Social Security Numbers:
OMB and Federal Efforts to Reduce Collection, Use, and Display
GAO-17-655T: Published: May 23, 2017. Publicly Released: May 23, 2017.
- Highlights Page:
- Full Report:
- Accessible Version:
What GAO Found
In its draft report, GAO noted that several governmentwide initiatives aimed at eliminating the unnecessary collection, use, and display of Social Security numbers (SSN) have been underway in response to recommendations that the presidentially appointed Identity Theft Task Force made in 2007 to the Office of Personnel Management (OPM), the Office of Management and Budget (OMB), and the Social Security Administration (SSA). However, these initiatives have had limited success. In 2008, OPM proposed a new regulation requiring the use of an alternate federal employee identifier but withdrew its proposed regulation because no such identifier was available. OMB required agencies to develop SSN reduction plans and continues to require annual reporting on SSN reduction efforts. SSA developed an online clearinghouse of best practices associated with the reduction of SSN use; however, the clearinghouse is no longer available online.
All 24 agencies covered by the Chief Financial Officers (CFO) Act developed SSN reduction plans and reported taking actions to curtail the use and display of the numbers. Nevertheless, in their responses to GAO's questionnaire and follow-up discussions, the agencies cited impediments to further reductions, including (1) statutes and regulations mandating the collection of SSNs, (2) the use of SSNs in necessary interactions with other federal entities, and (3) technological constraints of agency systems and processes.
Further, poor planning by agencies and ineffective monitoring by OMB have limited efforts to reduce SSN use. Lacking direction from OMB, many agencies' reduction plans did not include key elements, such as time frames and performance indicators, calling into question their utility. In addition, OMB has not required agencies to maintain up-to-date inventories of their SSN holdings or provided criteria for determining “unnecessary use and display,” limiting agencies' ability to gauge progress. In addition, OMB has not ensured that agencies update their annual progress nor has it established performance metrics to monitor agency efforts to reduce SSN use. Until OMB adopts more effective practices for guiding agency SSN reduction efforts, overall governmentwide reduction will likely remain limited and difficult to measure, and the risk of SSNs being exposed and used to commit identity theft will remain greater than it need be.
Why GAO Did This Study
SSNs are key pieces of identifying information that potentially may be used to perpetrate identity theft. Thieves find SSNs valuable because they are the identifying link that can connect an individual's information across many agencies, systems, and databases.
This statement summarize GAO's draft report that: (1) describes what governmentwide initiatives have been undertaken to assist agencies in eliminating their unnecessary use of SSNs and (2) assesses the extent to which agencies have developed and executed plans to eliminate the unnecessary use and display of SSNs and have identified challenges associated with those efforts. For the draft report on which this testimony is based, GAO analyzed documentation, administered a questionnaire, and interviewed officials from the 24 CFO Act agencies that led or participated in SSN elimination efforts.
What GAO Recommends
GAO's draft report contains five recommendations to OMB to require agencies to submit complete plans for ongoing reductions in the collection, use, and display of SSNs; require inventories of systems containing SSNs; provide criteria for determining “unnecessary” use and display of SSNs; ensure agencies update their progress in reducing the collection, use, and display of the numbers in annual reports; and monitor agency progress based on clearly defined performance measures.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or firstname.lastname@example.org.