Social Security Numbers:
Internet Resellers Provide Few Full SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs
GAO-06-495, May 17, 2006
GAO previously reported on how large information resellers like consumer reporting agencies obtain and use Social Security numbers (SSNs). Less is known about information resellers that offer services to the general public over the Internet. Because these resellers provide access to personal information, SSNs could be obtained over the Internet. GAO was asked to examine (1) the types of readily identifiable Internet resellers that have SSN-related services and characteristics of their businesses, (2) the extent to which these resellers sell SSNs, and (3) the applicability of federal privacy laws to Internet resellers.
We found 154 Internet information resellers with SSN-related services. Most of these resellers offered a range of personal information, such as dates of birth, drivers' license information, and telephone records. Many offered this information in packages, such as background checks and criminal checks. Most resellers also frequently identified individuals, businesses, attorneys, and financial institutions as their typical clients, and public or nonpublic sources, or both as their sources of information. In attempting to purchase SSNs from 21 of the 53 resellers advertising the sale of such information, we received 1 full SSN, 4 truncated SSNs displaying only the first five digits, and no SSNs from the remaining 16. In one case, we also received additional unrequested personal information including truncated SSNs of the search subject's neighbors. We also found that some other entities truncate SSNs by displaying the last four digits. According to experts we spoke to, there are few federal laws and no specific industry standards on whether to display the first five or last four digits of the SSN, and SSA officials told us the agency does not have the authority to regulate how other public or private entities use SSNs, including how they are truncated. We could not determine if federal privacy laws were applicable to the Internet resellers because such laws depend on the type of entity and the source of information, and most of the resellers' Web sites did not include this information. However, these laws could apply to resellers; 4 of the resellers we examined had Web sites identifying the type of entity they were. About one-half of the resellers cited adherence to one or more federal privacy laws and a few referenced state laws.
- Review Pending
- Closed - implemented
- Closed - not implemented
Matter for Congressional Consideration
Matter: Since there is no consistently practiced method for truncating SSNs, and no federal agency has the authority to regulate how SSNs should be truncated, Congress may wish to consider enacting standards for truncating SSNs or delegating authority to SSA or some other governmental entity to issue standards for truncating SSNs.
Status: Closed - Implemented
Comments: In July 2009, Representative Tanner introduced H.R.3306, which included a provision that any truncation of SSN used by a government entity would be not more than the last four digits of the number. The bill delegates authority to the Commissioner of Social Security to enforce the measure and was referred to the House Committee on Ways and Means for discussion. In August 2009, Senator Schumer introduced S. 1618, which includes a provision requiring the Commissioner of Social Security to issue uniform standards for truncation of SSNs to apply to federal, state and local governments as well as private entities. This provision was included based on multiple recommendations GAO has made since 2005 to establish uniform standards for truncation of SSNs. GAO findings from this report were specifically mentioned in this legislation.