Social Security Numbers:
Stronger Protections Needed When Contractors Have Access to SSNs
GAO-06-238, Jan 23, 2006
Recent data breaches highlight how identity theft may occur when businesses share individuals' personal information, including Social Security Numbers (SSNs), with contractors. Because private sector entities are more likely to share consumers' personal information via contractors, members of Congress raised concerns about the protection of this information in contractual relationships. In response, GAO examined (1) how entities within certain industries share SSNs with contractors; (2) the safeguards and notable industry standards in place to ensure the protection of SSNs when shared with contractors; and (3) how federal agencies regulate and monitor the sharing and safeguarding of SSNs between private entities and their contractors.
Banks, securities firms, telecommunication companies, and tax preparation companies share SSNs with contractors for limited purposes. Firms GAO interviewed routinely obtain SSNs from their customers for authentication and identification purposes, and contract out various services, such as data processing and customer service functions. Although these companies may share consumer information, such as SSNs, with contractors, company officials said that they only share such information with their contractors when it is necessary or unavoidable.

Companies in the four business sectors GAO studied primarily relied on accepted industry practices and used the terms of their contracts to protect the personal information shared with contractors. Most company officials stated that their contracts had provisions for auditing and monitoring to assure contract compliance. Some noted that their industry associations have also developed general guidance for their members on sharing personal information with third parties.

Federal regulation and oversight of SSN sharing varied across the four industries GAO reviewed, revealing gaps in federal law and agency oversight for industries that share SSNs with contractors. Financial services companies must comply with the Gramm-Leach-Bliley Act (GLBA) for safeguarding customers' personal information, and regulators have an examination process in place to determine whether banks and securities firms are safeguarding this information. IRS has regulations and guidance in place to restrict the disclosure of SSNs by tax preparers and their contractors, but does not perform periodic reviews of tax preparers' compliance. Because the Federal Communications Commission (FCC) believes that it lacks statutory authority to do so, it has not issued regulations covering SSNs and also does not periodically review telecommunications companies to determine whether they are safeguarding such information.
Matter for Congressional Consideration
Matter: Congress may wish to consider possible options for addressing the gaps in existing federal requirements for safeguarding SSNs shared with contractors. One approach would be to require industry-specific protections for the sharing of SSNs with contractors where such measures are not already in place. For example, Congress could consider whether the Telecommunications Act of 1996 should be amended to address how that industry shares SSNs with contractors. Alternatively, Congress could take a broader approach. For example, in considering proposed legislation that would generally restrict the use and display of SSNs, Congress could also include a provision that would explicitly apply this restriction to third party contractors. With either approach, Congress may also want to establish a mechanism for overseeing compliance by contractors and enforcement.
Status: Closed - Implemented
Comments: Congress is considering options for addressing the gaps in existing federal requirements for safeguarding Social Security numbers (SSNs) shared with contractors. The Senate's Personal Data Privacy and Security Act of 2009 (S. 1490) specifically addresses this recommendation, and the conference report cites multiple GAO reports noting problems with such data. The Act specifies safeguards that contractors and other business entities must follow to ensure the security of sensitive personally identifiable information, including SSNs. For example, contractors are required to implement a comprehensive personal data privacy and security program to ensure the privacy, security, and confidentiality of such data and to protect against any anticipated vulnerabilities and unauthorized access. Another provision requires that contractors and others exercise due diligence in selecting service providers for responsibilities related to sensitive data and require service providers by contract to implement and maintain appropriate measures to protect and secure sensitive personal information. The House of Representatives also introduced the Social Security Number Privacy and Identity Theft Prevention Act of 2009 (H.R. 3309), which provides protections for the sharing of SSNs with contractors and others, such as trusts and estates. Provisions include measures to preclude unauthorized disclosure of SSNs and protect their confidentiality.