Child Support Enforcement: Most States Collect Drivers' SSNs and 
Use Them to Enforce Child Support (15-FEB-02, GAO-02-239).	 
                                                                 
Congress established a national child support enforcement (CSE)  
program in 1965 to ensure that noncustodial parents financially  
support their children. In fiscal year 2000, the Office of Child 
Support Enforcement (OCSE) estimated that $84 billion in past-due
child support was owed, but never collected. The Social Security 
Act contains provisions to help child support agencies collect	 
support when noncustodial parents or their income and assets are 
hard to find. The Act mandates that states enact laws requiring  
social security numbers (SSNs) on applications for a driver's	 
license. State CSE programs rely on SSNs to locate the addresses,
income, and assets of noncustodial parents. Motor vehicle	 
agencies can be a valuable source of SSNs that CSE programs have 
difficulty obtaining elsewhere. The Act also requires that states
suspend, withhold, or restrict the driver's licenses of 	 
noncustodial parents delinquent in child support payments. Most  
motor vehicle agencies that GAO surveyed collect SSNs from all	 
applicants for driver's licenses, but OCSE has taken few steps to
promote such collection in states not currently doing so.	 
Although state officials and privacy experts expressed few	 
concerns about motor vehicle agencies collecting SSNs for child  
support enforcement, possible weaknesses in the policies and	 
procedures in use to safeguard SSNs indicate the potential for	 
compromising privacy. Child support enforcement officials in 35  
states told GAO that their agencies use driver's license	 
suspension extensively, which has led to the collection of some  
payments.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-02-239 					        
    ACCNO:   A02662						        
  TITLE:     Child Support Enforcement: Most States Collect Drivers'  
SSNs and Use Them to Enforce Child Support			 
     DATE:   02/15/2002 
  SUBJECT:   Child support payments				 
	     Collection procedures				 
	     Data collection					 
	     Federal/state relations				 
	     Late payments					 
	     Law enforcement information systems		 
	     Licenses						 
	     Social security number				 
	     State-administered programs			 
	     Child Support Enforcement Program			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-02-239
     
United States General Accounting Office

GAO

Report to the Subcommittee on Human

Resources, Committee on Ways and Means, House of Representatives

February 2002

                                CHILD SUPPORT
                                 ENFORCEMENT

Most States Collect Drivers' SSNs and Use Them to Enforce Child Support

GAO-02-239

Contents

Letter

Results in Brief
Background
Most MVAs Are Collecting SSNs from Driver's License Applicants

but OCSE Actions to Track and Promote Compliance Have Been Limited

Few Privacy Concerns Expressed about MVAs Collecting SSNs, Yet Potential
Weaknesses in Safeguarding SSNs May Compromise Privacy

Driver's License Suspension Is Not Fully Used in All States Even

Though It Can Result in Collecting Payments Conclusions Recommendation for
Executive Action Agency Comments

                                     1

                                    3 5

                                     7

12

19 24 24 24

     Appendix I                    Objectives, Scope, and Methodology                 26

                                               Objectives                             26
                                          Scope and Methodology                       26

     Appendix II                             Survey to MVAs

Appendix III Comments From the Department of Health and Human Services 43

GAO Comments 47

Appendix IV GAO Contacts and Staff Acknowledgments 48

GAO Contacts 48 Staff Acknowledgments 48

Tables

Table 1: SSN Collection Practices at MVAs Prior to SSN

Requirement  Becoming Law  8 Table  2: MVA  Risk Assessments  and Agencywide
Security Plans 17 Table 3: MVA Monitoring Access and Adherence to Password

Policies 19

Table 4: Outcome of Driver's License Suspension in Three States in 2000 23

Abbreviations

AAMVA American Association of Motor Vehicle Administrators
CSE child support enforcement
OCSE Office of Child Support Enforcement
DPPA Driver's Privacy Protection Act
FISCAM Federal Information System Controls Audit Manual
GISRA Government Information Security Reform provisions
HHS Department of Health and Human Services
MVA Motor Vehicle Agency
OCSE Office of Child Support Enforcement
OMB Office of Management and Budget
PRWORA Personal Responsibility and Work Opportunity

Reconciliation Act

United States General Accounting Office Washington, DC 20548

February 15, 2002

The Honorable Wally Herger
Chairman, Subcommittee on Human Resources
Committee on Ways and Means
House of Representatives

The Honorable Nancy Johnson
House of Representatives

The Honorable Sander Levin
House of Representatives

In 1975, the Congress established a national child support enforcement
(CSE) program to ensure that noncustodial1 parents financially support
their children. From fiscal years 1976 through 2000, this program collected
approximately $156.6 billion in child support, with approximately $84.3
billion collected from 1995 through 2000. Despite these results, billions in
child support remain uncollected. In fiscal year 2000, the Office of Child
Support Enforcement (OCSE), which is located in the Department of
Health and Human Services (HHS), estimated that $84 billion in past-due
child support was owed, but never collected, for all previous fiscal years.

The Social Security Act as amended contains many provisions designed to
help child support agencies collect support when noncustodial parents or
their income and assets are hard to find, including two which relate to
driver's licenses. The act mandates that states enact and implement laws
requiring the recording of social security numbers (SSN) of any applicants
for a driver's license on the application. State CSE programs rely on SSNs
to locate the addresses, income, and assets of noncustodial parents. Motor
vehicle agencies (MVA) can be a valuable source of SSNs that CSE
programs have difficulty obtaining elsewhere. The act also requires that
states have laws requiring procedures to suspend, withhold, or restrict2 the

1Noncustodial parents are parents who do not live with and provide
day-to-day care for their children.

2In this report the term license suspension also includes withholding or
restricting a driver's license. Withholding a license includes not allowing
a person to obtain an initial license. Restricting a license means limiting
when a noncustodial parent may drive, such as only to and from work. All
three of these procedures are permissible under the act.

driver's licenses of noncustodial parents who are delinquent in their child
support payments.

In light of both the desire to have an effective child support enforcement
system and the desire to protect personal privacy, you requested that we (1)
determine the extent to which states collect SSNs from all applicants for
driver's licenses and what OCSE has done to promote compliance in states not
doing so, (2) identify privacy concerns associated with MVA efforts to
collect and safeguard SSNs that are used for child support enforcement
purposes, and (3) determine the extent to which state CSE programs use
driver's license suspension to collect past-due child support and whether
this tool has resulted in collections.

To accomplish these objectives, we mailed a survey to 54 MVAs-one in each of
the 50 states, the District of Columbia, and 3 U.S. territories3- and
received 53 back. The intent of the survey was to obtain information about
(1) the extent to which MVAs collect SSNs from licensed drivers and (2)
their policies and procedures regarding the collection and safeguarding of
SSNs. We also telephoned the CSE programs in the 50 states, the District of
Columbia, and the 3 U.S. territories to obtain information on how they use
MVA-collected SSNs, the extent to which privacy concerns about MVA-collected
SSNs exist in their jurisdictions, and their use of driver's license
suspension. We visited MVAs, CSE programs, Offices of Attorney General, and
legislators in 5 states (California, Georgia, Michigan, North Carolina, and
Texas) to obtain more in-depth information on the same topics that we
addressed in the MVA survey and CSE program telephone calls. We analyzed
data on driver's license suspensions during calendar year 2000 from CSE
programs in 4 other states (Colorado, Maryland, Pennsylvania, and
Washington) to determine the extent to which this action resulted in child
support payments. Finally, we interviewed officials from OCSE and privacy
experts about these two federal requirements. We performed our work from
November 2000 through December 2001 in accordance with generally accepted
government auditing standards. See appendix I for additional information on
our scope and methodology and appendix II for a copy of our survey and
responses.

3This report uses the word "states" to refer to those areas where we did our
work. That is, the 50 states, the District of Columbia, and U.S.
territories. The territories were Guam, the Virgin Islands, and Puerto Rico.
The remaining U.S. territory, American Samoa, was not included because it
does not have a formal CSE program.

Results in Brief

Most motor vehicle agencies (47 out of 53 that returned our survey) collect
SSNs from all applicants for driver's licenses, but the Office of Child
Support Enforcement has taken limited or no steps to promote such collection
of SSNs in states not currently doing so. All except two of the child
support enforcement programs in the 47 states collecting SSNs use motor
vehicle agency collected SSNs, along with SSNs from other sources, when
establishing or verifying SSNs or seeking other information about
noncustodial parents. Further, officials from most of these states believe
that motor vehicle agency collected SSNs are helpful in these endeavors. Of
the six states that are not collecting SSNs from all applicants for driver's
licenses, the legislatures in five have not passed laws requiring their
motor vehicle agencies to collect SSNs from all noncommercial drivers.
Although the legislature in the sixth state has passed such a law, at the
time of our review, the motor vehicle agency had not implemented it. The
Office of Child Support Enforcement is responsible for overseeing state
adoption and implementation of federal requirements related to child support
enforcement. This includes tracking whether states are complying with
federal requirements and, when necessary, taking formal action to promote
compliance. Such action could result in states losing all or part of federal
funds for child support enforcement until they come into compliance. During
our review, the Office of Child Support Enforcement had not taken action to
promote compliance in four of the six states because they did not know that
these states were not collecting SSNs from all applicants for driver's
licenses. Although the Office of Child Support Enforcement officials knew
that two states had not passed laws requiring collection, they did not
initiate formal action to try to remedy the situation because they had not
yet determined the extent to which these states are complying with various
requirements of the law. They did, however, elect to work with these two
states through informal mechanisms.

Although state officials and privacy experts we spoke with expressed few
privacy concerns regarding the policy that motor vehicle agencies collect
SSNs for child support enforcement, possible weaknesses in the policies and
procedures that some motor vehicle agencies use to safeguard SSNs indicate
the potential for compromising privacy. While many of the state officials
and privacy experts we spoke with recognized the increased dissemination of
SSNs throughout society as a serious concern, few felt that this concern
extended to the policy of motor vehicle agencies collecting SSNs for child
support enforcement. The low level of concern about this policy may reflect
two factors. First, this policy relates to a government program-child
support enforcement-that many view as having a legitimate need for SSNs.
Second, federal and state laws greatly limit the extent to which motor
vehicle agencies can provide SSNs to other

entities, including those in the private sector. However, limiting who can
legally receive SSNs is not enough to ensure privacy. SSNs also must be
protected from unauthorized access and misuse. Our survey of motor vehicle
agencies revealed potential deficiencies in protecting SSNs from such abuse.
Although most motor vehicle agency officials believed that the SSNs stored
on their agency's computers were safe from unauthorized access, officials in
40 states also reported that their computer security programs lacked at
least one of five basic components of information security included in our
survey-risk assessments, agencywide security plans, audits, access
monitoring, and policies for password selection and use. These five
components-all of which are requirements of computer security programs at
federal agencies-are among those essential for safeguarding data. However,
no guidelines exist regarding the components that motor vehicle agencies
should include in their computer security programs.

Child support enforcement officials in 35 states told us that their agencies
use driver's license suspension extensively, and our work shows that, when
used, this process can result in collecting some payments. All 54 child
support enforcement programs have policies and procedures in place for
driver's license suspension, including criteria specifying the level of
delinquency that a noncustodial parent must meet before the CSE program
begins the suspension process by sending a warning letter. Child support
enforcement officials in 35 states explained that their programs either use
this tool in all cases that meet their state's delinquency criteria or use
it frequently. Child support enforcement officials in 16 states, however,
told us that their programs were not using this tool in all cases that met
their state's delinquency criteria primarily because some judges were
reluctant to order its use or because of cumbersome administrative
processes. Additionally, most of these officials indicated that they would
like to use it more. It was too soon to gauge the extent of driver's license
suspension use in the remaining 3 states because they were either just
beginning to implement it or making significant changes to the process.
According to officials from the Office of Child Support Enforcement as well
as officials from state child support enforcement programs, when used, the
driver's license suspension process can result in collecting some
particularly difficult-to-collect child support payments-those that are
overdue and from noncustodial parents who are self-employed or who work
informally for cash. It is also useful for collecting payments from
noncustodial parents who depend upon their driver's licenses for work. We
analyzed data on the use of the driver's license suspension process in 4
states and found that it led to collecting payments in 29 percent of the
cases for which it was used and resulted in $48 million in collections.

Background

To ensure that all states are following the act's requirement that states
enact and implement laws requiring the collection of SSNs from all
applicants for driver's licenses, we are recommending that the Office of
Child Support Enforcement more effectively track compliance with this
requirement and take formal steps to bring about such compliance. Although
the motor vehicle agency officials reported that their computer security
programs lacked at least one of the basic components of information security
included in our survey, we are not recommending specific action because, at
this time, no federal agency has responsibility related to computer security
at state motor vehicle agencies.

The child support enforcement (CSE) program is a joint federal and state
partnership mandated in 1975 under Title IV-D of the Social Security Act4
through which noncustodial parents are located, paternity is established,
and child support orders are issued and enforced. State CSE programs are
responsible for carrying out these basic activities. These activities may
take place through judicial action or an expedited administrative process,
depending on the state where the action takes place. In a judicial process,
the courts have the authority to make certain decisions and take certain
actions, and proceedings take place in a legal setting, typically involving
district, state, or county attorneys, judges, and other parties. By
contrast, in an expedited administrative process, the state CSE program has
the authority to administer certain aspects of state child support law or
regulation without court approval being required for legally binding
actions.

Although the states administer the child support enforcement program, the
federal government plays a major role. This includes funding most of the
program and requiring states to develop certain policies and procedures to
help locate noncustodial parents and enforce child support orders. The
Office of Child Support Enforcement (OCSE), in conjunction with regional HHS
offices, is responsible for overseeing and monitoring state CSE programs'
compliance with federal requirements.

The Personal Responsibility and Work Opportunity Reconciliation Act (PRWORA)
of 19965 amended portions of the Social Security Act, including some
provisions that pertained to child support enforcement. One such

442 U.S.C. sec. 651 et seq. 5Public Law 104-193 (Aug. 22, 1996).

provision mandates that states enact laws requiring state agencies to
collect SSNs for child support enforcement purposes. Under PRWORA, SSNs are
to be recorded when individuals apply for certain licenses such as
commercial driver's licenses, occupational and professional licenses, and
marriage licenses. This provision also mandates placing SSNs in records
related to divorce decrees, death certificates, child support orders, and
paternity establishments. The Balanced Budget Act of 1997 expanded this
requirement to include the collection of SSNs from applicants for all
driver's licenses-commercial and noncommercial-and also made it effective
for applicants of recreational licenses. Additionally, the Balanced Budget
Act initially made the effective date of this provision retroactive to
October 1996, as if it had been included in PRWORA. In 1998, however, the
effective date of this provision was extended to October 1, 2000. This
provision only required that SSNs be collected, not that they be displayed
on driver's licenses. A second provision of PRWORA requires that states
enact laws requiring procedures to suspend licenses of noncustodial parents
who owe past-due child support. Licenses subject to suspension include
commercial and noncommercial driver's licenses, and occupational and
professional licenses. Additionally, as part of their CSE plans, states are
required to provide OCSE with information on how they will implement the
procedures prescribed in their laws.

CSE programs use SSNs to help locate noncustodial parents and enforce
support orders. SSNs are important in these endeavors because, by virtue of
being unique numbers, they help ensure that the correct person has been
identified as the noncustodial parent. This accurate identification is
essential in situations in which databases contain several individuals with
the same or similar names and birthdates. When SSN data are not available,
child support officials said that it is more likely that the wrong person
will be identified as the noncustodial parent. Efforts to confirm identity
by other means can be labor-intensive and time-consuming.

When SSNs are available, child support programs use them as one component in
their efforts to identify the whereabouts, income and assets of noncustodial
parents by matching them against those in state and federal databases. For
example, child support programs use these matches to obtain address
information to locate noncustodial parents, to obtain employment information
to enforce support orders, and to identify the driver's licenses of
noncustodial parents who are candidates for license suspension. Although CSE
programs obtain SSNs from a variety of sources, including MVAs, CSE programs
themselves are not generally a source of SSNs for other agencies. Generally,
CSE programs may disclose SSNs only to other CSE programs or social service
agencies.

While MVAs' use of SSNs varies, some MVAs accept a valid Social Security
card as one form of identification to issue a driver's license. MVAs also
use SSNs to control fraudulent driver's license applications, for internal
administrative purposes, or to track fines or fees. For these reasons 35 of
the MVAs collected SSNs from all drivers before being required to do so by
the federal government.

Most MVAs Are Collecting SSNs from Driver's License Applicants but OCSE
Actions to Track and Promote Compliance Have Been Limited

Most MVAs (47 out of 53) collect SSNs from all applicants for driver's
licenses, but OCSE has taken limited or no steps to promote such collection
in states not currently doing so. Almost two-thirds of the MVAs collecting
SSNs collected them from all driver's license applicants prior to the
passage of the Social Security Act's requirement to do so. Of the 6 states
that are not collecting SSNs from all applicants for driver's licenses, the
legislatures in 5 (Georgia, Kansas, Maryland, Minnesota, and Oregon) have
not introduced laws requiring collection of SSNs in this manner, and,
although the remaining state (Michigan) has passed such a law, the MVA has
not implemented it. OCSE did not take any action against 1 state (Michigan)
because of a lawsuit, did not take formal action against 2 states (Georgia,
and Minnesota), and did not know that 3 states were not collecting SSNs from
all applicants for driver's licenses.

Most MVAs Collect SSNs from All Driver's License Applicants

Table 1 shows that almost two-thirds of the MVAs were collecting SSNs from
all driver's license applicants before the date of the legislation requiring
this practice, August 5, 1997.6 There are two opportunities for MVAs to
collect SSNs on all applicants, at license issuance and renewal. Of the 6
states not collecting SSNs from all driver's license applicants at the time
of our review, 2 performed such collections during the 1980s or 1990s.7

6From this point forward, the term "drivers" will refer to noncommercial
drivers and the term "driver's licenses" will refer to noncommercial
driver's licenses. We are not discussing commercial drivers and driver's
licenses because all states are collecting SSNs on commercial drivers. This
is required by the Commercial Motor Vehicle Safety Act of 1986 and,
according to the American Association of Motor Vehicle Administrators
(AAMVA), all states are complying with this law.

7Both of these states ceased such collections prior to August 5, 1997, for
reasons unrelated to the passage of this requirement.

Table 1: SSN Collection  Practices at MVAs Prior to SSN Requirement Becoming
Law

                       Type of SSN collection at MVAs

                   MVAs collecting SSNs as of August 5, 1997 (prior to law)

MVAs collecting SSNs as of December 2001

aData not received
from 2 MVAs.

bData not received
from 1 MVA.

Source: GAO's survey of MVAs and interviews with MVA officials.

MVA-collected SSNs are used in at least one of two ways by CSE programs in
all but 28 of the 47 states that adhere to this federal requirement. The
first way that CSE programs use MVA-collected SSNs, along with SSNs from
other sources, is to help initially establish or verify the SSNs of
noncustodial parents. CSE programs consult a variety of sources
simultaneously when doing this, often through electronic networks that link
state agencies, including MVAs, or federal agencies. The second way that
MVA-collected SSNs are used in most states is to identify the driver's
licenses of noncustodial parents who are candidates for suspension. This is
normally done through computer matches, where the SSN from the CSE program,
the SSN from the MVA, and several other pieces of information must match
prior to suspending the driver's license of a particular noncustodial
parent.

CSE officials from 44 of the 47 states that are collecting SSNs found them
useful, while 3 did not find them useful. The officials who found them
useful said that the SSN is one of many sources that their programs consult
and some of these officials elaborated on factors that make MVA-collected
SSNs useful. Several explained that MVA-collected SSNs were helpful because
this source included SSNs on almost everyone in the CSE system. This is
presumably because MVAs have access to a wide range of people-everyone who
wants a driver's license. Others added that MVAs were particularly helpful
for obtaining the SSNs of noncustodial parents who were self-employed,
unemployed, or working for cash because the SSNs of these individuals tend
not to be found in other more commonly

8The  2 states that did  not use the SSNs in one of  two ways are New Jersey
and Pennsylvania.

used SSN sources, such as state and federal agencies that maintain
employment or tax records. Finally, others explained that MVAs were
particularly important for identifying the driver's licenses of noncustodial
parents who were candidates for license suspension.

CSE officials in the 3 states that did not find SSNs useful, as well as in
other states, cited various drawbacks to MVA-collected SSNs. First, in
states where MVAs only recently began collecting SSNs, they often do not
have SSNs from enough individuals for them to be of much use to the CSE
program. Second, MVA SSNs can be unreliable because most MVAs do not have
procedures in place for verifying that drivers are providing their correct
SSN. Only 14 of the 49 MVA survey respondents who answered this question
reported that they verify the SSNs that they collect with the agency that
issues SSNs, the Social Security Administration. Third, in two states, CSE
program officials prefer to use other sources.

Six States Not in Compliance with Social Security Act Requirements

As of the time of our survey, six states were not complying with the Social
Security Act's requirements that they pass and implement laws mandating SSN
collection on all drivers' license applications. Three of these states-
Georgia, Michigan, and Oregon-were not collecting SSNs from any applicants.
Three states-Kansas, Maryland, and Minnesota- were doing so for some, but
not all, applicants.

The legislatures in all of the states, except Michigan, did not pass laws
requiring the collection of SSNs from all applicants for driver's licenses.
Officials from the MVAs and CSE programs in these five states indicated that
this noncompliance occurred, at least in part, because their programs either
did not bring the need for such laws to their legislatures' attention or did
not sufficiently highlight the need. For example, a CSE official in Oregon
told us that the state legislature was required to pass various laws to
comply with the Social Security Act's requirements and the need to pass a
law requiring collection of SSNs on driver's license applications was simply
overlooked until sometime in 2000 or 2001. CSE officials in Maryland and
Kansas told us that they mistakenly thought that the MVAs in their states
were collecting SSNs from all driver's license applicants and thus never
proposed that their legislatures pass such legislation.

CSE and MVA officials from these five states stated that their legislatures
would most likely debate the privacy implications9 of this requirement

9See the next section for a discussion on the privacy implications of this
requirement.

should legislation be proposed. However, privacy was not characterized as
the overriding reason for not trying to get such legislation passed. Other
reasons included the concern that proposing SSN legislation might detract
from pursuing other child support priorities, a belief that the MVA already
had the authority to collect SSNs in this manner, and concerns about the
cost of implementing this requirement.

Michigan differs from the other five states that were not collecting SSNs in
that its legislature passed a law in 1998 requiring its MVA to collect SSNs
from all driver's license applicants. However, the secretary of state, who
oversees the state's MVA, did not want to implement this law for some of the
same reasons cited in other states-cost and privacy. Michigan's attorney
general filed suit against the federal government in early 2001 challenging
the constitutionality of the act's requirement. The court ruled against
Michigan in October of 2001 and as a result the MVA is now planning to
implement the state law.

OCSE Actions to Track and Promote Compliance Have Been Limited

OCSE is responsible for overseeing the states' adoption and implementation
of federally mandated requirements related to child support enforcement.
This includes tracking state passage and implementation of conforming laws
and taking formal action when necessary to promote compliance with such
requirements. OCSE has not fulfilled these responsibilities in regard to the
six states not in compliance with the Social Security Act's requirements
regarding the collection of SSNs. This is largely because OCSE officials did
not know about the noncompliance in four states and did not take formal
actions against the other two states.

State plans describe the nature and scope of a state's CSE program. Child
support staff located in the regional offices of OCSE's parent agency, HHS,
review and approve these plans, and approval is a condition for federal
funding of state CSE programs. As part of the state plan approval process,
OCSE and regional offices track whether states have passed federally
mandated laws. CSE programs are required to update these plans at various
times, including when their states pass new laws to comply with federal
requirements. HHS regional office staffs are responsible for reviewing these
updates to ensure that they comply with all federal requirements. One tool
that regional staff use for reviews is the legislative analysis checklist, a
list of federally mandated laws that states are required to follow.

OCSE learned from us about the noncompliance in three (Kansas, Maryland, and
Oregon) of the six states at the end of November 2001,well after the
implementation deadline. This was more than 4 years after the SSN collection
requirement was made part of the Act (August 5, 1997) and nearly 14 months
after the deadline for implementation (October 1, 2000). With regard to two
other states, OCSE became aware that one (Georgia) was not in compliance
sometime prior to September 2000 and the other (Minnesota),10 in December of
2000. For the remaining state (Michigan) we were unable to determine when
OCSE learned that it was noncompliant.

Because regional staff were unaware of state noncompliance at the time that
they were reviewing state plans, they erroneously approved four of the six
state plans.11 One HHS regional staff member mistakenly believed that MVAs'
collecting SSNs from some, but not all, driver's license applicants was in
accordance with the act. Thus, this staff member, although responsible for
monitoring this state, did not know that the state was not in compliance
with this requirement until we raised this issue in July 2001. Regional
staff responsible for three other states were unaware that the states were
not collecting SSNs from all licensed drivers. Regional staff for these four
states may not have been closely reviewing the SSN requirement because the
Act established many new requirements and OCSE senior officials indicated
that the requirement for MVAs to collect SSNs was not their highest
priority.

Once OCSE officials and regional staff learn about noncompliant states, they
are responsible for taking action to try to bring the states into
compliance. They can take informal action-discussing the situation with
state CSE program officials and other relevant parties-or, in the case of
OCSE, formal action. OCSE officials take two types of formal actions. The
first is to disapprove a state plan, which will result in a state losing all
federal funds for its CSE program until it brings the program into

10In October 2001, the Minnesota CSE program requested that OCSE exempt its
MVA and Department of Natural Resources from collecting SSNs on drivers and
holders of recreational licenses. OCSE officials told us that it would take
at least 6 to 8 weeks to study the exemption request. This process was not
complete at the time of our review.

11The states with erroneously approved state plans were Maryland, Kansas,
Oregon, and Minnesota. The two states with unapproved state plans were
Georgia and Michigan. Georgia's state plan was not approved because OCSE was
aware of its lack of legislation on the SSN requirement. Approval of
Michigan's state plan was suspended until the lawsuit discussed earlier in
the report was resolved.

compliance with federal requirements. The second is to conduct targeted
audits focused on specific areas of noncompliance, which could result in a
state being subjected to graduated monetary penalties based on how long it
takes for the state to address the problem.

As of December 2001, OCSE officials had not taken formal action against the
two states that they knew were not complying with the federal requirement
that states pass and implement laws requiring collection of SSNs. Regional
staff took informal actions, including sending a letter in April 2001 to a
CSE program in one state indicating that it may receive a Notice of Intent
to Disapprove State Plan in the future if it does not comply with the SSN
requirement. When asked why formal action has not yet been initiated in
these two states, officials responded that OCSE's strategy is to first try
to bring about compliance through informal discussions. One senior official
also informed us in December 2001 that OCSE has asked HHS regional staff to
determine the extent to which the states that they are responsible for
overseeing are complying with the MVA requirement as well as the requirement
that other licensing agencies collect SSNs from licensees. Once such
determinations are complete, OCSE in conjunction with HHS will decide what
formal actions, if any, to take against noncomplying states. OCSE officials
were not able to tell us when such determinations would be made.

State officials and privacy experts we spoke with generally did not express
privacy concerns regarding the policy that MVAs collect SSNs for child
support enforcement. Although many of these individuals did express concern
about the increased dissemination of SSNs throughout society, most did not
extend this concern to MVA-collected SSNs. This low level of concern may
reflect the facts that CSE programs are widely viewed as having a legitimate
need for SSNs and that federal and state laws greatly limit the extent to
which MVAs can provide SSNs to others. Privacy, however, can be compromised
if SSNs are not properly safeguarded. Our survey of MVAs indicates potential
weaknesses in this area.

Few Privacy Concerns Expressed about MVAs Collecting SSNs, Yet Potential
Weaknesses in Safeguarding SSNs May Compromise Privacy

Few Privacy Concerns Generally, state officials and privacy experts we spoke
with did not Expressed about MVAs express privacy concerns related to MVAs
collecting SSNs for child Collecting SSNs support enforcement. Most state
child support enforcement officials, MVA

officials, attorney general officials, and state legislators did not view
this requirement as one that raised privacy concerns, reported no widespread

objections to the requirement from members of the public, or did not
consider this requirement one of the current major threats to privacy in
their states. Additionally, privacy experts we contacted tended not to
identify this requirement as an issue of concern.

Many of these same individuals, however, expressed general privacy concerns
related to the increased dissemination of SSNs throughout society because
such dissemination increases opportunities for their unauthorized use and
disclosure. These concerns focused on the dissemination of SSNs in the
private sector and the belief that SSNs are too easily accessible. For
example, concerns were expressed about the use of SSNs in commercial
transactions, as a student identification number, or as a library card
number. Concerns were also expressed about how easily SSNs can be obtained
from the Internet or through companies that collect and sell personal
information.

The low level of concern about MVAs collecting SSNs for child support
enforcement on the part of those we spoke with may be because SSNs are being
collected in support of a federal program and federal law restricts how MVAs
can use and share them. For example, officials of the Texas and Georgia
attorney general's offices and MVA officials in Texas and North Carolina
pointed to government's purpose in collecting SSNs to facilitate the payment
of child support as a reason why they are not concerned about privacy.
Children's advocacy groups echoed this belief, and noted that SSNs are
particularly important for facilitating the collection of payments when
noncustodial parents or their income and assets are not in the same state as
the child.

Furthermore, federal law greatly restricts the extent to which MVAs can
provide SSNs to other entities. Federal law protects individual privacy by
affirming the principle that the individual has a right to control personal
information released about oneself to others, by giving consent to such
disclosures. The Driver's Privacy Protection Act of 1994 (DPPA)12 explicitly
defines SSNs as "highly restricted personal information," a category of
information that may not be disclosed without "express consent" of the
individuals affected by the requests, except for certain "permissible
uses."13 According to MVA officials, the DPPA's consent

12P.L 103-322 (Sept. 13, 1994).

13Permissible uses include requests and inquiries from other government
agencies, including courts and law enforcement agencies, as well as
insurance companies and employers of commercial drivers.

provision has led MVAs to discontinue the bulk disclosure and sale of
personal information, including SSNs, to private-sector entities.
Additionally, entities authorized to receive data under the DPPA must also
comply with the law's provisions-that is, generally, they may not redisclose
SSNs without the driver's consent.

Moreover, MVAs are free to adopt policies that are more restrictive than
those in the DPPA. For example, the Texas MVA only shares SSNs with two
other entities,14 both of which are government agencies, and places
redisclosure restrictions on these agencies. Additionally, according to
responses to our survey, when asked to identify entities that receive SSN
data from their agencies, MVA officials in 30 states identified only other
government agencies as receiving such data. States can also enact laws or
require written agreements to further restrict the extent to which entities
that receive SSNs from MVAs can disclose those SSNs to other entities. Based
on survey responses, 33 MVAs operate under such laws, written agreements, or
both.

State officials in the six states not collecting SSNs from all driver's
license applicants expressed the most concern about the SSN requirement.
Although privacy was not the only nor the overriding reason these
individuals cited for not complying with this requirement, it was one
factor.15 These individuals mentioned that privacy concerns have been
expressed within their own agencies, by members of the public in their
states, or in their state legislatures. Such concerns were linked to the
belief that government use of SSNs can intrude on privacy, for example, by
exposing people to the risk of identity theft or by allowing government
agencies access to personal information that some people would rather not
provide to them.

Potential Weaknesses in Safeguarding SSNs May Exist at Some MVAs

Privacy can be compromised if there are computer security weaknesses because
they raise the possibility that SSNs and other data stored in MVA computers
could be improperly accessed and misused. The federal government has
established guidelines for effective computer security programs in federal
agencies; however, there are no uniform guidelines for

14The other entities are the offices of the attorney general (where the
child support agency is housed) and the secretary of state (for election
purposes).

15See pages 9 through10 for a discussion of these six states and for a
summary of the other concerns that these states had about this requirement.

MVAs. While most MVA officials believe that their agencies are adequately
protecting the SSNs that they collect, our survey, which asked about several
of the components included in the federal guidelines, points to potential
weaknesses in the computer security programs at these agencies.

The federal government has established guidelines identifying practices
essential to effective computer security. These guidelines have emphasized
the need to continually assess and mitigate risk. The Office of Management
and Budget (OMB) and the National Institute of Standards and Technology
(NIST) have issued standards for federal agency computer security. Further,
in 1999, we issued the Federal Information System Controls Audit Manual
(FISCAM)16, a comprehensive guide to conducting computer security audits
that is consistent with the OMB and NIST standards. In 2000, the Congress
passed Government Information Security Reform (GISRA) provisions17 that
codified existing federal computer security guidance. GISRA provisions
include requirements for risk assessment, agencywide security plans,
independent audits, and appropriate control techniques. This last category
includes techniques such as monitoring external access and appropriate
policies for the selection and use of passwords.

GISRA requires federal agencies to adopt computer security programs, but it
does not require that state agencies do so. Furthermore, although computer
security standards have been established for state child support agency
systems, there are no nationwide standards or guidelines for MVA computer
security programs and computer security was not addressed in the federal
laws related to SSNs at the MVAs. MVAs as a group have not developed
computer security standards. Moreover, officials from the American
Association of Motor Vehicle Administrators (AAMVA) told us that the
association did not have a program to promote computer security standards or
best practices among MVAs. AAMVA officials said, however, that AAMVA would
be willing to do so if the Congress decides that such standards are needed.
Furthermore, although the Social Security Act requires MVAs to collect SSNs
for child support enforcement purposes and restricts their use to those
purposes, the law did not address computer security at MVAs. Similarly,
while the DPPA addressed the disclosure of SSNs by MVAs, it did not address
computer security practices that MVAs should adopt to safeguard SSNs on
their systems.

16GAO/AIMD-12.9.6, Jan., 1999. 17Public Law 106-398, Division A, Title X,
Subtitle G (Oct. 30, 2000).

Nearly all MVA officials we spoke with believed that the SSNs stored on
their agencies' computers are safe from unauthorized access. Our survey
asked MVA officials how easy or difficult it would be for MVA employees or
outside individuals to improperly access SSNs in their agencies' computer
systems. Of the 48 MVA officials responding, only 4 said that such access
would be easy for MVA employees and none said such access would be easy for
individuals not employed by MVAs. We obtained more detailed information on
the security programs during site visits at five MVAs. Officials at these
sites described the computer policies and procedures that they believe make
unauthorized access of MVA-collected SSNs difficult. These included
firewalls to detect and prevent individuals not employed by MVAs from
accessing MVA computer systems. We did not perform any audit tests to verify
MVA responses.

When asked about their computer security programs, MVA officials in 40
states said at least one of five components of computer security in our
survey was missing in their programs. This number included the 4 officials
who said that unauthorized access was easy at their agencies and most of
those who said that it was difficult. These elements are important for
protecting all personal information on driver's license applicants that MVAs
collect, not just SSNs. Other types of personal information include names,
addresses, and telephone numbers.

In MVA programs, at least one of the following elements was missing:

*
risk assessments to identify and explore how to mitigate potential
vulnerabilities;

*
agencywide security plans to describe an agency's overall security program;

* audits to evaluate an agency's security program;

* access monitoring of an agency's computer system; and

* appropriate password selection and use.18

GISRA specifically established a requirement for risk assessments and
agencywide security plans, among others. Periodic risk assessments provide
the foundation for other aspects of computer security management. These risk
assessments not only help an agency identify risks and determine which
controls will most effectively mitigate them, but they also increase
awareness and support for adopted policies and

18Passwords refer to both passwords and personal identification numbers.

controls. Such policies and controls should be described in agencywide
security plans. These written plans are important, according to government
and private security experts, to clearly and comprehensively describe all of
the security policies and procedures that an agency must follow. These plans
also serve as the primary mechanism by which management communicates such
requirements to an agency.

It is important to have both risk assessments and agencywide security plans
because each of these components influences the other. That is, security
plans should include policies and procedures about when and how to conduct
risk assessments and conducting risk assessments can lead to revising
security plans. Table 2 shows, however, that fewer than half of the MVA
officials responding to our survey reported that their agencies conduct risk
assessments or have agencywide security plans. Moreover, seven officials
reported that their agencies did not conduct risk assessments nor have
agencywide security plans.

Table 2: MVA Risk Assessments and Agencywide Security Plans

Risk assessments and agencywide security plans Number of MVAs Percentage of
MVAs

MVAs with both 21

MVAs with neither 7

Note: Data not
received from 4
MVAs.

Note: Numbers do
not total 100 due
to rounding.

aIncludes one MVA where respondent reported an agencywide security plan but
did not specify whether his agency had a risk assessment.

Source: GAO survey sent to MVAs in 54 states.

GISRA and FISCAM call for computer security audits, which are also important
to an agency's computer security program. Such audits can help agencies
obtain objective assessments of their computer security risks and provide
information for agencies to use in developing their risk assessments and
agencywide security plans. According to our survey, officials at 21 MVAs
reported that they have not obtained any independent audits, reviews, or
studies. Moreover, of the seven MVAs that lack both risk assessments and
security plans, six have never obtained independent audits.

GISRA and the FISCAM also include two components of computer security that
are part of a broader category, known as control techniques or access
controls. These two components are monitoring who is accessing computerized
data and adherence to appropriate policies for password selection and use.
These are important because they can provide reasonable assurance that
computerized data are protected against unauthorized disclosure. Monitoring
consists of procedures to detect unusual access activity, such as access by
an unauthorized individual or repeated failed attempts to log into a
computer system. Passwords are reportedly used by almost all MVAs to
distinguish users from one another. Policies about their selection and use
ensure that they cannot be easily guessed, copied, or overheard by someone
attempting unauthorized access. FISCAM includes nine typical policies for
protecting passwords. These typical policies for protecting passwords
include changing them periodically and setting a minimum length of
characters or numbers.19

Table 3 shows that officials in 31 MVAs reported that their agencies monitor
access to their computer systems and adhere to five or more of the nine
typical policies on password selection and use. Officials at 19 other MVAs
reported that their agencies do not monitor access, do not adhere to at
least five of the nine password policies, or do not do either. (See table
4.)20 The password policies that MVA officials reported most often as not
being followed were requiring that passwords consist of both numbers and
letters and encrypting passwords.

19Seven other typical password policies are users selecting their own
passwords, requiring that passwords consist of letters and numbers,
preventing the reuse of retired passwords for a reasonable period,
prohibiting the use of group passwords, requiring that only a few employees
have access to all passwords, encrypting passwords, and limiting the number
of attempts to log on to the system with an invalid password.

20For simplicity of reporting, the table shows those states that reported
adherence to just over half of the nine FISCAM password policies-i.e., any
five of the nine policies. Four states reported using all nine, and three
reported using three policies.

Table 3:  MVA Monitoring Access  and Adherence to Password  Policies Monitor
access and adhere to at least five Number of 
Percentage of MVAs

                   of nine typical password policies MVAs

MVAs do both 31

MVAs do neither 5

Note: Data not
received from 4
MVAs.

aOur survey did
not assess the
extent to which an agency, other than the MVA, may be monitoring access to
an MVA's computer system.

bIncludes one MVA where respondent reported that his agency was not
monitoring access but did not answer the question about standards for
passwords.

Source: GAO survey to MVAs in 54 states.

Although MVA officials reported that their computer security programs lacked
at least one of five basic components of information security included in
our survey, we are not recommending specific action because at this time, no
federal agency has responsibility related to computer security at state
MVAs.

CSE officials in 35 states told us that their programs use driver's license
suspension extensively and our work shows that, when used, this process can
result in collecting payments. All CSE programs have policies and procedures
in place for driver's license suspension, including criteria specifying the
level of delinquency noncustodial parents must attain before a CSE program
begins the driver's license suspension process. Although CSE officials in
most states said that their programs use this tool extensively, CSE
officials in 16 states told us that their programs were not using this tool
in all cases that met their state's delinquency criteria for use. When used,
the driver's license suspension process can result in collecting child
support payments in some cases. Our analysis of the use of this tool in four
states, for example, found that it led to collecting payments in 29 percent
of the cases for which it was used.

Driver's License Suspension Is Not Fully Used in All States Even Though It
Can Result in Collecting Payments

States Have Varying Policies and Procedures for Driver's License Suspension

All states have driver's license suspension policies and procedures in
place. Driver's license suspension is the end result of a process that
starts with the identification of potential noncustodial parents who are
candidates for suspension because they are delinquent in their child support
payments. After initial identification, a warning letter is usually issued
notifying the noncustodial parent who is delinquent in paying child support
that his or her driver's license may be suspended within a specified number
of days unless the noncustodial parent pays the delinquent amount,
establishes a payment plan, or requests a hearing to appeal the suspension.
If noncustodial parents do not respond within this time period, they become
candidates for driver's license suspension.

One key difference in driver's license suspension among states is the level
of delinquency that qualifies a noncustodial parent for suspension. Such
delinquency criteria is based on the amount of past-due support owed, the
length of time in which a payment has not been made, or a combination of the
two. Among the states with a delinquency criteria of past-due support owed
the amount ranges from $500 to $5,000 or the amount of support that would
accumulate in 1 to 12 months. The criteria also may specify a length of time
in which a payment has not been made, and it ranges from 1 to 6 consecutive
months.

A second key difference in driver's license suspension among states is the
agency that has authority to initiate and carry out this process. In 13
states, suspending a driver's license because of nonpayment of child support
is a judicial process in which courts can order a license suspension after
holding a hearing. In 31 states, it is an administrative process in which
the CSE program can suspend the license, usually after the program has given
the noncustodial parent an opportunity to contest the suspension. Finally,
10 states use both judicial and administrative processes, meaning that both
CSE programs and courts can initiate and order driver's license suspension.

Most But Not All States Use Driver's License Suspension Fully

CSE officials we spoke with in 35 states indicated that their programs are
using driver's license suspension extensively. Officials in more than half
of these states said their programs initiate the driver's license suspension
process in all cases that meet their states' delinquency criteria. The
remaining officials in these 35 states characterized their programs' use of
driver's license suspension as routine or frequent or, as in the case of one
state, provided us with data on use of license suspension indicating that it
is used in many cases.

CSE officials we spoke with in 16 states told us that their programs were
not using driver's license suspension to its full extent. These officials
said that, although their states use driver's license suspension, it is not
used in all cases that meet their states' delinquency criteria primarily due
to factors related to the discretionary nature of judges' authority and to
cumbersome administrative processes. Almost all of these officials indicated
that the child support programs in their states could benefit from increased
use of this tool and characterized driver's license suspension as an
effective tool for obtaining payments from noncustodial parents who are
delinquent in paying child support.

In 11 of the 16 states in which CSE officials reported that driver's license
suspension is not used fully, licenses are suspended through a judicial
process and, according to CSE officials, many judges are reluctant to order
it. The CSE officials from judicial states who believed that some judges
were not fully using driver's license suspension characterized such judges
as being reluctant about suspension in general, as opposed to deciding that
it was inappropriate on a case-by-case basis. The main reason CSE officials
cited for judges' reluctance to use driver's license suspension was concern
that suspending driver's licenses would deny noncustodial parents
transportation to and from work, making it more difficult for the parents to
generate earnings and pay child support.

Driver's license suspension is an administrative process in 5 of the 16
states, and CSE officials in these 5 states said that they would like their
programs to use it more often for the collection of child support payments.
These officials said that their programs were not fully using license
suspension primarily because the process for suspending licenses was
cumbersome. For example, as officials from 2 states reported, the monitoring
of noncustodial parents' responses to the initial warning letter can be
time-consuming and can make CSE staff reluctant to initiate the license
suspension process. Even when a noncustodial parent responds to the warning
letter by making payments, CSE staff must monitor the payments for years
after sending the letter because the driver's license can be suspended at
any time that the parent stops making payments. In addition, officials in
other states reported that difficulties working with MVAs made the license
suspension process cumbersome and limited its use. In 1 state, for example,
officials said that the MVA's computer system matches delinquent parents
with their driver's license primarily by first and last name, and the system
cannot identify the correct driver's license to suspend if the delinquent
parent has a common name. Consequently, the CSE program may not be able to
suspend the driver's licenses of those noncustodial parents with common
names.

In the remaining 3 states it was not possible to gauge CSE program use of
driver's license suspension at the time of our review. One state has
recently relaxed its delinquency criteria, and the CSE official in that
state believes the program will use driver's license suspension more
extensively as a result. The CSE program in the second state was in the
process of implementing this tool. Finally, in the third state, the CSE
officials said they were making major changes to its implementation
procedures that should result in driver's license suspension being used
frequently.

Driver's License Suspension Results in Collecting Some Child Support
Payments

Driver's license suspension alone, or in conjunction with other enforcement
actions, does lead some noncustodial parents with past-due support to make
their child support payments. We obtained data on driver's license
suspension in calendar year 2000 in four states-Colorado, Maryland,
Pennsylvania, and Washington. We found that in nearly one out of every three
cases, parents who were subjected to this action made at least one child
support payment after being notified that their licenses could be, or were
being, suspended for nonpayment of child support. 21 In calendar year 2000,
104,608 noncustodial parents in the four states we examined had their
driver's licenses threatened or suspended and the total amount of child
support collected from these parents was $48 million.

In three of these states, the CSE programs were able to break their
suspension data into two groups: cases in which noncustodial parents were
warned of a possible suspension and cases in which the noncustodial parents'
licenses were actually suspended. Table 4 shows that in 80 percent of the
cases, the states threatened suspension but did not actually suspend the
license. Moreover, in 28 percent of the cases, noncustodial parents who were
threatened with suspension made at least one payment, resulting in $35
million in support payments. In addition, in 25 percent of the cases,
noncustodial parents whose licenses were suspended made at least one
payment, resulting in payments totaling $6 million.

21In 44 percent of these cases, threatening or suspending the driver's
licenses of noncustodial parents may not have been the only action that
influenced these parents to make payments. In these cases, noncustodial
parents were subjected to other actions at the same time that their driver's
licenses were threatened or suspended and the data did not indicate which
action, or combination of actions, motivated these parents to make payments.
The most common action was reporting parents to credit bureaus for
nonpayment of support. Other less common actions were conducting computer
matches to identify bank accounts and professional license suspension.

  Table 4: Outcome of Driver's License Suspension in Three States in 2000

Numbers and dollars in thousands

Amount Payments from driver's license of driver's license actions actions

                               Type of action

Number of actions

Percentage of total actions

                                            Number of actions with payments

           Percentage of actions with payments Amount of payments collected

              Warning letters issued 71.0 80 19.7 28 $35,179.5

             Driver's licenses suspended 17.2 20 4.4 25 6,110.5

                       Total 88.2a 100 24.1 41,290.0

aAs stated in footnote 21, threatening or suspending driver's licenses was
not always the sole action that may have led noncustodial parents to make
payments. In the case of the three states in this table, 46 percent of the
cases had at least one other action taken near the time that a noncustodial
parent's license was under the threat of suspension or suspended.

Source: GAO analysis of case data from CSE programs in Colorado,
Pennsylvania, and Washington.

Although no one tool is always effective in collecting payments in all
cases, CSE officials in 51 states believe, and our data analysis shows, that
suspension does result in some noncustodial parents paying the support they
owe. Specifically, many CSE officials characterized driver's license
suspension as effective for reaching one or both of the following types of
noncustodial parents: (1) those who have a source of income from which CSE
programs cannot directly collect payments and (2) those who need their
license for work or transportation. Examples of noncustodial parents in the
first category are those who are self-employed, informally employed, or are
paid in cash. In these situations, CSE programs cannot withhold wages
directly through the noncustodial parent's employer either because the
parent does not have an employer or the CSE program is not able to identify
the employer.22 Examples of noncustodial parents in the second category are
those in jobs requiring a driver's license and those residing in areas in
which automobiles are the primary means of transportation.

CSE officials also described circumstances in which driver's license
suspension was not effective in motivating noncustodial parents to pay the
support they owe. The most common circumstance cited by officials for
suspension not being effective was that some noncustodial parents may not be
concerned about losing their driver's licenses. Such parents may,

22CSE agencies can directly withhold the wages of noncustodial parents once
they identify their source of employment. This is frequently done through a
database called the National Directory of New Hires. This database contains
employment information on all individuals whose wages are reported to the
state and on all federal employees.

Conclusions

Recommendation for Executive Action

Agency Comments

for example, already be driving with expired licenses, or their licenses may
have been suspended for reasons unrelated to child support enforcement. In
addition, several officials noted that some noncustodial parents do not pay
the child support they owe regardless of the enforcement action used against
them. For example, some CSE officials reported that their programs have
tried using every tool available against certain noncustodial parents, and
none of these efforts have resulted in child support payments. Furthermore,
CSE officials stated that some noncustodial parents do not have the money to
make their support payments so that any action taken, including driver's
license suspension, would be ineffective.

While most MVAs collect SSNs from all drivers and most CSE programs use
them, CSE programs in states where MVAs are not collecting SSNs as required
by federal law are not receiving the benefit of SSNs from this source. SSNs
from MVAs are particularly valuable because they include the SSNs of
noncustodial parents that CSE programs may have had difficulty obtaining
from other sources. As the oversight office for state CSE programs, OCSE
should know whether MVAs are collecting SSNs from all driver's license
applicants and take action, which may result in state monetary penalties,
when they are not.

To ensure that all states are following the federal requirements that states
enact and implement laws requiring the collection of SSNs from all driver's
license applicants for child support enforcement purposes, we recommend that
OCSE more effectively track compliance with this requirement and take formal
action, when necessary, against states that are not in compliance. OCSE
should, for example, ensure that staff effectively use the legislative
analysis checklist that is designed to track the adoption and implementation
of state laws. The agency should also take formal actions, when necessary,
such as disapproving state plans or conducting targeted audits, in an effort
to promote compliance with this federal requirement.

We received written comments on a draft report from the Department of Health
and Human Services' Administration for Children and Families. These comments
are presented and evaluated in appendix III. The department agreed with our
findings and said that the Office of Child Support Enforcement will
strengthen its efforts to monitor and oversee state plan compliance with
regard to SSNs and licenses. Additionally, the department asked that we
include more information on OCSE's approach for ensuring state compliance,
which we did.

The department said that we incorrectly stated that its OCSE learned about
noncompliance in Michigan at the end of November 2001 and the department
disagreed strongly with the statement that it did not view MVAs collecting
SSNs as a high priority. We dropped this reference to November 2001 and
revised the report to reflect that the officials indicated that collecting
SSNs was not their highest priority. In addition, the department provided
technical comments, which we incorporated in the report as appropriate.

As agreed with your offices, unless you publicly release its contents
earlier, we will make no further distribution of this report until 30 days
after its issue date. At that time, we will send copies of this report to
appropriate congressional committees, the secretary of HHS and other
interested parties. We will also make copies available to others on request.
If you or your staff have questions concerning this report, please call me
on (202) 512-8403. Key contributors are listed in appendix IV.

Cornelia M. Ashby Director, Education, Workforce, and Income Security Issues

Appendix I: Objectives, Scope, and Methodology

Objectives The objectives of our review were to (1) determine the extent to
which states have implemented the federal requirement that MVAs collect SSNs
from all licensed drivers and what OCSE has done to promote compliance in
states not adhering to this requirement, (2) identify privacy concerns
associated with MVA efforts to collect and safeguard SSNs that are used for
child support enforcement purposes, and (3) determine the extent to which
state CSE programs use driver's license suspension to collect past-due child
support and whether this tool has resulted in collections.

We conducted our review from November 2000 through December 2001 in
accordance with generally accepted government auditing standards.

Scope and To accomplish the above objectives, we mailed a survey to 54 MVAs,
conducted telephone interviews with 54 CSE programs, conducted site

Methodology visits in five states, analyzed data on driver's license
suspension from CSE programs in four states, and interviewed officials from
HHS's OCSE and regional offices.

Survey of MVAs We mailed a survey to 54 MVAs-one in each of the 50 states,
the District of Columbia, and three of the U.S. territories1-and received 53
completed surveys from the MVAs. The intent of the survey was to obtain
information about (1) the extent to which MVAs collect SSNs from licensed
drivers and (2) their policies and procedures regarding the collection,
sharing, and safeguarding of SSNs. We took steps during survey design and
data analysis to minimize errors. For example, we pretested the survey in 3
states prior to mailing it to all survey respondents to ensure that we were
phrasing questions in the best way. We also contacted respondents to clarify
information when needed.

Telephone Interviews with We telephoned CSE officials in the 50 states, the
District of Columbia, and

State CSE Programs the same three U.S. territories that received our MVA
survey. The overall objectives of these interviews were to obtain
information on how CSE programs use MVA-collected SSNs and driver's license
suspension and whether they find them helpful in locating noncustodial
parents and

1The territories were Guam, the Virgin Islands, and Puerto Rico. The
remaining U.S. territory, American Samoa, was not included because it does
not have a formal child support enforcement program.

Appendix I: Objectives, Scope, and Methodology

getting them to pay the support they owe. Our questions about the use of
MVA-collected SSNs focused on (1) whether and how CSE programs use
MVA-collected SSNs; (2) the importance attached to this SSN source; and (3)
whether privacy concerns were expressed about the requirement that MVAs
collect SSNs from all licensed drivers and, if so, whether and how such
concerns were addressed. Our questions about the use of driver's license
suspension focused on (1) the policies and procedures that CSE programs
follow for driver's license suspension, (2) the extent to which CSE programs
use driver's license suspension, and (3) whether driver's license suspension
is effective in getting noncustodial parents to pay the support that they
owe.

                         Site Visits to Five States

We visited five states-California, Georgia, Michigan, North Carolina, and
Texas-and held face-to-face meetings with officials from CSE programs, MVAs,
and offices of attorney general. In addition, we met with state legislators
involved with privacy or child support enforcement issues and privacy
experts. We discussed in more detail the topics covered in the CSE program
telephone interviews and the questions contained in the MVA survey focusing
on computer security and use of SSNs (see app. II).

We selected these five states because they are geographically diverse and
because they have differing practices with regard to MVA-collected SSNs and
use of driver's license suspension. Specifically, we wanted a mix of states
with respect to whether MVAs were collecting SSNs from all licensed drivers
and whether driver's license suspension was a judicial process or an
administrative process. Of the five states, three were collecting SSNs from
all drivers and two were not and two used administrative procedures to
suspend driver's licenses, two used judicial procedures, and one used both.

Analysis of States' Data on Driver's License Suspension Actions

We analyzed data from CSE programs in four states to determine how often
these programs used the driver's license suspension process in calendar year
2000 and the extent to which this process resulted in collecting payments.
The states were Colorado, Maryland, Pennsylvania, and Washington, and we
chose them because they had the type of automated data that we required for
this analysis and were willing to provide it to us. CSE program personnel
extracted the data we requested from their files. We did not verify the
accuracy of the data; however, we did review the data for reasonableness,
consistency, and suitability for our analysis.

Appendix I: Objectives, Scope, and Methodology

The objective of our data analysis was to identify child support payments
that could reasonably be attributed to driver's license suspension. For 56
percent of the cases in which we attributed payments to suspension, this
identification was straightforward. That is, the data were sufficient to
indicate that these payments were the result of either the threat of
driver's license suspension or an actual suspension. In the other 44 percent
of the cases, it was not possible to conclude that the payments were solely
the result of driver's license suspension. This is because the data showed
that the CSE programs took other enforcement actions at about the same time
as driver's license suspensions and the data did not indicate which actions
were responsible for the payment. In these cases, we concluded that driver's
license suspension, in conjunction with other actions, resulted in payments.
The most common action taken in these situations was reporting delinquent
payment information to credit bureaus. Other, less common actions included
conducting computer matches to identify bank accounts and suspending
professional licenses.

We counted all payments that were solely or partially attributable to
driver's license suspension in calendar year 2000. Our starting point for
counting these payments was the first payment made after a noncustodial
parent received a letter stating that his or her driver's license could be,
or was being, suspended. We stopped counting payments at the end of 2000 or
when another enforcement action was taken. New enforcement actions would
only have been taken if the noncustodial parent had stopped making payments.

Because driver's license suspension is a process that starts with a warning
letter and may end with a suspension, we counted the entire process as one
action. Thus, if a noncustodial parent received one or more warning letters
regarding a possible suspension, but never had his or her license suspended,
we counted this as a single action. If a noncustodial parent did not respond
to warning letters and had his or her license suspended, we counted this
entire process-warning through suspension-as a single action. Finally, if a
noncustodial parent went through the driver's license suspension more than
once in 2000, we counted each time as a separate action.

For Colorado, Pennsylvania, and Washington, we obtained data on all driver's
license suspension actions occurring during calendar year 2000 and whether
these actions were warnings or actual suspensions. Thus, for these states,
we could distinguish when actions were warning actions and when they were
suspension actions and the amount of payments that resulted from each. For
Maryland, however, we could only obtain

Appendix I: Objectives, Scope, and Methodology

information on the last driver's license suspension action taken in a case
and could not tell if this action was a warning letter or an actual
suspension.

Interviews With Officials from HHS' OCSE and Regional Offices

We interviewed officials from OCSE and HHS regional offices about federal
oversight of the Social Security Act's requirement about MVA-collected SSNs.
We discussed (1) the extent to which states are complying with the SSN
requirement, (2) whether OCSE and the regional offices were aware that
certain states were not in compliance, (3) what OCSE is doing to promote
compliance in these noncompliant states, and (4) OCSE's role in driver's
license suspension. We also reviewed OCSE program documents, OCSE official
communications, and selected states' laws regarding MVAs collecting SSNs.
Finally, we talked with officials from the CSE programs and MVAs in each
noncompliant state about why their states were not complying with this
federal requirement.

                         Appendix II: Survey to MVAs

 Appendix II: Survey to MVAs Appendix II: Survey to MVAs Appendix II: Survey
to MVAs Appendix II: Survey to MVAs Appendix II: Survey to MVAs Appendix II:
   Survey to MVAs Appendix II: Survey to MVAs Appendix II: Survey to MVAs
 Appendix II: Survey to MVAs Appendix II: Survey to MVAs Appendix II: Survey
                    to MVAs Appendix II: Survey to MVAs

Appendix III: Comments From the Department of Health and Human Services

Note: GAO comments supplementing those in the report text appear at the end
of this appendix.

Appendix III: Comments From the Department of Health and Human Services
Appendix III: Comments From the Department of Health and Human Services

                               See comment 1.

                               See comment 2.

                               See comment 3.

Appendix III: Comments From the Department of Health and Human Services

                               See comment 4.

                               See comment 5.

                               See comment 6.

Appendix III: Comments From the Department of Health and Human Services

                                GAO Comments

The following are GAO's comments on the Department of Health and Human
Services' Administration for Children and families letter dated February 6,
2002.

1. We note in the body of the report that OCSE's strategy for ensuring state
compliance is to first work with states through informal mechanisms.

2. We deleted the reference to the November date in regard to Michigan.

3. After further review of the information, we revised the report to reflect
that OCSE officials said that collecting SSNs was not their highest
priority.

4. We revised the text to clarify that disapproving a state plan will result
in a state losing all federal funds for its child support enforcement
program until the program comes into compliance.

5. We revised the statement to reflect that it depends on the state where
the action takes place.

6. We corrected the title of the act.

Appendix IV: GAO Contacts and Staff Acknowledgments

GAO Contacts Carolyn Taylor (202) 512-2974 Nancy Cosentino (415) 904-2117

Staff In addition to those named above, the following individuals made
important contributions to this report: Christopher Morehouse, Cathy

Acknowledgments Pardee, Kate Kousser, and Yunsian Tai.

GAO's Mission

Obtaining Copies of GAO Reports and Testimony

The General Accounting Office, the investigative arm of Congress, exists to
support Congress in meeting its constitutional responsibilities and to help
improve the performance and accountability of the federal government for the
American people. GAO examines the use of public funds; evaluates federal
programs and policies; and provides analyses, recommendations, and other
assistance to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents is through the
Internet. GAO's Web site (www.gao.gov) contains abstracts and full-text
files of current reports and testimony and an expanding archive of older
products. The Web site features a search engine to help you locate documents
using key words and phrases. You can print these documents in their
entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its Web
site daily. The list contains links to the full-text document files. To have
GAO e-mail this list to you every afternoon, go to www.gao.gov and select
"Subscribe to daily e-mail alert for newly released products" under the GAO
Reports heading.

Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out to
the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:

U.S. General Accounting Office P.O. Box 37050 Washington, D.C. 20013

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

Visit GAO's Document GAO Building

Distribution  Center  Room 1100,  700 4th  Street, NW  (corner of 4th  and G
Streets, NW) Washington, D.C. 20013

To Report Fraud, Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm,

Waste, and Abuse in E-mail: [email protected], or

Federal Programs 1-800-424-5454 or (202) 512-7470 (automated answering
system).

Jeff   Nelligan,  Managing   Director,   [email protected]   (202)  512-4800

Public Affairs U.S.  General Accounting Office, 441 G. Street NW, Room 7149,
Washington, D.C. 20548
*** End of document. ***