Social Security Numbers:
Use Is Widespread and Protections Vary in Private and Public Sectors
GAO-04-1099T, Sep 28, 2004
In 1936, the Social Security Administration (SSA) established the Social Security number (SSN) to track workers' earnings for social security benefit purposes. Today, private and public sector entities frequently ask individuals for SSNs in order to conduct their businesses and sometimes to comply with federal laws. Although uses of SSNs can be beneficial to the public, SSNs are also a key piece of information in creating false identities either for financial misuse or for assuming an individual's identity. The retention of SSNs in the public and private sectors can create opportunities for identity theft. In addition, the aggregation of personal information, such as SSNs, in large corporate databases, as well as the public display of SSNs in various records accessed by the public, may provide criminals the opportunity to easily obtain this personal information. Given the heightened awareness of identity crimes, this testimony focuses on describing (1) how private sector entities obtain, use, and protect SSNs, and (2) public sector uses and protections of SSNs.
Private sector entities rely extensively on SSNs. We reported early this year that entities such as information resellers, consumer reporting agencies, and health care organizations routinely obtain SSNs from their business clients and public sources, such as government records that can be displayed to the public. These entities then use SSNs for various purposes, such as to verify an individual's identity or to match existing records, and have come to rely on the SSN as an identifier, which helps them determine a person's identity for the purpose of providing the services they offer. There is no single federal law that regulates the overall use or restricts the disclosure of SSNs by private sector entities. However, certain federal laws have helped to place restrictions on the disclosures of personal information private sector entities are allowed to make to their customers, and certain states have enacted laws to restrict the private sector's use of SSNs. Public sector entities also extensively use SSNs. All three levels of government use the SSN to comply with certain federal laws and regulations, as well as for their own purposes. These agencies rely on the SSN to manage records, verify benefit eligibility, collect outstanding debt, and conduct research and program evaluations. In addition, given the open nature of certain government records, SSNs appear in records displayed to the public such as documents that record financial transactions or court documents. Despite the widespread reliance on and use of SSNs, government agencies are taking steps to safeguard the SSN. For example, some agencies are not using the SSN as the primary identification number. In a previous report, we proposed that Congress consider developing a unified approach to safeguarding SSNs used in all levels of government and particularly those displayed in public records, and we continue to believe that this approach has merit. The use of SSNs by both private and public sector entities is likely to continue, but the more frequently SSNs are used, the more likely they are to be misused given the continued rise in identity crimes. In considering restrictions to SSN use, policy makers will have to balance the protections that could occur from such restrictions with legitimate business needs for the use of SSNs.