Social Security Administration

Internet Access to Personal Earnings and Benefits Information, GAO ID: T-AIMD/HEHS-97-123, May 6, 1997

Concerns have been raised in Congress about whether the Social Security Administration's (SSA) interactive benefits estimates service adequately protects the privacy of Americans and whether unauthorized access to confidential information is taking place over the Internet. Although GAO has just begun a review of SSA's use of the Internet to disseminate benefits estimates, earlier reports have discussed computer and Internet security as well as the risks facing agencies in providing electronic access to data. (See GAO/AIMD-96-84, May 1996, and GAO/T-AIMD-96-108, June 1996.) This testimony focuses on general privacy and security considerations that federal agencies must address to safeguard sensitive information made available as a public service via the Internet.

GAO noted that: (1) SSA has recently tried to educate the public about the importance of its programs and the availability of information, such as the Personal Earnings and Benefit Estimate Statement (PEBES); (2) as part of this initiative, SSA last year began permitting individuals to request a PEBES through the Internet, with the document being sent by mail; (3) according to SSA officials, before taking the step of transmitting PEBES data over the Internet, they spent a year testing and consulting with outside experts, including experts in privacy and computer security; (4) among the security features intended to preserve individual privacy was the requirement that an individual enter five authenticating elements into the system in order to access the data; (5) on April 9, after public outcry and concerns about the privacy of sensitive information, the Acting Commissioner of Social Security suspended on-line receipt of PEBES data; (6) despite its growth and the leap in its ease of use, the Internet has inherent security risks because of the way it was designed; (7) computer hackers have for years exploited the security weaknesses of systems connected to the Internet; (8) as a result, the need for secure information systems and networks has never been greater; (9) for most organizations, a prudent approach involves determining an appropriate level of protection, then ensuring that any security breaches that do occur can be effectively detected and countered; (10) this generally means establishing: (a) a comprehensive program with top management commitment, sufficient resources, and clearly defined roles and responsibilities; (b) clear, consistent, and up-to-date security policies and procedures; (c) periodic vulnerability assessments to identify security weaknesses; (d) security awareness training; (e) sufficient time and training for systems administrators and information security personnel; (f) efficient use of automated security tools; and (g) a robust incident-response capability, so that attacks can be detected and a response initiated quickly in order to aggressively track and prosecute the offenders; (11) along with phased testing of "PEBES-By-Mail" and interactive PEBES, SSA took a number of measures that officials believed would adequately safeguard requesters' privacy, the system itself, and the data it contains; and (12) GAO has just initiated its work and therefore cannot yet conclude whether SSA implemented a prudent approach to addressing the security risks of providing Internet PEBES service.

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.