Social Security Numbers:
More Could be Done to Protect SSNs
GAO-06-586T, Mar 30, 2006
In 1936, the Social Security Administration established the Social Security number (SSN) to track workers' earnings for Social Security benefit purposes. Since its creation, the SSN has evolved beyond its original purpose and has become the identifier of choice for public and private sector entities. Today, the SSN is a key piece of information often sought by identity thieves. Once the SSN is obtained fraudulently, it can then be used to create false identities for financial misuse or to assume another individual's identity. Congress and some states have recognized the importance of restricting the use and display of SSNs. GAO has issued a number of reports and testimonies about the various aspects of SSN use in both public and private sectors and what could be done to further protect individuals' SSNs. Accordingly, this testimony focuses on describing (1) the use of SSNs by government agencies and certain private sector entities, (2) the federal laws that regulate the use and disclosure of SSNs, and (3) the gaps that remain in protecting the SSN and what more could be done.
SSN use is widespread by both the public and private sectors. Agencies at all levels of government frequently collect and use SSNs to administer their programs, verify applicants' eligibility for services and benefits, and perform research and evaluations of their programs. In addition, SSNs are available in a variety of public records. Certain private sector entities routinely obtain SSNs from various public and private sources, and use SSNs for various purposes, such as to build tools that verify an individual's identity or match existing records. In addition, private sector entities that engage in third-party contracting sometimes share SSNs with their contractors for limited purposes.
There is no one law that comprehensively regulates SSN use and protections. However, certain federal laws have been enacted to restrict the use and disclosure of consumers' personal information, including SSNs. In addition, certain states have begun to enact their own legislation restricting the use and display of SSNs by public and private sector entities, which has subsequently led other states to start enacting similar legislation. Finally, Congress is currently considering several proposals to restrict SSN use and display, similar to state legislation.
Although some action has been taken at the federal and state levels to protect SSNs, more could be done. In the course of this work, GAO found that there were gaps in the practices for protecting SSNs within government agencies and across industry sectors, such as a lack of uniformity at all levels of government to assure the security of the SSN; gaps in the federal law and oversight in different industries that share SSNs with their contractors; exposure of SSNs in public records and identification cards under the auspices of the government; and few restrictions on certain entities' abilities to obtain and use SSNs in the course of their business.
To address some of these issues, GAO has made recommendations and proposed matters for congressional consideration. To date, OMB has implemented two of these recommendations and some agencies have begun to take steps to eliminate SSNs from their identification cards. Congress is still considering actions to take to address the issues that remain.