Social Security Numbers: Use is Widespread and Protection Could
Be Improved (21-JUN-07, GAO-07-1023T).
Since its creation, the Social Security number (SSN) has evolved
beyond its intended purpose to become the identifier of choice
for public and private sector entities, and it is now used for
myriad non-Social Security purposes. This is significant because
a person's SSN, along with name and date of birth, are the key
pieces of personal information used to perpetrate identity theft.
Consequently, the potential for misuse of the SSN has raised
questions about how private and public sector entities obtain,
use, and protect SSNs. Accordingly, this testimony focuses on
describing the (1) use of SSNs by government agencies, (2) use of
SSNs by the private sector, and (3) vulnerabilities that remain
to protecting SSNs. For this testimony, we primarily relied on
information from our prior reports and testimonies that address
public and private sector use and protection of SSNs. These
products were issued between 2002 and 2006 and are listed in the
Related GAO Products section at the end of this statement. We
conducted our reviews in accordance with generally accepted
government auditing standards.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-1023T
ACCNO: A71186
TITLE: Social Security Numbers: Use is Widespread and Protection
Could Be Improved
DATE: 06/21/2007
SUBJECT: Confidential information
Federal law
Identification cards
Identity theft
Information disclosure
Information management
Information security
Private sector
Public records
Social security number
Strategic planning
Information sharing
Testimony
Before the Subcommittee on Social Security, Committee on Ways and Means,
House of Representatives
United States Government Accountability Office
GAO
For Release on Delivery
Expected at 10:00 a.m. EDT
Thursday, June 21, 2007
SOCIAL SECURITY NUMBERS
Use is Widespread and Protection Could Be Improved
Statement of Daniel Bertoni, Director
Education, Workforce, and Income Security Issues
GAO-07-1023T
Mr. Chairman and Members of the Subcommittee:
I am pleased to be here today to discuss ways to better protect the Social
Security number (SSN), which was originally created as a means to track
workers' earnings and eligibility for Social Security benefits. Since its
creation, the SSN has evolved beyond its intended purpose to become the
identifier of choice for public and private sector entities and is now
used for myriad non-Social Security purposes. This is significant because
a person's SSN, along with name and date of birth, are the key pieces of
personal information used to perpetrate identity theft. Consequently, the
potential for misuse of the SSN has raised questions about how private and
public sector entities obtain, use, and protect SSNs.
Over the last several years, the Congress and some states have recognized
the importance of restricting the use and display of SSNs by both the
public and private sectors. As a result, federal and state laws have been
enacted that to some degree protect individuals' personal information,
including SSNs. However, the continued use of and reliance on SSNs by
public and private sector entities, as well as the potential for their
misuse, underscore the importance of identifying areas that can be further
strengthened. GAO has issued a number of reports and testified before this
Subcommittee about the various aspects of SSN use in both the public and
private sectors. Accordingly, my remarks today will focus on describing
the (1) use of SSNs by government agencies, (2) use of SSNs by the private
sector, and (3) vulnerabilities that remain to protecting SSNs.
In summary, a number of federal laws and regulations require agencies at
all levels of government to frequently collect and use SSNs for various
purposes. For example, agencies frequently collect and use SSNs to
administer their programs, link data for verifying applicants' eligibility
for services and benefits, and conduct program evaluations. In the private
sector, certain entities, such as information resellers, collect SSNs from
public sources, private sources, and their customers and use this
information for identity verification purposes. In addition, banks,
securities firms, telecommunication firms, and tax preparers sometimes
share SSNs with their contractors for limited purposes. Although laws at
both the federal and state levels have helped to restrict SSN use and
display, and both public and private sector entities have taken some steps
to further protect this information, several vulnerabilities remain. For
example, federal laws addressing SSN use and collection in the private
sector continue to leave SSNs maintained by certain industries vulnerable
to misuse by identity thieves and others.
For this testimony, we primarily relied on information from our prior
reports and testimonies that address public and private sector use and
protection of SSNs. These products were issued between 2002 and 2006 and
are listed in the Related GAO Products section at the end of this
statement. We conducted our reviews in accordance with generally accepted
government auditing standards.
Background
The Social Security Act of 1935 authorized the Social Security
Administration (SSA) to establish a record-keeping system to manage the
Social Security program, which resulted in the creation of the SSN.^1
Through a process known as "enumeration," unique numbers are created for
every person as a work and retirement benefit record. Today, SSA issues
SSNs to most U.S. citizens, as well as non-citizens lawfully admitted to
the United States with permission to work. Because the SSN is unique for
every individual, both the public and private sectors increasingly use it
as a universal identifier. This increased use, as well as increased
electronic record keeping by both sectors, has eased access to SSNs and
potentially made this information more vulnerable to misuse, including
identity theft.
Specifically, SSNs are a key piece of information used to create false
identities for financial misuse or to assume another individual's
identity. Most often, identity thieves use SSNs belonging to real people.
However, the Federal Trade Commission's (FTC) identity theft victim
complaint data has shown that only 30 percent of identity theft victims
know how thieves obtained their personal information. The FTC estimated
that over a 1-year period, nearly 10 million people discovered they were
victims of identity theft, translating into estimated losses of billions
of dollars.
Federal Laws Affecting SSN Use and Disclosure
There is no one law that regulates the overall use of SSNs by all levels
and branches of government. However, the use and disclosure of SSNs by the
federal government is generally restricted under the Privacy Act of 1974.
Broadly speaking, this act seeks to balance the government's need to
maintain information about individuals with the rights of individuals to
be protected against unwarranted invasions of their privacy. Section 7 of
the act requires that any federal, state, or local government agency, when
requesting an SSN from an individual, tell individuals whether disclosing
the SSN is mandatory or voluntary, cite the statutory or other authority
under which the request is being made, and state what uses it will make of
the individual's SSN.
^1The Social Security Act of 1935 created the Social Security Board, which
was renamed the Social Security Administration in 1946.
Additional federal laws also place restrictions on public and private
sector entities' use and disclosure of consumers' personal information,
including SSNs, in specific instances. As shown in table 1, some of these
laws require certain industries, such as the financial services industry,
to protect individuals' personal information to a greater degree than
entities in other industries.
Table 1: Aspects of Federal Laws That Affect Disclosure of Personal
Information

Fair Credit Reporting Act (FCRA): Limits access to credit data that
includes SSNs to those who have a permissible purpose under the law.

Fair and Accurate Credit Transactions Act (FACTA): Amends FCRA to allow,
among other things, consumers who request a copy of their credit report
to also request that the first five digits of their SSN (or similar
identification number) not be included in the file; requires consumer
reporting agencies and any business that uses a consumer report to adopt
procedures for proper disposal.

Gramm-Leach-Bliley Act (GLBA): Creates a new definition of personal
information that includes SSNs and limits when financial institutions may
disclose the information to nonaffiliated third parties.

Drivers Privacy Protection Act (DPPA): Prohibits obtaining and disclosing
SSNs and other personal information from a motor vehicle record except as
expressly permitted under the law.

Health Insurance Portability and Accountability Act (HIPAA): Protects the
privacy of health information that identifies an individual (including by
SSNs) and restricts health care organizations from disclosing such
information to others without the patient's consent.

Source: GAO analysis.
In 1998, Congress also enacted a federal statute that criminalizes fraud
in connection with the unlawful theft and misuse of personal identifiable
information, including SSNs. The Identity Theft and Assumption Deterrence
Act made it a criminal offense for a person to "knowingly transfer,
possess, or use without lawful authority," another person's means of
identification "with the intent to commit, or to aid or abet, or in
connection with, any unlawful activity that constitutes a violation of
Federal law, or that constitutes a felony under any applicable state or
local law." Under the act, an individual's name or Social Security number
is considered a "means of identification." In addition, in 2004, the
Identity Theft Penalty Enhancement Act established the offense of
aggravated identity theft in the federal criminal court, which is
punishable by a mandatory two-year prison term.
State Laws Affecting SSN Use and Disclosure
Many states have also enacted laws to restrict the use and display of
SSNs.^2 For example, in 2001, California enacted a law that generally
prohibited companies and persons from engaging in certain activities with
SSNs, such as posting or publicly displaying SSNs, or requiring people to
transmit an SSN over the Internet unless the connection is secure or the
number is encrypted. In our prior work, we identified 13 states--Arizona,
Arkansas, Connecticut, Georgia, Illinois, Maryland, Michigan, Minnesota,
Missouri, Oklahoma, Texas, Utah, and Virginia--that have passed laws
similar to California's.^3 While some states, such as Arizona, have
enacted virtually identical restrictions on the use and display of SSNs,
other states have modified the restrictions in various ways. For example,
unlike the California law, which prohibits the use of the full SSN, the
Michigan statute prohibits the use of more than four sequential digits of
the SSN.
Some states have also enacted other types of restrictions on the uses of
SSNs. For example, Arkansas, Colorado, and Wisconsin prohibit the use of a
student's SSN as an identification number.^4 Other recent state
legislation places restrictions on state and local government agencies,
such as Indiana's law that generally prohibits state agencies from
releasing SSNs unless otherwise required by law.^5
^2 For more information on state laws relating to SSN use and disclosure,
see GAO, Social Security Numbers: More Could Be Done to Protect SSNs,
GAO-06-586T (Washington, D.C.: March 30, 2006), and GAO, Social Security
Numbers: Federal and State Laws Restrict Use of SSNs, yet Gaps Remain,
GAO-05-1016T (Washington, D.C.: Sept. 15, 2005).
^3 See Arkansas (Ark. Code Ann. § 4-86-107 (2005)); Arizona (Ariz. Rev.
Stat. § 44-1373 (2004)); Connecticut (Conn. Gen. Stat. § 42-470 (2003));
Georgia (Ga. Code Ann. § 33-24-57.1 (2003)); Illinois (815 Ill. Comp.
Stat. 505/2QQ (2004)); Maryland (Md. Code Ann., Com. Law § 14-3301 et seq.
(2005)); Michigan (Mich. Comp. Laws § 445.81 et seq. (2004)); Minnesota
(Minn. Stat. § 325E.59 (2005)); Missouri (Mo. Rev. Stat. § 407.1355
(2003)); Oklahoma (Okla. Stat. tit. 40, § 173.1 (2004)); Texas (Tex. Bus.
& Com. Code Ann. 35.58 (2003)); Utah (Utah Code Ann. § 31A-21-110 (2004));
and Virginia (Va. Code Ann. § 59.1-443.2 (2005)).
^4 Ark. Code Ann. § 6-18-208 (2005); Colo. Rev. Stat. § 23-5-127 (2003);
and Wis. Stat. § 36.32 (2001).
^5 Ind. Code § 4-1-10-1 et seq. (2005).
Government Agencies Collect and Use SSNs for a Variety of Purposes
A number of federal laws and regulations require agencies at all levels of
government to frequently collect and use SSNs for various purposes.
Beginning with a 1943 Executive Order issued by President Franklin D.
Roosevelt, all federal agencies were required to use the SSN exclusively
for identification systems of individuals, rather than set up a new
identification system. In later years, the number of federal agencies and
others relying on the SSN as a primary identifier escalated dramatically,
in part, because a number of federal laws were passed that authorized or
required its use for specific activities. For example, agencies use SSNs
o for internal administrative purposes, which include activities
such as identifying, retrieving, and updating records;
o to collect debts owed to the government and conduct or support
research and evaluations, as well as use employees' SSNs for
activities such as payroll, wage reporting, and providing employee
benefits;
o to ensure program integrity, such as matching records with state
and local correctional facilities to identify individuals for whom
the agency should terminate benefit payments; and
o for statistics, research, and evaluation.^6
Table 2 provides an overview of federal statutes that address government
collection and use of SSNs. In some cases, these statutes require that
state and local government entities collect SSNs.
^6The Bureau of the Census is authorized by statute to collect a variety
of information and is prohibited from making it available, except in
certain circumstances.
Table 2: Examples of Federal Statutes that Authorize or Mandate the
Collection or Use of SSNs

(For each statute: the general purpose for collecting or using the SSN,
followed by the government entity and its authorized or required use.)

Tax Reform Act of 1976, 42 U.S.C. 405(c)(2)(c)(i)
  Purpose: General public assistance programs, tax administration,
  driver's license, motor vehicle registration
  Use: Authorizes states to collect and use SSNs in administering any tax,
  general public assistance, driver's license, or motor vehicle
  registration law

Food Stamp Act of 1977, 7 U.S.C. 2025(e)(1)
  Purpose: Food Stamp Program
  Use: Mandates the Secretary of Agriculture and state agencies to require
  SSNs for program participation

Deficit Reduction Act of 1984, 42 U.S.C. 1320b-7(1)
  Purpose: Eligibility benefits under the Medicaid program
  Use: Requires that, as a condition of eligibility for Medicaid benefits,
  applicants for and recipients of these benefits furnish their SSNs to
  the state administering program

Housing and Community Development Act of 1987, 42 U.S.C. 3543(a)
  Purpose: Eligibility for Department of Housing and Urban Development
  programs
  Use: Authorizes the Secretary of the Department of Housing and Urban
  Development to require program applicants and participants to submit
  their SSNs as a condition of eligibility

Family Support Act of 1988, 42 U.S.C. 405(c)(2)(C)(ii)
  Purpose: Issuance of birth certificates
  Use: Requires states to obtain parents' SSNs before issuing a birth
  certificate unless there is good cause for not requiring the number

Technical and Miscellaneous Revenue Act of 1988, 42 U.S.C. 405(c)(2)(D)(i)
  Purpose: Blood donation
  Use: Authorizes states and political subdivisions to require that blood
  donors provide their SSNs

Food, Agriculture, Conservation, and Trade Act of 1990, 42 U.S.C.
405(c)(2)(C)
  Purpose: Retail and wholesale businesses' participation in food stamp
  program
  Use: Authorizes the Secretary of Agriculture to require the SSNs of
  officers or owners of retail and wholesale food concerns that accept and
  redeem food stamps

Omnibus Budget Reconciliation Act of 1990, 38 U.S.C. 510(c)
  Purpose: Eligibility for Veterans Affairs compensation or pension
  benefits programs
  Use: Requires individuals to provide their SSNs to be eligible for
  Department of Veterans Affairs' compensation or pension benefits
  programs

Social Security Independence and Program Improvements Act of 1994, 42
U.S.C. 405(c)(2)(E)
  Purpose: Eligibility of potential jurors
  Use: Authorizes states and political subdivisions of states to use SSNs
  to determine eligibility of potential jurors

Personal Responsibility and Work Opportunity Reconciliation Act of 1996,
42 U.S.C. 666(a)(13)
  Purpose: Various license applications, divorce and child support
  documents, death certificates
  Use: Mandates that states have laws in effect that require collection of
  SSNs on applications for driver's licenses and other licenses; requires
  placement in the pertinent records of the SSN of the person subject to a
  divorce decree, child support order, or paternity determination;
  requires SSNs on death certificates; creates national database for child
  support enforcement purposes

Debt Collection Improvement Act of 1996, 31 U.S.C. 7701(c)
  Purpose: Persons doing business with a federal agency
  Use: Requires those doing business with a federal agency (i.e., lenders
  in a federal guaranteed loan program; applicants for federal licenses,
  permits, right-of-ways, grants, or benefit payments; contractors of an
  agency and others) to furnish SSNs to the agency

Higher Education Act Amendments of 1998, 20 U.S.C. 1090(a)(7)
  Purpose: Financial assistance
  Use: Authorizes the Secretary of Education to include the SSNs of
  parents of dependent students on certain financial assistance forms

Internal Revenue Code (various amendments), 26 U.S.C. 6109
  Purpose: Tax returns
  Use: Authorizes the Commissioner of the Internal Revenue Service to
  require that taxpayers include their SSNs on tax returns

Source: GAO review of applicable federal laws.
Some government agencies also collect SSNs because of their responsibility
for maintaining public records, which are those records the government
generally makes available to the public for inspection. Because these
records are open to the public, such government agencies, primarily at the
state and local levels, provide access to the SSNs sometimes contained in
those records.^7 Based on a survey of federal, state, and local
governments, we reported in 2004 that state agencies in 41 states and the
District of Columbia displayed SSNs in public records; this was also true
in 75 percent of U.S. counties.^8 We also found that while the number and
type of records in which SSNs were displayed varied greatly across states
and counties, SSNs were most often found in court and property records.
Public records displaying SSNs are stored in multiple formats, such as
electronic, microfiche and microfilm, or paper copy. While our prior work
found that public access to such records was often limited to inspection
of the individual paper copy in public reading rooms or clerks' offices,
or request by mail, some agencies also made public records available on
the Internet.
In recent years, some agencies have begun to take measures to change the
ways in which they display or provide access to SSNs in public records.
For example, some state agencies have reported removing SSNs from
electronic versions of records, replacing SSNs with alternative
identifiers in records, restricting record access to individuals
identified in the records, or allowing such individuals to request the
removal of their SSNs from these records.
^7Not all records held by government or public agents are "public" in
terms of their availability to any inquiring person. For example, adoption
records are generally sealed. Personnel records are often not readily
available to the public, although newspapers may publish the salaries of
high, elected officials.
^8 GAO, Social Security Numbers: Governments Could Do More To Reduce
Display in Public Records and on Identity Cards, GAO-05-59
(Washington, D.C.: November 9, 2004).
Private Sector Entities Collect SSNs from Various Sources for Identity
Verification Purposes
Certain private sector entities, such as information resellers, consumer
reporting agencies (CRAs), and healthcare organizations collect SSNs from
public and private sources, as well as their customers, and primarily use
SSNs for identity verification purposes. In addition, banks, securities
firms, telecommunication firms, and tax preparers engage in third party
contracting and sometimes share SSNs with their contractors for limited
purposes, generally when it is necessary and unavoidable.
Private Sector Entities Collect SSNs from Both Public and Private Sources
Information resellers are businesses that specialize in amassing personal
information, including SSNs, and offering informational services. They
provide their services to a variety of customers, such as specific
business clients or, through the Internet, the general public. Large or
well known information resellers reported that they obtain SSNs from
various public records, such as records of bankruptcies, tax liens, civil
judgments, criminal histories, deaths, and real estate transactions.^9
However, some of these resellers said they are more likely to rely on SSNs
obtained directly from their clients, who may voluntarily provide such
information, than those found in public records. In addition, in our prior
review of information resellers that offer their services through the
Internet, we found that their Web sites most frequently identified public
or nonpublic sources, or both, as their sources of information.^10 For
example, a few Internet resellers offered to conduct background
investigations on individuals by compiling information from court records
and using a credit bureau to obtain consumer credit data.
CRAs, also known as credit bureaus, are agencies that collect and sell
information about the creditworthiness of individuals. Like information
resellers, CRAs also obtain SSNs from public and private sources. For
example, CRA officials reported that they obtain SSNs from public sources,
such as bankruptcy records.^11 We also found that these companies obtain
SSNs from other information resellers, especially those that specialize in
collecting information from public records. However, CRAs are more likely
to obtain SSNs from businesses that subscribe to their services, such as
banks, insurance companies, mortgage companies, debt collection agencies,
child support enforcement agencies, credit grantors, and employment
screening companies.
^9 GAO, Social Security Numbers: Private Sector Entities Routinely Obtain
and Use SSNs, and Laws Limit the Disclosure of This Information,
GAO-04-11 (Washington, D.C.: January 22, 2004).
^10 GAO, Social Security Numbers: Internet Resellers Provide Few Full
SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs,
GAO-06-495 (Washington, D.C.: May 17, 2006).
^11 GAO-04-11.
Organizations that provide health care services, including health care
insurance plans and providers, are less likely to obtain SSNs from public
sources. These organizations typically obtain SSNs either from individuals
themselves or from companies that offer health care plans. For example,
individuals enrolling in a health care plan provide their SSNs as part of
their plan applications. In addition, health care providers, such as
hospitals, often collect SSNs as part of the process of obtaining
information on insured people.
Private Sector Entities Primarily Use SSNs to Verify Individuals' Identities
We found that the primary use of SSNs by information resellers, CRAs, and
health care organizations is to help verify the identity of individuals.
Large information resellers reported that they generally use the SSN as an
identity verification tool, though they also use it for matching internal
databases, identifying individuals for their product reports, or
conducting resident or employment screening investigations for their
clients. CRAs use SSNs as the primary identifier of individuals in order
to match information they receive from their business clients with
information on individuals already stored in their databases. Finally,
health care organizations also use the SSN, together with information such
as name, address, and date of birth, for identity verification.
In addition to their own direct use of customers' SSNs, private sector
entities also share this information with their contractors. According to
experts, approximately 90 percent of businesses contract out some activity
because they find either it is more economical to do so or other companies
are better able to perform these activities. Banks, investment firms,
telecommunication companies, and tax preparation companies we interviewed
for our prior work routinely obtain SSNs from their customers for
authentication and identification purposes and contract with other
companies for various services, such as data processing, administrative,
and customer service functions.^12 Company officials reported that
customer information, such as SSNs, is shared with contractors for limited
purposes, generally when it is necessary or unavoidable. Further, these
companies included certain provisions in their standard contract forms
aimed at safeguarding customers' personal information. For example, forms
included electronic and physical data protections, audit rights, data
breach notifications, subcontractor restrictions, and data handling and
disposal requirements.
^12 GAO, Social Security Numbers: Stronger Protections Needed When
Contractors Have Access to SSNs, GAO-06-238 (Washington, D.C.: January
23, 2006).
Vulnerabilities Remain to Protecting SSNs in both the Public and Private Sectors
Although federal and state laws have helped to restrict SSN use and
display, and public and private sector entities have taken some steps to
further protect this information, our prior work identified several
remaining vulnerabilities. While government agencies have since taken
actions to address some of the identified SSN protection vulnerabilities
in the public sector, private sector vulnerabilities that we previously
identified have not yet been addressed. Consequently, in both sectors,
vulnerabilities remain to protecting SSNs from potential misuse by
identity thieves and others.
Government Agencies Have Taken Additional Actions to Address SSN Protection, yet
Vulnerabilities Remain
In our prior work, we found that several vulnerabilities remain to
protecting SSNs in the public sector, and in response, some of these
vulnerabilities have since been addressed by agencies. For example, in our
review of government uses of SSNs, we found that some federal, state, and
local agencies do not consistently fulfill the Privacy Act requirements
that they inform individuals whether SSN disclosure is mandatory or
voluntary, provide the statutory or other authority under which the SSN
request is made, or indicate how the SSN will be used, when they request
SSNs from individuals. To help address this inconsistency, we recommended
that the Office of Management and Budget (OMB) direct federal agencies to
review their practices for providing required information, and OMB has
since implemented this recommendation.
Actions have also been taken by some federal agencies in response to our
previous finding that millions of SSNs are subject to exposure on
individual identity cards issued under federal auspices.^13 Specifically,
in 2004, we reported that an estimated 42 million Medicare cards, 8
million Department of Defense (DOD) insurance cards, and 7 million
Department of Veterans Affairs (VA) beneficiary cards displayed entire
9-digit SSNs. While the Centers for Medicare and Medicaid Services, with
the largest number of cards displaying the entire 9-digit SSN, does not
plan to remove the SSN from Medicare identification cards, VA and DOD have
begun taking action to remove SSNs from cards. For example, VA is
eliminating SSNs from 7 million VA identification cards and will replace
cards with SSNs or issue new cards without SSNs between 2004 and 2009,
until all such cards have been replaced.
^13 GAO-05-59.
However, some of the vulnerabilities we identified in public sector SSN
protection have not been addressed. For example, while the Privacy Act and
other federal laws prescribe actions agencies must take to assure the
security of SSNs and other personal information, we found that these
requirements may not be uniformly observed by agencies at all levels of
government.^14 In addition, in our review of SSNs in government
agency-maintained public records, we found that SSNs are widely exposed to
view in a variety of these records.^15 While some agencies reported taking
actions such as removing SSNs from electronic versions of records, without
a uniform and comprehensive policy, SSNs in these records remain
vulnerable to potential misuse by identity thieves. Consequently, in both
instances, we suggested that Congress consider convening a representative
group of federal, state, and local officials to develop a unified approach
to safeguarding SSNs used in all levels of government. Some steps have
since been taken at the federal level to promote inter-agency discussion
of SSN protection, such as creation of the President's Identity Theft Task
Force in 2006 to increase the safeguards on personal data held by the
federal government.
In April 2007, the Task Force completed its work, which resulted in a
strategic plan aimed at making the federal government's efforts more
effective and efficient in the areas of identity theft awareness,
prevention, detection, and prosecution. The plan's recommendations focus
in part on increasing safeguards employed by federal agencies and the
private sector with respect to the personal data they maintain, including
decreasing the unnecessary use of SSNs in the public sector. To that end,
last month, OMB issued a memorandum requiring federal agencies to examine
their use of SSNs in systems and programs in order to identify and
eliminate instances in which collection or use of the SSN is unnecessary.
In addition, the memo requires federal agencies to participate in
governmentwide efforts to explore alternatives to agency use of SSNs as
personal identifiers for both federal employees and in federal programs.
^14 GAO-02-352.
^15 GAO-05-59.
Vulnerabilities Persist in Federal Laws Addressing SSN Collection and Use by
Private Sector Entities
In our reviews of private sector entities' collection and use of SSNs, we
found variation in how different industries are covered by federal laws
protecting individuals' personal information. For example, although
federal laws place restrictions on reselling some personal information,
these laws only apply to certain types of private sector entities, such as
financial institutions. Consequently, information resellers are not
covered by these laws, and there are few restrictions placed on these
entities' ability to obtain, use, and resell SSNs. However, recently
proposed federal legislation, if implemented, may help to address this
vulnerability.^16 For example, the SSN Protection Act of 2007, as
introduced by Representative Edward Markey, would give the Federal Trade
Commission (FTC) rulemaking authority to restrict the sale and purchase of
SSNs and determine appropriate exemptions.^17 The proposed legislation
would therefore improve SSN protection while also permitting limited
exceptions to the purchase and sale of SSNs for certain purposes, such as
law enforcement or national security.
Vulnerabilities also exist in federal law and agency oversight for
different industries that share SSNs with their contractors.^18 For
example, while federal law and oversight of the sharing of personal
information in the financial services industry is very extensive, federal
law and oversight of the sharing of personal information in the tax
preparation and telecommunications industries is somewhat lacking.
Specific actions to address these vulnerabilities in federal laws have not
yet been taken, leaving SSNs maintained by information resellers and
contractors in the tax preparation and telecommunications industries
potentially exposed to misuse, including identity theft.
We also found a gap in federal law addressing SSN truncation, a practice
that would improve SSN protection if standardized. Specifically, in our
Internet resellers report, several resellers provided us with truncated
SSNs showing the first five digits, though other entities truncate SSNs by
showing the last four digits. Because a record truncated to show the first
five digits and the same record truncated to show the last four digits
together reveal the entire number, the lack of SSN truncation standards
means that even truncated SSNs remain vulnerable to potential misuse by
identity thieves and others. While we suggested that the Congress consider
enacting standards for truncating SSNs or delegating authority to SSA or
some other governmental entity to do so, SSN truncation standards have yet
to be addressed at the federal level.
^16 Legislation proposed in the 110th Congress that may help to address
this vulnerability includes H.R. 948 "Social Security Number Protection
Act of 2007," H.R. 958 "Data Accountability and Trust Act," and S. 238
"Social Security Number Misuse Prevention Act."
^17 H.R. 948.
^18 [29]GAO-06-238.
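The truncation gap described above (and restated in the Highlights summary) can be checked mechanically by a record keeper. The following is an added example, not GAO's code or any reseller's: it renders a number in either of the two truncation styles the testimony contrasts and measures how many digit positions a set of differently truncated copies of the same record leaves visible in aggregate, so a policy that allows mixed styles can be rejected. The sample number and the style names are constructed for illustration.

```python
# Added example (not GAO's code): measuring combined SSN exposure when
# different record keepers truncate the same number in different ways.
import re

SSN_PATTERN = re.compile(r"\d{3}-?\d{2}-?\d{4}")


def truncate(ssn: str, style: str) -> str:
    """Render a 9-digit SSN with hidden digits replaced by 'X'.

    'last4'  keeps only the last four digits (the consumer-reporting style).
    'first5' keeps only the first five digits (the style some resellers used).
    """
    if not SSN_PATTERN.fullmatch(ssn):
        raise ValueError("expected a 9-digit SSN, with or without dashes")
    digits = ssn.replace("-", "")
    if style == "last4":
        kept = "X" * 5 + digits[5:]
    elif style == "first5":
        kept = digits[:5] + "X" * 4
    else:
        raise ValueError(f"unknown truncation style {style!r}")
    return f"{kept[:3]}-{kept[3:5]}-{kept[5:]}"


def exposed_positions(renderings) -> set:
    """Union of digit positions (0-8) left visible across several truncated
    renderings of the same record, e.g. copies held by different entities."""
    exposed = set()
    for rendering in renderings:
        chars = rendering.replace("-", "").upper()
        if len(chars) != 9:
            raise ValueError(f"malformed rendering {rendering!r}")
        exposed.update(i for i, c in enumerate(chars) if c != "X")
    return exposed


def redaction_is_effective(renderings, max_exposed: int = 4) -> bool:
    """True when the renderings, taken together, reveal no more than
    max_exposed digits; 4 corresponds to a uniform last-four standard."""
    return len(exposed_positions(renderings)) <= max_exposed


if __name__ == "__main__":
    sample = "987-65-4321"  # constructed sample, not a real SSN
    uniform = [truncate(sample, "last4"), truncate(sample, "last4")]
    mixed = [truncate(sample, "first5"), truncate(sample, "last4")]
    print("uniform last-four copies expose", len(exposed_positions(uniform)), "digits")
    print("mixed first-five/last-four copies expose", len(exposed_positions(mixed)), "digits")
    print("effective:", redaction_is_effective(uniform), redaction_is_effective(mixed))
```

Two copies truncated the same way expose four positions; one first-five copy plus one last-four copy expose all nine, which is the failure the testimony describes.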
Concluding Observations
The use of SSNs as a key identifier in both the public and private sectors
will likely continue, as there is currently no other widely accepted
alternative. However, because of this widespread use of SSNs, and the
vulnerabilities that remain in protecting this identifier in both sectors,
SSNs continue to be accessible to misuse by identity thieves and others.
Given the significance of the SSN in committing fraud or stealing an
individual's identity, it would be helpful to take additional steps to
protect this number. As the Congress moves forward in pursuing legislation
to address SSN protection and identity theft, focusing the debate on
vulnerabilities that have already been documented may help target efforts
and policy directly toward immediate improvements in SSN protection. To
this end, we look forward to supporting the Subcommittee and the Congress
however we can to further ensure the integrity of SSNs. Related to this,
we have issued a report on the federal government's provision of SSNs to
state and local public record keepers, and we have also recently begun a
review of the bulk sale of public records containing SSNs, including how
federal law protects SSNs in these records when they are sold to entities
both here and overseas.
Mr. Chairman, this concludes my prepared testimony. I would be pleased to
respond to any questions you or other members of the subcommittee may
have.
GAO Contacts
For further information regarding this testimony, please contact me at
[email protected] or (202) 512-7215. In addition, contact points for our
Offices of Congressional Relations and Public Affairs can be found on the
last page of this statement. Individuals making key contributions to this
testimony include Jeremy Cox, Rachel Frisk, Ayeke Messam, and Dan
Schwimer.
Related GAO Products
Social Security Numbers: Internet Resellers Provide Few Full SSNs, but
Congress Should Consider Enacting Standards for Truncating SSNs.
[30]GAO-06-495. Washington, D.C.: May 17, 2006.
Social Security Numbers: More Could Be Done to Protect SSNs.
[31]GAO-06-586T. Washington, D.C.: March 30, 2006.
Social Security Numbers: Stronger Protections Needed When Contractors Have
Access to SSNs. [32]GAO-06-238. Washington, D.C.: January 23, 2006.
Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet
Gaps Remain. [33]GAO-05-1016T. Washington, D.C.: September 15, 2005.
Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards. [34]GAO-05-59. Washington, D.C.:
November 9, 2004.
Social Security Numbers: Use Is Widespread and Protections Vary in Private
and Public Sectors. [35]GAO-04-1099T. Washington, D.C.: September 28,
2004.
Social Security Numbers: Use Is Widespread and Protections Vary.
[36]GAO-04-768T. Washington, D.C.: June 15, 2004.
Social Security Numbers: Private Sector Entities Routinely Obtain and Use
SSNs, and Laws Limit the Disclosure of This Information. [37]GAO-04-11.
Washington, D.C.: January 22, 2004.
Social Security Numbers: Ensuring the Integrity of the SSN.
[38]GAO-03-941T. Washington, D.C.: July 10, 2003.
Social Security Numbers: Government Benefits from SSN Use but Could
Provide Better Safeguards. [39]GAO-02-352. Washington, D.C.: May 31, 2002.
(130787)
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( [40]www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
[41]www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: [42]www.gao.gov/fraudnet/fraudnet.htm
E-mail: [43][email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [44][email protected], (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [45][email protected], (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
[46]www.gao.gov/cgi-bin/getrpt?GAO-07-1023T.
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Daniel Bertoni at (202) 512-7215,
[email protected].
Highlights of [47]GAO-07-1023T, a testimony before the Committee on Ways
and Means, Subcommittee on Social Security
June 21, 2007
SOCIAL SECURITY NUMBERS
Use is Widespread and Protection Could be Improved
A number of federal laws and regulations require agencies at all levels of
government to frequently collect and use SSNs for various purposes. For
example, agencies frequently collect and use SSNs to administer their
programs, link data for verifying applicants' eligibility for services and
benefits, and conduct program evaluations.
In the private sector, certain entities, such as information resellers,
collect SSNs from public sources, private sources, and their customers and
use this information for identity verification purposes. In addition,
banks, securities firms, telecommunication firms, and tax preparers engage
in third party contracting, and consequently sometimes share SSNs with
their contractors for limited purposes.
Vulnerabilities persist in federal laws addressing SSN collection and use
by private sector entities. In particular, we found variation in how
different industries are covered by federal laws protecting individuals'
personal information. For example, although federal laws place
restrictions on reselling some personal information, these laws apply only
to certain types of private sector entities, such as financial
institutions. Consequently, information resellers are not covered by these
laws, and there are few restrictions placed on these entities' ability to
obtain, use, and resell SSNs for their businesses. Vulnerabilities also
exist in federal law and agency oversight for different industries that
share SSNs with their contractors. For example, while federal law and
oversight of the sharing of personal information in the financial services
industry are very extensive, federal law and oversight of the sharing of
personal information in the tax preparation and telecommunications
industries are somewhat lacking. Moreover, in our Internet resellers
report, several resellers provided us with truncated SSNs showing the
first five digits, though other information resellers and consumer
reporting agencies truncate SSNs to show the last four digits. Therefore,
because of the lack of SSN truncation standards, even truncated SSNs
remain vulnerable to potential misuse by identity thieves and others.
While we suggested that the Congress consider enacting standards for
truncating SSNs or delegating authority to the Social Security
Administration or some other governmental entity to do so, SSN truncation
standards have yet to be addressed at the federal level.
References
Visible links
19. http://www.gao.gov/cgi-bin/getrpt?GAO-06-586T
20. http://www.gao.gov/cgi-bin/getrpt?GAO-05-1016T
21. http://www.gao.gov/cgi-bin/getrpt?GAO-05-59
22. http://www.gao.gov/cgi-bin/getrpt?GAO-04-11
23. http://www.gao.gov/cgi-bin/getrpt?GAO-06-495
24. http://www.gao.gov/cgi-bin/getrpt?GAO-04-11
25. http://www.gao.gov/cgi-bin/getrpt?GAO-06-238
26. http://www.gao.gov/cgi-bin/getrpt?GAO-05-59
27. http://www.gao.gov/cgi-bin/getrpt?GAO-02-352
28. http://www.gao.gov/cgi-bin/getrpt?GAO-05-59
29. http://www.gao.gov/cgi-bin/getrpt?GAO-06-238
30. http://www.gao.gov/cgi-bin/getrpt?GAO-06-495
31. http://www.gao.gov/cgi-bin/getrpt?GAO-06-586T
32. http://www.gao.gov/cgi-bin/getrpt?GAO-06-238
33. http://www.gao.gov/cgi-bin/getrpt?GAO-05-1016T
34. http://www.gao.gov/cgi-bin/getrpt?GAO-05-59
35. http://www.gao.gov/cgi-bin/getrpt?GAO-04-1099T
36. http://www.gao.gov/cgi-bin/getrpt?GAO-04-768T
37. http://www.gao.gov/cgi-bin/getrpt?GAO-04-11
38. http://www.gao.gov/cgi-bin/getrpt?GAO-03-941T
39. http://www.gao.gov/cgi-bin/getrpt?GAO-02-352
40. http://www.gao.gov/
41. http://www.gao.gov/
42. http://www.gao.gov/fraudnet/fraudnet.htm
43. mailto:[email protected]
44. mailto:[email protected]
45. mailto:[email protected]
46. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1023T
47. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1023T