Various public records in the United States, including some generated by the federal government, contain Social Security numbers (SSN) and other personal identifying information that could be used to commit fraud and identity theft. Public records are generally defined as government agency-held records made available to the public in their entirety for inspection, such as property records and court records. Although public records were traditionally accessed locally in county courthouses and government record centers, in recent years, some state and local public record keepers have begun to make these records available to the public through the Internet. While it is important for the public to have access to these records, concerns about the use of information in these records for criminal purposes have been raised. In 2006, these concerns were heightened when an Ohio woman pled guilty to conspiracy, bank fraud, and aggravated identity theft as the leader of a group that stole citizens' personal identifying information from a local public record keeper's Web site and other sources, resulting in over $450,000 in losses to individuals, financial institutions, and other businesses. Although we previously reported on the types of public records that contain SSNs and access to those records, less is known about the federal government's direct provision of records with SSNs to state and local public record keepers. Because of Congress's interest in information on these issues, we agreed to answer the following questions: (1) Which federal agencies commonly provide records containing SSNs to state and local public record keepers, and what actions have been taken to protect SSNs in these records? (2) What significant vulnerabilities, if any, remain to protecting SSNs in public records?
Recommendations for Executive Action
|Internal Revenue Service||To the extent that truncation provides an added level of protection from identity theft, the Commissioner of IRS should implement a policy requiring the truncation of all SSNs in lien releases the agency generates.|
|Office of the Attorney General||To the extent that truncation provides an added level of protection from identity theft, the Attorney General should implement a policy requiring, at a minimum, SSN truncation in all lien records generated by its judicial districts. Truncation should be in the same format as is currently used by IRS on lien notices.|