Social Security Numbers:
Federal Actions Could Further Decrease Availability in Public Records, though Other Vulnerabilities Remain
GAO-07-752: Published: Jun 15, 2007. Publicly Released: Jun 21, 2007.
- Accessible Text:
Various public records in the United States, including some generated by the federal government, contain Social Security numbers (SSN) and other personal identifying information that could be used to commit fraud and identity theft. Public records are generally defined as government agency-held records made available to the public in their entirety for inspection, such as property records and court records. Although public records were traditionally accessed locally in county courthouses and government record centers, in recent years, some state and local public record keepers have begun to make these records available to the public through the Internet. While it is important for the public to have access to these records, concerns about the use of information in these records for criminal purposes have been raised. In 2006, these concerns were heightened when an Ohio woman pled guilty to conspiracy, bank fraud, and aggravated identity theft as the leader of a group that stole citizens' personal identifying information from a local public record keeper's Web site and other sources, resulting in over $450,000 in losses to individuals, financial institutions, and other businesses. Although we previously reported on the types of public records that contain SSNs and access to those records, less is known about the federal government's direct provision of records with SSNs to state and local public record keepers. Because of Congress's interest in information on these issues, we agreed to answer the following questions: (1) Which federal agencies commonly provide records containing SSNs to state and local public record keepers, and what actions have been taken to protect SSNs in these records? (2) What significant vulnerabilities, if any, remain to protecting SSNs in public records?
IRS and DOJ are the only federal agencies that commonly provide records containing SSNs to state and local public record keepers, and in recent years, both have taken steps to truncate or remove SSNs in those records. These agencies provide property lien records to public record keepers, on which they traditionally included full SSNs for identity verification purposes. However, both agencies have recently taken steps to better protect SSNs in these records. Currently, IRS mandates the use of a truncated version of SSNs on tax lien notices, which displays only the last four digits of the SSN. However, the agency does not mandate SSN truncation on all lien releases it issues. In addition, many of DOJ's districts have begun to truncate or fully remove SSNs on the lien records they provide to public record keepers. However, because DOJ's districts act independently to issue lien notices, some continue to display full SSNs in these records. Independent of IRS and DOJ efforts in this area, some states have begun to remove SSNs in all public records they maintain, though this approach can be costly and may not be fully effective at protecting SSNs. Both full and truncated SSNs in federally generated public records remain vulnerable to potential misuse, in part because different truncation methods used by the public and private sectors may enable the reconstruction of full SSNs. While the display of truncated SSNs in federally generated public records is a step toward improved SSN protection, we previously reported that information resellers--companies that specialize in amassing personal information--sometimes provide truncated SSNs to customers that show the first five digits. Consequently, it is possible to reconstruct an individual's full nine-digit SSN by combining a truncated SSN from a federally generated lien record with a truncated SSN from an information reseller. In addition, while IRS and DOJ have recently taken actions to limit disclosure of full SSNs in records they generate going forward, full SSNs remain in the millions of lien records provided to public record keepers before the agencies implemented these changes. Increased access to these records through bulk sales to private companies and Internet access also creates the potential for identity theft. For example, public record keepers in some states have been selling complete copies of their records to private companies, such as title companies and information resellers, for many years. Because of this practice, current efforts to remove SSNs in records maintained by public record keepers do not apply to all copies of the record already made available. In addition, some public record keepers now provide potentially unlimited Web site access to personal identifying information in the records they maintain.
- Review Pending
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: To the extent that truncation provides an added level of protection from identity theft, the Commissioner of IRS should implement a policy requiring the truncation of all SSNs in lien releases the agency generates.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In January 2008, the Internal Revenue Service implemented a new policy to partially redact Social Security numbers (SSNs) on all lien documents it generates. This policy includes the partial redaction of SSNs on all lien releases.
Recommendation: To the extent that truncation provides an added level of protection from identity theft, the Attorney General should implement a policy requiring, at a minimum, SSN truncation in all lien records generated by its judicial districts. Truncation should be in the same format as is currently used by IRS on lien notices.
Agency Affected: Department of Justice: Office of the Attorney General
Status: Closed - Implemented
Comments: In June 2007, DOJ issued a memo directing all of its districts to immediately truncate or completely redact SSNs on all documents filed with state and local recording offices. This memo noted that GAO recently made this recommendation and that with this memo, the agency is implementing the recommendation immediately.