Social Security Numbers: Federal Actions Could Further Decrease
Availability in Public Records, though Other Vulnerabilities
Remain (15-JUN-07, GAO-07-752).
Various public records in the United States, including some
generated by the federal government, contain Social Security
numbers (SSN) and other personal identifying information that
could be used to commit fraud and identity theft. Public records
are generally defined as government agency-held records made
available to the public in their entirety for inspection, such as
property records and court records. Although public records were
traditionally accessed locally in county courthouses and
government record centers, in recent years, some state and local
public record keepers have begun to make these records available
to the public through the Internet. While it is important for the
public to have access to these records, concerns about the use of
information in these records for criminal purposes have been
raised. In 2006, these concerns were heightened when an Ohio
woman pled guilty to conspiracy, bank fraud, and aggravated
identity theft as the leader of a group that stole citizens'
personal identifying information from a local public record
keeper's Web site and other sources, resulting in over $450,000
in losses to individuals, financial institutions, and other
businesses. Although we previously reported on the types of
public records that contain SSNs and access to those records,
less is known about the federal government's direct provision of
records with SSNs to state and local public record keepers.
Because of Congress's interest in information on these issues, we
agreed to answer the following questions: (1) Which federal
agencies commonly provide records containing SSNs to state and
local public record keepers, and what actions have been taken to
protect SSNs in these records? (2) What significant
vulnerabilities, if any, remain to protecting SSNs in public
records?
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-752
ACCNO: A71196
TITLE: Social Security Numbers: Federal Actions Could Further
Decrease Availability in Public Records, though Other
Vulnerabilities Remain
DATE: 06/15/2007
SUBJECT: Federal records management
Federal/state relations
Identity theft
Information security
Information security management
Policy evaluation
Public records
Social security number
Information sharing
Personal information
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-752
* [1]Conclusions
* [2]Recommendations for Executive Action
* [3]Agency Comments
* [4]GAO's Mission
* [5]Obtaining Copies of GAO Reports and Testimony
* [6]Order by Mail or Phone
* [7]To Report Fraud, Waste, and Abuse in Federal Programs
* [8]Congressional Relations
* [9]Public Affairs
Report to the Chairman, Subcommittee on Administrative Oversight and the
Courts, Committee on the Judiciary, U.S. Senate
United States Government Accountability Office
GAO
June 2007
SOCIAL SECURITY NUMBERS
Federal Actions Could Further Decrease Availability in Public Records,
though Other Vulnerabilities Remain
GAO-07-752
Contents
Letter 1
Conclusions 3
Recommendations for Executive Action 4
Agency Comments 4
Appendix I Briefing Slides 6
Appendix II Comments from the Office of Management and Budget 40
Appendix III Comments from the Internal Revenue Service 42
Related GAO Products 44
Abbreviations
DOJ Department of Justice
IRS Internal Revenue Service
OMB Office of Management and Budget
SSA Social Security Administration
SSN Social Security number
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
June 15, 2007
The Honorable Charles Schumer
Chairman
Subcommittee on Administrative Oversight and the Courts
Committee on the Judiciary
United States Senate
Various public records in the United States, including some generated by
the federal government, contain Social Security numbers (SSN) and other
personal identifying information that could be used to commit fraud and
identity theft. Public records are generally defined as government
agency-held records made available to the public in their entirety for
inspection, such as property records and court records. Although public
records were traditionally accessed locally in county courthouses and
government record centers, in recent years, some state and local public
record keepers have begun to make these records available to the public
through the Internet. While it is important for the public to have access
to these records, concerns about the use of information in these records
for criminal purposes have been raised. In 2006, these concerns were
heightened when an Ohio woman pled guilty to conspiracy, bank fraud, and
aggravated identity theft as the leader of a group that stole citizens'
personal identifying information from a local public record keeper's Web
site and other sources, resulting in over $450,000 in losses to
individuals, financial institutions, and other businesses. Various public
records in the United States, including some generated by the federal
government, contain Social Security numbers (SSN) and other personal
identifying information that could be used to commit fraud and identity
theft. Public records are generally defined as government agency-held
records made available to the public in their entirety for inspection,
such as property records and court records. Although public records were
traditionally accessed locally in county courthouses and government record
centers, in recent years, some state and local public record keepers have
begun to make these records available to the public through the Internet.
While it is important for the public to have access to these records,
concerns about the use of information in these records for criminal
purposes have been raised. In 2006, these concerns were heightened when an
Ohio woman pled guilty to conspiracy, bank fraud, and aggravated identity
theft as the leader of a group that stole citizens' personal identifying
information from a local public record keeper's Web site and other
sources, resulting in over $450,000 in losses to individuals, financial
institutions, and other businesses.
Although we previously reported on the types of public records that
contain SSNs and access to those records, less is known about the federal
government's direct provision of records with SSNs to state and local
public record keepers. Because of your interest in information on these
issues, we agreed to answer the following questions: (1) Which federal
agencies commonly provide records containing SSNs to state and local
public record keepers, and what actions have been taken to protect SSNs in
these records? (2) What significant vulnerabilities, if any, remain to
protecting SSNs in public records? Although we previously reported on the
types of public records that contain SSNs and access to those records,
less is known about the federal government's direct provision of records
with SSNs to state and local public record keepers. Because of your
interest in information on these issues, we agreed to answer the following
questions: (1) Which federal agencies commonly provide records containing
SSNs to state and local public record keepers, and what actions have been
taken to protect SSNs in these records? (2) What significant
vulnerabilities, if any, remain to protecting SSNs in public records?
To answer these questions, we gathered information from a variety of
sources. Specifically, we interviewed cognizant officials from the Social
Security Administration (SSA), Office of Management and Budget (OMB),
Internal Revenue Service (IRS), and Department of Justice (DOJ). We
interviewed these agencies because they are responsible for overseeing To
answer these questions, we gathered information from a variety of sources.
Specifically, we interviewed cognizant officials from the Social Security
Administration (SSA), Office of Management and Budget (OMB), Internal
Revenue Service (IRS), and Department of Justice (DOJ). We interviewed
these agencies because they are responsible for overseeing federal use of
the SSN or they were identified through our research as commonly providing
records containing SSNs to state and local public record keepers. We also
conducted interviews with public record keepers, their national
associations, and stakeholder groups focused on privacy rights, open
government, and the title insurance industry. To gather information on
records access, we visited local public record keepers' offices in the
District of Columbia, Maryland, and Virginia; reviewed several Web sites
that provide information on state and local public records access; and
used this work to guide our selection of state and local public record
keepers' Web sites nationwide for additional review. In total, we reviewed
at least one public record keeper's Web site per state. We also
interviewed public record keepers in five Florida counties to examine
implementation of recently enacted Florida statutes requiring Internet
access to public records and the removal of SSNs and other information in
those records. We conducted our work from November 2006 through May 2007
in accordance with generally accepted government auditing standards.
On May 10, 2007, we briefed your staff on the results of our analysis.
This report formally conveys the information provided during that briefing
(see app. I). In summary, we found:
o IRS and DOJ are the only federal agencies that commonly provide
records containing SSNs to state and local public record keepers,
and in recent years, both have taken steps to truncate or remove
SSNs in those records. These agencies provide property lien
records to public record keepers, on which they traditionally
included full SSNs for identity verification purposes. However,
both agencies have recently taken steps to better protect SSNs in
these records. Currently, IRS mandates the use of a truncated
version of SSNs on tax lien notices, which displays only the last
four digits of the SSN. However, the agency does not mandate SSN
truncation on all lien releases it issues. In addition, many of
DOJ's districts have begun to truncate or fully remove SSNs on the
lien records they provide to public record keepers. However,
because DOJ's districts act independently to issue lien notices,
some continue to display full SSNs in these records. Independent
of IRS and DOJ efforts in this area, some states have begun to
remove SSNs in all public records they maintain, though this
approach can be costly and may not be fully effective at
protecting SSNs.
o Both full and truncated SSNs in federally generated public
records remain vulnerable to potential misuse, in part because
different truncation methods used by the public and private
sectors may enable the reconstruction of full SSNs. While the
display of truncated SSNs in federally generated public records is
a step toward improved SSN protection, we previously reported that
information resellers--companies that specialize in amassing
personal information--sometimes provide truncated SSNs to
customers that show the first five digits. Consequently, it is
possible to reconstruct an individual's full nine-digit SSN by
combining a truncated SSN from a federally generated lien record
with a truncated SSN from an information reseller. In addition,
while IRS and DOJ have recently taken actions to limit disclosure
of full SSNs in records they generate going forward, full SSNs
remain in the millions of lien records provided to public record
keepers before the agencies implemented these changes. Increased
access to these records through bulk sales to private companies
and Internet access also creates the potential for identity theft.
For example, public record keepers in some states have been
selling complete copies of their records to private companies,
such as title companies and information resellers, for many years.
Because of this practice, current efforts to remove SSNs in
records maintained by public record keepers do not apply to all
copies of the record already made available. In addition, some
public record keepers now provide potentially unlimited Web site
access to personal identifying information in the records they
maintain.
Conclusions
Federal agencies have taken actions to mitigate the availability of SSNs
in public records by implementing the use of truncation for documents
provided to state and local record keepers. While these actions provide
some additional protection against using these records to perpetrate
identity theft, our review demonstrates that identity thieves may still be
able to reconstruct full SSNs by combining different truncated versions of
the SSN available from public and private sources. Thus, truncation does
not provide complete protection against identity theft. Yet despite this
limitation, our analysis suggests that truncation provides better
protection compared with records that display full SSNs. In this regard,
as we noted in our May 2006 report, Congress may wish to further improve
SSN protection by enacting truncation standards or assigning an agency to
do so. In addition, Congress may wish to solicit input on promising
truncation practices from the Commissioner of Social Security as part of
this process. However, in the absence of such standards, federal agencies
can still take steps to protect SSNs by further reducing their exposure in
records they generate and provide to record keepers.
Recommendations for Executive Action
To the extent that truncation provides an added level of protection from
identity theft, we are recommending that
o The Commissioner of IRS should implement a policy requiring the
truncation of all SSNs in lien releases the agency generates.
o The Attorney General should implement a policy requiring, at a
minimum, SSN truncation in all lien records generated by its
judicial districts. Truncation should be in the same format as is
currently used by IRS on lien notices.
Agency Comments
We provided a draft of this report to SSA, OMB, IRS, and DOJ for review
and comment. SSA, IRS, and DOJ provided technical comments, which we
incorporated as appropriate. We received written comments from OMB and
IRS, which are reproduced in appendixes II and III. In its comments, OMB
indicated its appreciation for the report's analysis of SSN use and
vulnerability, in both full and truncated forms, and provided information
on OMB's recent actions that require federal agencies to reduce the volume
of sensitive information, including SSNs, they maintain.
Concerning our recommendations, SSA indicated that the agency fully
supports our recommendations to IRS and DOJ because it believes that SSN
truncation will greatly improve protection of the SSN. DOJ also agreed
with our recommendation and subsequently issued a policy guidance memo
that restricts all U.S. Attorneys' Offices from using full SSNs in any
record submitted to state or local public record keepers. The memo
requires offices to either remove the SSN entirely from these records or
use a truncated version of the SSN, showing only the last four digits.
While IRS generally agreed that the use of truncated SSNs on records
submitted to state and local public record keepers provides an added level
of protection against identity theft, the agency does not currently plan
to implement our recommendation to truncate SSNs in all lien releases it
generates, specifically those relating to pre-2006 lien notices. IRS
indicated that truncating SSNs on lien releases for which the original
lien notices show full SSNs may place a hardship on IRS's lien processing
capabilities because it requires a change in how the agency's centralized
Lien Processing Unit formats those lien releases. While we recognize that
this change could potentially cause an administrative burden for IRS, we
believe that the added level of protection against identity theft
accomplished by truncating SSNs on lien releases outweighs these costs.
IRS also indicated that truncating SSNs on lien releases for which the
original lien notices show full SSNs may prove problematic for record
keepers. However, we do not believe that truncating SSNs on lien releases
would prove problematic for most record keepers. Specifically, IRS
includes key identifying information that corresponds to the original lien
notice on most of the lien releases they submit to record keepers.
Therefore, this identifying information can be used by record keepers to
determine which lien notice corresponds to the newly submitted release,
and IRS should not need to include a person's full SSN on the lien release
for this purpose.
As we agreed with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its issue date. At that time, we will send copies of this report to
relevant congressional committees, the Commissioner of SSA, the Director
of OMB, the Commissioner of IRS, the Attorney General, and other
interested parties and will make copies available to others upon request.
In addition, this report will be available on GAO's Web site at
http://www.gao.gov . If you or your staff have any questions about
this report, please contact me at 202-512-7215 or [email protected] .
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. Key contributors to
this report include Jeremy Cox (Assistant Director), Rachel Frisk
(Analyst-in-Charge), and Ayeke Messam. In addition, Dan Schwimer provided
legal assistance.
Daniel Bertoni
Director, Education, Workforce, and Income Security Issues
Appendix I: Briefing Slides
Appendix II: Comments from the Office of Management and Budget
Appendix III: Comments from the Internal Revenue Service
Related GAO Products
Social Security Numbers: Internet Resellers Provide Few Full SSNs, but
Congress Should Consider Enacting Standards for Truncating SSNs.
[12]GAO-06-495 . Washington, D.C.: May 17, 2006.
Social Security Numbers: More Could be Done to Protect SSNs.
[13]GAO-06-586T . Washington, D.C.: March 30, 2006.
Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet
Gaps Remain. [14]GAO-05-1016T . Washington, D.C.: September 15, 2005.
Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards. [15]GAO-05-59 . Washington, D.C.:
November 9, 2004.
Social Security Numbers: Use Is Widespread and Protections Vary in Private
and Public Sectors. [16]GAO-04-1099T . Washington, D.C.: September 28,
2004.
Social Security Numbers: Use Is Widespread and Protections Vary.
[17]GAO-04-768T . Washington, D.C.: June 15, 2004.
Social Security Numbers: Private Sector Entities Routinely Obtain and Use
SSNs, and Laws Limit the Disclosure of This Information. [18]GAO-04-11 .
Washington, D.C.: January 22, 2004.
Social Security Numbers: Ensuring the Integrity of the SSN.
[19]GAO-03-941T . Washington, D.C.: July 10, 2003.
Social Security Numbers: Government Benefits from SSN Use but Could
Provide Better Safeguards. [20]GAO-02-352 . Washington, D.C.: May 31,
2002.
Social Security Numbers: SSNs Are Widely Used by Government and Could Be
Better Protected. [21]GAO-02-691T . Washington, D.C.: April 29, 2002.
(130625)
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
References
Visible links
12. http://www.gao.gov/cgi-bin/getrpt?GAO-06-495
13. http://www.gao.gov/cgi-bin/getrpt?GAO-06-586T
14. http://www.gao.gov/cgi-bin/getrpt?GAO-05-1016T
15. http://www.gao.gov/cgi-bin/getrpt?GAO-05-59
16. http://www.gao.gov/cgi-bin/getrpt?GAO-04-1099T
17. http://www.gao.gov/cgi-bin/getrpt?GAO-04-768T
18. http://www.gao.gov/cgi-bin/getrpt?GAO-04-11
19. http://www.gao.gov/cgi-bin/getrpt?GAO-03-941T
20. http://www.gao.gov/cgi-bin/getrpt?GAO-02-352
21. http://www.gao.gov/cgi-bin/getrpt?GAO-02-691T
*** End of document. ***