[Congressional Record Volume 153, Number 113 (Monday, July 16, 2007)]
[Extensions of Remarks]
[Pages E1527-E1528]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




STATEMENT UPON THE INTRODUCTION OF THE ``SOCIAL SECURITY NUMBER PRIVACY 
              AND IDENTITY THEFT PROTECTION ACT OF 2007''

                                 ______
                                 

                        HON. MICHAEL R. McNULTY

                              of new york

                    in the house of representatives

                         Monday, July 16, 2007

  Mr. McNULTY. Madam Speaker, I rise today to introduce the ``Social 
Security Number Privacy and Identity Theft Protection Act of 2007.'' As 
Chairman of the Subcommittee on Social Security, I am proud to 
introduce this bipartisan bill along with my chief cosponsor, the 
Ranking Member of the subcommittee, Sam Johnson. We are also joined by 
Members of the Committee on Ways and Means, which has jurisdiction over 
the Social Security number (SSN). This bill is modeled after 
legislation sponsored in prior Congresses by our friends and former 
colleagues Congressman Clay Shaw, and the late Congressman Bob Matsui, 
who were our predecessors on the subcommittee.
  The bill is the subcommittee's response to the growing problem of 
identity theft. Our subcommittee has held 16 hearings on identity theft 
and the misuse of Social Security numbers since 2000. Numerous experts 
have testified that identity theft is greatly facilitated by the easy 
availability of SSNs in public and private sector records and because 
of the rampant use of the number as an individual identifier. Once 
obtained, criminals use the SSN to impersonate their victims or unlock 
access to their good credit histories to open new accounts.
  Identity theft is one of the fastest-growing crimes in the United 
States. Research by the Federal Trade Commission (FTC) in 2003 found 
that almost 5 percent of the adult population of the U.S.--some ten 
million people--were victims of some kind of identity theft in just a 
single 12-month period. A more recent private sector survey estimated 
the number of victims at 15 million in the 12 months prior to August 
2006.
  Identity theft ruins individuals' good names and destroys their 
credit ratings. Identity thieves have stolen the homes of elderly 
retirees, and have caused innocent persons to be arrested when crimes 
are committed under a falsified identity. It has even ruined the future 
credit ratings of young children.
  The FTC reports that individuals spend $5 billion a year attempting 
to recover their good names and credit histories. Annual surveys find 
that businesses lose more than $50 billion
per year to identity theft-related fraud. Victims often spend years 
recovering from the damage done by such thieves.
  The Social Security Administration (SSA) and its Inspector General 
have worked diligently to increase the integrity and security of the 
Social Security number, and the procedures used in issuing numbers and 
cards. But despite its value as a key facilitator of identity theft 
crimes, SSA has essentially no control over how the Social Security 
number is used by other governmental agencies or the private sector. 
The SSN was originally created for SSA's use in the administration of 
the Social Security programs. Its use has grown, piecemeal, by the 
federal government as a result of regulation or legislation, wherever a 
unique identifier was needed for official government purposes. However, 
no law of general applicability explicitly allows or specifically 
requires the private sector to collect, sell, or use the SSN to the 
extent that it is done so today. Although the Social Security Act 
requires government entities to protect the confidentiality of the SSN, 
no law exists that generally protects the privacy of the SSN in the 
private sector.
  The Government Accountability Office (GAO) and other law enforcement 
experts have testified before the subcommittee that the current 
patchwork of laws that regulate how businesses and government agencies 
use and disclose personally identifiable information in their records 
leaves large gaps in protection for the SSN. While financial services 
and consumer reporting agencies are subject to some regulation 
controlling how and when they may disclose SSNs to third parties, there 
are limitations in these protections. Moreover, other industries remain 
completely free to buy and sell personal information about individuals 
with whom they have no business relationship. Sophisticated identity 
thieves have taken advantage of the gaps in protection and have been 
able to pose as users of personal information for purportedly 
legitimate purposes, gaining access to hundreds of thousands of SSNs 
sold by information brokers. Stalkers are also able to capitalize on 
the lack of protection for Social Security numbers and use them to 
locate and track their targets.
  For these reasons, the legislation we introduce today will restrict 
the ability of government agencies, private businesses and others to 
sell, purchase or publicly display Social Security numbers. In 
recognition that a general prohibition may disrupt legitimate 
government uses and business practices that rely on the SSN, certain 
exceptions are made for law enforcement purposes, national security, 
public health, where the health or safety of an individual is at risk 
in an emergency situation, to ensure the accuracy of credit and 
insurance underwriting information and certain other Fair Credit 
Reporting Act purposes, for tax compliance purposes, if incidental to 
the sale or merger of a business, to administer employee or government 
benefits, for limited research purposes, with the individual's 
affirmative and written consent, and to the extent authorized by the 
Social Security Act. Further exceptions may be made for other purposes 
by regulation. Among other new requirements, the bill also restricts 
the display of SSNs on the Internet, on government documents and 
identification cards and tags. The bill's provisions will be 
enforceable by civil and criminal penalties imposed by federal 
agencies or state attorneys general; and by a limited ability of 
citizens to stop a federal agency's lack of compliance and recover 
actual damages through federal court action.

  Madam Speaker, it is my expectation that this legislation will give 
us more control over how the SSN is used, in order to better protect 
the SSN from identity thieves and other criminals. I am proud to 
sponsor this bill and to join my colleagues as we move this legislation 
forward.
  A summary of the bill follows.

Provisions Related to Social Security Numbers (SSNs) in the Public and 
                            Private Sectors

       Federal, State, and local governments would be prohibited 
     from:
       Selling SSNs (limited exceptions would be allowed, such as 
     to facilitate law enforcement and national security, to 
     ensure the accuracy of credit and insurance underwriting 
     information and certain other Fair Credit Reporting Act 
     purposes, for tax purposes, for research purposes, and to the 
     extent authorized by the Social Security Act). Further 
     exceptions may be made for other purposes by regulation.
       Displaying SSNs to the general public, including on the 
     Internet.
       Displaying SSNs on checks issued for payment and 
     accompanying documents.
       Displaying SSNs on identification cards and tags issued to 
     employees or their families; patients and students at public 
     institutions; and Medicare cards.
       Employing prisoners in jobs that provide them with access 
     to SSNs.
       Requiring the transmission of SSNs over the Internet 
     without encryption or other security measures.
       The private sector would be prohibited from:
       Selling or purchasing SSNs (limited exceptions would be 
     made for law enforcement (including child support 
     enforcement); national security; public health; health or 
     safety emergency situations; tax purposes; to ensure the 
     accuracy of credit and insurance underwriting information and 
     certain other Fair Credit Reporting Act purposes; if 
     incidental to the sale, lease or merger of a business; to 
     administer employee or government benefits; for some 
     research; or with the individual's affirmative, written 
     consent). Further exceptions may be made for other purposes 
     by regulation.
       Displaying SSNs to the general public, including on the 
     Internet.
       Displaying SSNs on checks.
       Requiring the transmission of SSNs over the Internet 
     without encryption or other security measures.
       Making unnecessary disclosures of another individual's SSN 
     to government agencies.
       Displaying the SSN on cards or tags issued to employees, 
     their family members, or other individuals.
       Displaying the SSN on cards or tags issued to access goods, 
     services, or benefits.
       Public and private sectors would be required to safeguard 
     SSNs they have in their possession from unauthorized access 
     by employees or others.
       Sale, purchase, or display of SSNs in the public or private 
     sector would be permitted by regulation in other 
     circumstances, when appropriate. In making this 
     determination, regulators would consider whether the 
     authorization would serve a compelling public interest and 
     would consider the costs and burdens to the public, 
     government, and businesses. If sale, purchase, or display 
     were to be authorized, the regulation would provide for 
     restrictions to prevent identity theft, fraud, deception, 
     crime, and risk of bodily, emotional, or financial harm.
       A person would be prohibited from obtaining another 
     person's SSN to locate or identify the individual with the 
     intent to harass, harm, physically injure or use the 
     individual's identity for an illegal purpose.
       Would specify that, wherever a truncated SSN is used, it 
     must be limited to the last 4 digits of the number. (This 
     truncation standard does not change the permissible uses of 
     the SSN.)
       State law governing use of SSNs would not be preempted 
     where state law is stronger.
       The National Research Council would be required to conduct 
     a study to evaluate the feasibility of banning the use of the 
     SSN as an authenticator.


                              Enforcement

       New criminal penalties (up to 5 years imprisonment and fine 
     up to $250,000) and civil penalties (up to $5,000 per 
     incident) would be created for violations of the law relating 
     to the display, sale, purchase, or misuse of the SSN, 
     offering to acquire an additional SSN for a fee, and for 
     selling or transferring one's own SSN.
       Prison sentences would be enhanced for SSN misuse 
     associated with repeat offenders (up to 10 years), drug 
     trafficking or crimes of violence (up to 20 years), or 
     terrorism (up to 25 years).
       New criminal penalties (as much as 20 years in prison and 
     fine up to $250,000) and civil penalties (up to $5,000 per 
     incident) would be created for Social Security Administration 
     employees who fraudulently sell or transfer SSNs or Social 
     Security cards.
       The bill permits enforcement by the Social Security 
     Administration (which would have civil monetary penalty 
     authority); the Department of Justice (which enforces 
     criminal violations of federal law); and state attorneys 
     general (who would be granted civil enforcement authority 
     over private-sector users and state and local government). In 
     addition, individual victims affected by violations of this 
     bill by federal agencies would be provided with limited legal 
     recourse to stop an agency's violation and recover any actual 
     damages they may have suffered.

                          ____________________