Social Security Numbers
Federal and State Laws Restrict Use of SSNs, yet Gaps Remain
GAO ID: GAO-05-1016T, September 15, 2005
GAO-05-1016T, Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet Gaps Remain
This is the accessible text file for GAO report number GAO-05-1016T
entitled 'Social Security Numbers: Federal and State Laws Restrict Use
of SSNs, yet Gaps Remain' which was released on September 15, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Committee on Consumer Affairs and Protection and Committee
on Governmental Operations, New York State Assembly:
United States Government Accountability Office:
GAO:
For Release on Delivery Expected at 10:30 a.m. EST:
Thursday, September 15, 2005:
Social Security Numbers:
Federal and State Laws Restrict Use of SSNs, yet Gaps Remain:
Statement of Barbara D. Bovbjerg, Director, Education, Workforce, and
Income Security Issues:
GAO-05-1016T:
GAO Highlights:
Highlights of GAO-05-1016T, a report to the Committee on Consumer
Affairs and Protection and the Committee on Governmental Operations,
New York State Assembly:
Why GAO Did This Study:
In 1936, the Social Security Administration established the Social
Security number (SSN) to track worker's earnings for Social Security
benefit purposes. Despite its narrowly intended purpose, the SSN is now
used for a myriad of non-Social Security purposes. Today, SSNs are
used, in part, as identity verification tools for services such as
child support collections, law enforcement enhancements, and issuing
credit to individuals. Although these uses can be beneficial to the
public, the SSN is now a key piece of information in creating false
identities. The aggregation of personal information, such as SSNs, in
large corporate databases and the increased availability of information
via the Internet may provide criminals the opportunities to commit
identity theft.
Although Congress and the states have enacted a number of laws to
protect consumers' privacy, the public and private sectors' continued
use of and reliance on SSNs, and the potential for misuse, underscore
the importance of strengthening protections where possible.
Accordingly, this testimony focuses on describing (1) the public use of
SSNs, (2) the use of SSNs by certain private sector entities, and (3)
certain federal and state laws regulating the use of SSNs and identity
theft.
What GAO Found:
The public and private sector use of SSNs is widespread. Agencies at
all levels of government frequently collect and use SSNs to administer
their programs, verify applicants' eligibility for services and
benefits, and conduct research and evaluations of their programs.
Although some government agencies are taking steps to limit the use and
display of SSNs, these numbers are still widely available in a variety
of public records held by states, local jurisdictions, and courts. In
addition, certain private sector entities that we have reviewed, such
as information resellers, credit reporting agencies (CRAs), and health
care organizations, also routinely obtain and use SSNs. These entities
often obtain SSNs from various public sources or their clients and use
SSNs for various purposes, such as building tools that aid in verifying
an individual's identity or matching records from various sources.
Given the extent to which government and private sector entities use
SSNs, Congress has enacted federal laws to restrict the use and
disclosure of consumers' personal information, including SSNs. Many
states have also enacted their own legislation to restrict the use and
display of SSNs, focusing on public display restrictions, SSN
solicitation, and customer notifications when SSNs are compromised.
Furthermore, Congress has recently introduced consumer privacy
legislation similar to enacted state legislation, which in some cases
includes SSN restrictions. Although there is some consistency in the
various proposed and enacted federal and state laws, gaps remain in
protecting individuals' personal information from fraud and identity
theft. Some federal agencies are beginning to collect statistics on
identity theft crime, which appears to be growing. For example, recent
statistics show that identity theft is increasing in New York. In 2004,
Federal Trade Commission (FTC) statistics indicated that over 17,600
New Yorkers reported being a victim of identity theft, which is up from
roughly 7,000 in 2001.
Total Number of Fraud and Identity Theft Complaints to FTC in 2004:
[See PDF for image]
[End of figure]
www.gao.gov/cgi-bin/getrpt?GAO-05-1016T.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Barbara Bovbjerg at (202)
512-7215 or bovbjergb@gao.gov.
[End of section]
Madam Chairwomen and Members of the Committees:
I am pleased to be here today to discuss ways to better protect the
Social Security number (SSN). Although the SSN was created as a means
to track workers' earnings and eligibility for Social Security
benefits, it is now also a vital piece of information needed to
function in American society. Because of its unique nature and broad
applicability, the SSN has become the identifier of choice for public
and private sector entities, and it is used for numerous non-Social
Security purposes. Today, U.S. citizens need an SSN to pay taxes,
obtain a driver's license, or open a bank account, among other things.
For these reasons, the SSN is highly sought by individuals seeking to
create false identities for purposes such as fraudulently obtaining
credit, violating immigration laws, or fleeing the criminal justice
system.
Recent statistics suggest that the incidence of identity theft is
rapidly growing.[Footnote 1] The Federal Trade Commission (FTC)
estimated that over a one-year period nearly 10 million people--or 4.6
percent of the U.S. adult population--discovered that they were victims
of some form of identity theft, translating into reported losses
exceeding $50 billion. Identity theft also appears to be a serious and
growing crime in New York. In 2004, FTC statistics indicated that over
17,600 New Yorkers reported being victims of identity theft, up from
roughly 7,000 in 2001. However, an FTC survey found that most victims
of identity theft do not report the crime. Therefore, the total number
of identity thefts is unknown.
Although there are enacted laws to protect the security of personal
information, the continued use of and reliance on SSNs by public and
private sector entities and the potential for misuse underscore the
importance of identifying areas that can be further strengthened.
Accordingly, you asked us to speak about the use of SSNs and the
federal and state laws that regulate such use. My remarks today will
focus on describing the (1) public use of SSNs, (2) the use of SSNs by
certain private sector entities, and (3) federal and state laws
regulating the use of SSNs and identity theft. My testimony is based on
reports GAO has done for multiple congressional committees over the
last several years.
In summary, SSN use is widespread. Agencies at all levels of government
frequently collect and use SSNs to administer their programs, verify
applicants' eligibility for services and benefits, and perform research
and evaluations of their programs. Although some government agencies
are taking steps to limit the use and display of SSNs, these numbers
are still available in a variety of public records held by states,
local jurisdictions, and courts.
Certain private sector entities that we have reviewed, such as
information resellers, credit reporting agencies (CRAs), and health
care organizations also routinely obtain and use SSNs.[Footnote 2]
These entities often obtain SSNs from various public sources or their
clients wishing to use their services. We found that these entities
used SSNs for various purposes, such as to build tools that verify an
individual's identity or match existing records.
A number of federal laws have been enacted to restrict the use and
disclosure of consumers' personal information, including SSNs. In
addition, many states have enacted their own legislation to restrict
the use and display of SSNs on items such as identification cards, and
require entities to notify customers of unauthorized access or use of
their personal information. In the last year, Congress also has
introduced consumer privacy legislation similar to enacted state
legislation, which in some cases includes SSN restrictions. To date,
enacted federal and state laws provide various ways to protect
individuals' personal information and prevent identity theft. However,
while there is some consistency in the various laws protecting consumer
personal information, no single law comprehensively regulates SSN use
and protections, and no agency has primary jurisdiction over consumer
protections and identity theft.
Background:
The Social Security Act of 1935 authorized the Social Security
Administration (SSA) to establish a record-keeping system to manage the
Social Security program, which resulted in the creation of the
SSN.[Footnote 3] Through a process known as enumeration, unique numbers
are created for every person as a work and retirement benefit record.
Today, SSA issues SSNs to most U.S. citizens, but they are also
available to noncitizens lawfully admitted to the United States with
permission to work. Lawfully admitted noncitizens may also qualify for
an SSN for nonwork purposes when a federal, state, or local law
requires that they have an SSN to obtain a particular welfare benefit
or service.
SSA staff collect and verify information from such applicants regarding
their age, identity, citizenship, and immigration status.
Since its creation, the SSN has evolved beyond its original intended
purpose. This is significant, because these numbers, along with a name
and birth date, are the three pieces of information most often sought
by identity thieves. Once an SSN is obtained fraudulently, it can then
be used as "breeder" information to create additional false
identification documents, such as driver's licenses.[Footnote 4] As
shown in figure 1, reported cases of identity theft are on the rise. In
addition, the reported incidents of identity theft in New York have
also risen, in an increase similar to the overall rise reported in the
United States.
Figure 1: Comparison between Reported New York Identity Theft
Complaints and Overall United States Complaints:
[See PDF for image]
[End of figure]
In 1998, Congress made identity theft a federal crime when it enacted
the Identity Theft and Assumption Deterrence Act (Identity Theft
Act).[Footnote 5] The act made it a criminal offense for a person to
"knowingly transfer, possess, or use without lawful authority," another
person's means of identification "with the intent to commit, or to aid
or abet, or in connection with, any unlawful activity that constitutes
a violation of federal law, or that constitutes a felony under any
applicable state or local law." Under the act, a name or SSN is
considered a "means of identification," and a number of cases have been
prosecuted under this law.
The Identity Theft Act mandated a specific role for FTC in combating
identity theft. To fulfill the mandate, FTC is collecting identity
theft complaints and assisting victims through a telephone hotline and
a dedicated Web site; maintaining and promoting the Identity Theft Data
Clearinghouse, a centralized database of victim complaints that serves
as an investigative tool for law enforcement; and providing outreach
and education to consumers, law enforcement, and industry. According to
FTC, it receives roughly 15,000 to 20,000 contacts per week on the
hotline, via its Web site, or through the mail from victims and
consumers who want to avoid becoming victims. FTC has said that the
callers to its hotline receive counseling from trained personnel who
provide information on prevention of identity theft and also inform
victims of the steps to take to resolve the problems resulting from the
misuse of their identities.
The increased availability and aggregation of personal information,
including SSNs, has exposed SSNs to potential misuse, and in some
cases, identity theft. Over the last year, several large companies'
databases containing personal information were compromised, but the
extent to which identity theft resulted from these reported security
breaches is unknown. However, the identity theft crimes that have
occurred illustrate how aggregated personal information can be
vulnerable. For example, a help desk employee at a New York-based
software company, which provided software to its clients to access
consumer credit reports, stole the identities of up to 30,000
individuals by using confidential passwords and subscriber codes of the
company's customers. The former employee reportedly sold these
identities for $60 each. Furthermore, given the explosion of Internet
use and the ease with which personally identifiable information is
accessible, individuals looking to steal someone's identity are
increasingly able to do so. In our work, we identified a case where an
individual obtained the names and SSNs of high-ranking U.S. military
officers from a public Web site, and used those identities to apply
online for credit cards and bank credit.
Public Sector Entities Use SSNs, and Some Agencies Limit Their Display:
As required by a number of federal laws and regulations, agencies at
all levels of government frequently collect and use SSNs to administer
their programs, to link data for verifying applicants' eligibility for
services and benefits, and to conduct program evaluations. We have also
found that SSNs are widely available in a variety of public records
held by states, local jurisdictions, and courts. However, some
government agencies are taking steps to limit the use and display of
SSNs in hopes of preventing the proliferation of false identities.
Public Sector Entities Are Required by Laws and Regulations to Collect
SSNs, and They Use Them for Various Purposes:
As required by a number of federal laws and regulations, SSNs are
widely used by federal, state, and county government agencies when they
provide services and benefits to the public.[Footnote 6] For example,
the Personal Responsibility and Work Opportunity Reconciliation Act of
1996 mandates that, among other things, states have laws in place to
require the collection of SSNs on driver's license applications. Such
laws and regulations have contributed to the widespread use of SSNs by
government agencies, because these numbers serve as a unique identifier
for government-related activities such as paying taxes.
Government agencies use SSNs for a variety of reasons. We have found
that agencies typically used the SSN to manage their records and to
facilitate data sharing to verify an applicant's eligibility for
services and benefits.[Footnote 7] For example, agency officials at all
levels of government we surveyed reported using SSNs for internal
administrative purposes, which included activities such as identifying,
retrieving, and updating records. In addition, agencies reported
sharing SSNs and other personal information to collect debts owed the
government and conduct or support research and evaluations as well as
using employees' SSNs for activities such as payroll, wage reporting,
and providing employee benefits.
Government agencies also use SSNs to ensure program integrity. For
example, agencies may use SSNs to match records with state and local
correctional facilities to identify individuals for whom the agency
should terminate benefit payments. In addition, SSNs are sometimes used
for statistics, research, and evaluation. For example, the Bureau of
the Census prepares annual population estimates for states and counties
using individual income tax return data linked over time by SSNs to
determine immigration rates between localities.[Footnote 8] SSNs also
provide government agencies and others with an effective mechanism for
linking data on program participation with data from other sources to
help evaluate the outcomes or effectiveness of government
programs.[Footnote 9]
SSNs Are Widely Available in Public Records Held by States, Local
Jurisdictions, and Courts, but Many of These Agencies Are Taking Steps
to Limit Display:
SSNs are publicly available throughout the United States, primarily at
the state and local levels of government.[Footnote 10] On the basis of
a survey of federal, state, and local governments, we reported in 2004
that state agencies in 41 states and the District of Columbia were
displaying SSNs in public records; this was also true in 75 percent of
U.S. counties.[Footnote 11] We also found that while the number and
type of records in which SSNs were displayed varied greatly across
states and counties, SSNs were most often found in court and property
records. According to our survey, only four New York state agencies
reported collecting SSNs for their operations, and none made them
available to the general public.
Public records displaying SSNs are stored in multiple formats that vary
by level of government. State government offices tended to
store such records electronically, while most local government records
were stored on microfiche or microfilm. However, our survey found that
public access to such records was often limited to inspection of the
individual paper copy or request by mail.[Footnote 12]
According to our survey, few state agencies make public records
available on the Internet, but as many as several hundred counties do
so. However, few state or local offices reported any plans to
significantly expand Internet access to public records that display
SSNs. Judging from our survey results, only four state agencies
indicated plans to make such records available on the Internet, and one
agency planned to remove records displaying SSNs from Internet access.
Our survey results also showed that state offices were taking measures
to change the way in which they displayed or shared SSNs in public
records. For example, we found that many state agencies had restricted
access to or redacted--covered or otherwise hidden from view--SSNs from
public versions of records. Specific restrictions and other actions
state agencies reported taking included blocking or removing SSNs from
electronic versions of records, allowing individuals identified in the
record to request removing their SSN from the publicly available
version, replacing SSNs with alternative identifiers, and restricting
access only to individuals identified in the records.
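The redaction measures listed above (removing SSNs from electronic
records, showing only a truncated form, or replacing them with an
alternative identifier so an agency can still match records) can be
applied to record text mechanically. The Python below is an added
illustration, not GAO's or any agency's code; the sample records, the
function names and the keyed "ALT-" pseudonym scheme are assumptions,
while the structural checks are SSA's constraints on issued numbers.

```python
import hashlib
import hmac
import re

# Structural rules SSA applies to issued numbers: the area (first three
# digits) is never 000, 666 or 900-999, the group is never 00 and the
# serial is never 0000. Anything failing these is a placeholder, not an SSN.
_SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")

# Constructed sample (not real records): two public records about the same
# person from different sources, a blank-form placeholder that SSA would never
# issue, and a phone number that must be left alone.
SAMPLE_RECORDS = (
    "County deed book: grantor J. DOE, SSN 123-45-6789, conveys lot 7\n"
    "Civil judgment: defendant J. DOE, SSN 123-45-6789, amount $4,200\n"
    "Form template: SSN 000-00-0000, phone 212-555-0100\n"
)


def is_plausible_ssn(value: str) -> bool:
    """True if value has the NNN-NN-NNNN shape and passes SSA's structural rules."""
    return _SSN_RE.fullmatch(value) is not None


def mask_ssn(ssn: str) -> str:
    """Truncated display form: only the last four digits survive."""
    return "xxx-xx-" + ssn[-4:]


def alternative_identifier(ssn: str, key: bytes) -> str:
    """Keyed pseudonym that replaces the SSN in the public version of a record.

    The same SSN always maps to the same pseudonym under one key, so the
    agency can still link records from different sources, but a reader of
    the published record cannot recover the SSN without the key (hypothetical
    scheme: HMAC-SHA256 truncated to 16 hex digits).
    """
    digits = ssn.replace("-", "")
    tag = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]
    return "ALT-" + tag.upper()


def redact_record(text: str, mode: str, key: bytes = b""):
    """Rewrite every plausible SSN in a record text.

    mode is 'remove' (block the value), 'mask' (truncated form) or 'replace'
    (alternative identifier, which needs a key). Returns the rewritten text
    and the number of SSNs handled. Values that fail the structural rules are
    left untouched; a more conservative deployment could mask any
    NNN-NN-NNNN string instead.
    """
    if mode == "replace" and not key:
        raise ValueError("replace mode needs a key")
    count = 0

    def _rewrite(match: re.Match) -> str:
        nonlocal count
        count += 1
        ssn = match.group(0)
        if mode == "remove":
            return "[SSN REMOVED]"
        if mode == "mask":
            return mask_ssn(ssn)
        if mode == "replace":
            return alternative_identifier(ssn, key)
        raise ValueError(f"unknown mode {mode!r}")

    return _SSN_RE.sub(_rewrite, text), count


if __name__ == "__main__":
    for mode in ("remove", "mask", "replace"):
        out, n = redact_record(SAMPLE_RECORDS, mode, key=b"demo-key-rotated-out-of-band")
        print(f"--- {mode}: {n} SSN(s) rewritten ---")
        print(out)
```

Under "replace", the two records about J. DOE carry the same ALT identifier while the placeholder and the phone number are untouched.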
Certain Private Sector Entities Routinely Obtain and Use SSNs:
Private sector entities such as information resellers, credit reporting
agencies, and health care organizations routinely obtain and use SSNs.
Such entities obtain the SSNs from various public sources and their
clients wishing to use their services. However, given the varied nature
of SSN data found in public records, some reseller officials told us
that they are more likely to rely on receiving SSNs from their business
clients than they are on obtaining SSNs from public records. Because
the SSN is a unique identifier, we found that these entities use SSNs
for various purposes, such as building tools to aid in verifying an
individual's identity or matching existing data.
Private Sector Entities Obtain SSNs from Public and Private Sources:
Private sector entities such as information resellers, CRAs, and health
care organizations generally obtain SSNs from various public and
private sources. Large information resellers have told us they obtain
SSNs from various public records, such as records of bankruptcies, tax
liens, civil judgments, criminal histories, deaths, real estate
transactions, voter registrations, and professional licenses. To gather
SSNs from these records, resellers told us that they send employees to
courthouses or other repositories to obtain hard copies of public
records, if not easily obtainable on the Internet or public record
publications. They also said that they sometimes obtain batch files of
electronic copies of jurisdictional public records where available.
However, given the varied nature of SSN data found in public records,
some reseller officials said they are more likely to rely on SSNs
obtained directly from their clients, who would voluntarily provide
such information for a specific service or product, than those found in
public records.[Footnote 13]
Like information resellers, CRAs also obtain SSNs from public and
private sources. CRA officials have told us that they obtained SSNs
from public sources, such as bankruptcy records. We also found that
these companies obtained SSNs from other information resellers,
especially those that specialized in obtaining information from public
records. However, CRAs are more likely to obtain SSNs from businesses
that subscribe to their services, such as banks, insurance companies,
mortgage companies, debt collection agencies, child support enforcement
agencies, credit grantors, and employment screening companies.
Therefore, individuals who provide these businesses with their SSNs for
reasons such as applying for credit would subsequently have their
charges and payment transactions, accompanied by the SSN, reported to
the CRAs.
Health care organizations, including health care insurance plans and
providers, are less likely to obtain SSN data from public sources.
Health care organizations typically obtained SSNs from either
individuals themselves or from companies that offer health care plans.
For example, subscribers or policyholders enrolled in a health care
plan provide their SSNs as part of their health care plan applications
to their company or employer group. In addition to health care plans,
health care organizations also included health care providers, such as
hospitals. Such entities often collected SSNs as part of the process of
obtaining information on insured people. However, health care provider
officials told us that, particularly with hospitals, the medical record
number is the primary identifier, rather than the SSN.
Private Sector Entities Use SSNs Mainly for Linking Data for Identity
Verifications:
Information resellers, CRAs, and health care organization officials all
said that their companies used SSNs to link data for identity
verifications. Most of the officials we spoke to said that the SSN is
the single most important identifier available, because it is truly
unique to an individual, unlike a name or address, which can change
over an individual's lifetime. For example, we found that one large
information reseller that specialized in information technology
solutions had developed a customer verification data model that used
SSNs to help financial institutions comply with federal laws regarding
"knowing your customer."[Footnote 14] Most of the large information
resellers' officials we spoke to said that although they obtained the
SSN from their clients, they rarely provided SSNs to their customers.
Furthermore, almost all of the officials said that they provided their
clients a truncated SSN (e.g., xxx-xx-6789).
We also found that Internet-based information resellers--which provide
investigative or background checks to anyone willing to pay a fee--used
the SSN as a means to collect other information about an individual to
verify their identity. These types of resellers were more dependent on
SSNs than the large information resellers. In 2003, in an effort to
determine what type of information we could obtain from these
Internet-based resellers, our investigators accessed these sites, paid
the fee,
and supplied several Internet-based resellers with legitimate SSNs. Our
investigators found that these resellers provided them with
corresponding information based on the supplied SSNs, such as a name,
address, telephone number, and on two occasions, a truncated SSN. Also,
all but one reseller required our investigators to provide both the
name and SSN of the person who was the subject of our inquiry. During
our investigation, not one of the reviewed Internet-based resellers in
any apparent way attempted to audit us, determine who we were, or
verify that we were using the information for the permissible purpose
we had indicated.[Footnote 15]
CRAs used SSNs as the primary identifier of individuals, which enabled
them to match the information they received from their clients with the
information stored in their databases.[Footnote 16] Because these
companies had various commercial, financial, and government agencies
furnishing data to them, the SSN was the primary factor that ensured
that incoming data were matched correctly with an individual's
information on file. For example, CRA officials said they used several
factors to match incoming data with existing data, such as name,
address, and financial account information. However, because of its
uniqueness, they said that they use the SSN as a primary means to match
data.
We also found that health care organizations used the SSN to help
verify identities. These organizations used SSNs, along with other
information, such as name, address, and date of birth, to determine a
member's identity. Health care officials said that health care plans,
in particular, used the SSN as the primary identifier, and it often
became the customer's insurance number. Health care officials said that
they used SSNs for identification purposes, such as linking an
individual's name to an SSN to determine if premium payments have been
made. They also used the SSN as an online services identifier, as an
alternative policy identifier, and for phone-in identity verification.
Health care organizations also used SSNs to tie family members together
where family coverage is used,[Footnote 17] to coordinate member
benefits, and as a crosscheck for pharmacy transactions. Health care
industry association officials also said that SSNs are used for claims
processing, especially with regard to Medicare.
Federal and State Laws Limit Disclosure of Personal Information and
Address Identity Theft:
Certain federal laws have been enacted to restrict the use and
disclosure of consumers' personal information, including SSNs. In
addition to these federal laws, many states have enacted their own
legislation to restrict the use and display of SSNs, focusing on public
display restrictions, such as the display of SSNs on identification
cards, SSN solicitation, and customer notifications when SSNs are
compromised. In the last year, Congress has also introduced consumer
privacy legislation similar to enacted state legislation, which in some
cases includes SSN restrictions. In 1998, Congress enacted legislation
that made identity theft a crime, and state legislatures have also
enacted such legislation.
Federal and State Laws Limit the Use and Disclosure of Personal
Information, Including SSNs:
Certain federal and state laws have placed restrictions on entities'
use and disclosure of consumers' personal information, including SSNs.
At the federal level, such laws include the Fair Credit Reporting Act
(FCRA), the Fair and Accurate Credit Transaction Act (FACTA), the Gramm-
Leach-Bliley Act (GLBA), the Driver's Privacy Protection Act (DPPA), and
the Health Insurance Portability and Accountability Act (HIPAA). As
shown in table 1, these federal laws restrict the purposes for which
certain public and private sector entities may disclose personally
identifiable information or limit with whom that information may be
shared. See appendix II for more information on these laws.
Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure
of Personal Information:
Federal laws: Fair Credit Reporting Act;
Restrictions: Limits access to credit data that includes SSNs to those
who have a permissible purpose under the law.
Federal laws: Fair and Accurate Credit Transactions Act;
Restrictions: Amends FCRA to allow, among other things, consumers who
request a copy of their credit report to also request that the first
five digits of their SSN (or similar identification number) not be
included in the file; requires consumer reporting agencies and any
business that uses a consumer report to adopt procedures for proper
disposal.
Federal laws: Gramm-Leach-Bliley Act;
Restrictions: Creates a new definition of personal information that
includes SSNs and limits when financial institutions may disclose the
information to nonaffiliated third parties.
Federal laws: Drivers Privacy Protection Act;
Restrictions: Prohibits obtaining and disclosing SSNs and other
personal information from a motor vehicle record except as expressly
permitted under the law.
Federal laws: Health Insurance Portability and Accountability Act;
Restrictions: Protects the privacy of health information that
identifies an individual (including by SSNs) and restricts health care
organizations from disclosing such information to others without the
patient's consent.
Source: GAO analysis.
[End of table]
Many states have enacted their own legislation to restrict the use and
display of SSNs by public and private sector entities. Similar to some
of New York's proposed bills, several state statutes include provisions
related to restricting the display of SSNs, the unnecessary collection
of SSNs, and the disclosure of individuals' SSNs without their consent.
See appendix III for some examples of states that have enacted such
legislation.
Notably, in 2001, California enacted a law to restrict the use and
display of SSNs.[Footnote 18] The law generally prohibits companies and
persons from engaging in certain activities, such as:
* posting or publicly displaying SSNs,
* printing SSNs on cards required to access the company's products or
services,
* requiring people to transmit an SSN over the Internet unless the
connection is secure or the number is encrypted,
* requiring people to log onto a Web site using an SSN without a
password, or
* printing SSNs on anything mailed to a customer unless required by law
or the document is a form or application.
After its enactment, California's Office of Privacy Protection
published recommended practices for protecting the confidentiality of
the SSN, which included reducing its collection, controlling
institutional access to it, instituting safeguards to protect it, and
holding employees accountable for protecting it. These recommendations
applied to both public and private sector entities.
Subsequently, several states have enacted laws restricting the use or
display of SSNs. Specifically, we have identified 11 states--Arkansas,
Arizona, Connecticut, Illinois, Maryland, Michigan, Minnesota,
Missouri, Oklahoma, Texas, and Virginia--that have each passed laws
similar to California's.[Footnote 19] While some states, such as
Arizona, have enacted virtually identical SSN use and display
restrictions, other states have modified the restrictions in various
ways. For example, unlike the California law, which prohibits the use
of the full SSN, the Michigan statute prohibits the use of more than
four sequential digits of the SSN. The Michigan law also contains a
prohibition against the use of SSNs on identification and membership
cards, permits, and licenses. Missouri's law includes a prohibition
against requiring an individual to use his or her SSN as an employee
number. Oklahoma's law is unique in that it only limits the ways in
which employers may use their employees' SSNs, and does not apply more
generally to other types of transactions and activities.
Some states have recently enacted other types of restrictions on the
uses of SSNs as well. Both Arkansas and Colorado prohibit the use of a
student's SSN as a student identification number.[Footnote 20] New
Mexico requires businesses that have acquired consumer SSNs to adopt
internal policies to limit access to authorized employees.[Footnote 21]
Texas recently enacted a law requiring businesses to properly dispose
of business records that contain a customer's personal identifying
information, which is defined to include SSNs.[Footnote 22]
Other recent state legislation includes new restrictions on state and
local government agencies. For example, South Dakota law prohibits the
display of SSNs on all driver's licenses and nondriver's identification
cards,[Footnote 23] while Indiana law prohibits a state agency from
releasing an SSN unless otherwise required by law.[Footnote 24] In
addition, a Nevada law requires governmental agencies, except in
certain circumstances, to ensure that the SSNs recorded in their books
and on their records are maintained in a confidential manner.[Footnote 25]
We also identified three states that have passed legislation containing
notification requirements in the event of a security breach, similar to
the recently enacted New York law requiring such notifications.
California requires a business or a California state agency to notify
any California resident whose unencrypted personal information was, or
is reasonably believed to have been, acquired by an unauthorized
person.[Footnote 26] In the last year, this law forced several large
companies to notify individuals that their information was compromised
because of certain circumstances. Under a Nevada law, government
agencies and certain persons who do business in the state must notify
individuals if their personal information is reasonably believed to
have been compromised.[Footnote 27] Similarly, Georgia requires certain
private sector entities to notify their customers if a security breach
occurred that compromised their customers' personal information, such
as their SSNs.[Footnote 28]
At the time of this writing, Congress is also considering consumer
privacy legislation, which in some cases includes SSN restrictions. As
of August 18, 2005, there were approximately 22 proposed bills pending
before the U.S. House and Senate. In many cases, the provisions being
considered mirrored provisions in enacted state laws. For example, some
of the proposed legislation included prohibitions on the display of
SSNs, similar to the concept of Colorado's law prohibiting the display
of a person's SSN on a license, pass, or certificate, issued by a
public entity, except under certain circumstances.[Footnote 29] Several
other pieces of proposed federal legislation address the solicitation
of SSNs by public and private sector entities. For example, one
proposed bill prohibits business entities from denying an individual
goods or services for refusing to give an SSN for account record
purposes. Some states, such as Texas, Maine, and Colorado, have also
enacted SSN solicitation prohibitions or restrictions.[Footnote 30]
In addition, some federal privacy legislation also proposed consumer
safeguards, such as security freezes and prohibitions on the sale and
purchase of SSNs. For example, some proposed federal legislation
included provisions that allow consumers to place a security "credit"
freeze on their information to bar lenders and others from reviewing
their credit history.[Footnote 31] Five proposed bills also introduced
a prohibition on the sale or purchase of individuals' SSNs by both
public and private sector entities. In one instance, legislative
provisions prohibit the sale of customer information to a nonaffiliated
third party, unless customer consent is given. Additionally, roughly
nine proposed pieces of federal legislation contain security breach
notification requirements, and two proposed federal bills required the
disposal of sensitive personal data, such as SSNs.
Finally, some of the proposed federal legislation would preempt state
law and supersede some of the states' consumer protection
statutes.[Footnote 32] According to some privacy advocates,
historically, federal privacy laws have not preempted stronger state
protections or enforcement efforts, and they have said that the
proposed preemption would reduce some consumer privacy protections.
However, some private sector entities have noted the difficulty of
doing business within the framework of many different state laws and
have advocated a uniform federal standard. See appendix IV for a list
of proposed federal legislation we identified.
Federal and State Legislation Exist to Address Identity Theft:
The Identity Theft Act of 1998, the primary federal statute,
criminalizes fraud in connection with the theft and unlawful misuse of
personally identifiable information. The Identity Theft Act establishes
the person whose identity is stolen as a "true" victim and enables that
victim to seek restitution if there is a conviction. Previously, only
the credit grantors who suffered monetary losses were considered
victims. Additionally, Congress enacted FACTA in 2003, which amended
FCRA and added several provisions that were aimed at identity theft
prevention and victim assistance. For example, Congress enacted
provisions that allow an individual to obtain a free copy of his or her
credit report annually for self-monitoring.
Many states have laws prohibiting the theft of identity information,
and where specific identity theft laws do not exist, the practices may
be prohibited under other state laws or the states may be considering
such legislation. For example, New York law makes identity theft a
crime.[Footnote 33] In other states, identity theft statutes also
address specific crimes committed under a false identity. For example,
Arizona law prohibits any person from using deceptive means to alter
certain computer functions or use software to collect bank information,
take control of another person's computer, or prevent the operator from
blocking the installation of specific software.[Footnote 34] In
addition, Idaho law makes it unlawful to impersonate any state official
to seek, demand, or obtain personally identifiable information of
another person.[Footnote 35] Furthermore, some states have also
included identity theft victim assistance provisions in their laws. For
example, Washington law requires police and sheriff's departments to
provide a police report or original incident report at the request of
any consumer claiming to be a victim of identity theft.[Footnote 36]
Because identity theft is typically not a stand-alone crime, but rather
a component of one or more complex crimes, such as computer fraud,
credit card fraud, or mail fraud, the federal laws that apply
vary.[Footnote 37] For example, with the theft of identity information,
a perpetrator may commit computer fraud when using a stolen identity to
fraudulently obtain credit on the Internet. Computer fraud may also be
the primary vehicle used to obtain identity information when the
offender obtains unauthorized access to another computer or Web site to
obtain such information. As a result, the offender may be charged with
both identity theft and computer fraud.
According to a Department of Justice official, the investigation of
identity theft is labor intensive and individual cases are usually
considered to be too small for federal prosecution. Moreover,
perpetrators usually prey on multiple victims in multiple
jurisdictions. Consequently, a number of federal law enforcement
agencies can have a role in investigating identity theft crimes. How
the thief uses an individual's identity usually dictates which federal
agency has jurisdiction in the case. For example, if an individual
finds that an identity thief has stolen the individual's mail to obtain
credit cards, bank statements, or tax information, the victim should
report the crime to the U.S. Postal Inspection Service, the law
enforcement arm of the U.S. Postal Service. In addition, violations are
investigated by other federal agencies, such as the Social Security
Administration Office of the Inspector General, the U.S. Secret
Service, the Federal Bureau of Investigation (FBI), the U.S. Securities
and Exchange Commission, the U.S. Department of State, the U.S.
Department of Education Office of Inspector General, and the Internal
Revenue Service. The Department of Justice prosecutes federal identity
theft cases. Table 2 highlights some of the jurisdictional
responsibilities of some federal agencies.
Table 2: List of Federal Agencies with Some Identity Theft
Jurisdiction:
Federal agency: Social Security Administration's Office of the
Inspector General;
Jurisdictional identity theft highlights: Investigates SSN misuse
involving the buying and selling of SSN cards.
Federal agency: U.S. Secret Service;
Jurisdictional identity theft highlights: Investigates crimes
associated with financial institutions; investigations include bank
fraud, access device fraud involving credit and debit cards,
telecommunications and computer crimes, fraudulent identification,
fraudulent government and commercial securities, and electronic funds
transfer fraud.
Federal agency: Federal Bureau of Investigation;
Jurisdictional identity theft highlights: Investigates cases of
identity theft; investigations can include bank fraud, mail fraud, wire
fraud, bankruptcy fraud, insurance fraud, and fraud against the
government. In addition, FBI sponsors a national Identity Theft Working
Group, where participants from law enforcement, federal regulatory
bodies, and the financial services industry meet regularly to discuss
identity theft-related issues.
Federal agency: U.S. Securities and Exchange Commission;
Jurisdictional identity theft highlights: Investigates investment fraud
in instances where an identity thief has tampered with securities
investments or brokerage accounts.
Federal agency: U.S. Department of State;
Jurisdictional identity theft highlights: Investigates passport fraud
in instances where a passport is used fraudulently.
Federal agency: U.S. Department of Education Office of Inspector
General;
Jurisdictional identity theft highlights: Investigates fraudulent
student loan activity.
Federal agency: Internal Revenue Service;
Jurisdictional identity theft highlights: Investigates tax fraud where
identity theft may relate directly to tax records.
Source: GAO analysis.
[End of table]
Conclusions:
SSNs are still widely used and publicly available, although they have
become less so in the last year. Given the significance of the SSN in
committing fraud or stealing a person's identity, it is imperative that
steps be taken to protect this number. This is especially true as
information technology makes it easier to access individuals' personal
information. The increased availability and aggregation of personal
information in public and private sector databases and via the Internet
has provided new opportunities for individuals to engage in fraudulent
activities. Without proper regulations or safeguards in place, SSNs
will remain vulnerable to misuse, thus adding to the growing number of
identity theft victims.
Current federal restrictions on SSNs and other personal information are
industry specific and do not apply broadly. Certain industries, such as
the financial services industry, are required to protect individuals'
personal information while others are not. In addition, given the
industry specific nature of federal laws, no single federal agency has
responsibility for ensuring the protection of individuals' personal
information. Consequently, gaps remain at the federal level in
protecting individuals' personal information.
State legislatures have also placed restrictions on SSNs by enacting
laws that restrict the use and display of SSNs and prohibit the theft
of individuals' personal information. However, gaps also remain at the
state level because not all states have enacted laws to protect
individuals' personal information. In addition, while there is some
consistency among enacted state laws, privacy protections and identity
theft prevention vary with the focus of each state's legislature.
As legislatures at both the federal and state level continue to enact
laws to protect individuals' personal information, gaps in protections
will need to be determined and addressed in order to prevent SSNs and
other personal information from being misused. We are pleased that the
Assembly is concentrating on this important policy issue, and we hope
our work will be helpful to you. That concludes my testimony, and I
would be pleased to respond to any questions.
Contacts and Acknowledgments:
For further information regarding this testimony, please contact
Barbara D. Bovbjerg, Director or Tamara Cross, Assistant Director,
Education, Workforce, and Income Security at (202) 512-7215.
Individuals making key contributions to this testimony include Margaret
Armen, Pat Bernard, Mindy Bowman, Richard Burkard, Rachael Chamberlin,
Amber Edwards, Jason Holsclaw, Joel Marus, and Sheila McCoy.
[End of section]
Appendix I: Federal Statutes That Authorize or Mandate the Collection
and Use of SSNs by Government Entities:
Federal statute: Tax Reform Act of 1976; 42 U.S.C. 405(c)(2)(c);
General purpose for collecting or using the Social Security number
(SSN): General public assistance programs, tax administration, driver's
license, motor vehicle registration;
Government entity and authorized or required use: Authorizes states to
collect and use SSNs in administering any tax, general public
assistance, driver's license, or motor vehicle registration law.
Federal statute: Food Stamp Act of 1977 as amended; 7 U.S.C.
2025(e)(1);
General purpose for collecting or using the Social Security number
(SSN): Food Stamp Program;
Government entity and authorized or required use: Mandates the
Secretary of Agriculture and state agencies to require SSNs for program
participation.
Federal statute: Deficit Reduction Act of 1984; 42 U.S.C. 1320b-7(a)
and (b);
General purpose for collecting or using the Social Security number
(SSN): Eligibility for federal benefits under state administered
program;
Government entity and authorized or required use: Requires that, as a
condition of eligibility for Medicaid benefits and other federal
benefit programs, applicants for and recipients of these benefits
furnish their SSNs to the state administering program.
Federal statute: Comprehensive Omnibus Budget Reconciliation Act of
1986; 20 U.S.C. 1091(a)(4);
General purpose for collecting or using the Social Security number
(SSN): Financial Assistance;
Government entity and authorized or required use: Requires students to
provide their SSNs when applying for federal student financial aid.
Federal statute: Housing and Community Development Act of 1987; 42
U.S.C. 3543(a);
General purpose for collecting or using the Social Security number
(SSN): Eligibility for the Department of Housing and Urban Development
programs;
Government entity and authorized or required use: Authorizes the
Secretary of the Department of Housing and Urban Development to require
program applicants and participants to submit their SSNs as a condition
of eligibility.
Federal statute: Family Support Act of 1988; 42 U.S.C.
405(c)(2)(C)(ii);
General purpose for collecting or using the Social Security number
(SSN): Issuance of birth certificates;
Government entity and authorized or required use: Requires states to
obtain parents' SSNs before issuing a birth certificate unless there is
good cause for not requiring the number.
Federal statute: Technical and Miscellaneous Revenue Act of 1988; 42
U.S.C. 405(c)(2)(D)(i);
General purpose for collecting or using the Social Security number
(SSN): Blood donation;
Government entity and authorized or required use: Authorizes states and
political subdivisions to require that blood donors provide their SSNs.
Federal statute: Food, Agriculture, Conservation, and Trade Act of
1990; 42 U.S.C. 405(c)(2)(C)(iii);
General purpose for collecting or using the Social Security number
(SSN): Retail and wholesale businesses participation in food stamp
program;
Government entity and authorized or required use: Authorizes the
Secretary of Agriculture to require the SSNs of officers or owners of
retail and wholesale food concerns that accept and redeem food stamps.
Federal statute: Omnibus Budget Reconciliation Act of 1990; 38 U.S.C.
5101(c);
General purpose for collecting or using the Social Security number
(SSN): Eligibility for Veterans Affairs compensation or pension
benefits programs;
Government entity and authorized or required use: Authorizes the
Secretary of Veterans Affairs to require individuals to provide their
SSNs to be eligible for Department of Veterans Affairs' compensation or
pension benefits programs.
Federal statute: Social Security Independence and Program Improvements
Act of 1994; 42 U.S.C. 405(c)(2)(E)(ii);
General purpose for collecting or using the Social Security number
(SSN): Eligibility of potential jurors;
Government entity and authorized or required use: Authorizes states and
political subdivisions of states to use SSNs to determine eligibility
of potential jurors.
Federal statute: Personal Responsibility and Work Opportunity
Reconciliation Act of 1996; 42 U.S.C. 666(a)(13);
General purpose for collecting or using the Social Security number
(SSN): Various license applications, divorce and child support
documents, death certificates;
Government entity and authorized or required use: Mandates that states
have laws in effect that require collection of SSNs on applications for
driver's licenses and other licenses; requires placement in the
pertinent records of the SSN of the person subject to a divorce decree,
child support order, paternity determination; requires SSNs on death
certificates.
Federal statute: Higher Education Act Amendments of 1998; 20 U.S.C.
1090(a)(7);
General purpose for collecting or using the Social Security number
(SSN): Financial assistance;
Government entity and authorized or required use: Authorizes the
Secretary of Education to request SSNs of parents of dependent students
applying for federal student financial aid.
Federal statute: Internal Revenue Code (various amendments); 26 U.S.C.
6109;
General purpose for collecting or using the Social Security number
(SSN): Tax returns;
Government entity and authorized or required use: Authorizes the
Commissioner of the Internal Revenue Service to require that
individuals include their SSNs on tax returns.
Source: GAO review of applicable federal laws.
[End of table]
[End of section]
Appendix II: Federal Laws Affecting Information Resellers, CRAs, and
Health Care Organizations:
Fair Credit Reporting Act (FCRA):
Congress has limited the use of consumer reports to protect consumers'
privacy. All users must have a permissible purpose under FCRA to obtain
a consumer report. Some of these permissible purposes are:
* for the extension of credit as a result of an application from a
consumer or the review or collection of a consumer's account, for
employment purposes, including hiring and promotion decisions, where
the consumer has given written permission;
* for the underwriting of insurance as a result of an application from
a consumer;
* when there is a legitimate business need, in connection with a
business transaction that is initiated by the consumer; and
* to review a consumer's account to determine whether the consumer
continues to meet the terms of the account.
Fair and Accurate Credit Transaction Act (FACTA):
FACTA added new sections to FCRA intended primarily to help consumers
prevent and combat identity theft. Some of the provisions include:
* allowing consumers to obtain a free copy of their credit report,
* the truncation of credit and debit card account numbers and the
truncation of SSNs if requested,
* requirements for the disposal of consumer report information or
records,
* obligations for furnishers of information to investigate and correct
inaccurate information recorded in a consumer's credit report.
Gramm-Leach-Bliley Act (GLBA):
GLBA requires companies to give consumers privacy notices that explain
the institutions' information-sharing practices. In turn, consumers
have the right to limit some, but not all, sharing of their nonpublic
personal information. Financial institutions are permitted to disclose
consumers' nonpublic personal information without offering them an opt-
out right in some of the following circumstances:
* to effect a transaction requested by the consumer in connection with
a financial product or service requested by the consumer; maintaining
or servicing the consumer's account with the financial institution or
another entity as part of a private label credit card program or other
extension of credit; or a proposed or actual securitization, secondary
market sale, or similar transaction;
* to protect the confidentiality or security of the consumer's records;
to prevent actual or potential fraud, for required institutional risk
control or for resolving customer disputes or inquiries, to persons
holding a legal or beneficial interest relating to the consumer, or to
the consumer's fiduciary;
* to the extent specifically permitted or required under other
provisions of law and in accordance with the Right to Financial Privacy
Act of 1978, to law enforcement agencies, self-regulatory
organizations, or for an investigation on a matter related to public
safety;
* to a consumer reporting agency in accordance with the Fair Credit
Reporting Act or from a consumer report reported by a consumer
reporting agency;
* to comply with federal, state, or local laws; an investigation or
subpoena; or to respond to judicial process or government regulatory
authorities.
Financial institutions are required by GLBA to disclose to consumers at
the initiation of a customer relationship, and annually thereafter,
their privacy policies, including their policies with respect to
sharing information with affiliates and non-affiliated third parties.
Drivers Privacy Protection Act (DPPA):
The DPPA specifies a list of exceptions when personal information
contained in a state motor vehicle record may be obtained and used.
Some of these permissible purposes include:
* for use by any government agency in carrying out its functions;
* for use in connection with matters of motor vehicle or driver safety
and theft; motor vehicle emissions; motor vehicle product alterations,
recalls, or advisories; motor vehicle market research activities,
including survey research;
* for use in the normal course of business by a legitimate business,
but only to verify the accuracy of personal information submitted by
the individual to the business and, if such information is not correct,
to obtain the correct information but only for purposes of preventing
fraud by pursuing legal remedies against, or recovering on a debt or
security interest against, the individual;
* for use in connection with any civil, criminal, administrative, or
arbitral proceeding in any federal, state, or local court or agency;
* for any other use specifically authorized under a state law, if such
use is related to the operation of a motor vehicle or public safety.
Health Insurance Portability and Accountability Act (HIPAA):
The HIPAA privacy rule also defines some rights and obligations for
both covered entities and individual patients and health plan members.
Some of the highlights are:
* Individuals must give specific authorization before health care
providers can use or disclose protected information in most nonroutine
circumstances, such as releasing information to an employer or for use
in marketing activities.
* Covered entities will need to provide individuals with written notice
of their privacy practices and patients' privacy rights. The notice
will contain information that could be useful to individuals choosing a
health plan, doctor, or other service provider. Patients will be
generally asked to sign or otherwise acknowledge receipt of the privacy
notice.
* Covered entities must obtain an individual's specific authorization
before sending them marketing materials.
[End of section]
Appendix III: Examples of Enacted State SSN Legislation Restricting
Use:
State (year passed): Arizona (2004);
Code section: Ariz. Rev. Stat. § 44-1373;
Summary of key provisions: Generally prohibits any person or entity
from (1) intentionally communicating or otherwise making an
individual's SSN available to the general public; (2) printing an
individual's SSN on any card required to receive products or services;
(3) requiring an individual to transmit his or her SSN over the
Internet unless the number is encrypted or the connection is secure;
(4) requiring the use of an SSN to access an Internet Web site unless a
password or other security device is used; and (5) printing an
individual's SSN on any material to be mailed to the individual, unless
the inclusion of the SSN is required by law.
State (year passed): Arkansas (2005);
Code section: Ark. Code Ann. § 4-86-107;
Summary of key provisions: Generally prohibits any person or entity
from (1) publicly posting or displaying an individual's SSN in any
manner; (2) printing an individual's SSN on any card required to
receive products or services; (3) printing an individual's SSN on a
postcard or in any other manner by which the SSN is visible from the
outside; and (4) requiring an individual to transmit his or her SSN
over the Internet unless the number is encrypted or the connection is
secure.
State (year passed): Arkansas (2005);
Code section: Ark. Code Ann. § 6-18-208;
Summary of key provisions: Generally prohibits schools and school
districts from using, displaying, releasing, or printing a student's
SSN or any part thereof on any report, ID card or badge, or any
document that will be made available to the public, a student, or a
student's parent or guardian without the express written consent of the
parent, if the student is a minor, or the student if the student is 18
years of age or older.
State (year passed): California (2001);
Code section: Cal. Civ. Code § 1798.85;
Summary of key provisions: Generally prohibits any person or entity
from (1) publicly posting or displaying an individual's SSN in any
manner; (2) printing an individual's SSN on any card required to
receive products or services; (3) requiring an individual to transmit
his or her SSN over the Internet unless the number is encrypted or the
connection is secure; (4) requiring the use of an SSN to access an
Internet Web site unless a password or other security device is used;
and (5) printing an individual's SSN on any material to be mailed to
the individual, unless the inclusion of the SSN is required by law.
State (year passed): California (2004);
Code section: Cal. Fam. Code § 2024.5;
Summary of key provisions: Authorizes a petitioner or respondent to
redact SSNs from pleadings, attachments, documents, or other material
filed with the court pursuant to a petition for dissolution of
marriage, annulment, or legal separation, except as specified. Requires
that filing forms contain a notice of the right to redact SSNs.
State (year passed): Colorado (2003);
Code section: Colo. Rev. Stat. § 23-5-127;
Summary of key provisions: Requires each institution of higher
education to assign a unique identifying number to each student
enrolled at the institution starting. Prohibits the use of a student's
SSN as the unique identifying number. Requires institutions of higher
learning to take reasonable and prudent steps to ensure the privacy of
students' SSNs.
State (year passed): Connecticut (2003);
Code section: Conn. Gen. Stat. § 42-470;
Summary of key provisions: Generally prohibits any person or entity,
except government entities, from (1) publicly posting or displaying an
individual's SSN in any manner; (2) printing an individual's SSN on any
card required to receive products or services; (3) requiring an
individual to transmit his or her SSN over the Internet unless the
number is encrypted or the connection is secure; and (4) requiring the
use of an SSN to access an Internet Web site unless a password or other
security device is used.
State (year passed): Connecticut (2004);
Code section: Conn. Gen. Stat. § 8-64b;
Summary of key provisions: Prohibits entities purchasing all or part of
a housing project from a housing authority from disclosing to the
public tenant SSNs or bank account numbers contained in lease
agreements.
State (year passed): Delaware (2004);
Code section: Del. Code Ann., tit. 7 § 503;
Summary of key provisions: Ensures that SSNs provided by hunting,
fishing, and trapping license holders would not be released to the
public.
State (year passed): Florida (2005);
Code section: Fla. Stat. ch. 97.0585;
Summary of key provisions: Exempts a voter's SSN, driver's license
number, state identification number, and signature from the public
disclosure laws.
State (year passed): Georgia (2004);
Code section: Ga. Code Ann. § 50-18-72;
Summary of key provisions: Provides that public disclosure shall not be
required for records that would reveal the home address or telephone
number, SSN, or insurance or medical information of certain state
employees.
State (year passed): Hawaii (2005);
Code section: Haw. Rev. Stat. § 12-3;
Summary of key provisions: Prohibits the use of a registered voter's
SSN as identifying information on candidate nomination papers.
State (year passed): Illinois (2004);
Code section: 815 Ill. Comp. Stat. 505/2QQ;
Summary of key provisions: Generally prohibits any person or entity
from (1) publicly posting or displaying an individual's SSN in any
manner; (2) printing an individual's SSN on any card required to
receive products or services; (3) requiring an individual to transmit
his or her SSN over the Internet unless the number is encrypted or the
connection is secure; (4) requiring the use of a SSN to access an
Internet Web site unless a password or other security device is used;
and (5) printing an individual's SSN on any material to be mailed to
the individual, unless the inclusion of the SSN is required by law.
State (year passed): Indiana (2005);
Code section: Ind. Code § 4-1-10-1 et seq;
Summary of key provisions: Generally prohibits a state agency from
disclosing an individual's SSN, unless otherwise required by law.
State (year passed): Indiana (2005);
Code section: Ind. Code § 9-24-6-2; § 9-24-9-2; § 9-24-11-5; § 9-24-16-3;
Summary of key provisions: Removes the requirement that SSNs be
displayed on commercial driver's licenses. Requires that applications
for driver's licenses, permits, and identification cards allow
applicants to indicate whether the SSN or another distinguishing number
shall be used on the license, permit, or identification card, and
prohibits the use of the SSN if the applicant does not indicate a
preference.
State (year passed): Louisiana (2004);
Code section: La. Rev. Stat. Ann. 9:5141; 35:17;
Summary of key provisions: Requires that only the last four digits of
an SSN appear on mortgage records and notarial acts.
State (year passed): Maryland (2005);
Code section: Md. Code Ann., Com. Law § 14-3301 et seq;
Summary of key provisions: Generally prohibits any person or entity,
except government entities, from (1) publicly displaying or posting an
individual's SSN; (2) printing an individual's SSN on any card required
to receive products or services; (3) requiring an individual to
transmit his or her SSN over the Internet unless the number is
encrypted or the connection is secure; (4) initiating the transmission
of an individual's SSN unless the connection is secure; (5) requiring
the use of a SSN to access an Internet Web site unless a password or
other security device is used; (6) printing an individual's SSN on any
material to be mailed to the individual, unless the inclusion of the
SSN is required by law; (7) electronically transmitting an individual's
SSN unless the connection is secure or the SSN is encrypted; and (8)
faxing an individual's SSN to that individual.
State (year passed): Michigan (2004);
Code section: Mich. Comp. Laws § 445.81 et seq;
Summary of key provisions: Generally prohibits any person or entity
from (1) publicly posting or displaying more than four sequential
digits of an individual's SSN; (2) using more than four sequential
digits of an individual's SSN as the primary account number for an
individual; (3) visibly printing more than four sequential digits of an
individual's SSN on any identification badge or card, membership card,
or permit or license; (4) requiring an individual to transmit more than
four sequential digits of his or her SSN over the Internet unless the
number is encrypted or the connection is secure; (5) requiring the use
of more than four sequential digits of an individual's SSN to access an
Internet Web site unless a password or other security device is used;
and (6) printing more than four sequential digits of an individual's
SSN on any material to be mailed to the individual.
State (year passed): Minnesota (2005);
Code section: Minn. Stat. § 325E.59;
Summary of key provisions: Generally prohibits any person or entity,
except government entities, from (1) publicly posting or displaying an
individual's SSN in any manner; (2) printing an individual's SSN on any
card required to receive products or services; (3) requiring an
individual to transmit his or her SSN over the Internet unless the
number is encrypted or the connection is secure; (4) requiring the use
of a SSN to access an Internet Web site unless a password or other
security device is used; and (5) printing an individual's SSN on any
material to be mailed to the individual, unless the inclusion of the
SSN is required by law.
State (year passed): Missouri (2003);
Code section: Mo. Rev. Stat. § 407.1355;
Summary of key provisions: Generally prohibits any person or entity,
except government entities, from (1) publicly displaying or posting an
individual's SSN, including any activity that would make the SSN
available to an individual's coworkers, (2) requiring an individual to
transmit his or her SSN over the Internet unless the number is
encrypted or the connection is secure, (3) requiring the use of a SSN
to access an Internet Web site unless a password or other security
device is used, and (4) requiring an individual to use his or her SSN
as an employee number.
State (year passed): Nevada (2005);
Code section: Nev. Rev. Stat. Chapter 239; Chapter 239B; Chapter 603;
Summary of key provisions: Requires a governmental entity, except in
certain circumstances, to ensure that SSNs in its books and records are
maintained in a confidential manner. Prohibits the inclusion of SSNs in
certain documents that are recorded, filed, or otherwise submitted to a
governmental agency. Requires governmental agencies or certain persons
who do business in the state to notify individuals if personal
information is reasonably believed to have been acquired by an
unauthorized person.
State (year passed): New Jersey (2005);
Code section: N.J. Stat. Ann. § 47:1-16;
Summary of key provisions: Prohibits any person, including any public
or private entity, from printing or displaying in any manner an
individual's SSN on any document intended for public recording with any
county recording authority. Provides that, in the case of certain
documents, the county recording authority is authorized to delete,
strike, obliterate or otherwise expunge an SSN that appears on the
document without invalidating it.
State (year passed): New Mexico (2003);
Code section: N.M. Stat. Ann. § 57-12B-1 et seq;
Summary of key provisions: Prohibits a business from requiring a
consumer's SSN as a condition for the consumer to lease or purchase
products, goods or services from the business. A company acquiring or
using SSNs of consumers shall adopt internal policies that (1) limit
access to the SSNs to those employees authorized to have access to that
information to perform their duties; and (2) hold employees responsible
if the SSNs are released to unauthorized persons.
State (year passed): North Dakota (2003);
Code section: N.D. Cent. Code § 39-06-14;
Summary of key provisions: Prohibits the use of SSNs on driver's
licenses.
State (year passed): Oklahoma (2004);
Code section: Okla. Stat. tit. 40, § 173.1;
Summary of key provisions: Generally prohibits an employing entity from
(1) publicly displaying or posting an employee's SSN; (2) printing the
SSN of an employee on any card required for the employee to access
information, products, or services; (3) requiring an employee to
transmit his or her SSN over the Internet unless the number is
encrypted or the connection is secure; (4) requiring an employee to use
an SSN to access an Internet Web site unless a password or other
security device is used; and (5) printing an employee's SSN on any
materials mailed to the employee, unless the SSN is required by law to
be in the materials.
State (year passed): Rhode Island (2004);
Code section: R.I. Gen. Laws § 6-13-19;
Summary of key provisions: Prohibits any person, firm, corporation, or
other business entity that offers discount cards for purchases made at
any business maintained by the offeror from requiring that a person who
applies for a discount card furnish his or her SSN or driver's license
as a condition precedent to the application for the consumer discount
card.
State (year passed): South Carolina (2004);
Code section: S.C. Code Ann. § 7-5-170;
Summary of key provisions: SSNs provided in voter registration
applications must not be open to public inspection.
State (year passed): South Dakota (2005);
Code section: S.D. Codified Laws § 32-12-17.10; § 32-12-17.13;
Summary of key provisions: Prohibits the display of SSNs on driver's
licenses or non-driver's identification cards and the use of electronic
barcodes containing SSN data.
State (year passed): Texas (2005);
Code section: Tex. Bus. & Com. Code Ann. 35.48;
Summary of key provisions: Requires that businesses disposing of
business records containing a customer's personal identifying
information must modify, by shredding, erasing, or other means, the
personal identifying information to make it unreadable or
undecipherable.
State (year passed): Texas (2003);
Code section: Tex. Bus. & Com. Code Ann. 35.58;
Summary of key provisions: Generally prohibits any person or entity,
except government entities, from (1) intentionally communicating an
individual's SSN to the general public; (2) printing an individual's
SSN on any card required to access or receive products or services; (3)
requiring an individual to transmit his or her SSN over the Internet
unless the number is encrypted or the connection is secure; (4)
requiring the use of a SSN to access an Internet Web site unless a
password or other security device is used; and (5) printing an
individual's SSN on any materials mailed to the individual, unless the
SSN is required by law to be in the materials.
State (year passed): Texas (2003);
Code section: Tex. Elec. Code Ann. § 13.004;
Summary of key provisions: Provides that a SSN, Texas driver's license
number, or number of a personal identification card furnished on a
voter registration application is confidential and does not constitute
public information. Requires the registrar to ensure that such personal
data are excluded from disclosure.
State (year passed): Utah (2004);
Code section: Utah Code Ann. § 31A-21-110;
Summary of key provisions: Prohibits insurers from publicly posting an
individual's SSN in any manner or printing an individual's SSN on any
card required for the individual to access products or services
provided or covered by the insurer.
State (year passed): Virginia (2005);
Code section: Va. Code Ann. § 59.1-443.2;
Summary of key provisions: Generally prohibits any person or entity
from (1) intentionally communicating an individual's SSN to the general
public; (2) printing an individual's SSN on any card required to access
or receive products or services; (3) requiring the use of a SSN to
access an Internet Web site unless a password or other security device
is used; and (4) mailing a package with the SSN visible from the
outside.
State (year passed): Wisconsin (2003);
Code section: Wis. Stat. § 36.32;
Summary of key provisions: Prohibits private institutions of higher
education from assigning to any student an identification number that
is identical to or incorporates the student's SSN.
State (year passed): West Virginia (2003);
Code section: W. Va. Code § 17E-1-11;
Summary of key provisions: Removes the requirement that a SSN appear on
a commercial driver's license.
Source: GAO analysis.
[End of table]
[End of section]
Appendix IV: List of Proposed Federal Legislation as of August 2005:
Bill Number: H.R. 3375;
Title: Financial Data Security Act of 2005;
Selected Provisions: Consumer must be notified if an investigation
reveals that the information would cause substantial inconvenience or
harm.
Bill Number: H.R. 3374;
Title: Consumer Notification and Financial Data Protection Act of 2005;
Selected Provisions: Provide written notice to a consumer whose
sensitive financial personal information was compromised in a data
breach; sensitive financial personal data must be properly disposed of
so that such information or compilation cannot practicably be read or
reconstructed.
Bill Number: S. 1408;
Title: Identity Theft Protection Act;
Selected Provisions: If a covered entity determines that a breach of
security affects sensitive personal information, the entity must notify
each individual; a consumer can request a security freeze on his/her
credit report; no covered entity may solicit any SSN from an individual
unless there is a specific use of the SSN for which no other identifier
can be reasonably used; SSNs cannot be printed on (1) any
identification card or tag or (2) driver's licenses.
Bill Number: H.R. 3140;
Title: Consumer Data Security and Notification Act of 2005;
Selected Provisions: Amends the Fair Credit Reporting Act to cover any
person that communicates personally identifiable or financial
information for compensation. Requires identity verification of any
person requesting consumer reports. Protects nonpublic consumer
information. Requires notice of security breach.
Bill Number: S. 1332;
Title: Personal Data Privacy and Security Act of 2005;
Selected Provisions: No person may (1) display any individual's SSN to
a third party without the voluntary and affirmatively expressed consent
of such individual, (2) sell or purchase any SSN of an individual
without the voluntary and affirmatively expressed consent of such
individual, or (3) harvest SSNs from federal public records for the
purpose of displaying or selling such number to the public.
Bill Number: S. 1336;
Title: Consumer Identity Protection and Security Act;
Selected Provisions: Customer has the right to request that a consumer
reporting agency place a security freeze on a private information file.
Bill Number: S. 810;
Title: SAFE-ID Act;
Selected Provisions: Generally, prohibits business enterprises from
disclosing personally identifiable information regarding U.S. residents
to any branch, affiliate, subcontractor, or unaffiliated third party
located in a foreign country.
Bill Number: S. 768;
Title: Comprehensive Identity Theft Prevention Act;
Selected Provisions: In general, no person may solicit any SSN unless
(1) the SSN is necessary for the normal course of business or (2) there
is a specific use for the SSN for which no other identifying number can
be used; no employer may display the SSN on any identification card
issued to its employees; it shall be unlawful for any person to (1)
sell or purchase an SSN or display to the general public an SSN or (2)
obtain or use an SSN for the purpose of locating or identifying an
individual with the intent to cause physical harm or use the identity
of such individual.
Bill Number: H.R. 220;
Title: Identity Theft Prevention Act of 2005;
Selected Provisions: Prohibits using an SSN except for specified Social
Security and tax purposes; prohibits the Social Security Administration
from divulging the Social Security account number of an individual to
any federal, state, or local government agency or instrumentality, or
to any other individual.
Bill Number: H.R. 92;
Title: To amend title XVIII of the Social Security Act to permit
Medicare beneficiaries upon request to use an identification number
other than a social security account number under the Medicare Program
in order to deter identity theft;
Selected Provisions: Directs the Secretary of Health and Human Services
to establish a procedure under which, upon the request of an individual
entitled to Medicare benefits, the Secretary shall provide for the
issuance of an (1) identification number other than the individual's
Social Security account number for Medicare purposes and (2) an
appropriate Medicare card containing such an alternative identification
number.
Bill Number: H.R. 82;
Title: Social Security On-line Privacy Protection Act;
Selected Provisions: Prohibits an interactive computer service from
disclosing to a third party an individual's Social Security number or
related personally identifiable information without the individual's
prior informed written consent.
Bill Number: H.R. 744;
Title: Internet Spyware (I-SPY) Prevention Act of 2005;
Selected Provisions: Amends the federal criminal code to prohibit
intentionally accessing a protected computer without authorization, or
exceeding authorized access, by causing a computer program or code to
be copied onto the protected computer and intentionally using that
program or code to obtain or transmit personal information (including
an SSN or other government-issued identification number, a bank or
credit card number, or an associated password or access code) with
intent to defraud or injure a person or cause damage to a protected
computer.
Bill Number: H.R. 1069;
Title: Notification of Risk to Personal Data Act;
Selected Provisions: Amends the Gramm-Leach-Bliley Act to require a
financial institution, at which a breach of personal information is
reasonably believed to have occurred, to promptly notify each affected
customer; amends the Fair Credit Reporting Act to require a consumer
reporting agency to maintain a fraud alert file with respect to any
consumer upon receiving notice of a breach of personal information.
Bill Number: H.R. 1078;
Title: Social Security Number Protection Act of 2005;
Selected Provisions: Amends the Social Security Act to establish
criminal penalties for the sale and purchase of the Social Security
number and Social Security account number of any person, except with
that person's consent or in certain circumstances.
Bill Number: H.R. 1745;
Title: Social Security Number Privacy and Identity Theft Prevention Act
of 2005;
Selected Provisions: Amends title II of the Social Security Act to (1)
specify restrictions on the sale and display to the general public of
SSNs by federal, state, and local governments and bankruptcy case
trustees;
(2) prohibit the display of SSNs on checks issued for payment by such
governments; (3) prohibit the federal, state, or local government
display of SSNs on employee identification cards or tags (IDs); (4)
prohibit access to the SSNs of other individuals by prisoners employed
by federal, state, or local governments; and (5) prohibit the selling,
purchasing, or displaying of SSNs (with certain exceptions), or the
obtaining or use of any individual's SSN to locate or identify such
individual with the intent to physically injure or harm such individual
or to use the individual's ID for any illegal purpose by any person.
Bill Number: H.R. 2518;
Title: Stop the Theft of Our Social Security Numbers Act of 2005;
Selected Provisions: Prohibits disclosure of an individual's SSN on
Medicare-related mailings.
Bill Number: H.R. 2840;
Title: Federal Agency Protection of Privacy Act of 2005;
Selected Provisions: Requires federal agencies, when publishing a
general notice of proposed rule making that pertains to the collection,
maintenance, use, or disclosure of personally identifiable information
from ten or more individuals, to prepare an initial assessment
describing the rule's impact on individual privacy.
Bill Number: S. 29;
Title: Social Security Number Misuse Protection Act;
Selected Provisions: Amends the federal criminal code to prohibit the
display, sale, or purchase of SSNs without the affirmatively expressed
consent of the individual, except in specified circumstances.
Bill Number: S. 115;
Title: Notification of Risk to Personal Data Act;
Selected Provisions: Requires any entity that owns or licenses
electronic data containing personal information, following the
discovery of a breach of security of the system containing such data,
to notify any U.S. resident whose personal information was, or is
reasonably believed to have been, acquired by an unauthorized person.
Bill Number: S. 116;
Title: Privacy Act of 2005;
Selected Provisions: Prohibits the sale and disclosure of personally
identifiable information by a commercial entity to a nonaffiliated
third party unless prescribed procedures for notice and opportunity to
restrict such disclosure have been followed; prohibits the display,
sale, or purchase of SSNs without the affirmatively expressed consent
of the individual; prohibits the use of SSNs on (1) checks issued for
payment by governmental agencies and (2) driver's licenses or motor
vehicle registrations; prohibits a commercial entity from requiring
disclosure of an individual's SSN in order to obtain goods or services.
Bill Number: S. 751;
Title: Notification of Risk to Personal Data Act;
Selected Provisions: Requires any federal agency or person that owns,
licenses, or collects personal information data, following the
discovery of a breach of its personal data security system or upon
receiving notice of a system breach, to notify (as specified) the
individual whose information was obtained by an unauthorized person.
Bill Number: S. 1216;
Title: Financial Privacy Breach Notification Act of 2005;
Selected Provisions: Amends GLBA to require a financial institution to
promptly notify the following entities whenever a breach of personal
information has occurred at such institution: (1) each customer
affected by such breach, (2) certain consumer reporting agencies, and
(3) appropriate law enforcement agencies.
Source: GAO Analysis.
[End of table]
[End of section]
FOOTNOTES
[1] GAO, Identity Theft: Prevalence and Cost Appear to Be Growing,
GAO-02-363 (Washington, D.C.: March 2002).
[2] Information resellers, sometimes referred to as information
brokers, are businesses that specialize in amassing consumer
information, such as SSNs, for informational services. CRAs, also known
as credit bureaus, are agencies that collect and sell information about
the creditworthiness of individuals. Health care organizations or
health care insurers generally deliver services through a coordinated
system that includes health care providers and health care plans.
[3] The Social Security Act of 1935 created the Social Security Board,
which was renamed the Social Security Administration in 1946.
[4] United States Sentencing Commission, Identity Theft Final Alert
(Washington, D.C.: Dec. 15, 1999).
[5] Pub. L. No. 105-318, codified in part at 18 U.S.C. §1028.
[6] GAO, Social Security Numbers: Government and Commercial Use of the
Social Security Number Is Widespread, GAO/HEHS-99-28 (Washington, D.C.:
February 1999), and GAO, Social Security Numbers: Government Benefits
from SSN Use, but Could Provide Better Safeguards, GAO-02-352
(Washington, D.C.: May 2002).
[7] GAO-02-352.
[8] The Bureau of the Census is authorized by statute to collect a
variety of information and is prohibited from making it available,
except in certain circumstances.
[9] The statistical and research communities refer to the process of
matching records containing SSNs for statistical or research purposes
as "record linkage." See GAO, Record Linkage and Privacy: Issues in
Creating New Federal Research and Statistical Information, GAO-01-126SP
(Washington, D.C.: April 2001).
[10] Not all records held by government or public agents are "public"
in terms of their availability to any inquiring person. For example,
adoption records are generally sealed. Personnel records are often not
readily available to the public, although newspapers may publish the
salaries of high elected officials. There is no common definition of
public records. However, we define public records as those records
generally made available to the public in their entirety for inspection
by a federal, state, or local government agency. Such documents are
typically accessed in a public reading room or clerk's office or on the
Internet.
[11] GAO, Social Security Numbers: Governments Could Do More To Reduce
Display in Public Records and on Identity Cards, GAO-05-59 (Washington,
D.C.: November 2004).
[12] GAO-05-59.
[13] GAO-04-11.
[14] Under Section 326 of the USA PATRIOT Act, financial institutions
must verify each new account holder's identity after opening an account
in an effort to curtail money laundering and terrorist financing.
[15] GAO-04-11.
[16] We found that CRAs and information resellers can sometimes be the
same entity, a fact that blurs the distinctions between the two types
of businesses but does not affect the use of SSNs by these entities.
Five of the six large information resellers we spoke to said they were
also CRAs. Some CRA officials said that information reselling
constituted as much as 40 percent of CRAs' business.
[17] During the enrollment process, subscribers have a number of
options, one of which is deciding whether they would like single or
family coverage. In cases where family coverage is chosen, the SSN is
the key piece of information generally allowing the family members to
be linked.
[18] Cal. Civ. Code § 1798.85 (2001).
[19] See Arkansas (Ark. Code Ann. § 4-86-107 (2005)); Arizona (Ariz.
Rev. Stat. § 44-1373 (2004)); Connecticut (Conn. Gen. Stat. § 42-470
(2003)); Illinois (815 Ill. Comp. Stat. 505/2QQ (2004)); Maryland (Md.
Code Ann., Com. Law § 14-3301 et seq. (2005)); Michigan (Mich. Comp.
Laws § 445.81 et seq. (2004)); Minnesota (Minn. Stat. § 325E.59
(2005)); Missouri (Mo. Rev. Stat. § 407.1355 (2003)); Oklahoma (Okla.
Stat. tit. 40, § 173.1 (2004)); Texas (Tex. Bus. & Com. Code Ann. 35.58
(2003)); and Virginia (Va. Code Ann. § 59.1-443.2 (2005)).
[20] Ark. Code Ann. § 6-18-208 (2005) and Colo. Rev. Stat. § 23-5-127
(2003).
[21] N.M. Stat. Ann. § 57-12B-1 et seq. (2003).
[22] Tex. Bus. & Com. Code Ann. 35.48 (2005).
[23] S.D. Codified Laws § 32-12-17.10 (2005); § 32-12-17.13 (2005).
[24] Ind. Code § 4-1-10-1 et seq. (2005).
[25] Nev. Rev. Stat. Chapter 239 (2005).
[26] Cal. Civ. Code § 1798.29 (2002); 1798.82 (2002).
[27] Nev. Rev. Stat. Chapter 239B; Chapter 603 (2005).
[28] Ga. Code Ann. § 10-1-910 et seq. (2005).
[29] Colo. Rev. Stat. § 24-72.3-102 (2004).
[30] Texas (Tex. Bus. & Com. Code Ann. § 35.581 (2005)); Maine (Me.
Rev. Stat. Ann. tit. 10, §1272-B (2003)); and Colorado (Colo. Rev.
Stat. § 24-33-110 (2004)).
[31] Because few lenders will issue credit without first seeing a
credit report, it has been argued that this may help thwart identity
thieves from opening fraudulent accounts using the name of someone who
has frozen his or her credit reports.
[32] Federal preemption may arise whenever Congress enacts a statute in
an area in which state legislatures have acted or have the authority to
act. Determining whether a federal law preempts state law may require
judicial resolution and turns on whether Congress intended that the
federal law override state law.
[33] N.Y. Penal Law § 190.77-190.84 (2002).
[34] Ariz. Rev. Stat. § 44-7301 et seq. (2005).
[35] Idaho Code § 18-3126A (2005).
[36] Wash. Rev. Code § 19.182.160 (2005) [not yet codified].
[37] 18 U.S.C. §1028(a)(1)-(6); 18 U.S.C. §1029; 18 U.S.C. §1341.