US Government Considers Regulatory Restrictions of Social Security Number Use to Combat Identity Theft

by Robert J. Rua

Frequently, we at Security Shredding and Storage News report cases of records mismanagement by businesses, universities, healthcare providers, and government agencies which lead to the compromise of sensitive personal data. In our May/June issue alone we reported a data breach at Ohio State University which compromised an estimated 14,000 employee records, a data disc lost by a company in Georgia which contained sensitive information pertaining to almost three million state residents enrolled in Medicaid and state-sponsored children's medical programs, and the theft of nearly 500 laptops containing un-encrypted taxpayer information from the Internal Revenue Service. One unfortunate commonality in each of these cases is the exposure of individuals' Social Security Numbers (SSNs) to potential theft.

SSNs have been a source of concern since the establishment of the Social Security System back in 1936, over seventy years ago. Initially, the SSN was employed merely to track earnings and determine the amount of Social Security taxes to credit each individual's account. Over the course of time, however, SSNs have been permitted to be used for a wide variety of applications outside the Social Security system. Today, the SSN is far and away the most commonly used method of identification and authentication of individuals in the US . The SSN's ubiquity and relative ease of access makes it the most attractive piece of information for criminals to obtain. SSNs can easily be found in various public records, printed on mail, and, perhaps most disturbingly, on the Internet.

Document destruction and records management outfits are playing their part in keeping individuals' SSNs secure, but in light of the ever-increasing phenomena of identity theft, it seems clear that regulatory measures are needed as well. Growing concerns about the ubiquity of the SSN have recently led to an open discussion between the Federal Trade Commission and various outside groups that believe the best way to combat the growing threat of identity theft is to regulate the use of SSNs for identification and authentication nationwide. Growing awareness of the role of SSNs in identity theft within the general populace has fueled this debate, and it is becoming increasingly clear that the prevailing sentiment among citizens in the US is that the use of SSNs as a data tracking tool must be reduced.

One recent poll, conducted by the Consumer Reports National Research Center (CRNRC), provides strong evidence that American citizens want the government to take action to curb the use of SSNs in situations in which they are not necessary. In August, the CRNRC conducted a survey of over 1,000 households to obtain a nationally representative sample of adults eighteen years and older. They found that 89% of the people interviewed support federal legislation to restrict the solicitation, use, and availability of SSNs by businesses and government agencies. 87% of the poll's participants reported that they had been asked to provide their SSN in whole or in part within the last twelve months (www.consumersunion.org).

According to the CRNRC poll, 60% of all consumers have been asked by a credit issuer to disclose their SSN, while 49% have been solicited by their health care provider within the last year. 44% of Americans polled reported they had been asked to provide their SSN to potential employers, 36% to insurance companies, 32% to government agencies other than the IRS or a state tax body, 28% by a college or other school, and 26% by service providers (ex. cell phone service carriers, cable TV services). Four in ten Americans reported being asked to provide their SSN (in whole or in part) over the telephone, and 14% reported that they had received mail containing their SSN.

The CRNRC's parent organization, Consumers Union, a nonprofit consumer advocacy organization that publishes Consumer Reports, released the poll results to the Federal Trade Commission (FTC) in an effort to motivate lawmakers to enact restrictions on the use of SSNs. The FTC is currently studying trends in SSN collection and usage within the private sector and soliciting proposals for restrictive legislation. In June, representatives of the FTC told the US House Committee on Ways and Means, Subcommittee on Social Security that businesses and government agencies should only collect information that is necessary to meet clearly defined legal or business needs, and stressed the need to implement improved data protection procedures and authentication systems to combat the country's identity theft epidemic.

In a recent press release, Jeannine Kenney, Senior Policy Analyst with Consumers Union stated “The widespread use of SSNs has made it easier for crooks to commit fraud and contributes to the estimated ten million cases of identity theft every year. It's time to restrict the availability of SSNs to prevent this sensitive information from falling into the hands of identity thieves. We need to get SSNs off the Internet, out of our wallets, and out of our mail to help reduce the threat of identity theft.”

The Electronic Privacy Information Center (EPIC), a public interest research center in Washington , D.C. that has won numerous awards for its online civil liberties newsletters, has taken a similar stance toward the SSN problem. In testimony before the House Ways and Means Committee, EPIC Executive Director Mark Rotenberg called the SSN problematic because it is a “user name and password all in one,” and encouraged the development of “more robust systems for identification that safeguard privacy and security”(www.epic.org). The use of the SSN as a de facto identifier, EPIC argues, creates unacceptable security problems that must be addressed. EPIC argues that the current widespread use of SSNs for record keeping is damaging the goodwill between individuals and institutions. The organization has recommended aggressive legislative action to change the existing infrastructure of records and data management nationwide.

Change will be no small feat. The use of SSNs as record keeping tools is a deeply embedded practice which spans all levels of US data management. Joel Winston, Associate Director of the FTC's Division of Privacy and Identity Protection, in his testimony to the House Ways and Means Committee, identified the SSN as “the key identification tool for businesses, government, and others,” to keep track of nearly 300 million American consumers (www.ftc.gov). Thus, replacing the use of SSNs will require an enormous, costly upheaval of established identification methods. Winston says, “The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves and the need to give business and government entities sufficient means to attribute information to the correct person.”

Gail Hillenbrand, the Consumers Union's Financial Services Campaign Manager, says, her organization recognizes the difficulties of changing the nation's data management infrastructure, but maintains there is no other better way to address the problem of identity theft. The Consumers Union is one of several organizations that have proposed tight restrictions on the sale, purchase, and display of SSNs. The Consumers Union recommends the solicitation of SSNs be prohibited except where required by law, or where needed for credit, employment, tax compliance, or investment purposes. Hillenbrand says despite the perceived costs, reducing the use of SSNs for identification is an achievable goal in the near term, “It will be costly in many cases for companies to switch to alternatives to SSNs, but there is a counterbalance – it costs money to collect information you don't need as well.”

Hillenbrand points to the example of many universities which retain the SSNs of applicants who are not admitted into their institution. “Universities don't need to keep the SSNs for people who applied but did not get into the college,” she says, “but many of them do.” Whether it's a university, business, or other institution, says Hillenbrand, obtaining unnecessary information costs money. Ultimately, she adds, the real question is one of convenience. “A single-use identification number like the SSN makes life easier on institutions, but to reduce the identity theft problem they simply must make the conscious decision to sacrifice some of their convenience to protect the consumer. Single-use identifiers are so problematic. Institutions need their own, unique tracking systems. They need to be thinking of what tech solutions they could adopt to circumvent the use of SSNs.”

The trick in motivating institutions to make the shift away from using SSNs, says Hillenbrand, is to build public awareness of the SSN's role in identity theft, “By increasing public awareness of how identity theft happens, we can encourage change,” she explains. “Customer goodwill is hard to earn but easy to lose,” Hillenbrand adds. “It is always hard to persuade institutions to spend money, but they need to realize the value of goodwill can offset the cost of developing new identification systems.”

Hillenbrand says institutions that use the services of professional document destruction and records management companies bolster the goodwill of their customers, patients, students, etc. Using professional records management services reveals an institution's sensitivity to the concerns of the public and demonstrates a responsible attitude toward maintaining the security of individuals' records. In the long run, Hillenbrand says, identity theft must be addressed at its root – by reducing the use of SSNs for identification and authentication. “The Consumers Union recognizes that we live in a world where the SSN is used extensively to identify individuals, but we would like to see the trend eventually change.”

As public awareness and concern over the role of SSNs in identity theft increase, whatever steps an institution can take to ensure the safety of their collected data, including retaining professional document destruction and records management companies, seems worth the return in general goodwill. It remains to be seen what, if any, steps lawmakers will take to reduce the use of SSNs, but it is clear the public desires action. As organizations like the Consumers Union and EPIC are pointing out, consumers want the assurance of knowing their personal data is being handled responsibly. That trust is valuable, perhaps now more than ever.