US GAO: Social Security Numbers (2007)
United States Government Accountability Office
GAO Testimony Before the Subcommittee on Social Security, Committee on Ways and Means, House of Representatives
For Release on Delivery: Expected at 10:00 a.m. EDT, Thursday, June 21, 2007

SOCIAL SECURITY NUMBERS: Use is Widespread and Protection Could Be Improved
Statement of Daniel Bertoni, Director, Education, Workforce, and Income Security Issues
GAO-07-1023T, June 21, 2007

Highlights of GAO-07-1023T, a testimony before the Committee on Ways and Means, Subcommittee on Social Security

Why GAO Did This Study

Since its creation, the Social Security number (SSN) has evolved beyond its intended purpose to become the identifier of choice for public and private sector entities, and it is now used for myriad non-Social Security purposes. This is significant because a person’s SSN, along with name and date of birth, are the key pieces of personal information used to perpetrate identity theft. Consequently, the potential for misuse of the SSN has raised questions about how private and public sector entities obtain, use, and protect SSNs. Accordingly, this testimony focuses on describing the (1) use of SSNs by government agencies, (2) use of SSNs by the private sector, and (3) vulnerabilities that remain to protecting SSNs.

For this testimony, we primarily relied on information from our prior reports and testimonies that address public and private sector use and protection of SSNs. These products were issued between 2002 and 2006 and are listed in the Related GAO Products section at the end of this statement. We conducted our reviews in accordance with generally accepted government auditing standards.

What GAO Found

A number of federal laws and regulations require agencies at all levels of government to frequently collect and use SSNs for various purposes. For example, agencies frequently collect and use SSNs to administer their programs, link data for verifying applicants’ eligibility for services and benefits, and conduct program evaluations.

In the private sector, certain entities, such as information resellers, collect SSNs from public sources, private sources, and their customers and use this information for identity verification purposes. In addition, banks, securities firms, telecommunication firms, and tax preparers engage in third party contracting, and consequently sometimes share SSNs with their contractors for limited purposes.

Vulnerabilities persist in federal laws addressing SSN collection and use by private sector entities. In particular, we found variation in how different industries are covered by federal laws protecting individuals’ personal information. For example, although federal laws place restrictions on reselling some personal information, these laws apply only to certain types of private sector entities, such as financial institutions. Consequently, information resellers are not covered by these laws, and there are few restrictions placed on these entities’ ability to obtain, use, and resell SSNs for their businesses. Vulnerabilities also exist in federal law and agency oversight for different industries that share SSNs with their contractors. For example, while federal law and oversight of the sharing of personal information in the financial services industry are very extensive, federal law and oversight of the sharing of personal information in the tax preparation and telecommunications industries are somewhat lacking.

Moreover, in our Internet resellers report, several resellers provided us with truncated SSNs showing the first five digits, though other information resellers and consumer reporting agencies truncate SSNs to show the last four digits. Therefore, because of the lack of SSN truncation standards, even truncated SSNs remain vulnerable to potential misuse by identity thieves and others. While we suggested that the Congress consider enacting standards for truncating SSNs or delegating authority to the Social Security Administration or some other governmental entity to do so, SSN truncation standards have yet to be addressed at the federal level.

To view the full product, including the scope and methodology, see www.gao.gov/cgi-bin/getrpt?GAO-07-1023T. For more information, contact Daniel Bertoni at (202) 512-7215, bertonid@gao.gov.

Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss ways to better protect the Social Security number (SSN), which was originally created as a means to track workers’ earnings and eligibility for Social Security benefits. Since its creation, the SSN has evolved beyond its intended purpose to become the identifier of choice for public and private sector entities and is now used for myriad non-Social Security purposes. This is significant because a person’s SSN, along with name and date of birth, are the key pieces of personal information used to perpetrate identity theft. Consequently, the potential for misuse of the SSN has raised questions about how private and public sector entities obtain, use, and protect SSNs.

Over the last several years, the Congress and some states have recognized the importance of restricting the use and display of SSNs by both the public and private sectors. As a result, federal and state laws have been enacted that to some degree protect individuals’ personal information, including SSNs. However, the continued use of and reliance on SSNs by public and private sector entities, as well as the potential for their misuse, underscore the importance of identifying areas that can be further strengthened.
GAO has issued a number of reports and testified before this Subcommittee about the various aspects of SSN use in both the public and private sectors. Accordingly, my remarks today will focus on describing the (1) use of SSNs by government agencies, (2) use of SSNs by the private sector, and (3) vulnerabilities that remain to protecting SSNs.

In summary, a number of federal laws and regulations require agencies at all levels of government to frequently collect and use SSNs for various purposes. For example, agencies frequently collect and use SSNs to administer their programs, link data for verifying applicants’ eligibility for services and benefits, and conduct program evaluations. In the private sector, certain entities, such as information resellers, collect SSNs from public sources, private sources, and their customers and use this information for identity verification purposes. In addition, banks, securities firms, telecommunication firms, and tax preparers sometimes share SSNs with their contractors for limited purposes. Although laws at both the federal and state levels have helped to restrict SSN use and display, and both public and private sector entities have taken some steps to further protect this information, several vulnerabilities remain. For example, federal laws addressing SSN use and collection in the private sector continue to leave SSNs maintained by certain industries vulnerable to misuse by identity thieves and others.

For this testimony, we primarily relied on information from our prior reports and testimonies that address public and private sector use and protection of SSNs. These products were issued between 2002 and 2006 and are listed in the Related GAO Products section at the end of this statement. We conducted our reviews in accordance with generally accepted government auditing standards.
Background

The Social Security Act of 1935 authorized the Social Security Administration (SSA) to establish a record-keeping system to manage the Social Security program, which resulted in the creation of the SSN.[1] Through a process known as “enumeration,” unique numbers are created for every person as a work and retirement benefit record. Today, SSA issues SSNs to most U.S. citizens, as well as non-citizens lawfully admitted to the United States with permission to work. Because the SSN is unique for every individual, both the public and private sectors increasingly use it as a universal identifier. This increased use, as well as increased electronic record keeping by both sectors, has eased access to SSNs and potentially made this information more vulnerable to misuse, including identity theft. Specifically, SSNs are a key piece of information used to create false identities for financial misuse or to assume another individual’s identity. Most often, identity thieves use SSNs belonging to real people. However, the Federal Trade Commission’s (FTC) identity theft victim complaint data has shown that only 30 percent of identity theft victims know how thieves obtained their personal information. The FTC estimated that over a 1-year period, nearly 10 million people discovered they were victims of identity theft, translating into estimated losses of billions of dollars.

Federal Laws Affecting SSN Use and Disclosure

There is no one law that regulates the overall use of SSNs by all levels and branches of government. However, the use and disclosure of SSNs by the federal government is generally restricted under the Privacy Act of 1974. Broadly speaking, this act seeks to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy.
Section 7 of the act requires that any federal, state, or local government agency, when requesting an SSN from an individual, tell individuals whether disclosing the SSN is mandatory or voluntary, cite the statutory or other authority under which the request is being made, and state what uses it will make of the individual’s SSN. Additional federal laws also place restrictions on public and private sector entities’ use and disclosure of consumers’ personal information, including SSNs, in specific instances. As shown in table 1, some of these laws require certain industries, such as the financial services industry, to protect individuals’ personal information to a greater degree than entities in other industries.

[1] The Social Security Act of 1935 created the Social Security Board, which was renamed the Social Security Administration in 1946.

Table 1: Aspects of Federal Laws That Affect Disclosure of Personal Information

Fair Credit Reporting Act (FCRA): Limits access to credit data that includes SSNs to those who have a permissible purpose under the law.

Fair and Accurate Credit Transactions Act (FACTA): Amends FCRA to allow, among other things, consumers who request a copy of their credit report to also request that the first five digits of their SSN (or similar identification number) not be included in the file; requires consumer reporting agencies and any business that uses a consumer report to adopt procedures for proper disposal.

Gramm-Leach-Bliley Act (GLBA): Creates a new definition of personal information that includes SSNs and limits when financial institutions may disclose the information to nonaffiliated third parties.

Driver’s Privacy Protection Act (DPPA): Prohibits obtaining and disclosing SSNs and other personal information from a motor vehicle record except as expressly permitted under the law.

Health Insurance Portability and Accountability Act (HIPAA): Protects the privacy of health information that identifies an individual (including by SSNs) and restricts health care organizations from disclosing such information to others without the patient’s consent.

Source: GAO analysis.

In 1998, Congress also enacted a federal statute that criminalizes fraud in connection with the unlawful theft and misuse of personally identifiable information, including SSNs. The Identity Theft and Assumption Deterrence Act made it a criminal offense for a person to “knowingly transfer, possess, or use without lawful authority,” another person’s means of identification “with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable state or local law.” Under the act, an individual’s name or Social Security number is considered a “means of identification.” In addition, in 2004, the Identity Theft Penalty Enhancement Act established the offense of aggravated identity theft in the federal criminal code, which is punishable by a mandatory two-year prison term.

State Laws Affecting SSN Use and Disclosure

Many states have also enacted laws to restrict the use and display of SSNs.[2] For example, in 2001, California enacted a law that generally prohibited companies and persons from engaging in certain activities with SSNs, such as posting or publicly displaying SSNs, or requiring people to transmit an SSN over the Internet unless the connection is secure or the number is encrypted. In our prior work, we identified 13 states (Arizona, Arkansas, Connecticut, Georgia, Illinois, Maryland, Michigan, Minnesota, Missouri, Oklahoma, Texas, Utah, and Virginia) that have passed laws similar to California’s.[3] While some states, such as Arizona, have enacted virtually identical restrictions on the use and display of SSNs, other states have modified the restrictions in various ways. For example, unlike the California law, which prohibits the use of the full SSN, the Michigan statute prohibits the use of more than four sequential digits of the SSN. Some states have also enacted other types of restrictions on the uses of SSNs. For example, Arkansas, Colorado, and Wisconsin prohibit the use of a student’s SSN as an identification number.[4] Other recent state legislation places restrictions on state and local government agencies, such as Indiana’s law that generally prohibits state agencies from releasing SSNs unless otherwise required by law.[5]

[2] For more information on state laws relating to SSN use and disclosure, see GAO, Social Security Numbers: More Could Be Done to Protect SSNs, GAO-06-586T (Washington, D.C.: March 30, 2006), and GAO, Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet Gaps Remain, GAO-05-1016T (Washington, D.C.: Sept. 15, 2005).
[3] See Arkansas (Ark. Code Ann. § 4-86-107 (2005)); Arizona (Ariz. Rev. Stat. § 44-1373 (2004)); Connecticut (Conn. Gen. Stat. § 42-470 (2003)); Georgia (Ga. Code Ann. § 33-24-57.1 (2003)); Illinois (815 Ill. Comp. Stat. 505/2QQ (2004)); Maryland (Md. Code Ann., Com. Law § 14-3301 et seq. (2005)); Michigan (Mich. Comp. Laws § 445.81 et seq. (2004)); Minnesota (Minn. Stat. § 325E.59 (2005)); Missouri (Mo. Rev. Stat. § 407.1355 (2003)); Oklahoma (Okla. Stat. tit. 40, § 173.1 (2004)); Texas (Tex. Bus. & Com. Code Ann. § 35.58 (2003)); Utah (Utah Code Ann. § 31A-21-110 (2004)); and Virginia (Va. Code Ann. § 59.1-443.2 (2005)).
[4] Ark. Code Ann. § 6-18-208 (2005); Colo. Rev. Stat. § 23-5-127 (2003); and Wis. Stat. § 36.32 (2001).
[5] Ind. Code § 4-1-10-1 et seq. (2005).
Government Agencies Collect and Use SSNs for a Variety of Purposes

A number of federal laws and regulations require agencies at all levels of government to frequently collect and use SSNs for various purposes. Beginning with a 1943 Executive Order issued by President Franklin D. Roosevelt, all federal agencies were required to use the SSN exclusively for identification systems of individuals, rather than set up a new identification system. In later years, the number of federal agencies and others relying on the SSN as a primary identifier escalated dramatically, in part, because a number of federal laws were passed that authorized or required its use for specific activities. For example, agencies use SSNs
• for internal administrative purposes, which include activities such as identifying, retrieving, and updating records;
• to collect debts owed to the government and conduct or support research and evaluations, as well as use employees’ SSNs for activities such as payroll, wage reporting, and providing employee benefits;
• to ensure program integrity, such as matching records with state and local correctional facilities to identify individuals for whom the agency should terminate benefit payments; and
• for statistics, research, and evaluation.[6]

Table 2 provides an overview of federal statutes that address government collection and use of SSNs. In some cases, these statutes require that state and local government entities collect SSNs.

[6] The Bureau of the Census is authorized by statute to collect a variety of information and is prohibited from making it available, except in certain circumstances.

Table 2: Examples of Federal Statutes that Authorize or Mandate the Collection or Use of SSNs
(Each entry gives the federal statute and citation, the general purpose for collecting or using the SSN, and the government entity and its authorized or required use.)

Tax Reform Act of 1976 (42 U.S.C. 405(c)(2)(C)(i)). Purpose: general public assistance programs, tax administration, driver’s license, motor vehicle registration. Use: authorizes states to collect and use SSNs in administering any tax, general public assistance, driver’s license, or motor vehicle registration law.

Food Stamp Act of 1977 (7 U.S.C. 2025(e)(1)). Purpose: Food Stamp Program. Use: mandates the Secretary of Agriculture and state agencies to require SSNs for program participation.

Deficit Reduction Act of 1984 (42 U.S.C. 1320b-7(1)). Purpose: eligibility for benefits under the Medicaid program. Use: requires that, as a condition of eligibility for Medicaid benefits, applicants for and recipients of these benefits furnish their SSNs to the state administering program.

Housing and Community Development Act of 1987 (42 U.S.C. 3543(a)). Purpose: eligibility for Department of Housing and Urban Development programs. Use: authorizes the Secretary of the Department of Housing and Urban Development to require program applicants and participants to submit their SSNs as a condition of eligibility.

Family Support Act of 1988 (42 U.S.C. 405(c)(2)(C)(ii)). Purpose: issuance of birth certificates. Use: requires states to obtain parents’ SSNs before issuing a birth certificate unless there is good cause for not requiring the number.

Technical and Miscellaneous Revenue Act of 1988 (42 U.S.C. 405(c)(2)(D)(i)). Purpose: blood donation. Use: authorizes states and political subdivisions to require that blood donors provide their SSNs.

Food, Agriculture, Conservation, and Trade Act of 1990 (42 U.S.C. 405(c)(2)(C)). Purpose: retail and wholesale businesses’ participation in the food stamp program. Use: authorizes the Secretary of Agriculture to require the SSNs of officers or owners of retail and wholesale food concerns that accept and redeem food stamps.

Omnibus Budget Reconciliation Act of 1990 (38 U.S.C. 510(c)). Purpose: eligibility for Veterans Affairs compensation or pension benefits programs. Use: requires individuals to provide their SSNs to be eligible for Department of Veterans Affairs’ compensation or pension benefits programs.

Social Security Independence and Program Improvements Act of 1994 (42 U.S.C. 405(c)(2)(E)). Purpose: eligibility of potential jurors. Use: authorizes states and political subdivisions of states to use SSNs to determine eligibility of potential jurors.

Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (42 U.S.C. 666(a)(13)). Purpose: various license applications, divorce and child support documents, death certificates. Use: mandates that states have laws in effect that require collection of SSNs on applications for driver’s licenses and other licenses; requires placement in the pertinent records of the SSN of the person subject to a divorce decree, child support order, or paternity determination; requires SSNs on death certificates; creates a national database for child support enforcement purposes.

Debt Collection Improvement Act of 1996 (31 U.S.C. 7701(c)). Purpose: persons doing business with a federal agency. Use: requires those doing business with a federal agency (i.e., lenders in a federal guaranteed loan program; applicants for federal licenses, permits, rights-of-way, grants, or benefit payments; contractors of an agency; and others) to furnish SSNs to the agency.

Higher Education Act Amendments of 1998 (20 U.S.C. 1090(a)(7)). Purpose: financial assistance. Use: authorizes the Secretary of Education to include the SSNs of parents of dependent students on certain financial assistance forms.

Internal Revenue Code (various amendments) (26 U.S.C. 6109). Purpose: tax returns. Use: authorizes the Commissioner of the Internal Revenue Service to require that taxpayers include their SSNs on tax returns.

Source: GAO review of applicable federal laws.
Some government agencies also collect SSNs because of their responsibility for maintaining public records, which are those records the government generally makes available to the public for inspection. Because these records are open to the public, such government agencies, primarily at the state and local levels, provide access to the SSNs sometimes contained in those records.[7] Based on a survey of federal, state, and local governments, we reported in 2004 that state agencies in 41 states and the District of Columbia displayed SSNs in public records; this was also true in 75 percent of U.S. counties.[8] We also found that while the number and type of records in which SSNs were displayed varied greatly across states and counties, SSNs were most often found in court and property records. Public records displaying SSNs are stored in multiple formats, such as electronic, microfiche and microfilm, or paper copy. While our prior work found that public access to such records was often limited to inspection of the individual paper copy in public reading rooms or clerks’ offices, or request by mail, some agencies also made public records available on the Internet. In recent years, some agencies have begun to take measures to change the ways in which they display or provide access to SSNs in public records. For example, some state agencies have reported removing SSNs from electronic versions of records, replacing SSNs with alternative identifiers in records, restricting record access to individuals identified in the records, or allowing such individuals to request the removal of their SSNs from these records.

[7] Not all records held by government or public agents are “public” in terms of their availability to any inquiring person. For example, adoption records are generally sealed. Personnel records are often not readily available to the public, although newspapers may publish the salaries of high elected officials.
[8] GAO, Social Security Numbers: Governments Could Do More To Reduce Display in Public Records and on Identity Cards, GAO-05-59 (Washington, D.C.: November 9, 2004).

Private Sector Entities Collect SSNs from Various Sources for Identity Verification Purposes

Certain private sector entities, such as information resellers, consumer reporting agencies (CRAs), and healthcare organizations, collect SSNs from public and private sources, as well as their customers, and primarily use SSNs for identity verification purposes. In addition, banks, securities firms, telecommunication firms, and tax preparers engage in third party contracting and sometimes share SSNs with their contractors for limited purposes, generally when it is necessary and unavoidable.

Private Sector Entities Collect SSNs from Both Public and Private Sources

Information resellers are businesses that specialize in amassing personal information, including SSNs, and offering informational services. They provide their services to a variety of customers, such as specific business clients, or through the Internet to the general public. Large or well-known information resellers reported that they obtain SSNs from various public records, such as records of bankruptcies, tax liens, civil judgments, criminal histories, deaths, and real estate transactions.[9] However, some of these resellers said they are more likely to rely on SSNs obtained directly from their clients, who may voluntarily provide such information, than those found in public records. In addition, in our prior review of information resellers that offer their services through the Internet, we found that their Web sites most frequently identified public or nonpublic sources, or both, as their sources of information.[10] For example, a few Internet resellers offered to conduct background investigations on individuals by compiling information from court records and using a credit bureau to obtain consumer credit data.
CRAs, also known as credit bureaus, are agencies that collect and sell information about the creditworthiness of individuals. Like information resellers, CRAs also obtain SSNs from public and private sources. For example, CRA officials reported that they obtain SSNs from public sources, such as bankruptcy records.[11] We also found that these companies obtain SSNs from other information resellers, especially those that specialize in collecting information from public records. However, CRAs are more likely to obtain SSNs from businesses that subscribe to their services, such as banks, insurance companies, mortgage companies, debt collection agencies, child support enforcement agencies, credit grantors, and employment screening companies. Organizations that provide health care services, including health care insurance plans and providers, are less likely to obtain SSNs from public sources. These organizations typically obtain SSNs either from individuals themselves or from companies that offer health care plans. For example, individuals enrolling in a health care plan provide their SSNs as part of their plan applications. In addition, health care providers, such as hospitals, often collect SSNs as part of the process of obtaining information on insured people.

[9] GAO, Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, GAO-04-11 (Washington, D.C.: January 22, 2004).
[10] GAO, Social Security Numbers: Internet Resellers Provide Few Full SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs, GAO-06-495 (Washington, D.C.: May 17, 2006).
[11] GAO-04-11.

Private Sector Entities Primarily Use SSNs to Verify Individuals’ Identities

We found that the primary use of SSNs by information resellers, CRAs, and health care organizations is to help verify the identity of individuals. Large information resellers reported that they generally use the SSN as an identity verification tool, though they also use it for matching internal databases, identifying individuals for their product reports, or conducting resident or employment screening investigations for their clients. CRAs use SSNs as the primary identifier of individuals in order to match information they receive from their business clients with information on individuals already stored in their databases. Finally, health care organizations also use the SSN, together with information such as name, address, and date of birth, for identity verification.

In addition to their own direct use of customers’ SSNs, private sector entities also share this information with their contractors. According to experts, approximately 90 percent of businesses contract out some activity because they find either that it is more economical to do so or that other companies are better able to perform these activities. Banks, investment firms, telecommunication companies, and tax preparation companies we interviewed for our prior work routinely obtain SSNs from their customers for authentication and identification purposes and contract with other companies for various services, such as data processing, administrative, and customer service functions.[12] Company officials reported that customer information, such as SSNs, is shared with contractors for limited purposes, generally when it is necessary or unavoidable. Further, these companies included certain provisions in their standard contract forms aimed at safeguarding customers’ personal information. For example, forms included electronic and physical data protections, audit rights, data breach notifications, subcontractor restrictions, and data handling and disposal requirements.

[12] GAO, Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs, GAO-06-238 (Washington, D.C.: January 23, 2006).
Vulnerabilities Remain to Protecting SSNs in Both the Public and Private Sectors

Although federal and state laws have helped to restrict SSN use and display, and public and private sector entities have taken some steps to further protect this information, our prior work identified several remaining vulnerabilities. While government agencies have since taken actions to address some of the identified SSN protection vulnerabilities in the public sector, private sector vulnerabilities that we previously identified have not yet been addressed. Consequently, in both sectors, vulnerabilities remain to protecting SSNs from potential misuse by identity thieves and others.

Government Agencies Have Taken Additional Actions to Address SSN Protection, yet Vulnerabilities Remain

In our prior work, we found several vulnerabilities to protecting SSNs in the public sector, and in response, some of these vulnerabilities have since been addressed by agencies. For example, in our review of government uses of SSNs, we found that some federal, state, and local agencies do not consistently fulfill the Privacy Act requirements that, when they request SSNs from individuals, they inform individuals whether SSN disclosure is mandatory or voluntary, provide the statutory or other authority under which the SSN request is made, or indicate how the SSN will be used. To help address this inconsistency, we recommended that the Office of Management and Budget (OMB) direct federal agencies to review their practices for providing required information, and OMB has since implemented this recommendation. Actions have also been taken by some federal agencies in response to our previous finding that millions of SSNs are subject to exposure on individual identity cards issued under federal auspices.[13] Specifically, in 2004, we reported that an estimated 42 million Medicare cards, 8 million Department of Defense (DOD) insurance cards, and 7 million Department of Veterans Affairs (VA) beneficiary cards displayed entire 9-digit SSNs. While the Centers for Medicare and Medicaid Services, with the largest number of cards displaying the entire 9-digit SSN, does not plan to remove the SSN from Medicare identification cards, VA and DOD have begun taking action to remove SSNs from cards. For example, VA is eliminating SSNs from 7 million VA identification cards and will replace cards with SSNs or issue new cards without SSNs between 2004 and 2009, until all such cards have been replaced.

[13] GAO-05-59.

However, some of the vulnerabilities we identified in public sector SSN protection have not been addressed. For example, while the Privacy Act and other federal laws prescribe actions agencies must take to assure the security of SSNs and other personal information, we found that these requirements may not be uniformly observed by agencies at all levels of government.[14] In addition, in our review of SSNs in government agency-maintained public records, we found that SSNs are widely exposed to view in a variety of these records.[15] While some agencies reported taking actions such as removing SSNs from electronic versions of records, without a uniform and comprehensive policy, SSNs in these records remain vulnerable to potential misuse by identity thieves. Consequently, in both instances, we suggested that Congress consider convening a representative group of federal, state, and local officials to develop a unified approach to safeguarding SSNs used in all levels of government. Some steps have since been taken at the federal level to promote interagency discussion of SSN protection, such as creation of the President’s Identity Theft Task Force in 2006 to increase the safeguards on personal data held by the federal government.
In April 2007, the Task Force completed its work, which resulted in a strategic plan aimed at making the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. The plan’s recommendations focus in part on increasing safeguards employed by federal agencies and the private sector with respect to the personal data they maintain, including decreasing the unnecessary use of SSNs in the public sector. To that end, last month, OMB issued a memorandum requiring federal agencies to examine their use of SSNs in systems and programs in order to identify and eliminate instances in which collection or use of the SSN is unnecessary. In addition, the memo requires federal agencies to participate in governmentwide 14 GAO-02-352. 15 GAO-05-59. Page 11 GAO-07-1023T efforts to explore alternatives to agency use of SSNs as personal identifiers for both federal employees and in federal programs. Vulnerabilities Persist in Federal Laws Addressing SSN Collection and Use by Private Sector Entities In our reviews of private sector entities’ collection and use of SSNs, we found variation in how different industries are covered by federal laws protecting individuals’ personal information. For example, although federal laws place restrictions on reselling some personal information, these laws only apply to certain types of private sector entities, such as financial institutions. Consequently, information resellers are not covered by these laws, and there are few restrictions placed on these entities’ ability to obtain, use, and resell SSNs. 
However, recently proposed federal legislation, if implemented, may help to address this vulnerability.[16] For example, the SSN Protection Act of 2007, as introduced by Representative Edward Markey, would give the Federal Trade Commission (FTC) rulemaking authority to restrict the sale and purchase of SSNs and determine appropriate exemptions.[17] The proposed legislation would therefore improve SSN protection while also permitting limited exceptions to the purchase and sale of SSNs for certain purposes, such as law enforcement or national security.

[16] Legislation proposed in the 110th Congress that may help to address this vulnerability includes H.R. 948 "Social Security Number Protection Act of 2007," H.R. 958 "Data Accountability and Trust Act," and S. 238 "Social Security Number Misuse Prevention Act."
[17] H.R. 948.

Vulnerabilities also exist in federal law and agency oversight for different industries that share SSNs with their contractors.[18] For example, while federal law and oversight of the sharing of personal information in the financial services industry is very extensive, federal law and oversight of the sharing of personal information in the tax preparation and telecommunications industries is somewhat lacking. Specific actions to address these vulnerabilities in federal laws have not yet been taken, leaving SSNs maintained by information resellers and by contractors in the tax preparation and telecommunications industries potentially exposed to misuse, including identity theft.

[18] GAO-06-238.

We also found a gap in federal law addressing SSN truncation, a practice that would improve SSN protection if standardized. Specifically, in our Internet resellers report, several resellers provided us with truncated SSNs showing the first five digits, though other entities truncate SSNs by showing the last four digits.
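The truncation gap described above, as an added audit example that is not part of the GAO testimony: it applies one fixed mask (last four digits only) and reports how many of the nine digit positions a set of differently truncated forms of the same record reveals together. All SSN values are constructed samples.

```python
"""Audit of inconsistently truncated SSNs (added example, constructed data).

Each masked form on its own hides part of the number, but a record that is
held as "first five shown" in one place and "last four shown" in another
has every digit position exposed across the two forms.
"""
import re
from typing import Dict, Iterable, List

SSN_DIGITS = 9
# Accepts 123-45-6789, 123456789, and masked forms such as 123-45-XXXX.
_SSN_RE = re.compile(r"^(?P<a>[0-9X]{3})-?(?P<b>[0-9X]{2})-?(?P<c>[0-9X]{4})$")


def normalize(value: str) -> str:
    """Return the 9-character form (digits or X), separators removed."""
    m = _SSN_RE.match(value.strip().upper())
    if not m:
        raise ValueError(f"not an SSN-shaped value: {value!r}")
    return m["a"] + m["b"] + m["c"]


def mask_last_four(ssn: str) -> str:
    """One standard mask for all output: keep only the last four digits."""
    return "XXX-XX-" + normalize(ssn)[5:]


def exposed_positions(masked_forms: Iterable[str]) -> List[int]:
    """Digit positions (0-8) revealed by at least one of the masked forms."""
    exposed = set()
    for form in masked_forms:
        for i, ch in enumerate(normalize(form)):
            if ch.isdigit():
                exposed.add(i)
    return sorted(exposed)


def audit(records: Dict[str, List[str]]) -> Dict[str, int]:
    """Per record, the number of exposed positions; SSN_DIGITS means fully exposed."""
    return {rec: len(exposed_positions(forms)) for rec, forms in records.items()}


if __name__ == "__main__":
    # Constructed sample: one person's SSN held under two different truncation rules.
    sample = {"person-A": ["123-45-XXXX", "XXX-XX-6789"],   # reseller + last-four
              "person-B": ["XXX-XX-2222", "xxx-xx-2222"]}   # consistent masking
    for rec, count in audit(sample).items():
        status = "FULLY EXPOSED" if count == SSN_DIGITS else "ok"
        print(f"{rec}: {count}/{SSN_DIGITS} digit positions exposed ({status})")
```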
Therefore, because of the lack of SSN truncation standards, even truncated SSNs remain vulnerable to potential misuse by identity thieves and others. While we suggested that the Congress consider enacting standards for truncating SSNs or delegating authority to SSA or some other governmental entity to do so, SSN truncation standards have yet to be addressed at the federal level.

Concluding Observations

The use of SSNs as a key identifier in both the public and private sectors will likely continue, as there is currently no other widely accepted alternative. However, because of this widespread use of SSNs, and the vulnerabilities that remain to protecting this identifier in both sectors, SSNs continue to be accessible to misuse by identity thieves and others. Given the significance of the SSN in committing fraud or stealing an individual's identity, it would be helpful to take additional steps to protect this number. As the Congress moves forward in pursuing legislation to address SSN protection and identity theft, focusing the debate on vulnerabilities that have already been documented may help target efforts and policy directly toward immediate improvements in SSN protection. To this end, we look forward to supporting the Subcommittee and the Congress however we can to further ensure the integrity of SSNs. Related to this, we have issued a report on the federal government's provision of SSNs to state and local public record keepers, and we have also recently begun a review of the bulk sale of public records containing SSNs, including how federal law protects SSNs in these records when they are sold to entities both here and overseas.

Mr. Chairman, this concludes my prepared testimony. I would be pleased to respond to any questions you or other members of the subcommittee may have.

GAO Contacts

For further information regarding this testimony, please contact me at bertonid@gao.gov or (202) 512-7215.
In addition, contact points for our Offices of Congressional Relations and Public Affairs can be found on the last page of this statement. Individuals making key contributions to this testimony include Jeremy Cox, Rachel Frisk, Ayeke Messam, and Dan Schwimer.

Related GAO Products

Social Security Numbers: Internet Resellers Provide Few Full SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs. GAO-06-495. Washington, D.C.: May 17, 2006.
Social Security Numbers: More Could Be Done to Protect SSNs. GAO-06-586T. Washington, D.C.: March 30, 2006.
Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs. GAO-06-238. Washington, D.C.: January 23, 2006.
Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet Gaps Remain. GAO-05-1016T. Washington, D.C.: September 15, 2005.
Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards. GAO-05-59. Washington, D.C.: November 9, 2004.
Social Security Numbers: Use Is Widespread and Protections Vary in Private and Public Sectors. GAO-04-1099T. Washington, D.C.: September 28, 2004.
Social Security Numbers: Use Is Widespread and Protections Vary. GAO-04-768T. Washington, D.C.: June 15, 2004.
Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information. GAO-04-11. Washington, D.C.: January 22, 2004.
Social Security Numbers: Ensuring the Integrity of the SSN. GAO-03-941T. Washington, D.C.: July 10, 2003.
Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards. GAO-02-352. Washington, D.C.: May 31, 2002.

(130787)

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office, 441 G Street NW, Room LM, Washington, D.C. 20548. To order by phone: Voice: (202) 512-6000; TDD: (202) 512-2537; Fax: (202) 512-6061.

To Report Fraud, Waste, and Abuse in Federal Programs

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, JarmonG@gao.gov, (202) 512-4400. U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, D.C. 20548.

Public Affairs

Paul Anderson, Managing Director, AndersonP1@gao.gov, (202) 512-4800. U.S. Government Accountability Office, 441 G Street NW, Room 7149, Washington, D.C. 20548.