Social Security Numbers:
Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information
GAO-04-11, Jan 22, 2004
In 1936, the Social Security Administration (SSA) established the Social Security number (SSN) to track workers' earnings for Social Security benefit purposes. However, the SSN is also used for a myriad of non-Social Security purposes. Today, public and private sector entities view the SSN as a key piece of information that enables them to conduct their business and deliver services. However, given the apparent rise in identity crimes as well as the rapidly increasing availability of information over the Internet, Congress has raised concern over how certain private sector entities obtain, use, and safeguard SSN data. In previous reports, we discussed the benefits of government and commercial entities using SSNs. We also examined how certain private sector entities and the government obtain, use, and safeguard SSNs. This report provides additional information on private sector uses of SSNs. The Chairman, Subcommittee on Social Security, House Committee on Ways and Means, asked that GAO examine the private sector use of SSNs by businesses most likely to obtain and use them including information resellers, consumer reporting agencies (CRAs), and health care organizations. Specifically, our objectives were to (1) describe how information resellers, CRAs, and some health care organizations obtain and use SSNs and (2) discuss the laws and practices relevant to safeguarding SSNs and consumers' privacy. GAO makes no recommendations.
Information resellers, consumer reporting agencies, and some health care organizations routinely obtain SSNs from their customers and have come to rely on SSNs as identifiers that help them determine an individual's identity and accumulate information about individuals. Larger information resellers usually obtain SSNs from their customers and use them to determine the identity of an individual for purposes such as employment screening, credit information, and criminal history. Other Internet-based information resellers whose Web sites we accessed also obtain SSNs from their customers and scour public records and other publicly available information to provide the information to persons willing to pay a fee. CRAs, too, are large users of SSNs. They obtain SSNs from businesses that furnish individuals' data to them and use SSNs to determine consumers' identities and match the information they receive from businesses with information stored in consumers' credit files. Finally, health care organizations obtain SSNs from individuals themselves and companies that offer health care plans and use them as identifiers. Some health care organizations use SSNs as member identification numbers. Certain federal laws help to safeguard consumers' personal information, including SSNs, by restricting the disclosure of and access to such information, and private sector officials we spoke with said that they indeed take steps to safeguard the SSN information they collect. Information resellers, CRAs, and health care organizations told us they take steps to safeguard SSN data in part for business purposes but also because of federal and state laws that require such safeguards. Finally, some states are taking steps, legislatively, to address consumer concerns regarding SSN use and privacy of their personal information. Of the 18 states we examined, at least 6 had enacted laws specifically restricting private sector use and display of SSNs. California's law, in particular, has had some nationwide effect on business practices in places where some businesses have discontinued the display of SSNs in all of their locations. Also, our review shows that several state laws are similar to California's. In addition, while some state laws and regulations we reviewed did not restrict or prohibit SSN use or display specifically, they did extend beyond federal restrictions regarding the sharing of personal information.