Recent data breaches highlight how identity theft may occur when businesses share individuals' personal information, including Social Security Numbers (SSNs), with contractors. Because private sector entities are more likely to share consumers' personal information via contractors, members of Congress raised concerns about the protection of this information in contractual relationships. In response, GAO examined (1) how entities within certain industries share SSNs with contractors; (2) the safeguards and notable industry standards in place to ensure the protection of SSNs when shared with contractors; and (3) how federal agencies regulate and monitor the sharing and safeguarding of SSNs between private entities and their contractors.
Matter for Congressional Consideration
Congress may wish to consider possible options for addressing the gaps in existing federal requirements for safeguarding SSNs shared with contractors. One approach would be to require industry-specific protections for the sharing of SSNs with contractors where such measures are not already in place. For example, Congress could consider whether the Telecommunications Act of 1996 should be amended to address how that industry shares SSNs with contractors. Alternatively, Congress could take a broader approach. For example, in considering proposed legislation that would generally restrict the use and display of SSNs, Congress could also include a provision that would explicitly apply this restriction to third party contractors. With either approach, Congress may also want to establish a mechanism for overseeing compliance by contractors and enforcement.

Congress is considering options for addressing the gaps in existing federal requirements for safeguarding Social Security numbers (SSN) shared with contractors. The Senate's Personal Data Privacy and Security Act of 2009 (S. 1490) specifically addresses this recommendation and the conference report cites multiple GAO reports noting problems with such data. The Act specifies safeguards that contractors and other business entities must follow to ensure the security of sensitive personally identifiable information, including SSNs. For example, contractors are required to implement a comprehensive personal data privacy and security program to ensure the privacy, security and confidentiality of such data and protect against any anticipated vulnerabilities and unauthorized access. Another provision requires that contractors and others exercise due diligence in selecting service providers for responsibilities related to sensitive data and require service providers by contract to implement and maintain appropriate measures to protect and secure sensitive personal information.

The House of Representatives also introduced the Social Security Number Privacy and Identity Theft Prevention Act of 2009 (H.R. 3309), which provides protections for the sharing of SSNs with contractors and others, such as trusts and estates. Provisions include measures to preclude unauthorized disclosure of SSNs and protect their confidentiality.