Locals leave SSNs unprotected
Millions of Social Security numbers are available online and for sale in bulk from local government records, GAO says
- By William Jackson
- Oct 22, 2008
Official records containing Social Security numbers are available online or for bulk sale to private companies from most of the nation's counties, raising the specter of possible misuse and identity theft for millions of Americans, according to a report from the Government Accountability Office.
'Many counties make public records that may contain Social Security Numbers [SSNs] available in bulk to businesses and individuals in response to state open-records laws, and also because private companies often request access to these records to support their business operations,' GAO found by surveying 247 counties in 45 states. 'Our sample allows us to estimate that 85 percent of the largest counties make records with full or partial SSNs available in bulk or online, while smaller counties are less likely to do so (41 percent).'
Companies interviewed for the survey said they use SSNs as unique identifiers and to cross-identify persons across government documents. Although many companies claim they restrict access to the data, records sometimes are sent overseas for processing.
GAO conducted the survey, which included the 97 most populous counties in the country, at the request of Sen. Charles E. Schumer (D-N.Y.), chairman of the Senate Judiciary Committee's Administrative Oversight and the Courts Subcommittee. His staff was briefed on the results of the survey in September; the results were published
'We focused on county recordkeepers because, in scoping our review, we determined that records with SSNs are most likely to be made available in bulk or online at the county level,' GAO said.
ID theft has become a growing concern with the increasing availability of online data and the increase in online commerce and financial transactions. The Federal Trade Commission has estimated that 8.7 million people were victims of ID theft in 2005. SSNs frequently are used as unique identifiers and can be critical to establishing or stealing an identity.
GAO found that although the percentage of records containing SSNs is relatively small, the number of SSNs exposed is great because of the sheer volume of records available. Although federal policy calls for avoiding the use of SSNs where not necessary, legal protection of the numbers is not well established.
'In recent years, 25 states have enacted some form of statutory restriction on displaying SSNs in public records,' GAO stated. 'But these actions are a recent phenomenon. Based on our survey, we estimate that about 12 percent of counties have completed redacting or truncating SSNs that are in public records ' that is, removing the full SSN from display or showing only part of it'and another 26 percent are in the process of doing so.'
Meanwhile, the federal government offers even less protection.
'We did not identify any federal laws restricting state or local governments from making public records available in bulk or governing how private entities may use SSNs obtained from public records, including the off-shoring of records with SSNs,' GAO said.
A number of bills have been introduced that would limit the display or sale of SSNs:
<>S. 238, the Social Security Number Misuse Prevention Act, would prohibit the display or purchase of SSNs without the consent of the holder, with exceptions for some public records. The bill was referred to the Senate Judiciary Committee's Terrorism, Technology and Homeland Security Subcommittee.
S. 2915, the Safeguarding Social Security Numbers Act of 2008, would prohibit display of SSNs to the general public on the Internet by state and local governments unless truncated. The Social Security Administration would set standards for truncating numbers. The bill considers some unencrypted transmission over the Internet as a public display. The bill was referred to the Senate Judiciary Committee.
H.R. 948, the Social Security Number Protection Act of 2007, would make it illegal to sell or purchase SSNs in violation of regulations to be established by SSA. The bill was referred to the House Ways and Means Subcommittee on Social Security.
H.R. 3046, the Social Security Number Privacy and Identity Theft Prevention Act of 2007, would restrict the sale and display of SSNs to the general public by governments, but does not specifically address SSNs in public records. It would require SSA to develop uniform truncation standards. The bill was approved by the House Ways and Means Committee.
GAO warned that in protecting SSNs, Congress would have to balance the tradition of open records with the needs of confidentiality, and recognize the rights of state and local governments to regulate their own records.
'Recent actions taken by the IRS, [the] Justice [Department], and states to truncate SSNs represent one effort that may strike an appropriate balance between protecting SSNs from misuse and making a portion available for appropriate parties to firmly establish the identity of specific individuals,' GAO concluded.
William Jackson is freelance writer and the author of the CyberEye blog.