This is the accessible text file for GAO report number GAO-06-238 entitled 'Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs' which was released on January 23, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: January 2006: Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs: GAO-06-238: GAO Highlights: Highlights of GAO-06-238, a report to congressional requesters: Why GAO Did This Study: Recent data breaches highlight how identity theft may occur when businesses share individuals’ personal information, including Social Security Numbers (SSNs), with contractors. Because private sector entities are more likely to share consumers’ personal information via contractors, members of Congress raised concerns about the protection of this information in contractual relationships. In response, GAO examined (1) how entities within certain industries share SSNs with contractors; (2) the safeguards and notable industry standards in place to ensure the protection of SSNs when shared with contractors; and (3) how federal agencies regulate and monitor the sharing and safeguarding of SSNs between private entities and their contractors. What GAO Found: Banks, securities firms, telecommunication companies, and tax preparation companies share SSNs with contractors for limited purposes. Firms GAO interviewed routinely obtain SSNs from their customers for authentication and identification purposes, and contract out various services, such as data processing and customer service functions. Although these companies may share consumer information, such as SSNs, with contractors, company officials said that they only share such information with their contractors when it is necessary or unavoidable. Companies in the four business sectors GAO studied primarily relied on accepted industry practices and used the terms of their contracts to protect the personal information shared with contractors. Most company officials stated that their contracts had provisions for auditing and monitoring to assure contract compliance. Some noted that their industry associations have also developed general guidance for their members on sharing personal information with third parties. Federal regulation and oversight of SSN sharing varied across the four industries GAO reviewed, revealing gaps in federal law and agency oversight in the four industries GAO reviewed that share SSNs with contractors. Financial services companies must comply with the Gramm-Leach-Bliley Act (GLBA) for safeguarding customers’ personal information and regulators have an examination process in place to determine whether banks and securities firms are safeguarding this information. IRS has regulations and guidance in place to restrict the disclosure of SSNs by tax preparers and their contractors, but does not perform periodic reviews of tax preparers’ compliance. Because the Federal Communications Commission (FCC) believes that it lacks statutory authority to do so, it has not issued regulations covering SSNs and also does not periodically review telecommunications companies to determine whether they are safeguarding such information. Personal Information and Contracting: [See PDF for image] [End of section] What GAO Recommends: GAO recommends that Congress consider possible options for addressing gaps in federal requirements for safeguarding SSNs shared with contractors. None of the seven agencies GAO talked to provided formal written responses. However, six of the seven agencies provided technical comments, which were incorporated as appropriate. www.gao.gov/cgi-bin/getrpt?GAO-06-238. To view the full product, including the scope and methodology, click on the link above. For more information, contact Barbara D. Bovbjerg at (202) 512-7215 or bovbjergb@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Private Sector Companies We Interviewed Routinely Use Third Party Contractors and Occasionally Share SSNs with Them: Private Sector Companies We Interviewed Have Established Safeguards to Protect SSNs: Federal Regulation and Oversight of SSN Sharing Varies Widely Among the Industries We Reviewed: Conclusions: Matter for Congressional Consideration: Agency Comments: Appendix I: Scope and Methodology: Appendix II: Summary of Federal Bank Supervisory Agency Guidance on Contracting with Technology Service Providers: Appendix III: GAO Contacts and Staff Acknowledgments: Table: Table 1: Aspects of Selected Federal Laws That Affect Private Sector Disclosure of Personal Information: Abbreviations: SSN: Social Security Number: CPNI: Customer Proprietary Network Information: ERO: Electronic Return Originator: FACTA: Fair and Accurate Credit Transaction Act: FCC: Federal Communications Commission: FCRA: Fair Credit Reporting Act: FDIC: Federal Deposit Insurance Corporation: FFIEC: Federal Financial Institutions Examination Council: FTC: Federal Trade Commission: GLBA: Gramm-Leach-Bliley Act: IRC: Internal Revenue Code: IRS: Internal Revenue Service: OCC: Office of the Comptroller of the Currency: OTS: Office of Thrift Supervision: SEC: Securities and Exchange Commission: United States Government Accountability Office: Washington, DC 20548: January 23, 2006: The Honorable Jim McCrery: Chairman: Subcommittee on Social Security: Committee on Ways and Means: House of Representatives: The Honorable E. Clay Shaw: House of Representatives: Today, the Social Security number (SSN) is a vital piece of information needed to function in American society. United States' citizens and legal residents need an SSN to obtain employment, a driver's license, or government benefits, among other uses. For these reasons, the SSN is highly sought by individuals seeking to create false identities or commit financial fraud or both. In light of the number of reported data breaches over the past year and the rising reports of identity theft, there are concerns about the way businesses and other organizations obtain, use, and safeguard the SSNs in their possession. A recent series of data breaches has highlighted how identity theft may occur when governments or businesses share individuals' personal information with contractors. For example, in 2005, it was reported that one financial service company's consumer information was compromised when the shipping company it contracted with lost data storage tapes that contained the account information, including SSNs, of roughly 4 million individuals. Businesses and other institutions routinely use outside contractors to perform activities or functions related to their operations. In some cases, the businesses perform a particular function or activity but nonetheless decide to contract it out--a practice widely known as outsourcing. In other cases, outside contractors are hired to perform tasks that a company does not have the capacity to perform itself, such as computer systems maintenance or doing credit checks. When a business has collected personal information from its customers and shares that information with its contractors, the contractors become third party users of that information. Because private sector entities are increasing their use of contractors and are more likely to share personal information about customers with them, including SSNs, you asked that we determine (1) how entities within certain industries share SSNs with contractors; (2) the safeguards and notable industry standards in place to ensure the protection of SSNs shared during such contracting; and (3) how federal agencies regulate and monitor the sharing and safeguarding of SSNs between the entities they oversee and the entities' third party contractors. We focus in this report on the uses and protections of SSNs when they are shared with contractors and subcontractors within the banking, securities, telecommunications, and tax preparation industries. We selected these industries because they are known to collect personal information, including SSNs, and outsourcing and information security experts we interviewed said these industries were among the most likely to share SSNs with contractors. We conducted interviews with 12 companies in these industries, five companies that provide services under contract, and six associations for these industries to better understand why they use the SSN and the types of contracts in which SSNs are shared. To identify safeguards and notable industry practices that were followed, we reviewed standard contract forms from companies in the four selected industries. We also asked companies we met with about the safeguards they had in place to protect SSNs, and we reviewed some of their policies and procedures. However, we did not verify the extent to which these businesses comply with their own policies, procedures, and safeguards. To determine the federal and state laws relevant to the sharing of consumer information during third party contracting, we questioned federal and state agencies--such as Federal Trade Commission (FTC), Federal Communications Commission (FCC), the Internal Revenue Service (IRS), banking regulators, and California's Office of Privacy Protection--as well as company and industry association officials about the relevant laws that govern the private sector's ability to share consumer information with a third party. We conducted our work between July 2004 and January 2006 in accordance with generally accepted auditing standards. Appendix I discusses our scope and methodology in further detail. Results in Brief: Officials we interviewed from banks, securities firms, telecommunication firms, and tax preparation firms all said their companies engaged in third party contracting, but only share SSNs with their contractors for limited purposes. Company officials told us that they collect SSNs from their clients for identification purposes and, in some cases, because companies are required to by federal law, such as for taxpayer identification purposes or to verify a customer's identity in an effort to combat money laundering and other financial crimes. These officials also said that they used contractors for various reasons, such as financial statement processing, maintenance services, and information technology management. In some cases, officials said their companies shared SSNs with contractors for administrative and data management functions. For example, one tax preparation company we interviewed said that it shared SSNs with a data storage company that archived and managed its paper files. Officials from several banks said that they would share SSNs with contractors to comply with federal customer verification requirements, while officials from a securities firm told us they shared SSNs with a contractor that collects delinquent payments for a mortgage division it acquired. Additionally, one telecommunication company also told us that it shares SSNs and other personal information with its customer contact center contractor for customer verification. Companies we interviewed in the four industries relied on accepted industry practices and primarily used the terms of the companies' contracts to safeguard personal information, including SSNs they shared with outside contractors. According to our discussions with company officials and our review of contract documents, most of the companies' standard contract forms included several types of safeguards to prevent the unauthorized use or disclosure of their customers' personal information, which was consistent with documented widespread industry practices for sharing confidential information with contractors. We also found that most companies' have developed procedures for identifying and reviewing suitable contractors, and adopting safeguards for consumer information shared with those contractors. In addition, 12 companies reported that their contracts contain audit provisions to evaluate contractual compliance. Finally, some banking and securities industry associations have developed voluntary guidance for their members regarding the sharing of personal information with third parties, although banking and securities officials said they relied more on generally accepted practices for protecting personal information and guidance from federal regulators than from professional associations. Federal regulation and oversight of SSN sharing varies among the four industries: * In the banking and securities industries, companies must comply with the provisions of the Gramm-Leach-Bliley Act (GLBA) to establish safeguards that protect the confidentiality of personal information of customers or clients. GLBA generally permits financial institutions to share customers' personal information with contractors without customers' permission, provided that institutions fully disclose they are doing so and enter into contracts requiring the contractor to maintain the confidentiality of the information. However, financial institutions may share customers' personal information without their permission under other limited circumstances. Through periodic examinations of bank and securities dealers and service provider exams, the federal agencies with oversight responsibility for these entities review their compliance with the agencies' GLBA regulations. * Tax preparers are subject to Section 7216 of the Internal Revenue Code (IRC), IRS regulations, and FTC's GLBA regulations that generally prohibit disclosure of taxpayers' personal and tax-related information without the taxpayer's formal consent. IRS does not perform routine assessments to determine whether tax preparers are complying with IRS requirements. Regulations recently proposed by IRS state that tax preparers may, in certain circumstances, disclose a taxpayer's information to contractors they use, without that taxpayer's consent, for purposes related to preparing tax returns.[Footnote 1] * There are no clear federal protections for SSNs collected and shared by telecommunications firms. Although the Telecommunications Act of 1996 limits the ways in which telecommunications firms can use and disclose certain information about their customers, such as their call records, these limitations do not extend to SSNs. Therefore, the FCC-- the federal agency responsible for overseeing the telecommunication industry--does not regulate how SSNs are used by telecommunications companies. However, under its authority to prohibit unfair business practices and subject to certain limitations, FTC may be able to take action against telecommunications firms that do not comply with their own company's privacy policies, but cannot enforce GLBA requirements on telecommunications companies because such companies are not considered financial institutions under the GLBA statute. In addition to federal laws and regulations, company officials we met with also said that certain state laws affect their ability to share SSNs with third parties. Currently, California has a law affecting business interactions with nonaffiliated third parties that requires the use of reasonable security procedures to protect customers SSNs and other personal information. Although other state laws the companies cited do not explicitly regulate the sharing of SSNs or other personal information with third party contractors, company officials we met with said these laws indirectly affect how they share such information with their contractors. Because the differences in the protections for SSNs shared with contractors have allowed gaps to occur in federal law and oversight for protection of SSNs, this report includes a Matter for Congressional Consideration designed to address these gaps. In response to our draft report, no agency provided a formal written response. However, six of the seven agencies covered by our review provided technical comments, which we incorporated as appropriate. Background: In recent years, companies have increasingly relied on the use of contractors to perform certain activities and functions related to their business operations. This trend has often been referred to as outsourcing. However, no commonly recognized definition of outsourcing exists, and there has been confusion over whether it encompasses only activities a company originally performed in-house or includes any activity a company may contract out. According to outsourcing experts, approximately 90 percent of businesses contract out some activity because they find either it is more economical to do so or other companies are better able to perform these activities. Some of the activities companies outsource will require that contractors be provided personal information about the companies' customers in order to perform those activities; in some cases, this information includes SSNs. Originally, the Social Security Administration (SSA) created the SSN as part of a recordkeeping system to help manage the Social Security program.[Footnote 2] SSA uses the SSN as a means to track workers' earnings and eligibility for Social Security benefits and assigns a unique number to every person as a work and retirement benefit record. Today, SSA generally issues SSNs to all U.S. citizens, but they are also available to non-citizens lawfully admitted to the United States as permanent residents. However, because of the number's unique nature and broad applicability, the SSN has become the identifier of choice for government agencies and private businesses and is used for numerous non Social Security purposes, such as opening a bank account and receiving health insurance. As shown in table 1, certain federal laws have been enacted that place restrictions on some private sector entities' use and disclosure of consumers' personal information, including SSNs. Table 1: Aspects of Selected Federal Laws That Affect Private Sector Disclosure of Personal Information: Federal Laws: Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. § 1681b; Restrictions: Limits access to credit data that includes SSNs to those who have a permissible purpose under the law. Federal Laws: Fair and Accurate Credit Transactions Act of 2003 (FACTA), 15 U.S.C § 1681g and § 1681w; Restrictions: Amends FCRA to allow, among other things, consumers who request a copy of their credit report to also request that the first 5 digits of their SSN (or similar identification number) not be included in the file; requires consumer reporting agencies and any business that uses a consumer report to adopt procedures for proper disposal. Federal Laws: Gramm-Leach-Bliley Act of 1999 (GLBA), 15 U.S.C. § 6801 - § 6809; Restrictions: Creates a new definition of nonpublic personal information that includes SSNs and limits when financial institutions may disclose the information to nonaffiliated third parties. It also requires that financial services regulatory agencies establish standards for the entities under their agencies' jurisdiction relating to administrative, technical, and physical safeguards to: * insure the security and confidentiality of customer records and information; * protect against any anticipated threats or hazards to the security or integrity of such records; and; * protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. Source: GAO analysis of federal legislation. [End of table] To ensure compliance with these federal laws, some federal regulators conduct examinations of their respective institutions' operations. For example, in the financial industry, federal agencies, such as the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC) and the Securities and Exchange Commission (SEC) regulate banking or securities firms. OCC charters, regulates, and supervises all national banks, while FRB regulates bank holding companies and state-chartered banks that are members of the Federal Reserve System. FDIC regulates banks that are state-chartered banks that are not members of the Federal Reserve System. These banking regulators examine banking institutions for safety and soundness and compliance with applicable laws, including the Fair and Accurate Credit Transaction Act (FACTA), and GLBA. SEC regulates and examines investment advisers registered with the Commission and investment companies, including mutual funds, that engage primarily in investing, reinvesting, and trading in securities and that offer their own securities to the investing public. SEC also regulates and examines other market participants, including broker- dealers and self-regulatory organizations (SRO).[Footnote 3] As part of its examinations, SEC reviews these firms for compliance with GLBA's safeguard provisions. In addition, SRO's such as the New York Stock Exchange (NYSE) and National Association of Securities Dealers (NASD) examine their member broker-dealers to ensure compliance with applicable laws, self-regulatory rules, and SEC regulations, including GLBA's safeguard provision. In 1978, the Federal Financial Institutions Examination Council (FFIEC) was created as a formal interagency body authorized to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions. The council's membership is composed of the federal bank regulators--FDIC, FRB, OCC- -plus the regulators for credit unions and thrift institutions--the National Credit Union Administration (NCUA) and the Office of Thrift Supervision (OTS), respectively. The FFIEC has issued guidance related to outsourcing services that provides a framework for the FFIEC agencies to examine their banks' contractor management programs and exercise enforcement options if financial institutions do not establish and maintain adequate information security programs. The FFIEC also coordinates examinations of banks' information technology service providers and separate guidance has been issued for conducting these examinations. Along with OTS, the three bank regulators have jointly issued regulations that generally require each financial institution to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports.[Footnote 4] Together, these agencies have also issued interpretive guidance requiring every financial institution to develop and implement a response program, including customer notice provisions, designed to address incidents of unauthorized access to customer information maintained by the institution or its service provider[Footnote 5]. Under the Bank Service Company Act, as amended, the federal banking agencies have authority to regulate and examine certain services provided to banks by third parties--including contractors--to the same extent as if those services were performed directly by the ban[Footnote 6]k.: IRS is responsible for ensuring that tax preparers are complying with certain confidentiality provisions in the IRC, primarily Section 7216. IRC § 7216 prohibits the unauthorized use or disclosure of tax return information by tax return preparers. Tax return preparers are also subject to GLBA. However, those provisions do not supersede, alter, or affect the preexisting requirements of IRC § 7216, although FTC has oversight and enforcement authority over tax preparers' compliance with GLBA. FCC is responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable, and enforcing the provisions of the Telecommunications Act of 1996, which restricts the use of customer proprietary network information (CPNI).[Footnote 7] CPNI is the data collected by telecommunications corporations on a consumer's telephone calls. It includes the time, date, duration, and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. SSNs are not part of CPNI. FTC is an independent agency whose mission is, in part, to prevent business practices that are anticompetitive, deceptive, or unfair to consumers. As part of its responsibilities, FTC enforces consumer privacy provisions and safeguards of FCRA, FACTA, and GLBA not enforced by other federal agencies. FTC is also required to collect identity theft complaints. FTC statistics currently indicate that identity theft is growing. For 2004, FTC reported that it received about 247,000 complaints from individuals stating that they were victims of identity fraud, which was up from just over 86,000 complaints reported in 2001. While the reported number of victims and likely identity crimes has increased, the extent to which these statistics represent company security breaches is not well documented. However, various news reports and identity crime experts have attributed some identity thefts and credit card fraud to security breaches involving third party companies. Private Sector Companies We Interviewed Routinely Use Third Party Contractors and Occasionally Share SSNs with Them: Banks, securities firms, telecommunication companies, and tax preparation companies we interviewed routinely obtain SSNs from their customers for authentication and identification purposes. All the companies we interviewed contracted out various services, such as data processing, administrative, and customer service functions. Although these companies may share consumer information, such as SSNs, with contractors that provide services to their customers, company officials said that they only share such information with their contractors for limited purposes, generally when it is necessary or unavoidable. Private Sector Companies We Interviewed Obtain and Use SSNs Primarily for Identification Purposes: Officials from selected banking, securities, telecommunications, and tax preparation companies told us that they obtain and use SSNs primarily for authentication and identification purposes related to fraud prevention, credit verification, and complying with federal law. However, these officials told us that SSNs were not distinguished from other types of customers' personally identifiable information.[Footnote 8] Company officials also told us that the same safeguards applied to SSNs as all other pieces of their customers' personal information. Officials from banks and securities firms we interviewed said that their companies obtained SSNs directly from their customers to comply with federal law when the customer opened a new account or conducted certain financial transactions. For example, the Bank Secrecy Act, as amended by the USA Patriot Act mandates that, among other things, financial institutions must verify each new account holder's identity when opening an account, in an effort to curtail money laundering and terrorist financing. According to company officials we interviewed, other federal laws and regulations require both banks and securities firms to use SSNs for tax-reporting and customer-identity-verification purposes. In addition, some bank and securities firm officials said that due to its uniqueness, their companies also incorporated the SSN into their fraud prevention and authentication programs. Telecommunication company officials we interviewed said that their companies are not required by federal law to collect or use the SSN, but that potential customers are asked to provide their SSN before establishing an account. These officials explained that their companies primarily use the SSN to query credit reporting agencies' records in order to verify a potential customer's creditworthiness, without which their companies would not be able to extend services to an individual quickly. In those instances where an individual did not have an SSN or refused to provide it, company officials said that their companies offered customers the option of using a pre paid service or providing a monetary deposit. Telecommunication companies we interviewed also used the SSN for customer account authentication and verification as well as fraud prevention. For example, officials from one company told us that they used the SSN as a key piece of information to ensure that a person inquiring about their account was the actual account holder. Unlike the telecommunication companies, tax preparation companies are required by federal law to collect and use SSNs. IRC requires that individuals who have been assigned a number include their SSNs on their tax returns as a taxpayer identification number and that such information be kept confidential by these companies. Tax preparation officials and tax industry representatives we interviewed said that they also used the SSN as the identification number for refund payments to customers and other internal purposes. For example, officials from one tax preparation company told us that they used the SSN as the identification number for tracking any additional taxes owed in the event of an error by the preparer. Private Sector Companies We Interviewed Contract Various Services: Banks, securities firms, telecommunication companies, and tax preparation entities we interviewed all contracted out services, such as administrative, information technology, and customer service functions. We found that every company we interviewed used contractors for a variety of services, ranging from maintenance functions to software development. We found the following examples: * Officials from one bank told us that they contracted administrative functions such as financial statement processing and shipping services. * Some banks contract out services, such as Internet banking, check imaging, telephone banking, and debit and ATM processing services. * Officials from a securities firm told us that they contracted with software data vendors for the development and maintenance of specific data products. * Tax preparation representatives told us that some individual tax preparers may contract with or use electronic return originators (ERO's).[Footnote 9] * Some financial sector regulators and industry representatives had conducted surveys to determine the types of services being contracted by the financial services industry. In 2004, economists from the Federal Reserve Bank of Kansas City, Missouri, found that certain types of banks relied on third-party vendors to provide an array of services, such as electronic banking and payment processing.[Footnote 10] In addition, NYSE and NASD conducted a joint survey in 2004 of a select number of their members. The survey revealed that some of their member firms routinely contracted out accounting, finance, administrative, and information technology functions. NASD has specific restrictions that prohibit its members from contracting certain functions, such as supervisory and compliance activities. Private Sector Companies We Interviewed Only Share SSNs with Contractors for Limited Purposes: Banking, investment, telecommunication, and tax preparation officials we interviewed said that they share SSNs with their contractors only for limited purposes and even then, only when it is necessary or unavoidable. In general, most of the financial services companies we spoke to said they shared SSNs with contractors to assist with services involving: * employee background checks, * debt collections, * fraud prevention, * accessing credit reports, and: * information technology, such as data management. Officials from one securities firm said that they shared SSNs with their contractors who assisted them in complying with federal customer identification requirements. For example, some financial services company officials told us that they used service providers to cross- reference potential customers against a government-provided "watch list" of known terrorists, suspected terrorists, and individuals being investigated for possible suspicious activity. Some large financial service provider officials also told us that in most cases their client only granted them access to SSNs in those instances where they believed SSNs were needed, such as when servicing their clients' accounts or storing data. Telecommunication and tax preparation companies we interviewed also shared SSNs for limited purposes. Telecommunication companies generally shared SSNs with contractors for services, such as customer/client contact centers, debt collection, and data storage functions.[Footnote 11] For example, officials from one telecommunication company told us that they shared SSNs and other personally identifiable information with their contracted customer contact center. The company shared their customers' account information, including SSNs, with contact center employees so that the contracted employees could authenticate, identify, and service their customers' accounts. However, company officials said that these employees could only access account holder information needed to fulfill specific requests and SSNs were not needed for some types of requests. According to tax industry representatives, tax preparation companies shared SSNs with their contractors primarily for administrative and data management functions. For example, one tax preparation company told us that their contractors had access to their customers' SSNs for services involving data analysis and preparation of reports for internal company use, tracking, and processing of customer services and archiving and storage of tax return data. Company officials we spoke to from all industries told us that they are cautious about providing third party contractors access to their customers' personal information, including SSNs. In many cases, company officials cited multiple risk factors that could result if their customer's sensitive data were exposed by their service providers, such as compliance and reputation risks.[Footnote 12] For example, in the last year, several large banks experienced data security breaches in which their customers' personally identifiable information, including SSNs, was compromised, exposing individuals' information to potential misuse. Many company officials said that in order to reduce such risks, they consider multiple financial and operational factors before sharing sensitive data, such as SSNs, with their contractors. For example, bank officials from one bank told us that they request the financial statements of their prospective service providers to ensure that each service provider is financially sound. Private Sector Companies We Interviewed Have Established Safeguards to Protect SSNs: The private sector companies we contacted provided us with standard contract forms they use in contracting with service providers to safeguard customers' personal information, such as SSNs, from misuse. In general, the types of provisions these companies included in their standard contract forms included electronic and physical data protections, audit rights, data breach notifications, subcontractor restrictions, and data handling and disposal requirements. We found that most of the companies we interviewed had established some type of due diligence or credentialing process to verify the reliability of potential contractors prior to and during contract negotiations. Furthermore, we found that some industry associations have voluntarily developed guidance for their members regarding the sharing of personal information with third parties. Provisions in Selected Service Provider Contracts Help Safeguard SSNs from Misuse: Private sector companies we contacted often included provisions in their service provider standard contract forms to safeguard customers' personal information, such as SSNs, from misuse. In general, these contract provisions included but were not limited to: * electronic and physical data protections, * audit rights, * subcontractor restrictions, * data breach notifications, and: * data-handling and disposal requirements. While company officials told us that the extent to which they included safeguard provisions varied with the type of service being contracted, most said that they included the above safeguard provisions when sharing personally identifiable information, including SSNs, with their contractors. To verify these claims, we asked each company to provide us with copies of their standard information security contract provisions and any other policies and procedures associated with such agreements.[Footnote 13] Our review of the standard contract forms and the associated documentation for 10 companies found that they included most of the above safeguard provisions, but the level of specificity of the safeguard provisions varied across company contracts. For example, each standard contract form we reviewed included provisions requiring contractors to establish both electronic and physical information security safeguards.[Footnote 14] However, in many cases, the standard contract form did not require the contractor to implement a specific type of electronic or physical safeguard, but only made reference to employing overall administrative, technical, and physical safeguards to prevent the unauthorized use or disclosure of their customers' personal information, such as the SSN. Some company officials told us that the information security safeguard provisions were intentionally vague to provide the contractor with flexibility in instituting such electronic and physical safeguards. However, we found that one large service provider included specific security controls in its standard contract form, which ranged from physical seals and alarms on their data centers' exterior windows to the prohibition of printers on computer terminals with access to sensitive data. Almost all of the 10 standard contract forms we reviewed also granted companies the right to audit their service providers with notice, which is consistent with industry standards.[Footnote 15] For example, one tax preparation company's standard contract provisions stated that the company had the right to audit or independently evaluate any security processes or controls, but would only exercise such rights in a manner that limited unnecessary interference in the contractor's operations. In addition, most company standard contract forms required service providers to obtain written consent from the client company before employing a subcontractor to conduct any service on the company's behalf. Some industry sector officials told us that their standard contract forms contain provisions that explicitly require subcontractors to comply with the same safeguard requirements that the original contractor was required to follow. However, some company officials in the securities industry stated that their subcontractors are rarely granted access to consumer information, such as SSNs. Most of the standard contract forms we reviewed also included security breach notification provisions, which typically required the contractor to notify the company in the event of any information security breach. Also, the contract language varied on the type of information that would prompt a notification and the degree to which a contractor should be involved in rectifying such a breach across industries. For example, officials from one of the banks we spoke to told us that their company required their contractors to notify them within 24 hours of any security breach or suspicious behavior, and they provided their contractors with a 24 hour telephone hotline. We were also told by most industry officials that any action taken against the contractor would depend on the extent of the breach, although in most cases, these companies had established some form of initial response program to address such breaches. However, we only found that the financial services companies had included provisions in their standard contract forms specifically outlining their response program. Finally, we also identified companies that included data-handling and disposal requirements provisions in their standard contract forms. In these cases, the companies included general language restricting the use and disclosure of personal information to only those parties involved in executing the contracted service. For example, one large bank's standard contract form stated that the contractor had no legal right to access, receive, accept, transmit, or store any of its confidential information for any purpose not related to fulfilling the contract unless it was granted such rights by the bank. Selected Companies Follow a Common Process in Selecting Contractors but Monitoring of Contractors Varies: The private sector companies we contacted spoke of similar processes for acquiring and negotiating services with potential contractors. Some company officials said that before services were contracted, they conducted some form of due diligence that is part of the overall contracting process and may include on-site visits and reviews of security policies. In addition, the due diligence phase may also include reviewing financial and independent audit statements or reports, in an effort to shed light on how contractors handle consumer data. We found that the most sophisticated due diligence among the four industries, was the multi-tiered, risk-based process used by the companies in both the banking and securities industries. Officials from two banks told us that their due diligence practices include administering questionnaires to ascertain the amount of consumer data needed by the contractor to perform their duties. After reviewing the contractor's responses, these banks used their risk based classification system to assign a priority rating to indicate the level of information to which a contractor will have access--the higher the priority rating, the more personal information the contractor is cleared to use. Officials from one bank said they were in the process of developing a system to share the information obtained through the due diligence process with other banks. Bank officials said this collaboration effort is designed to minimize the disruption contractors' face when their potential clients review them. Unlike the common process for selecting contractors, we found that performance review and monitoring practices for contractors varied across companies. Two companies, from the banking and tax preparation sectors, stated that they use risk-based audit systems. This means that "high risk" contractors--which include contractors that have access to SSNs--are audited more frequently than those that are lower risk. However, a few other companies stated that they periodically audit contractors, although the impetus for the audit is not based on degree of access the contractors have to SSNs, but on other factors such as the size of the contractor. One company in particular told us that it frequently engages in spontaneous audits of its contractors when they sense something is awry with the data-sharing relationship. Some Industry Associations Provide Outsourcing Guidance, and Safeguards Used Are Generally Consistent with Established Practices for Safeguarding Information: The banking and securities firms we met with relied on established industry practices and international standards in developing contract terms and safeguards. According to officials in this sector, one of the foremost sources of guidance is from an industry-led consortium consisting of 100 of the largest financial institutions known as BITS.[Footnote 16] Among other things, this consortium has developed a framework for developing and managing outsourced relationships. The framework consists of nine sections and addresses topics such as: (1) governing the practice of outsourcing consumer information through information technology, (2) developing due diligence considerations and, (3) contractual, service level and insurance considerations. Financial companies also mentioned an international standard for information security--ISO 17799--that identifies 10 security controls used in a range of situations when exchanging consumer information through information systems. For example, this standard handles scenarios such as allowing access for traveling data users, as well as those users in remote locations, to authenticating users and passwords. Additionally, the banking sector has established a financial services roundtable which discusses a range of topics including privacy issues related to protecting consumer information. Bank officials told us that two of their specific efforts are to develop identity theft assistance and establish shared assessment centers in conjunction with BITS. The shared assessment center provides members with information about contractors based on their practices for security and privacy. The telecommunications and tax preparation industries have not developed guidance similar to that developed by BITS. According to officials at a large telecommunications company, though, their contractors are expected to abide by accepted industry practices. However, these practices were not specified in the standard contract form for this company. An official with the National Association of Tax Preparers (NATP) said that, given the many types of tax preparers, such as certified public accountants, enrolled agents, individual practitioners, attorneys and financial planners, establishing specific guidance on sharing consumer data would not be worthwhile. However, in 2004, the American Institute of Certified Public Accountants (AICPA) issued a ruling for its members clarifying their responsibilities to their clients when using third party contractors, including offshore providers. This action was prompted by congressional and regulatory concerns about the outsourcing of tax preparation work and maintaining the confidentiality of personal financial information that is provided to contractors, especially those in other countries. The ruling applies to all client services in addition to tax preparation and requires members to take the following steps: * Inform clients, preferably in writing, that the tax preparer may use an outside contractor in providing services to the client and share client information with that contractor. Members are not required to provide this notification if a contractor is only used for administrative support services such as record storage or authorized e- file tax transmittal services. * Provide adequate oversight of all services performed by the contractor and adequately plan and supervise the services provided by the contractor. The ruling does not elaborate on what is adequate as it may vary depending on the nature of the service provided. * Enter into a contractual agreement requiring the contractor to maintain the confidentiality of clients' information and be reasonably assured the contractor has appropriate procedures in place to prevent the unauthorized release of confidential client information. This provision applies to contractors that provide administrative support and professional services and does not require the member to obtain specific consent from the client to share information with the contractor. In our review, we found that information security policies and procedures of the companies we contacted were generally consistent with established industry practices for maintaining the confidentiality of personal information. For example, 12 of the companies we interviewed had incorporated or told us that they had provisions in their contracts restricting their subcontractor's access and use of consumer information, such as SSNs. In addition company documents included other types of safeguards that are consistent with considered established practices we identified such as confidentiality provisions, information disposal requirements, audit rights, data security breach procedures, and physical safeguards. In addition, several company officials from the financial sector said that they also relied on these established industry standards when developing their internal policies and procedures, although we could not determine the extent to which the companies had actually incorporated these established practices. Federal Regulation and Oversight of SSN Sharing Varies Widely Among the Industries We Reviewed: Federal regulation and oversight of SSN sharing varies across the four industries we reviewed, revealing gaps in the federal law and oversight in different industries that share SSNs with their contractors. Federal law and oversight of the sharing of personal information in the financial services industry is very extensive: Financial services companies must comply with GLBA requirements for safeguarding customer's personal information, and regulators have an examination process in place that includes determining whether banks and securities firms are safeguarding this information. Oversight in the tax preparation and telecommunications industries' sharing of SSNs is not as comprehensive as it is in the financial services industry. IRS has regulations and guidance in place to restrict the disclosure of SSNs by tax preparers and their contractors, but does not perform periodic reviews of tax preparers' compliance. Because it believes that it lacks statutory authority to do so, FCC has not issued regulations covering SSNs and also does not periodically review telecommunications companies to determine whether they are safeguarding such information. Federal Oversight in the Financial Services Sector Is Extensive: In the financial services sector, banks and securities firms, among others, must comply with the provisions of GLBA to establish safeguards that protect the confidentiality of nonpublic personal information about their customers or clients. GLBA generally permits banks to share customers' personal information with contractors without the customers' permission, provided that the bank fully discloses it is doing so and enters into a contract requiring the contractor to maintain the confidentiality of the information.[Footnote 17] Through periodic bank and securities firm examinations, the federal agencies with oversight responsibility for these entities review their compliance with the agencies' GLBA and other regulations. Bank Regulatory Agencies Monitor Compliance with GLBA through Regulations and Examinations for Compliance: The federal bank supervisory agencies jointly issued guidelines to implement the GLBA safeguarding requirements.[Footnote 18] These guidelines require banks to establish information security programs that include using due diligence in selecting contractors, requiring contractors to take steps to meet the safeguard standards, and, in certain situations, monitoring contractors to confirm that they are meeting the safeguard requirements. The three agencies base portions of their examinations and supervisory practices on these guidelines. The FFIEC has also issued guidance outlining the following four steps banks should follow in establishing contractual relationships with technology service providers: * Conduct appropriate risk assessments. * Maintain adequate due diligence procedures. * Closely evaluate all contracts to ensure necessary provisions for assuring security and confidentiality are included. * Establish ongoing monitoring and oversight procedures. These steps are also incorporated into FFIEC's examination procedures manual for reviewing technology service providers. Appendix II describes these steps in more detail. The bank regulatory agencies conduct periodic examinations in which compliance with GLBA and the guidance for sharing information with contractors are assessed. The frequency of examinations at a particular bank depends on a series of risk assessments. For example, OCC examiners we met with said that, in general, the more a bank shares nonpublic personal information (as defined by GLBA) with contractors, the greater its risk potential is, and therefore, the more scrutiny information security will receive. OCC performs targeted examinations that focus on specific subjects along with ongoing supervision activities to assess the banks' overall operations and performance.[Footnote 19] Information security, contractor management, and compliance with GLBA and other privacy laws are among the targeted examinations that have been conducted or planned at the three banks we met with. The targeted examinations can also include reviews of offshore contractors. One such examination was aimed exclusively at reviewing risk management practices and controls of the banks' contractor management unit in India. FDIC and FRB also conduct examinations of state-chartered banks and bank holding companies in which two regulators also assess information security, contractor management, and GLBA compliance.[Footnote 20] We reviewed examination reports and related workpapers for three large national banks supervised by OCC that we met with. Our review of the examination reports found that they draw overall conclusions on whether the bank is satisfactorily meeting both OCC's requirements for complying with GLBA and its guidance for sharing sensitive information with contractors and then the reports discuss any areas of weakness in detail. When there are findings that require corrective action by bank management, the examiners will report these as matters requiring attention.[Footnote 21] In some instances, concerns were raised about banks consistently implementing their information security policies among all their business units; However, the reports indicate that the banks' management is addressing these issues. Certain bank contractors are also examined periodically under the purview of the FFIEC, using examiners from all FFIEC member agencies. These bank service contractors--referred to as technology service providers--often have access to sensitive personal information. We reviewed 66 bank contractor examination reports and found the examinations addressed information security issues including GLBA compliance, the sufficiency of both internal and independent IT audits, the adequacy of system controls and written policies and procedures, and the use of or need for risk and vulnerability assessments.[Footnote 22] About two thirds of the examination reports concluded that the service providers' overall information security is satisfactory but make recommendations for specific improvements. Some of the examinations focused on GLBA compliance, and examiners recommended improvements that contractors could make to their internal processes to better ensure they are complying with GLBA. SEC and Self-Regulatory Agencies Also Use Examinations to Oversee Requirements for Safeguarding Sensitive Customer Information: Securities firms are also required to meet the GLBA standards for safeguarding customer's personal information. To implement GLBA, SEC issued regulation S-P, which applies to the financial institutions subject to SEC's jurisdiction under GLBA--investment advisors registered with SEC, investment companies and broker-dealers.[Footnote 23] Regulation S-P directs these securities firms to adopt policies and procedures that are reasonably designed to: * insure the security and confidentiality of customer records and information, * protect against anticipated threats or hazards to the security and integrity to customer records and information, and: * protect against unauthorized access to or use of customer records and information that could bring substantial harm or inconvenience to any customer. Under Regulation S-P, securities firms, similar to banks, generally may share customers' personal information with contractors without customers' permission, provided that the firms notify customers they are doing so, and prohibit contractors, through the terms of the contract, from disclosing or using the information for any purposes other than those for which the information was provided.[Footnote 24] SEC's Office of Compliance, Inspections, and Examinations (OCIE) conducts periodic exams of securities firms that include compliance with Regulation S-P. OCIE uses a risk assessment framework to target firms for examination. Any known concerns or questions about a firm's practices for protecting customer information are among the components factored into the risk assessment. OCIE's examination process covers such steps in the contract management process as due diligence in selecting contractors, contract provisions for protecting information privacy, and monitoring compliance with the contract terms including the use of audits or other reviews of contractors' procedures and performance.[Footnote 25] Examiners are also expected to obtain and review certain documents in addition to the contracts, such as any relating to specific security controls. Although the bank regulatory agencies have authority to examine contractors, SEC officials told us that they cannot examine contractors unless they happen to be another securities firm. In addition to its ongoing examinations, OCIE initiated two examination sweeps focused solely on firms' protection of personal information. The first--performed during 2002 and 2003--focused on large securities firms policies and procedures for preventing identity theft. The examinations reviewed how well they complied with the safeguarding requirements and also scrutinized the firms' vendor management processes to see if they were designed to ensure compliance with the safeguarding requirements. These examinations found that, while the firms were generally in compliance, some were confused about specific things they needed to do to meet the requirements. In the fall of 2005, OCIE began the second sweep--examining the outsourcing practices of securities firms. OCIE plans to conduct these examinations with NYSE at a small number of firms selected to be as representative of the industry as possible. According to the procedures developed by OCIE, the examinations will be very detailed and explore what specific measures have been taken by firms in the areas of: * Due diligence in selecting contractors; * Adequacy of privacy and security provisions in the contracts; * Contractors' policies and procedures for safeguarding customer information; * Oversight and monitoring for compliance with the contract terms, including offshore contractors' ability to comply with applicable U.S. information privacy laws. After completing this program, OCIE plans to incorporate the procedures for examining outsourcing activities into its regular examinations. NASD and NYSE have issued their own guidance on safeguarding customer information. NASD has issued guidance outlining procedures and safeguards for sharing customer information with contractors, and overseeing compliance with any applicable securities laws and NASD rules.[Footnote 26] In response to concerns about the growing use of contractors in the securities industry, NYSE has proposed a similar rule governing its members' use of contractors, which will require member firms to follow certain steps in selecting and overseeing contractors. NASD and NYSE also examine member firms to ensure compliance with Regulation S-P. However, similar to SEC, neither SRO has the authority to examine or review contractors that are not member firms. NASD officials said a Regulation S-P review will be included in an examination if their examiners believe there is a Regulation S-P compliance or information security issue at a member firm. They added that the examiners review the firm's procedures and internal controls for monitoring contractors and review each contract to ensure it includes clauses protecting the confidentiality of customer information and barring the contractor from using it for purposes not related to the contracted service.[Footnote 27] NYSE examinations review third- party contracts to ensure that they contain confidentiality clauses prohibiting the contractor from using or disclosing customer information for any use other than the purposes the contractor was provided the information. We reviewed 10 NYSE examination reports, documenting each instance of noncompliance with Regulation S-P found by NYSE examiners since January 2003. We found several cases where the examiners found that third party contracts did not contain the necessary confidentiality clauses. Tax Preparers Must Follow IRS and FTC Information Nondisclosure Requirements, but IRS Has No Process for Routinely Monitoring Compliance: Tax return preparers are required to protect the confidentiality of taxpayer information under IRS provisions and FTC's GLBA regulations. Under Sections 6713 and 7216 of IRC and IRS regulations, tax return preparers may, under certain circumstances, disclose tax information to other tax preparers, including contractors, or to other employees of the tax preparers' firm. Tax return preparers and contractors who provide certain services in connection with the preparation of tax returns--including contractors used in preparing and processing electronic tax returns---are required to protect the confidentiality of taxpayer information, and they may be subject to civil and criminal penalties for the unauthorized use or disclosure of tax return information, including SSNs.[Footnote 28] Tax return preparers must also follow FTC's GLBA regulations for maintaining the security and confidentiality of customer information. Among other protective measures, FTC's GLBA regulations state that entities such as tax return preparers may use contractors and provide customers' information to those contractors, but only if certain conditions are fulfilled. Thus, in the case of tax return preparers, the preparer must provide its customers with initial notice of its privacy policies and practices before it shares sensitive information with contractors, and contracts the tax return preparer enters into with its contractors must prohibit the contractors from disclosing or using customers' tax return information for any purposes other than those for which the information was provided. FTC's GLBA regulations also specify that entities such as tax return preparers oversee their contractors by (1) taking reasonable steps to select and retain service providers that can maintain appropriate safeguards for the customer information being shared and (2) requiring provisions in the contracts to implement and maintain these safeguards. Unlike the bank regulatory agencies and SEC, IRS does not conduct periodic examinations of tax preparers. IRS monitors and oversees tax preparers, including how well they safeguard taxpayer information, by investigating complaints, which may come from clients or referrals from local IRS offices. IRS officials said the agency has plans to start conducting more self-initiated reviews of a sample of tax preparers but the agency has limited resources for this effort. IRS also performs background checks of applicants who provide electronic return services and plans to review a sample of Electronic Return Originators each year. During the course of our work we found that some IRS and professional association officials were concerned that IRS regulations did not adequately cover tax return preparers who submit taxpayer returns electronically. For example, officials from a professional association for tax return preparers said there were no explicit provisions restricting what various third party providers participating in electronic filing could do with taxpayer information once they possess it. In response to this concern, however, IRS officials stated that any participant in its e-file program performing any role that handles tax return data is covered by IRC 7216.[Footnote 29] IRS has also recently issued proposed regulations intended to, among other things, clarify that the rules also apply to tax return preparers who submit taxpayer returns electronically.[Footnote 30] The proposed regulations also clarify that a tax return preparer may disclose tax return information to another tax return preparer located in the United States, including a contractor, without the taxpayer's consent under certain conditions.[Footnote 31] They also provide that contractors, under certain circumstances, are subject to criminal penalties for unauthorized use or disclosure of tax return information. In addition, the proposed regulations contain a new provision that states that disclosure of tax information may be made to certain types of contractors, but only if the tax return preparer ensures that all individuals who are to receive tax information receive written notice that criminal penalties for improper disclosure apply to them. No Federal Law Requires Safeguards for SSNs Collected or Shared by the Telecommunications Industry: FCC officials told us that they know of no federal law that restricts the sharing of SSNs by telecommunications firms with their contractors and that they do not regulate or oversee the privacy of customer information maintained or shared by telecommunications firms unless the information is included in customer proprietary network information (CPNI). The Telecommunications Act of 1996 restricts the use and disclosure of CPNI, which is defined as information relating to the quantity, technical configuration, type, destinations, location and amount of use of a telecommunications service subscribed to, and information contained in the bills pertaining to telephone service received by a customer. Currently, the act does not include SSNs in its definition of CPNI. Agency officials also stated that FCC has enacted regulations governing disclosure of CPNI (but not SSNs) to certain types of third parties.[Footnote 32] Although FCC has authority to take enforcement action against telecommunications companies for inappropriate use and disclosure of CPNI, the limited definition of CPNI precludes FCC from taking enforcement action when SSNs are used or disclosed. It also has no authority to oversee the use of contractors by telecommunications firms other than its authority to oversee compliance with its regulations affecting the sharing of CPNI. Agency officials told us FCC is considering a request by the Federal Bureau of Investigation to regulate foreign storage of CPNI and foreign-based access to CPNI based on national security and law enforcement concerns. Despite FCC's lack of authority with regard to SSNs being shared by telecommunications companies, under certain circumstances, FTC may be able to take action against telecommunications companies for improperly sharing SSNs. An FTC staff member and representatives from the telecommunications companies we met with said that under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive business practices, FTC may be able to take action against companies that fail to meet the terms of their own privacy policies in certain circumstances.[Footnote 33] For example, if a telecommunications company stated in its privacy policy that it would only share a consumer's personal information with contractors for certain purposes and a contractor used the SSNs for a purpose not covered by the privacy policy, FTC could consider this a deceptive business practice. However, according to FTC, no actions have been taken against telecommunications carriers under Section 5 because of a failure to comply with statements made in their privacy policies about information shared with contractors. State Laws Also Affect the Disclosure and Sharing of SSNs with Third Parties: Company officials informed us of laws in 15 states they believe either affect how they share sensitive personal information including SSNs with their contractors or limit both their own and their contractors use and handling of this information. The laws cover areas such as limiting the use and display of SSNs, specifying record disposal requirements, prohibiting requiring SSNs to complete a business transaction, privacy policy provisions, and security breach notification requirements.[Footnote 34] A few of the company officials we spoke to said that California's privacy laws were particularly significant to the development of their information confidentiality and security policies. As a result, many told us that their companies have adapted the requirements of the California laws for companywide application. The California law that most directly affects how businesses can share personal information with their contractors was enacted in September 2004 and requires that businesses incorporate provisions to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, disclosure, use, modification, or destruction into their contracts with third party service providers.[Footnote 35] This law identifies SSNs, when used in conjunction with customer names, as one of several forms of personal information covered. Some company officials also said California's security breach notification statute significantly affected their information security and confidentiality procedures. These officials also told us this statute was the impetus for formulating their own breach notification requirements and procedures. Company officials in each of the industry sectors said that they will incorporate the requirements of state laws they believe affect how they share sensitive personal information into their company's security and confidentiality policies or operations, effectively applying them to all states they do business in. For example, officials from one company told us it is more efficient to apply these state requirements nationwide than to design systems for specific states. Conclusions: With millions of Americans at risk of identity theft, it is vital that any entity with access to personal information, especially to SSNs, take every precaution to protect this information from misuse. Inadequate database security and improper handling, disposal, and sharing of such personal information creates vulnerability to identity theft, with its attendant costs to individuals and businesses. Officials from each of the industries we met with clearly felt that safeguarding SSNs and other personal information was very important and had taken steps to do so. However, as we found in the telecommunications sector, companies are not always required to include in their service-provider contracts provisions that would safeguard SSNs. Gaps in existing federal law or agency oversight, such as what we found in the industries we looked at, do not provide incentives for companies to commit to protecting personal information. Each industry is subject to different federal oversight and is often left to decide what established practices for safeguarding SSNs and other consumer information it wishes to follow. Federal action to strengthen safeguards for SSNs that companies in non-financial service industries collect could avert disclosures of this important personal information and better protect Americans from the cost and inconvenience of identity theft. Matter for Congressional Consideration: We recommend that Congress consider possible options for addressing the gaps in existing federal requirements for safeguarding SSNs shared with contractors. One approach would be to require industry-specific protections for the sharing of SSNs with contractors where such measures are not already in place. For example, Congress could consider whether the Telecommunications Act of 1996 should be amended to address how that industry shares SSNs with contractors. Alternatively, Congress could take a broader approach. For example, in considering proposed legislation that would generally restrict the use and display of SSNs, Congress could also include a provision that would explicitly apply this restriction to third party contractors. With either approach, Congress will also want to establish a mechanism for overseeing compliance by contractors and enforcement. Agency Comments: We requested comments on a draft of this report from FCC, FDIC, the Federal Reserve Board, FTC, IRS, OCC, and SEC. None of the agencies provided formal, written comments. With the exception of FDIC, all provided technical, editorial, and other clarifying comments which we incorporated in the report as appropriate. We are sending copies of this report to the Secretary of the Treasury, the Chairmen of the Federal Reserve Board, FDIC, FTC, FCC, SEC, the Office of the Comptroller of the Currency, the Commissioner of the IRS, and other interested parties. Copies will also be made available at no charge on GAO's Web site at http://www.gao.gov. If you have questions concerning this report, please call me on (202) 512-7215. Key contributors to this report are listed in appendix VI. Signed by: Barbara D. Bovbjerg: Director, Education, Workforce, and Income Security: [End of section] Appendix I: Scope and Methodology: In this report, we focused on the uses and protections of SSNs when they are shared with contractors and subcontractors within the financial services, telecommunications, and tax preparation industries. To describe the types of services that companies in these industry sectors contract, we identified and interviewed company officials in the banking, securities, telecommunication, and tax preparation industries. We selected these industries because they collect large volumes of personal information including SSNs and experts in the fields of outsourcing and information security we interviewed believed these industries were among the most likely to share SSNs with contractors. We contacted 17 of the largest companies, based on asset size, from each of the industry sectors. We also contacted seven large service providers--companies whose sole business is to provide services to other businesses under contract.[Footnote 36] Based on the response to our request, we conducted structured interviews with a total of 17 of these companies--3 banks, 4 securities firms, 4 telecommunication companies, 1 tax preparation company, and 5 service providers-- regarding the types of services they contracted and whether SSNs were shared between the companies and contractors. The remaining seven companies did not respond to our request. Furthermore, we conducted structured interviews with six industry associations. These included three associations that represented enrolled agents and tax professionals within the tax preparation industry. We contacted these to obtain more perspectives from the tax preparation industry since only one tax preparation firm agreed to meet with us. However, we were unable to determine the extent to which some of the member's responses were representative of associations with similar membership. Our interviews with the companies and industry associations are not statistically representative of either their industries or the business sector as a whole, and therefore should not be considered to represent the views of the sectors as a whole. In addition, we also reviewed academic and consultant's studies, a professional trade associations' outsourcing survey, self-regulatory organizations' research, and bank examinations to determine the types of services that companies from the different industry sectors commonly contracted. To identify company safeguards to protect SSNs during the contracting process, we conducted structured interviews with company officials from each industry to gain a better understanding of their safeguards and the stages of the contracting process. We requested copies of standard contract forms from each of the companies. Ten companies provided copies to us. We reviewed the forms to identify specific provisions that addressed the security and confidentiality of personal information. We also obtained and reviewed internal security policies and procedures from companies willing to provide them and compared these security measures across the different industry sectors. We did not verify the extent to which these businesses complied with their own policies, procedures, and safeguards. Finally, we contacted these industries' trade associations to identify any best practices or notable industry practices for the safeguarding of customer's personally identifiable information. Because of the sensitive nature of the information we were obtaining, we agreed not to identify the companies in our report and to treat any information they provided, including their standard contract forms, as proprietary. To identify how federal agencies regulate and monitor the sharing and safeguarding of SSNs and other personal information between entities they oversee and their contractors, we interviewed agency officials and reviewed documents from the following agencies with jurisdiction over the four industry sectors in our review: * Federal Deposit Insurance Corporation, * Federal Reserve System, * Office of the Comptroller of the Currency, * Federal Financial Institutions Examination Council, * Federal Trade Commission, * Federal Communications Commission, * Internal Revenue Service, and: * Securities and Exchange Commission. We also met with officials from self-regulatory agencies---the New York Stock Exchange and the National Association of Securities Dealers--and reviewed documents they prepared. Documents we obtained and reviewed included applicable statutes, regulations, guidance to regulated entities, examination manuals and related materials, examination reports and related workpapers, survey reports, and any other related materials. We limited our review to identifying steps and procedures the agencies follow in overseeing compliance with federal requirements for safeguarding personal information. We did not assess the adequacy or effectiveness of their oversight and enforcement measures. For bank examination reports, we limited our analysis to reviewing those for the three banks we met with. Our purpose was to, in general, identify what the examinations covered, if they followed OCC's examination procedures, and the types of issues they found. We reviewed only those reports relating to GLBA, information security, or contractor management that were issued since 2002. In addition, we reviewed the most recent examination report for 66 contractors. Most of the reports are maintained in the regional or field offices of the bank regulatory agency that had lead responsibility for the exam. Examination reports for 16 multi-regional service providers--which FFIEC classifies separately--are maintained in FFIEC headquarters. Because of this dispersion, we requested the reports for the 16 multi- regional service providers and any other reports that were available electronically--which were the remaining 50. As a result, our sample of both the bank and contractor examination reports is not representative, and our findings from them cannot be generalized. In order to ensure we obtained complete information from the federal agencies, we also asked the companies we interviewed to tell us the federal requirements for protecting personal information they were responsible for complying with and compared their responses with what we obtained from the agencies. [End of section] Appendix II: Summary of Federal Bank Supervisory Agency Guidance on Contracting with Technology Service Providers: * Conduct appropriate risk assessments. When considering contracting out a particular activity, banks should evaluate factors such as the strategic goals, objectives, and business needs of the financial institution; the ability to evaluate and oversee contractual relationships; the importance and criticality of the services to the bank; defined requirements for the contracted activity; necessary controls and reporting processes; contractual obligations and requirements for the contractor; contingency plans, including availability of alternative contractors, costs and resources required to switch contractors; ongoing assessment of contractual arrangements to evaluate consistency with strategic objectives and contractor performance; and regulatory requirements and guidance for the business lines affected and technologies used. * Maintain adequate due diligence procedures. Banks should evaluate prospective contractors to determine their ability, both operationally and financially, to meet the bank's needs, and should convey the bank's needs, objectives, and necessary controls to the prospective contractor. Some of the specific factors banks should consider in selecting contractors include their technology and industry expertise, financial condition, and operations and controls including the adequacy of their standards, policies and procedures relating to internal controls, security, privacy protections, and maintenance of records and also determining if contractors provide sufficient security precautions such as encryption and customer identity authentication. * Closely evaluate all contracts to ensure necessary provisions for assuring security and confidentiality are included. Consideration should be given to including contract provisions that address control over operations. Contracts should address, among other matters, the scope of service, performance standards, security and confidentiality of the bank's information and other resources, controls, audit rights, frequency and type of reporting to the bank, and sub-contracting. Security and confidentiality provisions should include prohibiting the contractor and its agents or subcontractors from using or disclosing the bank's information except as needed to or be consistent with providing the contracted service, protecting against unauthorized use, and requiring the contractor to fully disclose security breaches that result in unauthorized intrusions that may materially affect the bank or its customers and report corrective actions taken. * Establish ongoing monitoring and oversight procedures. Banks should implement an oversight program to monitor each contractor's financial conditions and operations, the quality of service and support in fulfilling the contract, contract compliance and revision needs, and maintenance of business resumption contingency plans. [End of section] Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Barbara D. Bovbjerg, Director, (202) 512-7215: Staff Acknowledgments: The following team members made key contributions to this report: Margaret Armen, Pat Bernard, Richard Burkard, Tamara Cross, Amber Edwards, Michele Fejfar, Jason Holsclaw, Joel Marus, Sheila McCoy, Jonathan McMurray, and Amanda Miller. FOOTNOTES [1] Specifically, the proposed regulations would allow tax return preparers to disclose tax return information to contractors in connection with the programming, maintenance, repair, testing, or procurement of equipment or software used for purposes of tax return preparation only to the extent necessary for the person to provide the contracted services, and only if the tax preparer ensures that all individuals who are to receive disclosures of tax return information receive a written notice that informs them of the applicability of IRC sections 6713 and 7216 to them and describes the requirements and penalties of section 6713 and 7216. 70 Fed. Reg. 72954 (Dec. 8, 2005). [2] The Social Security Act of 1935 created the Social Security Board and authorized it to establish a record-keeping system. The board was renamed the Social Security Administration in 1946. [3] A broker-dealer is any individual or firm in the business of buying and selling securities for itself and others. Broker-dealers generally must register with the SEC. When acting as a broker, a broker-dealer executes orders on behalf of his/her client. When acting as a dealer, a broker-dealer executes trades for his/her firm's own account. [4] 69 Fed. Reg. 77610 (Dec. 28, 2004). [5] 70 Fed. Reg. 15736 (Mar. 29, 2005). The bank regulatory agencies jointly issued this as interpretive guidance for GLBA and the joint guidelines issued by the agencies for implementing GLBA's safeguard requirements--Interagency Guidelines Establishing Information Security Standards. [6] 12 U.S.C. § 1867(c). [7] 47 U.S.C. § 222. [8] Personally identifiable information refers to any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. This includes information that can easily be derived, including, but not limited to, name, address, phone number, fax number, email address, financial profiles, SSN, and credit card information. [9] EROs are individuals or companies that can file and transmit tax returns to the IRS on behalf of individual preparers. However, ERO's generally do not prepare the return. [10] Federal Reserve Bank of Kansas City, "Technology Outsourcing: A Community Bank Perspective." Financial Industry Perspectives (Fourth Quarter 2004). [11] A customer contact center services a company's customers by providing a focused customer service orientation for priority requirements. For example, some customer contact centers provide immediate access to worldwide customers and customer service representatives 24 hours a day, 7 days a week for all supply and logistics problems and concerns. [12] Compliance risk is the risk to earnings or capital arising from violations of laws, rules, or regulations or from nonconformance with internal policies and procedures or ethical standards. Reputation risk is the risk to earnings or capital arising from negative public opinion. [13] Although the majority of the companies we met with agreed to provide us with this documentation, only 10 of the companies subsequently provided it. Furthermore, some of the companies that did provide us with their contracts only supplied us with excerpts of their contracts pertaining to information security and privacy. [14] In general, electronic safeguards restrict access to system resources and involve effective control mechanisms that can limit access to key information system assets. Physical safeguards include protections from risks, such as physical penetration by malicious or unauthorized people through the use of detection devices like alarms and surveillance cameras or damage resulting from environmental contaminants, such as fire or water. [15] According to some industry standards, companies should retain the right to audit their service providers' general controls environment, implementation of certain policies, adherence to customer-specific processing policies, adherence to security and customer-information requirements, and adherence to procedures associated with the relationships with the company. [16] BITS is a nonprofit, CEO-driven industry consortium whose members are 100 of the largest financial institutions, which includes banks and securities firms, in the United States. BITS was formed by the CEOs of these institutions to address issues in financial services, technology and commerce. BITS also facilitates cooperation between the financial services industry and other sectors of the nation's critical infrastructure, government organizations, technology providers, and third-party service providers. At its inception, BITS stood for "Banking Industry Technology Secretariat." However, with financial modernization and the emergence of integrated financial services companies involving insurance, securities and banking, that term is no longer used. [17] Banks may share customers' nonpublic personal information without their permission under other limited circumstances. See 15 U.S.C. § 6802(b) and (e). [18] 66 Fed. Reg. 8616 (Feb.1, 2001). [19] Based on our discussions with the OCC examiners for these banks and our review of related documentation, the process of ongoing supervision starts with development of an annual examination strategy outlining subjects for targeted examinations to be undertaken that year. The strategy also outlines ongoing large bank supervision activities such as holding regular meetings with bank officials and reviewing internal and management reports. OCC also has a separate supervisory program for community banks. [20] We did not review FDIC or FRB examination reports because banks they supervise were not included in the scope of our review. [21] These are typically requirements to improve such things as clarifying contractor management roles and responsibilities in the bank's organization, formalizing strategic planning for contractor management, or adding components to employee training programs. [22] Because this sample was not representative, our findings cannot be generalized. We reviewed the most recent examination reports for 16 large national service providers and any others that were available electronically. [23] 17 C.F.R. Part 248. [24] Securities firms may share customers' nonpublic personal information without their permission under other limited circumstances. See 17 C.F.R. § 248.14 and § 248.15. [25] The International Organization of Securities Commissions (IOSCO) and the Joint Forum (established under the aegis of the Basel Committee on Banking Supervision, the International Association of Insurance Supervisors and IOSCO) have issued guidance on the principles of outsourcing in financial services. SEC is a member of both of these organizations and, according to agency officials, participated in the process by which these organizations issued this guidance. SEC does not currently contemplate developing a separate advisory guidance for securities firms to follow in using outside contractors. [26] NASD Notice to Members 05-49, Safeguarding Confidential Customer Information (July, 2005). [27] NASD took one enforcement action in 2005 for a Regulation S-P violation, but the action did not involve contractors' safeguarding of customer information. [28] In 2000, IRS issued clarifying guidance that stated that contractors used in preparing and processing electronic tax returns are also considered tax return preparers and are therefore covered by Sections 6713 and 7216 of IRC. Revenue Procedure 2000-31. This guidance was updated and superseded in August 2005. Revenue Procedure 2005-60. [29] Revenue Procedure 2005-60, Section 6.01. [30] 70 Fed. Reg. 72954 (Dec. 8, 2005). [31] Such conditions include for the purposes of preparing or assisting in the preparation of a tax return so long as the contractor does not make any substantive determinations or provide advice affecting the taxpayer's tax liability. [32] 47 C.F.R. § 64.2007(b)(2). [33] FTC action is limited to the extent that a company's activities are covered by the common carrier exemption in Section 4 of the Federal Trade Commission Act (15 U.S.C. § 44). Telecommunications companies are also not considered to be financial institutions under GLBA and therefore, not subject to GLBA's safeguard requirements. [34] We found some instances in which the laws cited either did not affect the industries we reviewed or did not apply to the sharing of personal information. We did not include these in our analysis. [35] California Civil Code 1798.81.5(c). [36] We selected the companies we interviewed in the banking, securities and telecommunications industries from industry sector rankings for the 2004 Fortune 500 list of the largest American companies. However, these listings could not be used to select tax preparation firms, because too few were included. We identified other tax preparation firms from information compiled by professional and industry associations. In addition, we selected service providers to contact based on our discussions with company and government officials and published information about large bank service providers. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site (www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: