSN
needed to positively identify an individual?
The number of pieces of identifying information required by
states varies according to state law. AAMVA has developed a
policy statement (DLC Policy 05.10, copy attached) that
outlines acceptable identification documents as a guideline for
the states, and this policy statement has been adopted by the
AAMVA membership. This policy statement recommends that at
least one primary and one secondary document be required from
the applicant for identity verification. Aside from the
identifying information you mention, states also collect
telephone numbers, addresses, height, weight, vision
restrictions, gender, eye color, hair color, SSN, and
photograph, etc.
The SSN is a cross-jurisdictional number that uniquely
identifies the holder of the number and is used behind the
scenes to break ties between multiple matches. The image and
signature have limited usefulness. Signatures and even pictures
can sometimes uniquely identify individuals, but not those who
have a close resemblance or similar handwriting. Without the
ability to use an SSN to uniquely identify an individual, DMV
databases will retrieve multiple matches on common names and it
will not be possible to guarantee that the correct record will
be queried or updated. Commonality in names, particularly in
the Latino community, makes this problem particularly
troublesome in states with large populations.
11. You indicated that your members have continued their
efforts to enhance the security of driver license credentials.
Could you describe these efforts?
In addition to the acceptable identification documents
policy, AAMVA has also developed a policy statement (DLC Policy
02.7) that defines acceptable physical security features to be
incorporated on the license or identification card and
encourages jurisdictions to use at least one overt and covert
security feature in the design of their license to reduce fraud
and counterfeiting. A copy of this policy statement is also
attached.
The initiative to create driver license standards has been
underway within the AAMVA community for decades. Since early
1997, AAMVA has worked with the American National Standards
Institute (ANSI) to publish a standard for the driver license
and identification card.
Due to the overwhelming need for immediate direction in
this area, effective June 30, AAMVA will electronically publish
the first AAMVA National Standard for the driver license/
identification card (DL/ID). The Association continues to
pursue American National Standards Institute approval. The
standard contains detailed specifications on what a DL/ID
should contain and how the information would be encoded in
various machine readable technologies. In addition, the
Standard also gives guidance in the area of security: physical
(features like holographics), data (encryption), and personal
(biometrics like finger imaging).
12. In your testimony you indicated that 49 states allow
individuals to have a number on their driver's license other
than the SSN. However, SSNs are used for checking information
across state lines and with SSA. If you stopped using the SSNs
for that purpose, wouldn't the DMV-issued number that actually
appears on the license become in effect a new national
identifier, putting us back in the same place we started?
That would be the case only if the drivers license number
is nationally administered in conjunction with federally
authorized standards. Currently, each state issues a different
unique identifier and since there is no uniformity at the state
level, it would be impossible to consider the state issued
alternate identifier as a ``national'' identifier. The non-
uniform alternative would create havoc for the many data
exchange systems such as the Commercial Drivers License
Information System (CDLIS) or the Problem Driver Pointer System
(PDPS) mandated by Congress and utilized by DMVs to ensure that
drivers only hold one license, that bad drivers are taken off
the road, and that violations and convictions are recorded on
the correct driving record. The ability to uniquely identify
individuals is of paramount importance to DMVs and law
enforcement officers as well. Without a standardized approach,
AAMVA believes the incidence of identity theft and fraud would
increase greatly.
13. Why do some states (Hawaii and Washington, D.C.) still
require the SSN to be displayed on driver's licenses? Why don't
they use their own internal identifying numbers?
Following the recent hearing, we updated our information on
which jurisdictions offer their residents the option to display
their SSN or an alternate number on the license. We learned
that the District of Columbia does provide residents with an
option. So currently, 50 jurisdictions allow citizens to use
another number as the driver license number. We have also
learned that the State of Hawaii will plan to make the use of
the SSN optional as of January 1, 2001, bringing every state on
board as either prohibiting the SSN from being displayed or
giving consumers the option. The use of the SSN behind the
scenes will continue to be an important tool for our members to
fulfill their missions and to enhance public safety. Our next
step is to determine what percentage of citizens have opted to
not use the SSN.
10. ACCEPTABLE IDENTIFICATION DOCUMENTS
Any applicant for an original or initial driver license or
identification card shall be required to submit at least one
primary document and one secondary document as approved by the
Driver Licensing and Control Committee. A primary document must
contain the applicant's full name and date of birth and must be
verifiable.
Additional documentation may be required by the licensing
agency if the documentation provided is questionable.
Licensing agencies shall publish information which contains
identification procedures and lists acceptable documents.
Primary Documents
U.S. Canadian photo driver license
U.S. or Canadian photo ID card
Microfilm / copy of a driver license or ID card
certified by the issuing agency
Certificate of birth (U.S. or Canadian issued).
Must be original or certified copy, have a seal and be issued
by an authorized government agency such as the Bureau of Vital
Statistics or State Board of Health. Hospital issued
certificates and baptismal certificates are not acceptable.
INS documents (must be a valid unexpired document)
as follows:
--Certificate of Naturalization (N09550, N09570, or N09578)
--Certificate of Citizenship (N09560, N09561 or N09645)
--Northern Mariana Card
--American Indian Card
--U.S. Citizen Identification Card (I09179 or I09197)
--Resident Alien Card (I09551)
--Temporary Resident Identification Card (I09688)
--Record of Arrival and Departure (in a valid Foreign
Passport) (I0994)
--Valid foreign Passport containing an I09551 stamp
--U.S. Re-entry Permit (I09327)
--Refugee Travel Document (I09571)
--Employment Authorization card (I09688A, I09688B, I09766)
--Record of Arrival and Departure, stamped ``Refugee''
(I0994) (Refugee I'94's will likely not be in a foreign
passport)
Canadian Immigration Record and Visa or Record of
Landing (IMM 100)
Active Duty, Retiree or Reservist military ID card
Valid Passport, U.S. or Canadian. If foreign
passport, appropriate INS document is also required.
U.S. or Canadian issued learner's permit. An out-
of-state or province issued permit is acceptable only if it
contains a photo.
Canadian Department of Indian Affairs issued ID
card. Tribal issued card is not acceptable. U.S. issued
Department of Indian Affairs card is not acceptable.
Secondary Documents
All primary documents
Court order. Must contain full name, date of birth
and court seal. Examples include adoption document, name change
document, gender change document, etc. Does not include
abstract of criminal or civil conviction.
INS documents listed above, under Primary
Documents, which are expired one year or less
Bureau of Indian Affairs Card/Indian Treaty Card.
Tribal ID card is NOT acceptable. NOTE: Some Tribal ID Cards
are actually more reliable than the BIA card. Motor vehicle
agencies should make a determination on whether to accept the
card based on their own research of what is acceptable.
Employer photo ID card
Foreign birth certificate. Must be translated by
approved translator.
Health insurance card, i.e., Blue Cross/Blue
Shield, Kaiser, HMO.
IRS/state tax form. W092 NOT acceptable.
Marriage certificate/license
Medical records from doctor/hospital
Military dependent ID card
Military discharge/separation papers
Parent/guardian affidavit. Parent/guardian must
appear in person, prove his/her identity and submit a
certified/notarized affidavit regarding the child's identity.
Applies only to minors.
Gun permit
Pilots license
School record/transcript. Must be certified.
Social security card. Metal card is NOT
acceptable.
Social insurance card (for Canadian residents
only).
Student ID card. Must contain photo.
Vehicle title. Vehicle registration NOT
acceptable.
Photo public assistance card
Prison release document.
Additional documentation may be required at the
jurisdiction's discretion if documentation submitted is
questionable or if the issuing agency has reason to believe the
person is not who s/he claims to be.
In exceptional circumstances where a primary/secondary
document contained on this list is not available, personnel
authorized by the licensing agency may accept alternative
documents to verify a person's identity. [Amended 1997]
July 7, 2000
The Honorable E. Clay Shaw, Jr., Chairman
Subcommittee on Social Security
Committee on Ways and Means
U.S. House of Representatives
Washington, DC 20515
Re: Questions in relation to Social Security Numbers
Dear Chairman Shaw:
I am writing on behalf of the American Council of Life Insurers
(ACLI) in response to your letter of May 31, 2000, posing several
questions in relation to the use and misuse of Social Security numbers
(SSNs). The ACLI is pleased to have the opportunity to elaborate on our
testimony of May 11, 2000. The questions and our responses are as
follows:
1. Are there any legitimate uses of the SSN that you think should be
allowed (such as law enforcement)?
Yes, in fact , the ACLI strongly believes that there are a number
of legitimate uses of SSN that greatly benefit American insurance
consumers. As indicated in our testimony before your subcommittee, the
very nature of life, disability income and long term care insurance
involves personal and confidential relationships. However, insurers
which sell these products must be able to obtain, use, and share their
customers' health and nonpublic personal information, including their
social security numbers, to perform legitimate insurance business
functions. These functions are essential to insurers' ability to serve
and meet their contractual obligations to their existing and
prospective customers.
Insurers sometimes must use proposed insureds' SSNs in order to
obtain medical information, essential to underwriting, from doctors and
hospitals which use SSNs as identification numbers. Insurers may also
use SSNs to obtain motor vehicle record information relevant to an
application for coverage. (Motor vehicle information is sometimes used
by insurers as one factor in assessing risk.)
Once an insurance policy is issued, insurers use their customers'
personal information, including SSNs, to perform essential, core
functions associated with an insurance contract, such as claims
evaluations and policy administration. In addition, insurers also use
this information to perform important business functions, not
necessarily directly related to a particular insurance contract, but
essential to the administration or servicing of insurance policies
generally, such as, for example, development and maintenance of
computer systems. The ability to use this information for these
purposes is crucial. Service and administration are fundamental parts
of insurers' relationship with their customers.
Insurers use SSNs to verify the identity of policyholders. They
use them to authenticate the identity of individuals who call into call
centers in order to get information about a particular policy or
policies. SSNs are also used to help a customer locate lost policies or
verify all of the policies they may have with a particular insurer.
SSNs are used by insurers to locate missing policyholders to whom they
may owe money. Insurers use SSNs in connection with the administration
of pension plans, as identification numbers. They use them as PIN
numbers for customers' use of on-line services. They use them in
connection with payroll deduction under group insurance coverage
provided by an employer to its employees.
Life, disability income, and long term care insurers must
regularly disclose personal health and financial information, which is
likely to include SSNs, to: (1) state insurance departments as a result
of their general regulatory oversight of insurers, which includes
regular market conduct and financial examinations of insurers; (2)
self-regulatory organizations, such as the Insurance Marketplace
Standards Association (IMSA), which imposes and monitors adherence to
requirements with respect to member insurers' conduct in the
marketplace; and (3) state insurance guaranty funds, which seek to
satisfy policyholder claims in the event of impairment or insolvency of
an insurer or to facilitate rehabilitations or liquidations which
typically require broad access to policyholder information.
Life, disability income, and long term care insurers need to (and,
in fact, in some states are required to) disclose personal information,
including SSNs, in order to protect against or to prevent actual or
potential fraud. Such disclosures are made to law enforcement agencies,
state insurance departments, the Medical Information Bureau (MIB), or
outside attorneys or investigators, which work for the insurer.
Insurers are required to use SSNs to report to the IRS a variety
of payments including, but not limited to, interest payments, certain
dividends, and policy investigations. At least one state, Rhode Island,
requires that insurers match ``deadbeat'' parents data before making
payments on claims. SSNs are required for that matching.
In the event of a proposed or consummated sale, merger, transfer,
or exchange of all or a portion of an insurance company, it is often
essential that the insurer be able to disclose company files.
Naturally, these files can contain personal information, including
SSNs. Such disclosures are often necessary to the due diligence process
which takes place prior to consummation of the deal and are clearly
necessary once the deal is completed when the newly created entity
often must use policyholder files in order to conduct business.
Insurers also frequently enter into reinsurance contracts in order to,
among other things, increase the amount and volume of coverage they can
provide. These arrangements, too, necessitate the disclosure of
personal information, including SSNs, by the primary insurer to the
reinsurer.
2. Many people are annoyed by the fact that they have to give up their
SSN for practically any business transaction. How would you feel about
a proposal that would prohibit businesses from denying services to
customers who refuse to disclose their SSNs?
ACLI member companies would be strongly opposed to a proposal that
would prohibit businesses from denying services to customers who refuse
to disclose their SSNs. As indicated above, insurers must be able to
use consumers' personal information, including their SSNs in order to
perform essential business functions, as described above. If consumers
were to be permitted to withhold SSNs, it would be
extremely difficult, if not impossible, for insurers to provide
consumers with the coverage, service, benefits, and economies that
otherwise would be available. As also noted above, there are a number
of disclosures of SSNs which insurers are required to make by law, such
as disclosures to the IRS and law enforcement agencies.
3. The fact that SSNs are so widely used indicates that there is a need
for a unique personal identifier. If the use of SSNs is restricted, do
you think another personal identifier will take its place?
The ACLI has no policy with respect to use of personal identifiers
other than SSNs.
4. In the next 10 or 20 years, what do you think will be used to
identify people who apply for credit or other commercial services? Will
it be the SSN? Some other number? Biometrics? Will the debate over the
privacy and security of SSNs eventually be overtaken by new
technologies that are more accurate, more personalized, and more secure
from abuse? Does your industry anticipate and support such
developments?
The ACLI is not in a position to anticipate what types of personal
identifiers will be used in the future and has no policy regarding
future development of alternative personal identifiers.
5. Stories of identity theft and SSN misuse highlight the negative
consequences of widespread SSN use. However, does the widespread use of
SSNs benefit consumers in certain ways? Can you give us examples? If
SSN use were restricted, what would be the downside for consumer?
As stated in our response to question #1, insurers use SSNs in a
multitude of ways to benefit consumers. If insurers' use of SSNs were
to be restricted, the downside to consumers would include the
following, among other things: (1) fraud investigations would be
impaired, the ultimate cost of which would be borne by consumers; (2)
if insurers were to be prohibited from using SSNs to obtain medical
information necessary to underwriting, the risk classification process
would be jeopardized, which, in a nut shell, could jeopardize insurers'
ability to pay consumer customers' future claims and insurers' ability
to keep their products widely available at affordable prices, as they
are now in this country; (3) it would make it difficult, if not
impossible, for insurers to authenticate and quickly serve customers
who phone into call-in centers and to locate missing customers to whom
they may owe monies; (4) it would make it more difficult for insurers
to administer employee benefit plans, likely to result in increased
administrative costs which, again, ultimately are likely to be borne by
consumers; (5) it would jeopardize market oversight activities by state
insurance departments and insurance self-regulatory organizations,
jeopardizing the consumer protections devolving from these activities;
and (6) it would make more difficult the operation of state guaranty
funds which seek to pay consumer claims in the event of an insurer's
insolvency or impairment.
6. If the use of SSNs was restricted by Federal law, what impact would
it have on your operations?
Our responses to questions #'s 1 and 5 address the importance of
insurers' use of SSNs to insurers' day to day operations and their
ability to serve their existing and prospective customers. In general,
restrictions on insurers' ability to use SSNs would make it much more
difficult for them to issue new insurance policies, to service and
fulfill their contractual obligations under existing insurance
contracts, and to engage in other ordinary business transactions. It
would make it virtually impossible for insurers to make required
reports to the IRS and other government agencies, including law
enforcement agencies and state insurance departments.
7. Your testimony indicates that you often share personal information
with third parties who administer, serve, or enforce insurance
policies. Do these third parties, in turn, share or sell the
information to others? Do you know how these third parties protect the
information which you give them?
Third parties to whom insurer financial institutions disclose
nonpublic personal information, including SSNs, are bound by the Gramm-
Leach-Bliley Act (GLBA)
Title V privacy provisions. Under Section 502(c) of the GLBA,
third parties recipients of information from financial institutions may
only disclose nonpublic personal information to a nonaffiliate of the
financial institution or the receiving third party the same extent to
which the GLBA permits the financial institution to disclose the
information.
Section 502 of the GLBA provides that, subject to specific,
limited exceptions, a financial institution may not disclose nonpublic
personal information, including SSNs, to a nonaffiliated third party
unless: (a) the financial institution has clearly and conspicuously
disclosed to the consumer that such information may be disclosed; (b)
the consumer is given the opportunity, before the information is
disclosed, to direct that the information not be disclosed; and (c) the
consumer is given an explanation of how the consumer can exercise that
nondisclosure (or ``opt-out'') option. (Attachment A -copy of Title V
of the GLBA)
8. If sharing personal information is necessary in the insurance
business, do you disclose to your customers who the information is
shared with and how it is used?
Insurer financial institutions are subject to the extensive GLBA
notice requirements. Section 503(a) of the GLBA requires that at the
time of establishing a customer relationship and not less than annually
during the continuation of such relationship, a financial institution
shall provide clear and conspicuous disclosure to such consumer of such
financial institution's policies and practices with respect to: (a)
disclosing nonpublic personal information, including SSNs, to
affiliates and nonaffiliated third parties, including the categories of
information that may be disclosed; (b) disclosing nonpublic personal
information of persons who have ceased to be customers of the financial
institution; and (c) protecting the nonpublic personal information of
consumers.
Section 503(b) elaborates on the information that must be included
in these notices and requires that they also include descriptions of:
(a) the categories of persons to whom the information is or may be
disclosed; (b) the categories of nonpublic personal information
collected by the financial institution; (c) the policies that the
institution maintains to protect the confidentiality and security of
the information; and (d) the disclosures required, if any, under the
Fair Credit Reporting Act.
9. You note that the privacy provisions in the recently enacted Gramm-
Leach-Bliley Act subject insurers to the most stringent privacy
regulations ever imposed in the United States. When you share personal
information with third parties, are these third parties subject to the
same privacy provisions or do you lose control of what happens to the
information once it is given to a third party?
Our response to question #7 also addresses this question.
10. You note that prohibiting the use or sharing of SSNs would make it
almost impossible to provide consumers with certain services. How were
these services provided before the widespread use of SSNs? Has the SSN
always been the primary identifier in the insurance industry?
Given the length of time SSNs have been used by insurers and the
multitude of ways in which insurers now use them, a prohibition or
restriction on the use of SSNs would make it almost impossible to
provide consumers with many of the services currently available.
Moreover, the many changes in the insurance industry and technology
over the last few years, make it questionable whether practices that
worked successfully twenty five or thirty years will work today. Many
of the purposes for which SSNs are now used did not exist years ago.
Moreover, a requirement that insurers return to their previous
practices, whatever they were, would involve extensive and expensive
changes in current practices.
We appreciate your continued consideration of our views and would
be glad to respond to any additional questions that you may have in
relation to this very important issue.
Sincerely,
Roberta B. Meyer
Associated Credit Bureaus, Inc.
1090 Vermont Avenue, N.W.
Suite 200
Washington, DC 20005094905
November 17, 2000
The Honorable Clay Shaw
Committee on Ways and Means
Subcommittee on Social Security
U.S. House of Representatives
Washington, D.C. 20515
Dear Chairman Shaw:
I was contacted by George Penn on your staff regarding a letter you
submitted to the Associated Credit Bureaus in May of this year which
outlined a series of questions in follow up to our testimony before
your Committee. Below are answers to your questions.
Q.1 Many people are annoyed by the fact that they have to give up
their SSN for practically any business transaction. How would you feel
about a proposal that would prohibit businesses from denying services
to customers who refuse to disclose their SSNs?
A.1 Consistent with our testimony, the SSN plays a vital role in
both the consumer reporting agency's ability to build accurate data
bases and to extract data from these data bases.
Where, as a result of this proposal, data furnishers such as
creditors are providing data to consumer reporting agencies without an
SSN, our members will likely not load data with the same degree of
precision. This is particularly true where a new account has been
opened and is being added to the consumer's file for the first time.
Consumer reporting agencies of all types have, under the Fair Credit
Reporting Act, a duty to maintain reasonable procedures to ensure the
maximum possible accuracy of the file. The absence of an SSN will
diminish the ability of the agency to meet this requirement of current
law.
Another likely unintended consequence of this proposal would be
diminished ability to identify the proper file of the consumer where
he/she has applied for credit. If a consumer reporting agency cannot,
with precision, identify the proper file of the consumer it returns a
message to the creditor indicating that no record was found. This
result would likely lead to far higher credit denials for consumers due
to the inability of the creditor to review the consumer's credit
history. Said differently, the Fair Credit Reporting Act certainly does
not contemplate the consumer reporting agency ``taking a guess'' as to
which consumer's file must be accessed and thus this current liability
coupled with the absence of the SSN would seriously impinge on the way
in which credit is granted in this country today.
As we stated in our testimony, according to the U.S. Census Bureau,
42 million consumers move every year. Added to this are millions of
marriages and divorces. Other traditional items of identifying
information are not always stable and thus the SSN is extremely
important to our industry's ability to comply with current law.
Q.2 The fact that the SSN is so widely used indicates that there is
a need for a unique personal identifier. If the use of SSNs is
restricted, do you think another personal identifier will take its
place.
A.2 Clearly the market would have to attempt to find alternative
methods of identification.
If unique identifiers are not consistent across various systems,
however, then child support enforcement efforts, for example, will
diminish. In fact, all systems of location, which are used today to
locate heirs to estates, stock holders for proxy votes, debtors who
haven't paid their bills, organ or blood donors, and for other
purposes, would be greatly diminished in effectiveness. Further, fraud
prevention systems that are used to reduce the incidence of identity
theft, or to authenticate consumers in an e-commerce or bricks-and-
mortar context will be rendered less effective, as well.
Said differently, after having verified that a consumer is
legitimate, a bank, for example, can then create a unique identifier
such as a customer or PIN number. But as long as the bank is dependent
on third-party sources to cross check applicant data, unique
identifiers must cut across external data sources.
Q.3 In the next 10 or 20 years, what do you think will be used to
identify people who apply for credit or other commercial services? Will
it be the SSN? Some other number? Biometrics? Will the debate over the
privacy and security of SSNs eventually be overtaken by new
technologies that are more accurate, more personalized, and more secure
from abuse? Does your industry anticipate and support such
developments.
A.3 Our industry clearly supports and expects the continued
evolution of technologies that allow for crime-free consumer-to-
business and even business-to-business transactions. It is difficult
for us to hypothesize about which technologies will be effective and
acceptable to consumers. Consistent with our answer to question 2,
there will continue to be a need for systems of identification that cut
across industries and data bases to assure fraud prevention, location
and more.
Q.4 Stories of identity theft and SSN misuse highlight the negative
consequences of widespread SSN use. However, does the widespread use of
SSNs benefit consumers in certain ways? Can you give us examples? If
SSN use were restricted, what would be the downside for consumers?
A.4 The SSN allows for consistency across various systems and data
bases. The benefits are manifold for consumers and society in general.
Child Support--For example, child support enforcement efforts are
far more effective in accomplishing their mission where the SSN is
used. One agency reports that they are able to locate fully 80% more
delinquent non-custodial parents when the SSN is available.
Locator Services--The SSN increases the effectiveness of all
locator/skip tracing systems, which are used today to locate heirs to
estates, stock holders for proxy votes, debtors who haven't paid their
bills, organ or blood donors, and for other purposes, would be greatly
diminished in effectiveness. Further a number of states report that use
of SSNs to match across data bases has greatly reduced entitlement
fraud.
Fraud Prevention--The SSN also helps businesses to prevent fraud by
cross-checking applicant data against various other data sources in
order to authenticate the consumers identity. Absent the use of an SSN,
these systems will be far less likely to trigger security protocols,
which prevent the crime of identity theft.
Q.5 If the use of SSNs was restricted by Federal law, what impact
would it have on your operations.
A.5 In part our answer would have to be predicated on the
restrictions imposed. In general our answers to the questions above
provide a good overview of the consequences of a very broad
restriction.
Q.6 On May 9, we heard testimony from a couple (Lt. Col. Stevens
and Mrs. Stevens) who have had their identities stolen. Their story
raised several troubling issues.
First, the Stevens told us that fraudulent accounts were opened
using their SSNs even though all of the information on the applications
was incorrect, including their names, addresses and birth dates. The
SSN was the only piece of information that was correct on the
applications.
A second troubling issue is that credit reporting agencies verified
this incorrect information. Variations of a name, address, place of
employment, age, or spouse's name were not questioned -if the SSN
matched up, the information was verified and the fraudulent application
was approved.
a. Can you explain how these fraudulent applications could have
been verified and approved?
A.a This question is best answered by the business that approved
the application.
b. Why did the credit reporting system fail in this case?
A.b Since ACB does not have access to the Stevens' file, nor to the
particulars of the situation, we cannot provide any answer other than
to say that our systems are designed to accurately identify a
consumer's record when correct identifying information is submitted.
c. Under current law, are creditors and credit reporting agencies
accountable when their negligence contributes to identity theft and
other SSN misuses? Do you think that creditors and credit reporting
agencies should share responsibility in such cases.
A.c Identity theft is a crime that affects consumers, credits and
consumer reporting agencies. The consumer reporting industry has
voluntarily established initiatives to help victims of identity theft.
Further, the industry is already regulated by extensive law (15 U.S.C.
1681 et seq.) which creates duties for consumer reporting agencies to
build accurate files, limit the uses of such data and ensure files are
properly identified. Criminals who perpetrate this crime should be
punished and ensure that there is a deterrent for others who might
otherwise consider perpetrating identity theft.
Q.7 One of the disturbing items from the testimony by the Stevens
was their statement that the collection agencies did not believe them.
They had to prove they were victims of identity theft. What would you
say to the Stevens? Should the burden of proof fall on the victims of
identity theft?
A.7 Under the Fair Debt Collection Practices Act a consumer has the
right to request that the debt collector validate the account in
question. We encourage the committee to review the duties and consumer
protections in this law as you evaluate the Stevens' situation.
Q.8 The Stevens explained that they have been prevented from buying
a home, establishing credit accounts, or making normal purchases
because their credit was ruined by no fault of their own. How do credit
reporting agencies assist identity theft victims today?
A.8 In addition to the duties a consumer reporting agency has under
the Fair Credit Reporting Act, see the attached initiatives which the
industry announced in March of this year.
Q.9 When someone's credit is ruined because of the identity theft,
how long does it take to clear the bad credit from the victim's credit
report? The Stevens complained that bad accounts are recycled through
the same collection agency or they are turned over to the other
collection agencies so that the same bad debt keeps reappearing on the
credit report. Can you explain to us how the process works?
A.9 It is difficult to make a general statement about the time
frame for clearing a file. The Fair Credit Reporting Act requires that
a reinvestigation of disputed data be resolved within 30 days. The
extent of the crime is the key factor in clearing a consumer's record.
We cannot comment on the practices of other industry segments with
regard to an account being transferred to multiple collection agencies.
Q.10 You note in your written testimony that your members collect
SSNs only when they are voluntarily provided by consumers. But isn't it
true that in many cases, consumers must provide their SSNs to receive
credit? For example, can a customer be approved for a mortgage without
giving his or her SSN? If consumers must provide SSNs to receive
services, how voluntary is this disclosure?
A.10 It is likely true that many creditors, in order to properly
identify the consumer, prevent fraud and ultimately approve credit, do
need the SSN. It would be best to explore this question further with
the creditor community.
Q.11 Your members' use of the SSN is governed by the Fair Credit
Reporting Act. In addition, you have a long list of voluntary
initiatives your members have undertaken to combat identity theft and
SSN misuse. Do all of your members follow these initiatives? What
happens to them if they don't? Despite these efforts, fraudulent uses
of SSNs is on the rise. Does this indicate that existing laws are not
being enforced effectively or perhaps self-regulation is not working?
What recommendations do you have to reduce SSN misues?
A.11 Our largest members, which operate nationwide consumer
reporting systems, are implementing the initiatives discussed in our
testimony. Due to the nature of our industry, the implementation of the
initiatives by the nationwide systems will effectively extend them to
our other members as well. We do believe that self-regulatory programs
are an essential component of the solution to the problem of identity
theft. We also agree that the laws that are on the books must be
enforced and in particular the newly enacted Identity Theft Assumption
and Deterrence Act of 1998 as well as Title V, Subtitle (b) of Gramm-
Leach-Bliley, which prohibits the practice of pretext calling.
Regarding SSN misuse, we believe consumer education can be an essential
component of the solution. ACB is working towards consumer education
efforts that should help consumers make better decisions about
protecting sensitive information.
Q.12 How does a consumer reporting agency get its information? How
does it determine what information to place in a record and what
information not exclude [sic]? How is the authenticity of the
information verified to ensure that incorrect information is not being
posted?
A.12 Our testimony generally addresses the types of information we
gather and the sources from which we receive it. Creditors, collection
agencies and other data sources including the Department of Education
report data on regular cycles. The market place generally determines
what information is of value and thus what data is included in a
consumer report. The definition of a ``consumer report'' under the FCRA
is purposely broad to ensure that a wide range of information sources
are in fact governed by the Act and thus consumers are protected in
terms of rights and an expectation that duties will be fulfilled. In
terms of authenticity, data furnishers must first be evaluated to
ensure that they are legitimate businesses, and that they can provide
accurate information for data is accepted.
We look forward to working with you to ensure that consumer's
Social Security Numbers are used responsibly and appreciate the efforts
of your staff to understand our industry's practices and concerns.
Sincerely,
Stuart K. Pratt
Vice President
Government Relations
This hearing is adjourned.
[Whereupon, at 4:52 p.m., the hearing was adjourned.]
[Submissions for the record follow:]
American Target Advertising, Inc.
Manassas, Virginia 20110
May 10, 2000
The Honorable E. Clay Shaw
Chairman
Subcommittee on Social Security
2408 Rayburn HOB
Washington, D.C. 20515
Re: Hearings on Social Security Number Misuse
Dear Chairman Shaw:
I became aware of your hearings on social security number misuse
only last evening when watching C-Span, so I apologize for not getting
these comments to you earlier.
I am President of Operations and General Counsel for American
Target Advertising, Inc. (``ATA''). ATA is a direct marketing agency
whose only office is in Manassas, Virginia. ATA's marketing services
include a variety of fundraising-related activities, including advising
and counseling clients about the use of direct mail and preparing
direct mail letters for its clients. ATA's clients include political
campaigns as well as nonprofit organizations under Internal Revenue
Code sections 501(c)(3) and 501(c)(4). Recently, ATA began to expand
its fundraising activities for its various political clients by
providing a small telemarketing operation to both supplement the direct
mail fundraising messages and to raise additional funds from active
supporters.
When acting in a capacity for its nonprofit clients' direct mail,
ATA must register as a fundraising counsel (or consultant, as it is
also called) in a number of states that have what are known as
charitable solicitation laws. ATA is obligated to register in many
states before its nonprofit clients may mail letters into those states
even though ATA does not conduct business in those states.\1\ A growing
number of counties and cities are enacting similar laws. Pinellas
County, Florida is one of those counties. As part of its licensing
application, Pinellas County requires the drivers license number of
various employees of the applicants for a professional fundraising
consultant's license. See Attachment A.
---------------------------------------------------------------------------
\1\ ATA has challenged the constitutionality of such laws under
First Amendment, Commerce Clause and Due Process grounds, and has
recently filed a petition with the United States Supreme Court to ask
the Court to determine whether such licensing laws are constitutional.
---------------------------------------------------------------------------
I notified the appropriate officials in Pinellas County that the
Virginia drivers license number is actually the same as one's social
security number. I informed those officials that under the Federal
Privacy Act, it is unlawful to require the submission of one's social
security number as a condition for the issuance of a separate state
license. I was informed by those officials that they would not heed the
Federal Privacy Act. ATA refused to provide those numbers in its
application for a fundraising counsel license, and Pinellas County
rejected ATA's license application.\2\
---------------------------------------------------------------------------
\2\ The state of Utah's licensing application also required the
listing of the social security number of the registered agent of a
fundraising counsel. However, such part of the application was added at
the discretion of the Director of the Division of Consumer Affairs. The
portion of the Utah Charitable Solicitations Act which gave the
Director such discretion was declared unconstitutional on its face in
American Target Advertising, Inc. v. Giani, 199 F.3d 1241 (10th Cir.
2000).
---------------------------------------------------------------------------
On May 19, 1999, I wrote to the General Counsel of the Social
Security Administration, noting that Pinellas County required the
drivers license numbers of employees (and thus their social security
numbers) on licensing application forms in violation of the Federal
Privacy Act. I asked for the assistance of the Social Security
Administration in enforcing the protection of social security numbers
in light of the Pinellas County application form. See Attachment B. I
received a reply dated October 18, 1999 from Associate General Counsel
Michael Hoover noting that the SSA has no authority to enforce the
Federal Privacy Act. See Attachment C.
Since then, ATA has reviewed the applications required to register
to conduct telephone solicitations into various states under various
charitable solicitation laws. In its review thus far, ATA has found
that a number of states require either the drivers license numbers or
social security numbers of ATA's employees as a condition to obtain a
license to make solicitation calls on behalf of ATA's nonprofit
clients. Some of those states, their statutes, and the corresponding
license application forms are as follows: Alabama (Alabama Code section
13A0990971), Attachment D at item 13; Illinois (Illinois Charitable
Organization Laws Ch. 23, par. 5108), Attachment E at item 6;
Mississippi (Regulation of Charitable Solicitations section
79091109517), Attachment F at item 2; New York (Article 7-A of the
Executive Law Solicitation and Collection of Funds for Charitable
Purposes section 173-b), Attachment G at Item 7; South Carolina
(Solicitations of Charitable Funds Act section 33095609110), Attachment
H item 3; Tennessee (Tennessee Charitable Solicitations Act section
480910109507), Attachment I item 5.
With the concerns that the Subcommittee has with regard to the
misuse of social security number, I ask that the Subcommittee consider
the deplorable fact that states and their principal law enforcement
officials (typically the attorneys general) require the public
disclosure of individuals' social security number. These license
applications are made available to the public. See, e.g., South
Carolina's statute, section 3309560980, which reads in relevant part,
``Registration statements and applications . . . and information
required to be filed under this chapter . . . are public records in the
Office of the Secretary of state and are open to the general public for
inspection at such time and under such conditions as the Secretary of
State may prescribe.''
In other words, states, counties and cities, and their highest
ranking law enforcement officials are inviting the misuse of social
security numbers under laws and/or licensing application forms that
already violate the Federal Privacy Act. This is doubly troubling, and
in my opinion even more egregious than any misuse of social security
numbers by private firms that may not be aware of such misuse of social
security numbers. The ironic part about this whole situation is that
the states claim that they need these licensing laws to prevent fraud.
In fact, they open the doors to consumer fraud by requiring these
numbers for public inspection.
It is incumbent on government officials to apply the laws
correctly. As with Pinellas County, which was warned that their
licensing application form violates the Federal Privacy Act and
increases the chances of misuse of social security laws, many of the
state officials to whom I have addressed these facts have not been
merely complacent, but have been defiant.
I hope that the Subcommittee will look into this matter. While I am
aware of these laws as they affect agencies like ATA, which is an
admittedly small segment of businesses, this is a problem the nature of
which I am relatively certain is more expansive than just within my
particular industry.
I thank you for the opportunity to submit these comments. I
apologize for their haste in the making, but I would be willing to
answer more questions at the Subcommittee's request.
Very truly yours,
Mark J. Fitzgibbons
President of Operations and
General Counsel
Enclosures
[Attachments are being retained in the Committee files.]
Mineral, Virginia
May 11, 2000
Committee On Ways and Means
Subcommittee On Social Security
Hearings of May 9, 2000 and May 11, 2000
The following is a prepared written testimony to be recorded with
the hearings on Tuesday May 9 and Thursday May 11, 2000 regarding ``
Use and Misuse of Social Security Numbers.'' This written testimony is
submitted by Robert J. Anderson of Mineral Virginia, a private citizen.
What Social Security Means to Me
I am a victim of Social Security number misuse. Last year,
it was my privilege to testify before the Joint Commerce
Committee's on April 22, 1999 (Serial 1060916 Cong. Record)
regarding the issue of the new criminal law HR 4151 (18 U.S.C.
1028) and Identity Theft. I deeply regret that I was out of
town when your office called me to testify in person, but
nonetheless, want to submit this written update to my previous
Congressional Record testimony.
In prior testimony, Identity Theft: Is There Another You?
(April 22, 1999 1060916 Cong. Record pg. 140915) I submitted an
account of what has occurred over the past several years of my
life dating back to 1995 regarding SSAN misuse and erroneous
enumeration, to others, by the Social Security Administration.
SSA advised me by letter on Dec. 7, 1995 that SSA had issued my
SSAN five different times to a person in California. That
person than used the number for credit fraud. I was in constant
contact with the Social Security Administration Office of
Inspector General from February 1996 until last year. I got no
results until I contacted the United States Congress with a
complaint.
Following my Congressional testimony on April 22, 1999, I
received the attached letter from the Social Security
Administration OIG. I understand that Congressman Shaw was also
sent a copy of the letter dated April 28, 1999. (Attach. A)
Basically, SSA/OIG Baltimore, Md. took the position that
administrative error took place on the part of their SSA
District Offices in California, and this had caused the severe
problems I experienced, and that there was no finding of
criminal wrongdoing on the part of the person in California. Of
course, this negated any legal or law enforcement action under
the new Criminal law. Since Civil action is nearly impossible,
this left the person in California off the hook.
Subsequently, following a meeting with the local District
Office here in Virginia, I received a kind letter apologizing
for the multiple errors of the Administration, and offering to
issue a new Social Security Number to myself. After checking
with a number of financial institutions, including a major CRA,
I found that in today's information world, changing the SSAN
would not accomplish anything since there are too many cross
references and they would certainly cross reference the credit
file to the new SSAN. Pervasive use of the SSAN has resulted in
a very tangled web. Thus I remain victimized by misfeasance on
the part of several SSA California District Offices.
Review of Social Security Earnings Reports
When credit fraud and other misuse of my SSAN began, strange things
showed up on my SSA earnings record. During my years as a Federal
Employee there was no record of SSA tax, being paid, rather I paid
about 10 % of earnings into the Civil Service Retirement Fund. Thus,
erroneous SSA earnings reported would have been obvious on my SSA
earnings record. There were no errors. However, from 1988 thru 1992
after leaving Civil Service, I posted earnings in excess of the SSA
taxable limits, and thus, small amounts posted to my account did not
show. It is impossible for me to tell if the California person had been
avoiding tax, or reporting on my SSAN. When I finally retired from
private industry, it became obvious that small earnings were being
reported to my SSA earnings account by the person in California.
As I previously testified, all of this activity occurred in a small
area of California and seemingly should have been easy for the Social
Security Administration to fix, given the amount of well documented
evidence I provided, to the SSA/OIG. It is incomprehensible that the
Federal Government could not fix the problem. Earnings report errors
still occur. As recently as April, 10, 2000 there are still erroneous
earnings for 1998 showing up on my report. My local SSA Office has
quickly and kindly corrected the intrusion, but I still must wait for a
formal correction from Office of Central Records, (OCRO) in Baltimore
to verify the error. I have no idea what happened in 1999 as earnings
are not yes posted. My local SSA office tells me, nothing yet.
As a retired Civil Service Federal Employee devoting a career to
the Federal Government,
I will never see Social Security benefits under current law, even
though I am a widower (Survivors) and have paid into Social Security
(Taxable earnings) for 17 years. This is due to the Windfall
Elimination Provision (WEP)-AND the Government Pension Offset (GPO)
laws.
The major questions in my mind are: how could this happen five
times if the Privacy Act protected systems of records held by Social
Security are secure ? Why didn't the SSA Offices in California
positively identify the person ? The name and date of birth were
different. I don't need apologies for mistakes. I would just like to
see the system work, even If I shall never benefit. If all this
happened thru walk in, accidents/mistakes, I shudder to think what
would occur with increased access and online access.
Something seems to be broken, and I submit that tightening issuance
controls, and restricting access to Social Security numbers would go a
long ways towards fixing the problem.
You have my sincere thanks for inviting me to submit testimony in
this hearing and I look forward to reviewing the Record.
Robert J. Anderson
[The attachment is being retained in the Committee files.]
Statement of Christopher J. Klicka, Esq., The Home School Legal Defense
Association, Purcellville, Virginia
My name is Christopher J. Klicka, and I presently serve as
Senior Counsel of the Home School Legal Defense Association and
Executive Director of the National Center for Home Education.
For the last 15 years, I have worked in the area of
constitutional and education law--in the courts, state
legislatures, and Congress. I have litigated many cases
involving the Free Exercise of religion of parents. I have
drafted state legislation and testified before state
legislative committees regarding registration, religious
freedom, and tax issues. I have worked with dozens of state
boards and departments of education and thousands of local
school districts to resolve problems over educational issues
involving the religious convictions of home school families. I
also assisted in drafting H.R. 2494.
The Home School Legal Defense Association is a nonprofit
legal advocacy organization dedicated to protecting religious
and parental freedom generally and promoting home schooling
specifically. We have almost 70,000 member families in all 50
states at present.
One of the Home School Legal Defense Association's goals is
to protect the religious freedom and privacy of home schoolers
throughout the country. Since 1996, innocent families with
sincerely-held religious convictions against getting a social
security number for their children are being forced to pay for
the exercise of those religious convictions. These families are
being assessed thousands of dollars in taxes even though they
have dependent children legitimately qualifying them for
various tax deductions.
1996 Amendment to IRS Code Punishes Parents with Sincerely-held
Religious Convictions
Due to a change in federal law in 1996, a parent is
required to submit a taxpayer identification number (TIN) for
each minor being claimed for a deduction or a tax credit on his
federal income taxes. Because the TIN for an individual is a
social security number (SSN), this law essentially requires all
parents to obtain a SSN for their newborn children if they want
to receive the dependent deduction, the child tax credit, or
other credits.
Some families have religious convictions against obtaining
such a government-issued number (TIN) for a dependent.
Section 1615 (a)(1) of The Small Business Job Protection
Act of 1996 amended 26 U.S.C. Sec. 151 authorizing the IRS to
completely deny the dependency exemption if the dependent's TIN
is not included on the tax return. The relevant language
states:
(e) Identifying information required. No exemption shall be
allowed under this section with respect to any individual
unless the TIN of such individual is included on the return
claiming the exemption. [26 U.S.C. Sec. 151 (e) (1998)].
Before the addition of this section, a taxpayer who failed
to supply a dependent's TIN was served a deficiency notice,
which could be appealed. Now, however, a failure to provide a
correct TIN is treated like a mathematical or clerical error,
which cannot be appealed. The taxpayer is simply assessed the
tax and required to pay without appeal.
Many innocent families are suffering severe financial
hardship as a result.
Why Congress Should Enact the Religious Exemption Created by H.R. 2494
There are several compelling reasons to support
congressional action to create a religious exemption from
providing identifying numbers for dependents. These include the
following:
1. A minority of law-abiding families with sincerely held
religious beliefs that make them opposed to obtaining a
government issued number for their minor children, are
suffering severe financial hardship.
Many families have voluntarily forfeited thousands of
dollars worth of legitimate dependent deductions, rather than
violate their religious beliefs. These families, who have
children, are not taking the deductions they are entitled to in
order to be true to their religious convictions. Other families
are listing their children on their federal income tax form but
not obtaining social security numbers for them. These families
are claiming their legitimate deductions but are being assessed
thousands of dollars as the IRS disallows their deductions.
Taxpayers with these sincerely-held religious beliefs are
being forced to pay for their right to exercise their religious
beliefs. Thus, the current federal law prohibits these families
from freely exercising their religion--a fundamental right
protected by the First Amendment.
One family with sincerely-held religious convictions was
forced to take out a second mortgage on their home to pay for
the taxes assessed against them for the last three years simply
because the IRS has disallowed their deductions and credits for
their children. See their personal testimony attached in
Appendix I). Many innocent families are experiencing nightmares
has as they are hounded by the IRS for not obtaining social
security numbers. Other families are not listing their children
on their income tax and forfeiting their legitimate tax
deductions and credits.
We have record of over 150 families being penalized by the
IRS simply because they have sincerely-held religious
convictions making it impossible for them to get social
security numbers for their children.
Here are excerpts from some of their testimonies collected
by HSLDA in the last few weeks:
``Because of no social security numbers for our eight
dependent children, the IRS assessed additional tax of $3100.''
--Nathan and Lisa Bach
Marshall, TX
``We live in fear continually that the IRS will send us a
notice at any time that they will be seizing our hard-earned
property, or that we will end up in a tax court dominated by
one-sided legal procedures. . . . We expect that our total
liability claimed by the IRS will shortly be approaching $3500,
which would be nearly 20% of our total annual familial income.
. . . We remain committed to following the Lord rather than the
dictates of man.''
--Stephen Martin North
Amity, Maine.''
``We are deeply troubled that our religious beliefs
concerning our children receiving Social Security Numbers are
being violated by the government. We are being forced to
compromise our beliefs or pay an exorbitant tax bill which
amounts to over $7,000 a year for our family. We have paid an
additional $30,000 in taxes thus far to avoid getting Social
Security numbers for our children. This is certainly an added
hardship for our family of seven.
``We feel strongly that the requirement demanding we obtain
numbers for our minor children is both unconstitutional and
discriminatory in a country which has an heritage of religious
and personal freedoms. We believe, as Christians, our children
have been entrusted into our care and that God holds us
personally responsible for their well-being. It is our belief
that to number our children marks them as government property
and forces us to register them in a tracking system as minors.
We, as parents, believe we have a God-given role to oversee our
children and provide for them. This is not the role nor
function of government. Our religious freedoms and personal
freedoms have been disregarded and violated in this coercion.
``We would welcome the opportunity to prove the legitimacy
of our claim for child exemptions by presentation of birth
certificates or other means. This is clearly not an issue of
fraud, but rather deeply held convictions which have been
overlooked by government policies.''
--Gary and Drenda Keesee
Mt Vernon, OH
``We have two adopted children. They were claimed without
exception in 1994 and 1995 successfully. However, in 1996 and
1997 our income tax refund was withheld because they did not
have social security numbers.
``The financial hardship we have suffered from this is over
since we had to relinquish our beliefs and submit to having our
children receive numbers. Due to an illness that incapacitated
my husband we had to get numbers for our kids in order to get
the necessary funds being withheld by the IRS. This was to
assist us financially due to his inability to work.
``At the time of our compromise the IRS was holding
$3,040.38 and we received it once we submitted to having
numbers issued to our children.(We don't understand how these
numbers prove dependency since the other documents we presented
were of greater proof).''
--Joe and Sharon Tadlock
Las Vegas, NV
``Close to $3500 is at stake for 1998, and we still don't
know what is going to happen for 1999.''
--Efrain & Gail Rivera
Bronx, NY
``My wife and I have been married 21 years and have been
blessed by the hand of God with 7 children. . . . Over the past
four years, it has cost our family over $16,000 in additional
taxes, not to mention the additional insult of interest
penalties. For 1999 alone the increased tax impact was nearly
$6,400 with the projection for year 2000 being even greater. We
are not independently wealthy and could use this money as we
raise the children the Lord has given us.''
--Scott Weurding
Conklin, MI
``Because of our religious convictions, we have not applied
for social security numbers for our eight children. . . .
Without the deductions, the IRS requires us to pay $15,200 in
taxes plus $1,400 in penalties and interest. In addition, at
the end of March, the IRS levied our checking and savings
accounts for the entire $16,600 they calculate that we owe. We
did not have nearly that much. The entire balance of our
checking and savings accounts were seized, leaving us nothing
with which to pay our mortgage, groceries, and utility bills.
We have struggled these past two months to rebuild our credit
and catch up on our bills, pay all our 'non-sufficient funds'
fees, and repay those checks that bounced.''
--Andrew and Lynne Spear
Mesa, AZ
``We are pleased to be the parents of ten children. Our
children have been given to us as blessings from God. We have
willingly accepted these blessings and the responsibilities
that come with raising them. We have chosen not to get social
security numbers for our children because this would seem to be
taking a precious gift given to us by God and transferring it
to the government.
``Although we have experienced various difficulties related
to our decision to avoid social security numbers, probably the
harshest punishment is being taxed as if we were childless.
Since we believe God expects parents, not baby-sitters or day-
care, to raise children, we live on only one income.
Fortunately we are able to be quite frugal, but the extra taxes
we must pay are a definite financial liability.
``We calculated the amount of money we have lost since 1996
and found it to be approximately $21,640. This figure does not
include the extra taxes we have paid on the state level since
our state bases exemptions solely on the number claimed on our
federal return. Such a large amount of money would easily
replace our aging, rusting family van. Or it could go toward
the college expenses that are rapidly approaching. We would
appreciate the passage of-H.R. 2494 as that would allow us to
obey God and also relieve some of our heavy tax burden as we
seek to provide for our family.''
--Mr. and Mrs. Richard Derby
Flint, MI
As Roman Catholics we are morally opposed to obtaining a
universal identification number for our children. Because the
IRS has denied the dependency exemption for our children we
have paid in excess of $22,000.00 in additional tax over the
past four years.
--David and Claudia Drew
York, PA
We agonized as a family over this issue for years. The
filing of our taxes each year brought stress, wondering at the
repercussions of again challenging the state system. Our 1996
tax return was changed by the IRS to indicate that we owed an
additional $2,292.96, because our children were disallowed as
deductions, simply because they were not numbered. We were put
in anguish over what to do to resolve our struggle. Some
anonymous friends left money for us that was used to pay the
balance.
--Mark and Pam Holden
Wampsville, NY
``Due to the fact that we are taking a faith stand, it has
cost us approximately $ 3000.00 per year in lost refunds owed
to us. Over the last 4 years that adds up to $ 12,000.00 lost
revenue. . . . The government will count our children for
census purposes, but will not count our children for our
refunds just because they don't have social security numbers.''
--Craig and Mary Prena
Attica, MI
Our additional tax burden amounts to $2000 per year that we
cannot claim because we have chosen to not have SS numbers and
have been unable to obtain any alternative form of
identification.
--Michael and Evelyn Williams
Akron, OH
2. Courts already allow similar religious exemptions for federal aid
programs.
Some federal aid programs require recipients to submit the social
security numbers of dependents in order to receive the aid. However,
courts have ruled that individuals who otherwise qualify for these
benefits could not be denied funds solely because they were religiously
opposed to obtaining social security numbers for their children. See
Stevens v. Berger, 428 F.Supp. 896 (E.D.N.Y., 1977), and Callahan v.
Woods, 736 F.2d 1269 (9th Cir., 1984). Congress should all the more
allow a religious exemption for families filing their income tax
returns to keep money that they rightfully earned.
3. A religious exemption would not revoke the current fraud protection
mechanism.
The religious exemption proposed in H.R. 2494 would not revoke the
fraud protection mechanism established in 26 U.S.C. Sec. 151 (e). Any
taxpayer seeking the religious exemption would be required to include
birth certificates and medical records to prove the existence of his
children. In addition, he would be required to submit a sworn affidavit
with his tax return, explaining his sincerely held religious beliefs.
Here is one religious family's description of their desire to prove
the identity of their children and abide by the law.
``We have always filed our taxes as accurately, honestly and
quickly as possible (usually by the first week of February). When we
discovered that the I.R.S. was no longer considering our children
dependents for tax purposes we tried everything to satisfy them that we
were not trying to deceive the government about the number of
dependents in our home. We sent notarized, certified copies of the
children's birth certificates to the IRS, only to have them mailed back
to us. We offered to meet with IRS agents anywhere anytime with our
complete family so that they could interview us and see that our four
children truly do exist and that they truly have lived with us for each
of the 12-month periods in question. The IRS has not responded to this
offer. . . . Despite all our fear and frustration, we believe that the
'system' can still work.''
--Stephen Martin North
Amity, Maine
The Solution: The Children Tax ID Alternative Act (H.R. 2494)
HSLDA helped draft a bill to correct this problem, the
Children Tax ID Alternative Act, H.R. 2494 which is sponsored
by Congressmen John Hostettler (R09IN) and Bill Goodling
(R09PA). Under this legislation, families with a religious
objection will no longer be required to obtain a SSN for their
children in order to claim them as dependents.
In lieu of a government-issued number, this bill requires a
religious objector to produce several items:
1. A sworn affidavit from the parents describing their own
religious belief;
2. An affidavit from a non-relative vouching that the
children being claimed as dependents are indeed the parent's
children;
3. Two other articles showing the relationship of the
dependent to the taxpayer. The article choices include a birth
certificate, medical records, insurance records or school
records.
Other Reasons This Amendment (H.R. 2494) Should Be Enacted
1. The religious objector retains the burden of proof.
2. Granting this religious exemption will not cause the
loss of legitimate government revenue. These families have
children and are entitled to money that is rightfully theirs--
not the government's.
Conclusion
Families who qualify for a dependent deduction should be
allowed to take this deduction even though they have an
objection to the assignment of SSNs to their minor children.
The policy of the United States should be to grant tax
deductions on the basis of physical children in a family--not
on the basis of identifying numbers in a family. The IRS is
always able to challenge the truthfulness of any deduction.
Should fraud be found, stiff penalties should be assessed.
Supporting H.R. 2494 will advance religious freedom and
provide a minority of families the legitimate tax relief to
which they are entitled. We need to stop making families pay to
protect their religious beliefs.
APPENDIX A
It is my conviction that children are the God-given
responsibility of their parents; that they do not have an
independent status in relationship to the state; and that an
identification number assigns control over our children in a
way that compromises the separation of secular and parental
authority, causing us to relinquish part of our accountability
to answer to God for our children. The identification number
foreshadows intrusive government action, and also echoes the
horrible history of political regimes of totalitarianism. God
expects us to protect our children and interpose ourselves for
them, for example, by mediating the role of government in their
lives as minor children.
The hardship of consistency to these convictions is
extreme. It is very difficult to try to live up to both our
responsibility of paying taxes in obeying the law, and our
responsibility to what conscience decrees toward the children.
The stress that we endure financially is troubling, as well.
Here is the pertinent financial situation:
1997.............................................................. Calculated ta$161.00d
Adjusted tax bill owed $2,340.56
1998.............................................................. Calculated ta$511.00d
Adjusted bill $7,872.49
1999.............................................................. Calculated ta$720.00
Adjusted bill $7,000.00
(estimated)
Total additional tax.............................................. (excluding the refunds, $17,213.05
interest, etc.)
Last November, we took a second mortgage on our home; one
of the main reasons was to become current and pay in full our
1997 and 1998 taxes. Please help us by passing this
legislation.
Rinnie Lind
Respectfully Submitted
Christopher J. Klicka
Senior Counsel
Home School Legal Defense Association
PO Box 3000
Purcellville, VA 20134
Statement of Gil Hyatt, Las Vegas, Nevada
Thank you for this opportunity to present a written
statement for the record of hearings before the House Ways and
Means Subcommittee on Social Security on the ``use and misuse
of social security numbers.'' While there are many aspects to
this issue and many examples of violations of safeguards to
protect social security numbers, I would like to highlight for
the subcommittee a growing and potentially out of control
problem dealing with State taxing agencies. Across the country
there is a growing problem with inappropriate disclosure and
misuse of social security numbers, as well as other private
information, by State taxing agencies, like the California
Franchise Tax Board (``FTB'').
I. State Taxing Agencies are Indiscrimnately Disclosing and Misusing
Taxpayer's Social Security Numbers
The task of keeping one's social security number private is
much more difficult in today's world where the number is used
for a myriad of purposes. As a universal identification number,
the social security number has taken on a role much greater
than that for which it was ever intended. While individuals can
choose whether or not to disclose their social security numbers
to businesses or other individuals, these same individuals
cannot control a state taxing agency's use and disclosure of
their social security number as well as any other Federal tax
information. In the past, Congress has passed legislation
intended to ensure that steps be taken to ensure that a
taxpayer's Federal tax information (most relevantly, a
taxpayer's social security number) is kept confidential by all
who receive such information. Under existing law, the IRS can
share its taxpayer information with state tax agencies and
others so long as those agencies abide by certain rules that
protect confidential taxpayer information.
Even though Congress reformed the IRS with the Internal
Revenue Service Restructuring and Reform Act of 1998 to protect
taxpayers' rights and confidentiality, state taxing agencies,
guilty of similar types of abuses that provoked Congressional
reform of the IRS, have nevertheless resisted such reform
measures. Many states use the same type of abusive tactics for
which their federal counterpart--the IRS--was reprimanded by
Congress. The state taxing agencies, however, have gone even
further than the IRS ever dared to go by exacting revenue from
non-residents using tax assessments that are significantly
increased by ill-supported penalties. In making such
assessments, state taxing agencies use Federal tax return
information (including a taxpayer's social security number)
without regard for its confidentiality. In a recently published
study, the Joint Committee on Taxation highlighted the growing
problem of breaches of confidentiality of Federal tax returns
and return information by state tax agencies.\1\
---------------------------------------------------------------------------
\1\ See Joint Committee on Taxation ``Study of Present-Law Taxpayer
Confidentiality and Disclosure Provisions as required by Section 3802
of the Internal Revenue Service Restructuring and Reform Act of 1998,''
January 28, 2000.
---------------------------------------------------------------------------
As the Joint Committee on Taxation report clearly shows,
state and local tax agencies have little if any respect for the
safeguards put into place by Congress to protect the
confidentiality of a taxpayer's social security number. No
state taxing agency is more guilty of wrongful disclosure of a
taxpayers' social security numbers than the California
Franchise Tax Board (``FTB'').\2\ Set forth below is a
description of personal experiences evidencing the misuse of
social security numbers by the FTB.
---------------------------------------------------------------------------
\2\ The FTB is the agency that collects income taxes for the state
of California.
---------------------------------------------------------------------------
II. Examples of Misuse of Confidential Taxpayer information (including
Social Security Numbers) by the FTB
An independent observation of personal experiences with the
FTB would suggest that no information, including social
security numbers, is confidential to the FTB. As an example,
during the course of a typical state tax residency audit, the
FTB will promise that the confidentiality of a taxpayer's
information is protected by California law in order to induce
taxpayers to disclose such confidential information. Then, the
FTB later creates reasons why the confidential information is
no longer confidential. As part of this pattern, the FTB then
unilaterally declassifies and, without even notifying the
taxpayer, publicly discloses the confidential information,
which includes a taxpayer's social security number.
In one particular case, the FTB was performing a residency
audit on a wealthy Nevada resident who is well-known for his
innovations in computer technology. The Nevada resident is
justly protective of the location of his office and research
lab in view of the industrial espionage that is rampant in the
industry marketplace and in view of the established danger from
stalkers and other predators. He has taken great care to keep
the address of his home, office, and research lab secret to
protect against industrial espionage and stalking, including
purchasing the property through a trust and taking other
precautions so that his name was not connected with the
property. He gave the private address to the FTB only after the
FTB provided assurances that it would keep it strictly
confidential and that California law made it a crime for the
FTB to disclose such information.
Then, without notice to the Nevada resident and with total
disregard for his privacy, safety, and confidentiality, the
FTB, within weeks, began indiscriminately broadcasting the
private address along with the taxpayer's social security
number to the very entities from whom the Nevada resident
sought to keep the private address confidential. The FTB sent
out formal Demands for Information (quasi-subpoenas) to
newspapers and to other public entities that keep large
databases of information on citizens which contained the
individual's private social security number. See attached copy
of the FTB's Demand for Information (with the confidential
taxpayer information having been redacted for this copy, but
which was not redacted in the original).
These quasi-subpoenas disclosed the Nevada resident's name,
social security number, and his non-public residence address to
the very entities from which he sought to be protected. This
without even noticing, servicing, or informing the Nevada
resident or his attorney that such quasi-subpoenas were being
sent out, thereby depriving him of his legal right to take
legal action to quash these fraudulent quasi-subpoenas. After
unilaterally declassifying and indiscriminately disclosing to
the public the Nevada resident's confidential information,
including his social security number and private residence
address, the FTB defended its disclosure by stating that it
needed to disclose the confidential information (even though
the FTB could have obtained the information it sought from the
Nevada resident himself).
When challenged about this disclosure of confidential
information, the FTB attempted to justify its disclosure of the
Nevada resident's confidential taxpayer information by alleging
that the confidential information was not confidential because
it could be found in the public domain (even though the FTB
never found the information publicly). The FTB asserts that
because the Nevada resident's social security number could be
found in an obscure public court filing, it need not be kept
confidential. Such a position not only represents a ``crass
legal fiction'' \3\, but is also contrary to federal ase law--
``a clear privacy interest exists with respect to such
information as names, addresses, and other identifying
information even if such information is already available on
publicly recorded filings.'' \4\ The court cited for support
the Supreme Court's notation in United States Dept of Defense
v. Federal Labor Relations Auth. that ``an individual's
interest in controlling the dissemination of information
regarding personal matters does not dissolve simply because
that information may [already] be available to the public in
some form'' \5\. The court also cited the Supreme Court's
conclusion in U.S. Dept of Justice v. Reporters Comm. for
Freedom of the Press that ``the fact that 'an event is not
wholly private does not mean that an individual has no interest
in limiting disclosure or dissemination of the information.''
\6\
---------------------------------------------------------------------------
\3\ Briscoe v. Reader's Digest Association, Inc., 4 Cal. 3d 529,
539 (Cal. 1971) (``It would be a crass legal fiction to assert that a
matter once public never become private again.'')
\4\ Abraham & Rose v. U.S., 138 F.3d 1075, 1083 (6th Cir. 1998)
(footnote omitted).
\5\ Id. (quoting 510 U.S. 487, 500, 127 L. Ed. 2d 325, 114 S. Ct.
1006 (1994) (alteration in original)).
\6\ Id. (quoting 489 U.S. 749, 770, 103 L. Ed. 2d 774, 109 S. Ct.
1468 (1989).
---------------------------------------------------------------------------
In the case of the attached Demand for Information form
letter, the FTB clearly lists the taxpayer's social security
number in the upper-right hand corner of this form, which
indicates that the FTB always sends out this form letter with
the social security number disclosed. There is absolutely no
reason why the Las Vegas Sun--a widely distributed public
newspaper--needs to see the taxpayer's social security number
in order to answer the FTB's queries. If the FTB needs some
method of keeping track of cases, the agency can easily assign
each taxpayer under audit a case identification number--this
would accomplish the FTB's goal of keeping track of a taxpayer
without unlawfully disclosing the taxpayer's confidential
social security number to the public.
In the case of the Nevada resident, the FTB had also made
specific promises that it would not disclose the taxpayer's
private address. Nevertheless, the attached Demand for
Information clearly equates the Nevada resident with the
address--in direct violation of the FTB's promises of
confidentiality toward the Nevada resident. The FTB could have
easily divided its demand letters into two--the first one sent
to the Las Vegas Sun asking for any and all records regarding
the taxpayer (without any mentioning of a social security
number, without stating that it was for an investigation into
the taxpayer, and without stating a specific address) and the
second one sent to the Las Vegas Sun asking for any and all
records regarding newspaper subscriptions at XXX address
(without any mentioning of a social security number, without
mentioning the taxpayer's name, and without stating that it was
for an investigation into the taxpayer). This would accomplish
the FTB's goal of getting the information it wants (even though
it could have just as easily received such information from the
Nevada resident himself) and would also keep the Nevada
resident's identity as a subject of investigation, his social
security number, and his address confidential (as the FTB is
required to do anyway and explicitly agreed to do in the case
of the Nevada resident).
The FTB does not just disclose this confidential
information accidentally or discretely. While the FTB asserts
that these quasi-subpoenas are intended only to demand
information from uncooperative third parties, the FTB has
adopted another use for them--as tools for embarrassing and
intimidating the taxpayer and disclosing the taxpayer's
confidential information by indiscriminately sending them out
in mailings. In fact, the FTB is very direct in using the
aforementioned intimidating Demands for Information form to
indiscriminately disclose a taxpayer's confidential information
and at the same time cast the taxpayer in a bad light and
getting the recipient's attention due to its formal, criminal-
investigation type format. The Demand clearly states that it is
``In the Matter of: <insert name here>'' and that the
information ``will be used by this department for
investigation, audit or collection purposes pertaining to the
above-named taxpayer for the years indicated.'' The FTB could
have easily requested information from the Las Vegas Sun
without plastering the taxpayer's name all over the Demand. As
suggested above, cases can be assigned case numbers for
reference purposes and need not place taxpayers under such
obvious suspicion by putting their name at the top of the
Demand. The form would still accomplish its objectives were the
name not on the Demand. The only purpose served by putting the
subject's name on the Demand is to raise suspicion in the
recipient's mind regarding the subject taxpayer.
Because first requesting information directly from the
taxpayer (as required by California Civil Code Sec. 1798) would
not be intimidating or embarrassing enough to accomplish its
purpose, the FTB instead prefers to break the law and go
directly to third parties in the most intimidating way for the
taxpayer. In the case of the Nevada resident, the FTB located a
check made out to a Dr. Shapiro; but instead of asking the
Nevada resident for information on this Dr. Shapiro, the FTB
located six Dr. Shapiros in the telephone book and sent out the
aforementioned quasi-subpoenas to all of them, thereby
informing a group of professionals that the Nevada resident was
under investigation, focusing more attention on him, and
causing him even greater exposure and embarrassment. This in
addition to the quasi-subpoenas sent by the FTB to several
newspapers on a ``fishing expedition'' calculated to cause the
victim even more exposure and embarrassment while disclosing
his confidential information. Both of theses examples show how
the FTB uses confidential taxpayer information (including
social security numbers) to intimidate taxpayers in order to
exact improper tax assessments.
The FTB's official position is that a taxpayer's
confidential information is protected under California law but
that the FTB can disclose the confidential information
(including commingled Federal tax information and social
security numbers) at its sole discretion without even notifying
the taxpayer or giving the taxpayer an opportunity to challenge
the declassification. Hence, confidentiality is all at the
self-serving discretion of the FTB and the FTB is bent on
public disclosure of taxpayer information to intimidate
taxpayers to settle. In the case of the aforementioned Nevada
resident, the FTB assessed millions of dollars in false
penalties and made millions of dollars worth of intentional
errors in income calculations consistent with the FTB's
established practice of significantly increasing assessments in
preparation for settlement negotiations. Then, when the Nevada
resident refused to submit to this practice, the FTB threatened
that his confidential personal information would become public
if he didn't settle like other citizens do--taxpayers usually
settle at the protest stage to keep their private information
from becoming public. The FTB has been accused of extortion and
fraud as a result of this methodology.
The FTB is guilty of regularly revealing confidential
Federal tax information (and social security numbers) in a
public forum. In court papers submitted by the FTB to the SBE
\7\, the FTB routinely attaches its NPAs (Notice of Proposed
Assessments) to the briefs without redacting the taxpayer's
social security number (which is predominantly displayed on
each of the NPAs sent out by the FTB). See the 52 pages of
Federal tax return information that were attached to the FTB's
Supplemental Brief.\8\
---------------------------------------------------------------------------
\7\ The SBE is the California State Board of Equalization, the
agency that hears the administrative appeals from the decisions of the
FTB.
\8\ See, e.g., In the Appeal of Paine/Norton, 98A090741, Case No.
89002467180, California State Board of Equalization decision at 4
(October 7, 1999) (emphasis added).
---------------------------------------------------------------------------
The FTB is so blatant in its disregard for the taxpayer's
confidential Federal tax information that it, without
hesitation, discussed specific monetary figures on the
taxpayer's tax return: ``As a result, appellants [sic] asserted
that only $127,113 of their total federal adjusted gross income
of $772,850 for 1990 was California income subject to tax in
this state.'' \9\ ``Reported on the federal return is Schedule
C income in the amount of $164,435.00. . . . Also reported on
the federal return is partnership income in the amount of
$567,446.00.'' \10\ This material was supplied by the FTB to
the SBE without any confidentiality statement or motion to seal
the Federal tax information records and this Federal tax
information is now available to the public.\11\
---------------------------------------------------------------------------
\9\ See, e.g., Id. (emphasis added).
\10\ See, e.g., Id. in the letter from the FTB to Mr. Paine dated
January 20, 1994 and included as part of the public record available to
the public from the SBE (emphasis added).
\11\ The file of the Appeal of Paine/Norton was ordered from the
SBE and was supplied by the SBE without any form of confidentiality
notation.
---------------------------------------------------------------------------
III. Social Security Numbers are the Least of the FTB'S Unscrupulous
Actions
The FTB is one of many state taxing agencies which relies
upon IRS information for its taxing activities. But California
tax law has not been conformed with the Internal Revenue
Service Restructuring and Reform Act of 1998. Thus, while the
IRS collects taxes from taxpayers now protected under the
reformed provisions, the FTB continues to reek havoc on
unsuspecting taxpayers, held only to its own un-reformed, self-
serving standards. Even worse, the FTB does not even follow its
own un-reformed standards, blatantly violating California laws
with impunity.
The FTB has been violating both Federal law and even
California law for so long under the guise of assessing and
collecting taxes that it cannot be expected to comply with the
new more stringent Federal laws on confidentiality of Federal
tax information (and social security numbers).\12\
---------------------------------------------------------------------------
\12\ Federal tax returns and return information (FTI). See OMB No.
1545090962 at 1.
---------------------------------------------------------------------------
Also, the FTB is so submerged in a culture of bad faith
and fraudulent behavior that it cannot be expected to comply
with laws that are based on good faith relationships with
taxpayers. Hence, regardless of the lip-service paid by the FTB
concerning the confidentiality of a taxpayer's information, the
FTB is incapable of providing the safeguards necessary to
protect not only shared IRS tax return information (including
social security numbers) but also the FTB's own taxpayer
information that it is legally required by statute to keep
confidential.
An agency whose actions are based upon bad faith taints all
who cooperate with it in its deeds. The FTB's record of bad
faith is reason alone for it to be excluded from receiving IRS
information and social security numbers. This kind of state tax
agency cannot be trusted with confidential Federal tax
information and social security numbers. Before the IRS shares
information with such a state agency, the law should require
that the Federal tax information be used only in cases where
the state agency is acting in good faith and in compliance with
its own state laws as well as Federal laws. Any evidence that a
state tax agency is using Federal tax information and social
security numbers in conjunction with any kind of improper and/
or illegal state tax activities should be grounds for immediate
suspension of any sharing by the IRS with that state tax
agency.
The improper acts of the FTB involve both Federal tax
information as well as state tax information. The FTB auditors
are untrained, inexperienced, and unsupervised and do not
distinguish between different types of information. They
intermingle tax information and social security numbers of
different citizens in the same audit file and produce it to
citizens who do not have a right to access the other taxpayer's
tax information.
The FTB auditors indiscriminately disclose confidential tax
and social security information to associates that do not have
a need to know. For example, one FTB auditor seeking peer
approval and attention distributed her narrative, which
described the confidential issues and details of the Nevada
resident's audit (the largest in residency-audit history at the
time) to her associates. This type of disclosure is prohibited
by both the Taxpayer Browsing Protection Act and by common
sense.
This same auditor visited that Nevada resident's private
residence with her friend out of curiosity, to take ``trophy''
photographs of the private residence, to improperly rummage
through garbage, and to trespass and investigate the private
property. The auditor was no longer involved in the audit at
the time, she had no right to continued activities thereon, and
her friend had not been involved in the audit or had no right
to be involved.
The FTB indiscriminately discloses or at times threatens to
disclose confidential information publicly as a tool in forcing
taxpayers to give up on or settle tax controversies. In one
case, knowing of a particularly need for privacy, the FTB made
a promise to keep information confidential and then,
immediately after this promise, the FTB disclosed such
confidential information in order to intimidate the Nevada
resident to extort him of multi-millions of dollars in taxes,
interest, and penalties. The FTB was convinced that he was very
concerned about his privacy and that such public disclosure
would force him to settle an unjust assessment. The common name
for this type of tactic is extortion.
The FTB sends out letters to Federal officials,
postmasters, to find out the taxpayer's forwarding address. But
these letters, which were signed by the head of the FTB, made
false certifications to the Federal officials. These letters
certified that the FTB had exhausted all other avenues to
obtain the taxpayer's address information. But the FTB had
already received this information--from the taxpayer himself.
More relevant here is the fact that this address that the FTB
was investigating was the same address that was on the IRS tax
return information shared with the FTB. The issue is that the
FTB got information from the IRS that the IRS considers to be
confidential, yet the FTB comes up with reasons that they
should not keep it confidential. Accepting taxpayer address
information (and social security number information) from the
IRS requires the FTB to comply with Federal laws regarding the
treatment of such information, otherwise the FTB's hair-
splitting will extend to even more blatant violations of the
IRS tax return sharing laws.
In one particular case, the FTB continued to refuse to
disclose the Nevada resident's tax records to him (which he has
a right to see under California law) but the FTB
indiscriminately disclosed other citizens' tax records to the
taxpayer that he did not at the time have a right to see and
the FTB indiscriminately discloses the Nevada resident's tax
records to others that do not have a right to see. The FTB
habitually uses private and detailed taxpayer information for
training materials that the FTB makes available to the public.
The FTB changes the last names to something seemingly innocuous
(such as to James H. Taxpayer), but the audit information
provided by the FTB is so specific and so detailed that the
real name and address of James H. Taxpayer was found within 15
minutes--it was as simple as ordering and looking through a
phone book.
A state tax agency that would is involved with any of the
aforementioned illegal acts cannot be trusted with confidential
Federal tax information and social security numbers. Although
the Federal statutes and guidelines do not expressly require
any state tax agency to act in good faith on taxpayer matters,
a state tax agency that acts in bad faith cannot be relied on
to protect the confidentiality of Federal tax information and
social security numbers. In fact, the Federal statutes and
guidelines require competence and imply good faith, but the FTB
shows neither when it is focused on exacting large assessments
from former California residents.
California requires taxpayers to disclose to the FTB the
Federal tax information (and social security numbers) from
their Federal income tax return. The FTB then uses this
information in its audits and publicly discloses it (such as in
appeals to the SBE). Therefore, regardless of the protections
that the IRS provides for Federal tax information in order to
encourage taxpayers to provide the IRS with all tax
information, taxpayers will be reluctant to provide the IRS
with such information because states like California require
taxpayers to provide them that Federal tax information (and
social security numbers), but do not protect its
confidentiality as the IRS is required to do. Because the IRS
promises taxpayers that Federal tax information will be kept
confidential, it is improper for the FTB to require taxpayers
to disclose this confidential information without proper legal
process. State taxing agencies should not be permitted to
require taxpayers to disclose Federal income tax information
without legal process, and even then such information should be
treated with the same respect to confidentiality as does the
IRS.
IV. Congress' Role in Reforming Abusive State Tax Agencies
The FTB has been abusive and aggressive in its state taxing
activities and the IRS is being made an unwitting party to the
abuse. An agency that indiscriminately and intentionally uses
and misuses social security numbers and undertakes other such
illegal tactics as described above should not be trusted with
Federal tax information and social security information until
it has been reformed.
Instead of acknowledging the abuses and instituting reforms
after being alerted to them, the FTB continues with the illegal
activities. These include continuing illegal disclosure of
confidential information (and social security numbers),
falsification of official tax records, illegal destruction of
important litigation-related documents, improper disclosure of
other taxpayer's information, and much much more. The FTB
practices the most abusive and often illegal tax collecting
methods imaginable. Clearly, the FTB cannot be trusted to
protect the confidentiality of Federal tax information and
social security numbers.
Congress has a strong interest in the policies and
procedures of the state tax agencies because the IRS shares its
Federal tax information with the state tax agencies. Internal
Revenue Code Sec. 6103(a) makes it clear that state employees
with access to Federal tax return information shall keep such
information confidential and may not disclose it to anyone
except for those properly authorized to view such information.
Because Federal tax information is what is being shared,
Congress must insure that the shared tax information (including
social security numbers) is protected to the same degree called
for by Federal law and state tax agencies must be held to the
same standard to which the IRS is held regarding Federal tax
information. Congress should also insure that the IRS reforms
are not tainted by abusive state tax agencies misusing Federal
tax information and social security numbers. Furthermore,
Congress should also insure that the IRS is not tainted by
associations with abusive state tax agencies acting in bad
faith in exacting improper taxes.
State tax agency reform can be easily accomplished by
Congress. All state tax agencies receiving IRS information
should be required to adopt and abide by the taxpayer
protection reforms present in the Internal Revenue Service
Restructuring and Reform Act of 1998 as a prerequisite for
obtaining Federal tax information from the IRS. Because most
state tax agencies are dependent on Federal tax information
obtained from the IRS for administering their own tax programs,
they will most likely agree to conform to the Federal statutes
in order to continue to obtain Federal tax information and
social security number information if mandated by Congress.
V. Conclusion
State taxing agencies (including California's FTB) have a
record of misusing confidential taxpayer information (including
social security numbers) and have been found to violate well-
intended safeguards to protect such information by a study of
the Joint Committee on Taxation. Accordingly, Congress should
take action to prevent such abuse, including directing the IRS
to cease sharing tax return information (and social security
numbers) with any state tax agency, such as the FTB, that
abuses such information or violates such safeguards. These
actions should be mandated until the abuses have been
rectified, the agencies have taken appropriate measures to
prevent future abuses, and the state statutes have been
conformed with the Federal IRS statutes regarding taxpayer's
rights. Furthermore, a Treasury Department investigation and a
Congressional investigation by the GAO should be conducted to
ascertain the scope of the egregious and illegal conduct of
state agencies, including the FTB, and to determine the degree
to which confidential Federal tax information and social
security numbers have been inappropriately and illegally
misused.
[GRAPHIC] [TIFF OMITTED] T8072.001
Statement of Kent Snyder, Executive Director, Liberty Study, Falls
Church, Virginia
Ludwig von Mises, economist and true champion of liberty,
concluded that with respect to political and economic systems,
one can choose either totalitarianism or capitalism--there is
no middle ground. Few issues demonstrate the justification for
his conclusion so clearly as does that of privacy protection.
The premise of Mises' argument was that interventionism
necessarily begets interventionism as the negative effects of
government's initial intervention become the justification for
each of the subsequent interventions. For example, when
government establishes a minimum wage above the market wage,
that class of employees whose marginal product is below the
artificially established minimum wage become legally
unemployable, and, hence in ``need'' of governmental support.
Of course, government's subsequent response to then support
every unemployed member of society at some subsistence level
creates yet another incentive for more intervention when those
actually working to achieve that level of subsistence realize
it can be achieved without continuing their efforts. Of course,
this privacy hearing is not exactly about the minimum wage but
rather whether government should intervene yet again to remedy
the negative consequences of its prior, privacy-destructive
intervention or whether they should properly recognize
themselves as the source of the malaise and repeal the prior
intervention.
In America's Great Depression, economist Murray Rothbard
explains how massive federal intervention into the monetary
sphere (contrary to the usual tripe proffered regarding
``unbridled capitalism'' causing the depression) served as the
intervention that sent this country into the throws of the
great depression. Among the subsequent and numerous
interventions to remedy the negative effects of governmental
monetary mischief, was the Social Security Act, a bill which
after nearly one hundred and fifty years of history to the
contrary, ``relieved'' citizens of the individual
responsibility for providing for their own financial futures
and those of their family members. Of course, as Mises
understood and explained, these interventions were the natural
result of the negative consequences triggered by interference
in the monetary sphere.
Because individual and private accounts would no longer be
the means by which most savers provided for their financial
futures and as though money was actually being placed by
government into individual accounts for those without the
requisite self-discipline to provide for their own future
financial well-being, every participant in the system was
ultimately issued a Social Security ``Account Number.''
Although the Congress that created the Social Security system
in no way intended to create a national identifier, a
subsequent executive order by President Roosevelt authorized
the use of the Social Security number as a standard federal
identifier.
In the name of ``protecting'' the taxpayer against
government inefficiency and various forms of fraud, government
took subsequent steps to further establish the SSN as a uniform
identifier. For example, where military members once used their
military serial number, this was replaced by the Social
Security number as a standard identifier. Additionally, the
Bank Secrecy Act of 1970 generated regulation requiring the
collection of Social Security Numbers by banking institutions.
When, at a minimum, banks were mandated by government to use at
least that number and to preserve scarce data resources and
avoid duplicity of records, financial institutions naturally
adopted the social security number as their record number of
choice.
In response to concerns about the widespread use of the
SSN, Congress passed the Privacy Act of 1974, but,
unfortunately, the language of the Privacy Act allows Congress
to require the use of the Social Security number at will. In
fact, just two years after the passage of the Privacy Act,
Congress explicitly allowed state governments to use the Social
Security number as an identifier for tax collection, motor
vehicle registration and drivers' license identification. The
federal government has also compelled extensive disclosure and
use of the Social Security number in its labor, medical, and
education databases.
Given that government, to accommodate its own prior
interventions, has not only facilitated but compelled the
creation of a massive tool for privacy invasion, government is
now, of course, presented with the question of whether to undo
at least some of the prior intervention or use the culmination
of negative effects of all these prior interventions to, yet
again, intervene further in the liberty and private dealings of
individuals.
The Liberty Study Committee supports what is the only
proper response to this question: eliminate the proliferation
of the government-instilled, privacy-destroying tool--the
Social Security Account Number. While it certainly does not
return government to its proper role and restore responsibility
for saving to individuals, The Freedom and Privacy Restoration
Act, H.R. 220, introduced by Representative Ron Paul, would
limit the use of the Social Security number to the Social
Security system administration, and is an important step in the
right direction of at least protecting the privacy of
individuals. Without question, certain inefficiencies will
necessarily result in limiting the use by government of this
number but, first and foremost, we must not forget that
government's primary role must be to preserve individual
liberty rather than ``efficiently'' run government programs,
many of which lack constitutionally legitimacy in any case.
Under no circumstances should the government use their very
own government-created privacy crisis as a justification to
restrict what private individuals do or don't do with their
private information (even to include release of their own
Social Security number). As much as free speech includes the
right to be still, inherent to privacy is the right to share or
not share private information with those of one's own choosing.
Government has, in essence, turned the notion of privacy
protection on it's head with proposals to limit information
sharing by private individuals while compelling disclosure to
government by those very same individuals. I hope this Congress
will recognize and, thus, not fall prey to the ``intervention-
begets-intervention'' recognized by Mises and, as such, not
move our nation yet another step further down the road to
totalitarianism.
-
�