Summary: In 1936, the Social Security Administration (SSA) established the Social Security number (SSN) to track workers' earnings for social security benefit purposes. Today, private and public sector entities frequently ask individuals for SSNs in order to conduct their businesses and sometimes to comply with federal laws. Although uses of SSNs can be beneficial to the public, SSNs are also a key piece of information in creating false identities either for financial misuse or for assuming an individual's identity. The retention of SSNs in the public and private sectors can create opportunities for identity theft. In addition, the aggregation of personal information, such as SSNs, in large corporate databases, as well as the public display of SSNs in various records accessed by the public, may provide criminals the opportunity to easily obtain this personal information. Given the heightened awareness of identity crimes, this testimony focuses on describing (1) how private sector entities obtain, use, and protect SSNs, and (2) public sector uses and protections of SSNs.
Private sector entities rely extensively on SSNs. We reported early this year that entities such as information resellers, consumer reporting agencies , and health care organizations routinely obtain SSNs from their business clients and public sources, such as government records that can be displayed to the public. These entities then use SSNs for various purposes, such as to verify individual's identity or match existing records, and have come to rely on the SSN as an identifier, which helps then determine a person's identity for the purpose of providing the services they offer. There is no single federal law that regulates the overall use or restricts the disclosure of SSNs by private sector entities. However, certain federal laws have helped to place restrictions on the disclosures of personal information private sector entities are allowed to make to their customers, and certain states have enacted laws to restrict the private sector's use of SSNs. Public sector entities also extensively use SSNs. All three levels of government use the SSN to comply with certain federal laws and regulations, as well as for their own purposes. These agencies rely on the SSN to manage records, verify benefit eligibility, collect outstanding debt, and conduct research and program evaluations. Despite their widespread reliance on and use of SSNs, government agencies are taking steps to safeguard the SSN. For example, some agencies are not using the SSN as the primary identification number. However, given the open nature of certain government records, SSNs appear in records displayed to the public such as documents that record financial transactions or court documents. Current GAO work under way for this subcommittee is focusing on the storage, display, and protection of SSNs in public records. Our preliminary survey data show that the types of records most likely to contain SSNs and be made available to the general public by state government entities are court records, death records, Uniform Commercial Code filings, and professional licensing records. In addition, our preliminary data suggest that responding state offices reported over 35 instances where they had no specific use for collecting SSNs. In a previous report, we proposed that Congress consider developing a unified approach to safeguarding SSNs used in all levels of government and particularly those displayed in public records, and we continue to believe that this approach has merit.