[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
More "paranoia" re: misuse of social security numbers
More "paranoia" from the United States General Accounting Office:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GAO
United States General Accounting Office
SOCIAL SECURITY
Report to the Chairman, Subcommittee on Social Security,
Committee on Ways and Means, House of Representatives
Government and Commercial Use of the Social Security Number Is
Widespread
GAO/HEHS-99-28
United States
General Accounting Office
Washington, D.C. 20548
Health, Education, and Human Services Division
February 16, 1999
----------------------------------------
[PDF version]
----------------------------------------
The Honorable E. Clay Shaw
Chairman, Subcommittee on Social Security
Committee on Ways and Means
House of Representatives
Dear Mr. Chairman:
The Social Security number (SSN) was created in 1936 as a means of
tracking workers’ earnings and eligibility for Social Security
benefits. For a
number of reasons, most Americans have an SSN, each of which is unique
to the individual. Today, the SSN is used for a myriad of non-Social
Security purposes, some legal and some illegal. Both private businesses
and government agencies frequently ask individuals for SSNs in order to
comply with federal laws requiring these numbers or because these
entities
need the SSNs to conduct their business.
Responding to public concerns about how organizations use SSNs and
mounting occurrences of identity theft, sometimes involving misuse of
SSNs, several members of the Congress have introduced bills to regulate
the use of SSNs. To obtain information on how the SSN is currently used,
the Subcommittee asked us to describe:
- federal laws and regulations requiring or restricting SSN use,
- how extensively the private and public sectors use SSNs for purposes
not
required by federal law, and
- what businesses and governments believe the impact would be if federal
laws limiting the use of SSNs were passed.
To develop this information, we reviewed private businesses that sell
information of a personal nature about members of the general public,
including individuals’ SSNs; businesses involved in providing
financial and
health care services to individuals; and two large state programs that
frequently use SSNs for administrative purposes. Appendix I contains a
list
of the organizations and agencies we contacted. For more details about
our
scope and methodology, see appendix II. We conducted our work between
January and December 1998 in accordance with generally accepted
government auditing standards.
Page 1
Results in Brief
No single federal law regulates the overall use of SSNs. The Social
Security Act, which created the Social Security programs for which the
SSN
was developed, did not require the Social Security Administration
(SSA) to
devise SSNs. However, once SSA created and began using SSNs to help
administer its programs, the Congress recognized the universal nature of
the SSN and subsequently enacted laws requiring SSN uses for some
purposes not related to Social Security. Federal laws now require that
SSNs be used in the administration of some programs, including the
federal
personal income tax program; the Supplemental Security Income (SSI),
Medicaid, Food Stamp, and Child Support Enforcement programs; and
state commercial driver licensing programs. Some of these laws impose
restrictions on SSN use relating to the programs or activities
involved. No
federal law, however, imposes broad restrictions on businesses’ and state
and local governments’ use of SSNs when that use is unrelated to a
specific
federal requirement.
Businesses and governments are not limited to using SSNs only for
purposes required by federal law. Officials of all the organizations we
reviewed — businesses that sell personal information, those that offer
financial and health care services, and state personal income tax and
driver
licensing agencies — routinely choose to use SSNs as a management tool
to conduct their business or program activities. These uses can affect
large
numbers of people. Credit bureau and state personal income tax officials,
for example, said they use the SSN as a primary record identifier for
internal activities, such as maintaining individual consumer credit
histories
and identifying income tax filers, whereas officials of the other
organizations said they generally assign their own identifiers for
internal
activities. Officials of all the organizations we contacted said they
use SSNs
to match records with those of other organizations to carry out the data
exchanges necessary to conduct their business. Data exchanges are
conducted for such purposes as obtaining information to assess credit
risk,
locate assets, and ensure compliance with program rules and regulations.
Both private business and government officials said their organizations
could be adversely affected if the federal government passed laws that
limited their use of SSNs. Credit bureau officials and state tax
administrators said federal restrictions could impede their ability to
conduct
routine internal activities, such as maintaining consumer histories and
identifying tax filers, activities for which members of their
industries use
the SSN as the primary record identifier. Many of the officials we
interviewed believed federally imposed restrictions could adversely
affect
Page 2
their organizations’ ability to conduct data exchanges with others. For
example, health care officials said such restrictions could limit
health care
providers’ ability to track patient care among multiple providers.
American
Association of Motor Vehicle Administrators (AAMVA) officials said such
restrictions could make it difficult for states to detect noncommercial
drivers who were trying to conceal driving infractions under other state
licenses. In general, credit bureau and other officials said that if
credit
reports could not be requested using SSNs, organizations would have less
assurance of receiving information on the individuals in question.
However,
given the public’s concern about the disclosure of SSNs, some
officials said
their organizations have taken steps to limit disclosure. Officials of
businesses that sell personal information said that as of December 31,
1998, some members of their industry are voluntarily restricting the
disclosure of SSNs when they sell information, and Ohio and Georgia
driver licensing officials said their states have discontinued
practices that
routinely disclose SSNs.
Background
In 1935, title II of the Social Security Act created the Social Security
retirement program to pay benefits to retired workers. Subsequent federal
laws added benefits for workers’ dependents and survivors and, later, for
disabled workers. Workers now earn entitlement to benefits on the
basis of
the number of Social Security credits they have earned while working in
jobs covered by Social Security. Because the act required SSA to maintain
records of wage amounts employers report having paid to individuals, in
1936, SSA created SSNs as a means of maintaining individual earnings
records and issued cards to workers as records of their SSNs. The act now
requires individuals to provide SSA their number when they apply for
Social Security benefits. SSA uses the SSN to identify applicants’
personal
earnings records, which contain information the agency uses to compute
benefits payable to beneficiaries. Over the years, the SSN has come to be
viewed by many as a national identifier because almost every American
has an SSN, and each is unique.[1]
SSA estimates that about 277 million individuals currently have SSNs.
Furthermore, the boom in computer technology over the past several
decades has prompted private businesses and government agencies to rely
Page 3
on SSNs as a way to accumulate and identify information in their
databases.
Simply stated, the uniqueness and broad applicability of the SSN have
made it the identifier of choice for government agencies and private
businesses, both for compliance with federal requirements and for the
agencies’ and businesses’ own purposes.[2]
Federal Laws and Regulations Require and Restrict Certain SSN Uses
No federal law regulates overall use of SSNs. However, a number of
federal laws and regulations enacted since the 1960s require certain
programs and federally funded activities to use the SSN for
administrative
purposes. These laws and regulations generally limit the use of the
SSN to
the required purpose by explicitly prohibiting other uses or disclosures.
Federal law neither requires nor prohibits many of the public and private
sectors’ other uses of SSNs.
Federal Laws and Regulations Require SSN Use in Some Public Programs
A number of federal laws and regulations require the use of the SSN as an
individual’s identifier to facilitate automated exchanges that help
administrators enforce compliance with federal laws, determine
eligibility
for benefits, or both. The Internal Revenue Code and regulations, which
govern the administration of the federal personal income tax program,
require that individuals’ SSNs serve as taxpayer identification
numbers.[3]
This means that employers and others making payments to individuals
must include the individuals’ SSNs in reporting to IRS many of these
payments. Reportable payments include interest payments to customers,
wages paid to employees, dividends provided to stockholders, and
retirement benefits paid to individuals. Other reportable transactions
include purchases involving more than $10,000 in cash, such as the
purchase of an automobile or a boat, or mortgage interest payments
totaling more than $600. In addition, the Code and regulations require
individuals filing personal income tax returns to include their SSNs
as their
taxpayer identification number, the SSNs of people whom they claim as
dependents, and the SSNs of spouses to whom they paid alimony. Using the
SSNs, IRS matches the information supplied by entities reporting
payments or other transactions with returns filed by taxpayers to monitor
individuals’ compliance with federal income tax laws.
Page 4
A number of federal laws require program administrators to use SSNs in
determining applicants’ eligibility for federally funded benefits. The
Social
Security Act requires individuals to provide their SSNs in order to
receive
benefits under the SSI, Food Stamp, Temporary Assistance for Needy
Families (TANF), and Medicaid programs.[4] These programs provide
benefits to people with limited income and resources as well as medical
care for the needy. Applicants give program administrators information on
their income and resources, and program administrators use applicants’
SSNs to match records with those of other organizations to verify the
information. For example, SSA uses SSNs to determine whether applicants
for SSI benefits have accurately reported their income by matching
records
with the Department of Veterans Affairs, the Office of Personnel
Management, and the Railroad Retirement Board to identify any
retirement or disability payments to these applicants. In addition to
using
SSNs to match records with other federal benefit-paying agencies,
administrators of these programs said they also match records with state
unemployment agencies, IRS, and employers to verify earned and
unearned income, such as unemployment benefits, wages, retirement
benefits, and interest paid to applicants. In fact, we have
recommended in
numerous reports that administrators of programs paying federally funded
benefits match data in their payment files with SSA records to identify
deceased beneficiaries, and that SSA match its records with other
state and
federal program records to reduce SSI payments to individuals whom the
agency finds residing in nursing homes and prisons as well as those
receiving benefits under other programs.[5] Using SSNs to identify such
recipients enhances program payment controls and reduces fraud and
abuse.
Another federal law that requires the use of SSNs to identify
individuals is
the Commercial Motor Vehicle Safety Act of 1986. This law established the
Commercial Driver’s License Information System (CDLIS), a nationwide
database. States are required to use individuals’ SSNs to search this
database for other state-issued licenses commercial drivers may hold.
This
checking is necessary because commercial drivers are limited to owning
Page 5
one state-issued driver’s license. If a state grants a license, the
state is
required to record the license information, including the driver’s
SSN, in
the CDLIS. States may also use SSNs to search another database, the
National Driver’s Registry, to determine whether an applicant’s license
has been cancelled, suspended, or revoked by another state. In these
situations, the states use SSNs to limit the possibility of
inappropriately
licensing applicants.
Federal law also requires the use of SSNs in state child support programs
to help states locate noncustodial parents, establish and enforce support
orders, and recoup state welfare payments from parents.[6] The Personal
Responsibility and Work Opportunity Act of 1996 expanded the Federal
Parent Locator Service — an automated database searchable by SSN — to
include information helpful for tracking delinquent parents across state
lines. The law requires states to maintain records that include
(1)SSNs for
individuals who owe or are owed support for cases in which the state has
ordered child support payments to be made, the state is providing
support,
or both, and (2)employers’ reports of new hires identified by SSN. States
must transmit this information to the Federal Parent Locator Service. The
law also requires states to record SSNs on many other state documents,
such as professional, occupational, and marriage licenses; divorce
decrees;
paternity determinations; and death certificates, and to make SSNs
associated with these documents available for state child support
agencies
to use in locating and obtaining child support payments from noncustodial
parents.
Some Federal Laws Restrict SSN Use
Federal laws that require the use of an SSN generally limit its use to
the
statutory purposes described in each of the laws. For example, the
Internal
Revenue Code, which requires the use of SSNs for certain purposes,
declares tax return information, including SSNs, to be confidential and
prescribes both civil and criminal penalties for unauthorized disclosure.
Similarly, the Social Security Act, which requires the use of SSNs for a
number of different purposes, declares that SSNs obtained or maintained
by authorized individuals on or after October 1, 1990, are
confidential and
prohibits their disclosure. The Personal Responsibility and Work
Opportunity Act of 1996 explicitly restricts the use of SSNs to
purposes set
out in the act, such as locating absentee parents to enforce child
support
payments.
Page 6
In addition to the restrictions contained in laws that require the use of
SSNs, the Privacy Act of 1974 also restricts federal agencies in
collecting
and disclosing personal information, which includes SSNs. The act
requires
federal agencies that collect information from individuals to inform the
individuals of the agencies’ authority for requesting the information,
whether providing the information is optional or mandatory, and how the
agencies plan to use the information. The act, which also prohibits
federal
agencies from disclosing information without the individuals’ consent,
does
not apply to other levels of government and private businesses.
Except as discussed above, federal law does not regulate the use of SSNs.
Thus, legitimate businesses and nonfederal agencies have devised uses of
SSNs not covered by federal law, as discussed in the following section.
Businesses and Governments Use SSNs Extensively
The advent of computerized record keeping has led private businesses and
government agencies to routinely use SSNs for activities other than those
required by federal laws and regulations. Businesses and government
agencies may ask for SSNs when individuals apply for benefits or
services,
such as worker’s compensation, driver’s licenses, credit, checking
accounts, insurance, apartment rentals, and public utilities. Law
enforcement agencies may also use SSNs for investigative purposes.
Because there are so many users of the SSN, we focused on describing
SSN use by organizations that routinely use these numbers for activities
that affect a large number of people: organizations that sell personal
information, provide financial services, and offer health care
services and
state government agencies that are responsible for collecting personal
income tax and licensing drivers. In general, organizations may record
SSNs in their databases for two purposes: to locate records for routine
internal activities, such as maintaining and updating account
information,
and, more frequently, to facilitate information exchanges with other
organizations.
Businesses That Sell Personal Information
Continuing advances in computer technology and the ready availability of
computerized data have spurred the growth of a new business activity:
amassing vast amounts of personal information, including SSNs, about
members of the public for resale. Businesses involved in this activity
act as
information brokers.[7] One information broker official told us his
organization has more than 12,000 discrete databases. The increasing
Page 7
proliferation of information brokers has aroused concerns about
individuals’ personal identifying information, including SSNs, being made
easily available to others. Federal law does not prohibit such
disclosure of
SSNs.
Brokers buy information from public and private sources in various
markets throughout the nation. The information may include public records
of bankruptcy, tax liens, civil judgments, criminal histories, deaths,
real
estate ownership, driving histories, voter registration, and professional
licenses. This information may also include privately owned information
such as telephone directories and copyrighted publications, which are
often
made public, and certain information from consumer credit reports.
Generally, each record provides details about the specific event for
which it
was created as well as some personal identifying data — for example, an
individual’s name; date of birth; current and prior addresses; telephone
number; and, sometimes, SSN. An information broker official told us that
not every record his organization buys includes an SSN and that public
records are more likely to contain SSNs than those from nonpublic
sources.
Brokers may provide their services (that is, information products) to a
variety of customers either over private networks or over the Internet.
Brokers that provide information over private networks generally limit
their services to businesses that establish accounts with them. Brokers
providing services over the Internet generally offer their services to
the
public at large. Law firms, businesses, law enforcement agencies,
research
organizations, and individuals are among those who use brokers’ services.
For example, lawyers, debt collectors, and private investigators may
request information on an individual’s bank accounts and real estate
holdings for use in civil or divorce proceedings; automobile insurers may
want information on whether insurance applicants have been involved in
accidents or have been issued traffic citations; employers may want
background checks on new hires; pension plan administrators may want
information to locate pension beneficiaries; and individuals may ask for
information to help locate birth parents. When requesting information,
customers may ask for nationwide database searches or searches of only
specific geographical areas.
Information brokers’ databases can be searched by identifiers that may
include SSNs; brokers may also include SSNs along with information they
provide customers. When possible, information brokers retrieve data by
Page 8
SSN because it is more likely to produce records unique to the individual
than other identifiers are.
Financial Services Businesses
Three national credit bureaus serve as clearinghouses, receiving charge
and payment transaction information from businesses that grant consumer
credit and providing businesses consumer credit reports. Officials
representing a bank and a credit card company — businesses that provide
credit — told us that because it serves their interests for credit
bureaus to
have the most to up-to-date consumer payment histories, businesses in
their industries voluntarily report customers’ charge and payment
transactions, accompanied by SSNs, to credit bureaus. SSNs are one of the
principal identifiers credit bureaus use to update individuals’ credit
records
with the monthly reports of credit and payment activity creditors send
them. In addition, credit bureaus use SSNs provided by customers to
retrieve credit reports on individuals. Credit bureau officials told
us that
customers are not required to provide SSNs when requesting reports, but
requests without SSNs need to include enough information to sufficiently
identify the individual. An official for a credit bureau trade
association
estimated that each national credit bureau has more than 180 million
credit
records.[8] A publication by this official’s trade association
estimated that,
combined, all three bureaus sell 600 million credit reports annually.
Businesses such as insurance companies, collection agencies, and credit
granters use SSNs to request information about customers from credit
bureaus. To determine a customer’s likelihood of repaying a loan,
businesses — banks and credit card companies in particular — want
information on customers’ histories of repaying debts and whether
customers have filed for bankruptcy or have monetary judgments against
them, such as tax liens. Officials representing credit granters said most
banks and credit card companies ask applicants to provide their SSNs, and
these credit granters may choose to deny services to individuals who
refuse. These officials said their organizations generally do not use
SSNs
as internal identifiers but instead assign an account number as a
customer’s primary identifier.
Health Care Services Organizations
Health care services are generally delivered through a coordinated system
that includes health care providers and insurers. Officials representing
hospitals, a health maintenance organization (HMO), and a health
insurance
Page 9
trade association told us that their organizations always ask for an SSN,
but they do not deny services if a patient refuses to provide the
number.
A hospital and an HMO official said that their organizations assign
patients
other identifying numbers, which they use internally as primary
identifiers
for patient medical records, and that they use SSNs as a backup to
identify
records when a patient either forgets or does not know the patient number
he or she was assigned. The HMO official said SSNs are also used to
integrate patients’ records when providers merge, a trend that is
growing.
In data exchanges, hospital and HMO officials said they use SSNs to track
patients’ medical care across multiple providers, which helps
establish the
patients’ medical history and avoid duplicate tests.
A trade association official told us that some health insurers use the
SSN
or a variation of the number as a primary identifier, which becomes the
customer’s insurance number. We were told that the BlueCross BlueShield
health insurance plans and the Medicare program frequently use this
method. In addition, the trade association official said insurers and
providers frequently match records among themselves, using SSNs to
determine whether individuals have other insurance to coordinate payment
of insurance benefits.
Officials in the health care industry expect their use of SSNs to
increase.
For example, the hospital official said that to ensure it has a valid
address
to bill patients, her hospital plans to use SSNs during the admission
process
to obtain on-line verification of patients’ addresses from credit
bureaus.
State Agencies
The states use SSNs to support state government operations and offer
services to residents. The Social Security Act authorizes states to use
SSNs to administer any tax, general public assistance, driver’s
license, or
motor vehicle registration law in order to identify individuals
affected by
such laws. Officials of the Maryland and Virginia personal income tax and
Ohio and Georgia driver licensing programs told us that they use SSNs in
both administering these programs and enforcing compliance with
regulations governing the programs.
State income tax administrators routinely use the SSN as a primary
identifier in their programs. An official from an organization
representing
state tax administrators said that all states levying personal income
taxes
use SSNs to administer their programs. Tax officials said that states use
SSNs to make state tax systems compatible with the federal system and to
Page 10
reduce taxpayer reporting burden. Maryland and Virginia tax
administrators told us their state tax returns require individuals to
provide
their SSNs, and individuals who omit SSNs risk being considered nonfilers
if tax administrators cannot otherwise identify the submitter of the
return.
Tax administrators also use SSNs internally for auditing purposes. For
example, tax administration officials said they use SSNs to
cross-reference
owners’ or officers’ business income tax returns with their personal
income
tax returns so that an audit of one triggers an audit of the other.
Also, in
the course of monitoring compliance with state income tax laws, states
use
SSNs to exchange data with other organizations. For example, in order to
monitor taxpayer income reporting, states rely on SSNs for data matches
with IRS and state tax agencies to identify residents who received income
from out-of-state employers and businesses and to verify credits for
income
taxes that filers report paying to other states. Also, when tax
administrators assess liens against taxpayers, states may use SSNs to
request information from information brokers and credit bureaus to
identify
taxpayer assets, such as bank accounts and real estate. In addition,
federal
and state agencies, such as IRS and state child support agencies, use
SSNs
when asking state tax administrators to offset state refunds otherwise
due
to taxpayers.
State driver licensing agencies are more likely to use SSNs to exchange
data with other organizations than to support internal activities. A few
states print SSNs on licenses and use the SSNs either as license numbers
or along with the state-assigned license numbers. Most state driver
licensing agencies that request SSNs, however, include SSNs in driver
records as a secondary identifier and devise their own license numbers.
Information from the AAMVA and other sources suggests that many states
request, but may not require, applicants for noncommercial driver’s
licenses to provide their SSNs. AAMVA officials estimate that there are
about 175 million noncommercial drivers nationwide.
To monitor driver compliance with state laws, state officials said
they use
SSNs during the licensing process to search national databases maintained
by AAMVA to identify driver’s licenses the applicant may hold in other
states and determine whether the applicant has had a license suspended or
revoked in another state. These officials also told us that organizations
such as the courts and law enforcement agencies may choose to request
driver records by SSN when they do not know the driver’s license number.
Page 11
AAMVA officials expect states’ use of SSNs to increase as the result of a
recent federal law. Effective October 1, 2000, the Illegal Immigration
Reform and Immigrant Responsibility Act of 1996 prohibits federal
agencies from accepting state-issued driver’s licenses as proof of
identification, unless licenses satisfy federal requirements set out
in the
act. Specifically, states must either verify a driver’s SSN with SSA and
record the number in their database or display the number, visually or
electronically, on the license.
States’ practices for disclosing SSNs contained in driver records
vary. In
states in which driver records are public information, states may
disclose
SSNs to individuals and organizations such as credit card companies,
direct
marketers, and credit bureaus.[9] For example, Massachusetts driver
licensing officials told us that their driver records are public and
that the
state includes individuals’ license numbers (usually the SSN) when
providing information to organizations or people requesting driver
records.
Business and State Officials Believe Federal Laws Restricting Uses of
SSNs Would Have a Negative Impact
Officials of the programs and activities we reviewed believed their
entities
would be negatively affected if federal laws were enacted restricting
use of
SSNs. Businesses that sell personal information and state driver
licensing
officials, however, told us that their organizations have already
voluntarily
responded to concerns about their practices for disclosing SSNs. State
tax
administrators and credit bureau officials said that federal restrictions
could hamper their ability to conduct routine internal activities. For
example, representatives of these organizations said such restrictions
could
impede credit bureaus’ ability to accurately post consumer payment and
credit transactions and state tax agencies’ ability to identify tax
filers.
Moreover, many of the officials we interviewed believed that federal
restriction of their use of SSNs would hamper their ability to conduct
data
exchanges with other organizations. Without SSNs, state tax
administrators
said, it would be difficult to associate tax return information
received from
other tax agencies with tax information reported by residents. In
addition, a
health care provider said federal restrictions on SSN use could impede
providers’ ability to track patients’ medical histories over time and
among
multiple providers. Also, AAMVA officials said federal restrictions could
hinder states’ ability to screen for applicants who try to conceal
traffic
violations they have acquired under other state licenses. Many of the
officials we interviewed said federal restrictions on their use of
SSNs could
Page 12
make it difficult for their organizations to be assured of receiving
credit
reports for the specific individuals they requested. Officials of bank
and
credit card companies said they rely heavily on credit reports to make
decisions about providing customers service on credit.
Officials of businesses that sell personal information and driver
licensing
agencies also believed that federal restrictions on SSN use could make it
difficult for others to obtain specific records from them. For
example, driver
licensing officials said that if “outsiders,” such as government and law
enforcement agencies, do not know the driver’s license number and cannot
request driver records by SSNs, these agencies can only use the driver’s
name and are more likely, therefore, to receive the records of other
people
with the same name.
Because of privacy concerns raised by disclosure of personal information,
businesses and states have become more sensitive to this issue and are
voluntarily restricting the disclosure of some personal information,
including SSNs. In December 1997, 14 businesses that sell personal
information — the self-identified industry leaders — responded to these
concerns by, among other things, voluntarily executing a written
agreement
stating their intent to restrict disclosure of SSNs associated with
data they
obtain from nonpublic sources.[10] These 14 businesses essentially agreed
to make SSNs from such sources available to only a limited range of
customers identified as having appropriate uses for the information, such
as law enforcement. The 14 organizations also agreed to annual compliance
reviews by independent contractors. When an organization fails to comply
with the agreement, the Federal Trade Commission can cite the
organization for unfair and deceptive business practices. Because the
agreement was not scheduled to be fully implemented until December 31,
1998, its effectiveness could not be determined during our review.
In addition, some states are discontinuing practices that result in
routine
disclosure of SSNs. For example, since July 1, 1997, Georgia no longer
automatically prints SSNs on licenses but rather assigns its own numbers
for driver licenses and uses SSNs as license numbers only if requested by
the license holder to do so. Ohio, which before July 29, 1998, routinely
printed SSNs along with state-assigned numbers on driver’s licenses, now
allows drivers the option of not having SSNs printed on their
licenses. Also,
Page 13
AAMVA officials believe most states in which driver records are public
now exclude SSNs when responding to requests for driver records.
Agency Comments
SSA provided technical comments on a draft copy of this report, which we
have incorporated as appropriate.
We are providing copies of this report to the Commissioner of Social
Security, officials of organizations and agencies we interviewed
concerning
their use of SSNs, and other interested congressional parties.
Copies will also be made available to others upon request. Please contact
me on (202) 512-7215 if you have any questions about this report. Other
major contributors to this report are listed in appendix III.
Sincerely yours,
Cynthia M. Fagnoni
Director, Income Security Issues
Page 14
[page 15 is blank]
CONTENTS
Letter......................................................................
...................1
Appendix
I...........................................................................
....18
Organizations and Agencies We Contacted Concerning
Their Use of Social Security Numbers
Appendix
II..........................................................................
...19
Scope and Methodology
Appendix
III.........................................................................
..21
GAO Contacts and Staff Acknowledgments
Abbreviations:
AAMVA American Association of Motor Vehicle Administrators
CDLIS Commercial Driver’s License Information System
HMO health maintenance organization
IRS Internal Revenue Service
SSA Social Security Administration
SSI Supplemental Security Income
SSN Social Security number
TANF Temporary Assistance for Needy Families
Page 16
[Page 17 is blank]
APPENDIX I
Organizations and Agencies We Contacted Concerning Their Use of Social
Security Numbers
American Association of Motor Vehicle Administrators, Arlington, VA
American Bankers Association, Washington, DC
Associated Credit Bureaus, Inc.; Washington, DC
BlueCross BlueShield Association, Washington, DC
Commonwealth of Virginia, Department of Taxation; Richmond, VA
Credit Plus Solution Group, Harrisburg, PA
Experian, Silver Spring, MD
Federation of Tax Administrators, Washington, DC
Georgia Department of Public Safety, Division of Driver Services;
Atlanta,
GA
Independent Bankers Association of America, Washington, DC
Information Industry Association, Washington, DC
Kaiser Permanente, Rockville, MD
Lexis-Nexis, Miamisburg, OH
Maryland Hospital Association, Lutherville, MD
MasterCard, Washington, DC
Mutual Fund Education Alliance, Kansas City, MO
Ohio Bureau of Motor Vehicles, Columbus, OH
State of Maryland, Comptroller of the Treasury, Revenue Administration
Division; Annapolis, MD
Wachovia Corporation, Special Services; Atlanta, GA
Washington Hospital Center, Washington, DC
Page 18
Appendix II
Scope and Methodology
We identified federal requirements and restrictions governing Social
Security numbers (SSN) by using a list prepared by the Social Security
Administration (SSA) that identified federal laws addressing SSNs. We
developed information on programs’ required uses of SSNs by interviewing
officials at the following: SSA’s Retirement, Survivors, and Disability
Insurance and Supplemental Security Income programs; the Internal
Revenue Service’s federal personal income tax program; the Department
of Health and Human Services’ Medicare, Medicaid, Temporary
Assistance for Needy Families, and Child Support Enforcement programs;
and the Department of Agriculture’s Food Stamp program.
On the basis of literature searches and interviews with Federal Trade
Commission, SSA, and other cognizant officials, we identified numerous
types of businesses and government activities and programs that use SSNs
extensively. We then selected two areas of commercial activity (the
financial services and health care services industries) and two state
government activities (personal income tax and driver licensing programs)
for a detailed examination of their SSN use. In addition, we included
in our
review the industry that gathers and sells personal information. Although
organizations in this industry do not obtain SSNs directly from the
people
they provide information about, these organizations do provide customers
personal information about individuals that may include their SSNs.
Because there are no readily available data on how extensively businesses
and states use SSNs, we selected entities that are commonly known to use
SSNs routinely and that affect a large number of the general public by
this
use. We developed information on SSN use for these entities through
interviews with officials representing the selected businesses, trade
organizations, and state programs. We obtained officials’ statements
about
the prevalence of the use of SSNs among other similar businesses and
state agencies as well as officials’ opinions about the potential
impact on
their operations if they were restricted in how they could use SSNs.
We performed our work at SSA headquarters in Baltimore, Maryland;
Washington, D.C.; and some of their suburbs and at selected other
locations including Annapolis, Maryland; Atlanta, Georgia; Harrisburg,
Pennsylvania; and Richmond, Virginia. We conducted telephone interviews
with officials in Columbus, Ohio; Boston, Massachusetts; and Kansas City,
Missouri. We selected both large and small organizations to determine if
size altered the organization’s use of SSNs or its views about the
effect of
limiting the use of SSNs.
Page 19
APPENDIX II
Scope and Methodology
Information in this report was obtained primarily through interviews
and is
not generalizable to the universe of government and business communities
of the officials we interviewed. We did not verify the accuracy of the
information provided. This report does not address SSN use for illegal
activities, such as credit card or program fraud, which are punishable
under
criminal statutes, because such an investigation was beyond the scope of
the work we were asked to do. (In May 1998, we reported to the Congress
on identity fraud, which can involve misuse of SSNs.)[11]
Page 20
APPENDIX III
GAO Contacts and Staff Acknowledgments:
GAO Contacts Barbara Bovbjerg, Associate Director, (202) 512-5491
Roland H. Miller, Assistant Director, (202) 512-7246
Jacquelyn Stewart, Evaluator-in-Charge, (202) 512-7232
Staff Acknowledgments:
The following people also made important contributions to this report:
Dennis Gehley and William Staab, Senior Evaluators, conducted work in
the health care and financial communities, and Roger Thomas, Senior
Attorney, provided legal counsel.
Ordering Information:
The first copy of each GAO report and testimony is free. Additional
copies
are $2 each. Orders should be sent to the following address, accompanied
by a check or money order made out to the Superintendent of Documents,
when necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.
Orders by mail:
U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013
or visit:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC
Orders may also be placed by calling (202) 512-6000 or by using fax
number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a
list of newly available reports and testimony. To receive facsimile
copies of
the daily list or any list from the past 30 days, please call (202)
512-6000
using a touchtone phone. A recorded menu will provide information on how
to obtain these lists.
For information on how to access GAO reports on the INTERNET, send an
e-mail message with "info" in the body to:
info@www.gao.gov
or visit GAO’s World Wide Web Home Page at:
http://www.gao.gov
PRINTED ON RECYCLED PAPER
United States
General Accounting Office
Washington, D.C. 20548-0001
Official Business
Penalty for Private Use $300
Address Correction Requested
Bulk Rate
Postage & Fees Paid
GAO
Permit No. G100
Page 21
1 Some individuals do not have an SSN either because they do not want
one or because they are ineligible to receive one. Prior to 1996, SSA
issued
an SSN to any lawful alien requesting a number. Since then, the only
noncitizens to whom SSA has issued SSNs have been those with one of two
valid nonwork reasons for needing a number. That is, the federal
government requires applicants for benefits or services under certain
federal programs to have an SSN, and states require applicants for
driver’s
licenses to have SSNs.
2 In cases in which individuals do not have SSNs or choose not to provide
them, organizations may use alternative identifiers.
3 The Internal Revenue Service (IRS) assigns permanent taxpayer
identification numbers to individuals who need identifiers for tax
purposes
but are not eligible to obtain SSNs.
4 As of July 1, 1997, the Personal Responsibility and Work Opportunity
Act replaced Aid to Families With Dependent Children with TANF.
5 See Social Security: Better Payment Controls for Benefit Reduction
Provisions Could Save Millions (GAO/HEHS-98-76, Apr. 30, 1998),
Supplemental Security Income: Opportunities Exist for Improving Payment
Accuracy (GAO/HEHS-98-75, Mar. 27, 1998), Supplemental Security
Income: Timely Data Could Prevent Millions in Overpayments to Nursing
Home Residents (GAO/HEHS-97-62, June 3, 1997), Supplemental Security
Income: SSA Efforts Fall Short in Correcting Erroneous Payments to
Prisoners (GAO/HEHS-96-152, Aug. 30, 1996), Supplemental Security
Income: Administrative and Program Savings Possible by Directly
Accessing State Data (GAO/HEHS-96-163, Aug. 29, 1996), and Social
Security: Most Social Security Death Information Accurate but
Improvements Possible (GAO/HEHS-92-11, Aug. 29, 1994).
6 States’ receipt of federal funding for TANF is contingent upon their
compliance with federal child support enforcement initiatives.
7 Information brokers are also referred to as “individual reference
services” or “look-up services.”
8 Many individuals may be included in more than one national credit
bureau’s database.
9 Since Sept. 1997, states have been required by the federal Driver
Privacy Protection Act to honor individuals’ requests that their
records not
be made available for mass distribution.
10 An official of the information industry said businesses that signed
the
agreement handle about 90 percent of the industry’s business.
11 Identity Fraud: Information on Prevalence, Cost, and Internet
Impact Is
Limited (GAO/GGD-98-100BR, May 1, 1998).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Of course, this is just my opinion. I could be wrong." Dennis Miller
http://www.geocities.com/CapitolHill/5285/connector1.html
Reality Pump: http://www.onelist.com/subscribe.cgi/Reality_Pump2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~