A new report (PDF) from the United States Government Accountability Office (GAO) says that Americans’ Social Security numbers (SSNs) are still being exposed to potential identity theft and misuse attributed to federal laws riddled with loopholes and the lack of proper oversight of information brokers.
The GAO found that there are a number of federal laws and regulations that require agencies at all levels of government to frequently collect and use SSNs. Vulnerabilities persist in federal laws addressing SSN collection and use by private sector entities.
“For example, although federal laws place restrictions on reselling some personal information, these laws apply only to certain types of private sector entities, such as financial institutions. Consequently, information resellers are not covered by these laws, and there are few restrictions placed on these entities’ ability to obtain, use, and resell SSNs for their businesses. Vulnerabilities also exist in federal law and agency oversight for different industries that share SSNs with their contractors.” wrote Daniel Bertoni, GAO Director.
The report goes on to detail how private sector entities collect SSNs from various sources and how they use them for identity verification purposes.
In 2004 the GAO reported an estimated 42 million Medicare cards, 8 million Department of Defense (DOD) insurance cards and 7 million Department of Veterans Affairs (VA) beneficiary cards displayed entire SSNs. The Centers for Medicare and Medicaid Services does not plan to remove the SSNs from Medicare cards but the DOD and the VA have begun taking actions to remove them. The VA is issuing new cards without SSNs between 2004 and 2009 until all previous cards are replaced.
In their review of government uses of SSNs, some federal, state and local agencies do not consistently fulfill the Privacy Act requirements that they inform individuals whether SSN disclosure is mandatory or voluntary, provide the statutory or other authority under which the SSN request is made, or to indicate how the SSN will be used when they request them from individuals.
The SSN Protection Act of 2007 (federal legislation recently proposed by Representative Edward Markey) would give the Federal Trade Commission (FTC) rulemaking authority to restrict the sale and purchase of SSNs and determine appropriate exemptions such as law enforcement or national security.
Federal law that oversees the sharing of personal information in the financial services industry is very extensive, but federal law that oversees the tax preparation and telecommunications industries is somewhat lacking.
Some information resellers truncate SSNs by showing only the first 5 digits, others truncate SSNs by showing only the last 4 digits. Because of the lack of SSN truncation standards, even truncated SSNs remain vulnerable to potential misuse by identity thieves and others.
The GAO report does commend the President’s Identity Theft Task Force advocating decreased usage of SSNs at all levels of government and the guidelines (PDF) issued recently by the Office of Management and Budget (OMB) for designing data breach notification plans at all federal agencies.
The report concludes that the use of SSNs as a key identifier in both the public and private sectors will likely continue since there are currently no other widely accepted alternatives and that it would be helpful to take additional steps to protect them.
Recently the Department of Homeland Security (DHS) acknowledged to Congress that they were the victims of more than 800 hacker break-ins, virus outbreaks and other computer security problems over a two year period.
More attention is being focused on government security breaches and they’re finally beginning to take the problems seriously. It’s taken over 4 years for the federal government to slowly begin complying with the Federal Information Security Management Act (FISMA), a law created to make federal agencies aware of the information assets and the systems connected to their networks. For more information on identity theft and how to protect yourself, visit the FTC web site.