oversight

Social Security: Government and Commercial Use of the Social Security Number Is Widespread

Published by the Government Accountability Office on 1999-02-16.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                 United States General Accounting Office

GAO              Report to the Chairman, Subcommittee
                 on Social Security, Committee on Ways
                 and Means, House of Representatives


February 1999
                 SOCIAL SECURITY
                 Government and
                 Commercial Use of the
                 Social Security
                 Number Is Widespread




GAO/HEHS-99-28
          United States
GAO       General Accounting Office
          Washington, D.C. 20548

          Health, Education, and
          Human Services Division

          B-278798

          February 16, 1999

          The Honorable E. Clay Shaw
          Chairman, Subcommittee on Social
            Security
          Committee on Ways and Means
          House of Representatives

          Dear Mr. Chairman:

          The Social Security number (SSN) was created in 1936 as a means of
          tracking workers’ earnings and eligibility for Social Security benefits. For a
          number of reasons, most Americans have an SSN, each of which is unique
          to the individual. Today, the SSN is used for a myriad of non-Social Security
          purposes, some legal and some illegal. Both private businesses and
          government agencies frequently ask individuals for SSNs in order to comply
          with federal laws requiring these numbers or because these entities need
          the SSNs to conduct their business.

          Responding to public concerns about how organizations use SSNs and
          mounting occurrences of identity theft, sometimes involving misuse of
          SSNs, several members of the Congress have introduced bills to regulate
          the use of SSNs. To obtain information on how the SSN is currently used, the
          Subcommittee asked us to describe

      •   federal laws and regulations requiring or restricting SSN use,
      •   how extensively the private and public sectors use SSNs for purposes not
          required by federal law, and
      •   what businesses and governments believe the impact would be if federal
          laws limiting the use of SSNs were passed.

          To develop this information, we reviewed private businesses that sell
          information of a personal nature about members of the general public,
          including individuals’ SSNs; businesses involved in providing financial and
          health care services to individuals; and two large state programs that
          frequently use SSNs for administrative purposes. Appendix I contains a list
          of the organizations and agencies we contacted. For more details about
          our scope and methodology, see appendix II. We conducted our work
          between January and December 1998 in accordance with generally
          accepted government auditing standards.




          Page 1                                 GAO/HEHS-99-28 Social Security Number Use
                   B-278798




                   No single federal law regulates the overall use of SSNs. The Social Security
Results in Brief   Act, which created the Social Security programs for which the SSN was
                   developed, did not require the Social Security Administration (SSA) to
                   devise SSNs. However, once SSA created and began using SSNs to help
                   administer its programs, the Congress recognized the universal nature of
                   the SSN and subsequently enacted laws requiring SSN uses for some
                   purposes not related to Social Security. Federal laws now require that SSNs
                   be used in the administration of some programs, including the federal
                   personal income tax program; the Supplemental Security Income (SSI),
                   Medicaid, Food Stamp, and Child Support Enforcement programs; and
                   state commercial driver licensing programs. Some of these laws impose
                   restrictions on SSN use relating to the programs or activities involved. No
                   federal law, however, imposes broad restrictions on businesses’ and state
                   and local governments’ use of SSNs when that use is unrelated to a specific
                   federal requirement.

                   Businesses and governments are not limited to using SSNs only for
                   purposes required by federal law. Officials of all the organizations we
                   reviewed—businesses that sell personal information, those that offer
                   financial and health care services, and state personal income tax and
                   driver licensing agencies—routinely choose to use SSNs as a management
                   tool to conduct their business or program activities. These uses can affect
                   large numbers of people. Credit bureau and state personal income tax
                   officials, for example, said they use the SSN as a primary record identifier
                   for internal activities, such as maintaining individual consumer credit
                   histories and identifying income tax filers, whereas officials of the other
                   organizations said they generally assign their own identifiers for internal
                   activities. Officials of all the organizations we contacted said they use SSNs
                   to match records with those of other organizations to carry out the data
                   exchanges necessary to conduct their business. Data exchanges are
                   conducted for such purposes as obtaining information to assess credit
                   risk, locate assets, and ensure compliance with program rules and
                   regulations.

                   Both private business and government officials said their organizations
                   could be adversely affected if the federal government passed laws that
                   limited their use of SSNs. Credit bureau officials and state tax
                   administrators said federal restrictions could impede their ability to
                   conduct routine internal activities, such as maintaining consumer histories
                   and identifying tax filers, activities for which members of their industries
                   use the SSN as the primary record identifier. Many of the officials we
                   interviewed believed federally imposed restrictions could adversely affect



                   Page 2                                  GAO/HEHS-99-28 Social Security Number Use
             B-278798




             their organizations’ ability to conduct data exchanges with others. For
             example, health care officials said such restrictions could limit health care
             providers’ ability to track patient care among multiple providers. American
             Association of Motor Vehicle Administrators (AAMVA) officials said such
             restrictions could make it difficult for states to detect noncommercial
             drivers who were trying to conceal driving infractions under other state
             licenses. In general, credit bureau and other officials said that if credit
             reports could not be requested using SSNs, organizations would have less
             assurance of receiving information on the individuals in question.
             However, given the public’s concern about the disclosure of SSNs, some
             officials said their organizations have taken steps to limit disclosure.
             Officials of businesses that sell personal information said that as of
             December 31, 1998, some members of their industry are voluntarily
             restricting the disclosure of SSNs when they sell information, and Ohio and
             Georgia driver licensing officials said their states have discontinued
             practices that routinely disclose SSNs.


             In 1935, title II of the Social Security Act created the Social Security
Background   retirement program to pay benefits to retired workers. Subsequent federal
             laws added benefits for workers’ dependents and survivors and, later, for
             disabled workers. Workers now earn entitlement to benefits on the basis
             of the number of Social Security credits they have earned while working in
             jobs covered by Social Security. Because the act required SSA to maintain
             records of wage amounts employers report having paid to individuals, in
             1936, SSA created SSNs as a means of maintaining individual earnings
             records and issued cards to workers as records of their SSNs. The act now
             requires individuals to provide SSA their number when they apply for Social
             Security benefits. SSA uses the SSN to identify applicants’ personal earnings
             records, which contain information the agency uses to compute benefits
             payable to beneficiaries.

             Over the years, the SSN has come to be viewed by many as a national
             identifier because almost every American has an SSN, and each is unique.1
             SSA estimates that about 277 million individuals currently have SSNs.
             Furthermore, the boom in computer technology over the past several
             decades has prompted private businesses and government agencies to rely


             1
              Some individuals do not have an SSN either because they do not want one or because they are
             ineligible to receive one. Prior to 1996, SSA issued an SSN to any lawful alien requesting a number.
             Since then, the only noncitizens to whom SSA has issued SSNs have been those with one of two valid
             nonwork reasons for needing a number. That is, the federal government requires applicants for
             benefits or services under certain federal programs to have an SSN, and states require applicants for
             driver’s licenses to have SSNs.



             Page 3                                              GAO/HEHS-99-28 Social Security Number Use
                          B-278798




                          on SSNs as a way to accumulate and identify information in their databases.
                          Simply stated, the uniqueness and broad applicability of the SSN have made
                          it the identifier of choice for government agencies and private businesses,
                          both for compliance with federal requirements and for the agencies’ and
                          businesses’ own purposes.2


                          No federal law regulates overall use of SSNs. However, a number of federal
Federal Laws and          laws and regulations enacted since the 1960s require certain programs and
Regulations Require       federally funded activities to use the SSN for administrative purposes.
and Restrict Certain      These laws and regulations generally limit the use of the SSN to the
                          required purpose by explicitly prohibiting other uses or disclosures.
SSN Uses                  Federal law neither requires nor prohibits many of the public and private
                          sectors’ other uses of SSNs.


Federal Laws and          A number of federal laws and regulations require the use of the SSN as an
Regulations Require SSN   individual’s identifier to facilitate automated exchanges that help
Use in Some Public        administrators enforce compliance with federal laws, determine eligibility
                          for benefits, or both. The Internal Revenue Code and regulations, which
Programs                  govern the administration of the federal personal income tax program,
                          require that individuals’ SSNs serve as taxpayer identification numbers.3
                          This means that employers and others making payments to individuals
                          must include the individuals’ SSNs in reporting to IRS many of these
                          payments. Reportable payments include interest payments to customers,
                          wages paid to employees, dividends provided to stockholders, and
                          retirement benefits paid to individuals. Other reportable transactions
                          include purchases involving more than $10,000 in cash, such as the
                          purchase of an automobile or a boat, or mortgage interest payments
                          totaling more than $600. In addition, the Code and regulations require
                          individuals filing personal income tax returns to include their SSNs as their
                          taxpayer identification number, the SSNs of people whom they claim as
                          dependents, and the SSNs of spouses to whom they paid alimony. Using the
                          SSNs, IRS matches the information supplied by entities reporting payments
                          or other transactions with returns filed by taxpayers to monitor
                          individuals’ compliance with federal income tax laws.




                          2
                           In cases in which individuals do not have SSNs or choose not to provide them, organizations may use
                          alternative identifiers.
                          3
                          The Internal Revenue Service (IRS) assigns permanent taxpayer identification numbers to individuals
                          who need identifiers for tax purposes but are not eligible to obtain SSNs.



                          Page 4                                             GAO/HEHS-99-28 Social Security Number Use
B-278798




A number of federal laws require program administrators to use SSNs in
determining applicants’ eligibility for federally funded benefits. The Social
Security Act requires individuals to provide their SSNs in order to receive
benefits under the SSI, Food Stamp, Temporary Assistance for Needy
Families (TANF), and Medicaid programs.4 These programs provide benefits
to people with limited income and resources as well as medical care for
the needy. Applicants give program administrators information on their
income and resources, and program administrators use applicants’ SSNs to
match records with those of other organizations to verify the information.
For example, SSA uses SSNs to determine whether applicants for SSI benefits
have accurately reported their income by matching records with the
Department of Veterans Affairs, the Office of Personnel Management, and
the Railroad Retirement Board to identify any retirement or disability
payments to these applicants. In addition to using SSNs to match records
with other federal benefit-paying agencies, administrators of these
programs said they also match records with state unemployment agencies,
IRS, and employers to verify earned and unearned income, such as
unemployment benefits, wages, retirement benefits, and interest paid to
applicants. In fact, we have recommended in numerous reports that
administrators of programs paying federally funded benefits match data in
their payment files with SSA records to identify deceased beneficiaries, and
that SSA match its records with other state and federal program records to
reduce SSI payments to individuals whom the agency finds residing in
nursing homes and prisons as well as those receiving benefits under other
programs.5 Using SSNs to identify such recipients enhances program
payment controls and reduces fraud and abuse.

Another federal law that requires the use of SSNs to identify individuals is
the Commercial Motor Vehicle Safety Act of 1986. This law established the
Commercial Driver’s License Information System (CDLIS), a nationwide
database. States are required to use individuals’ SSNs to search this
database for other state-issued licenses commercial drivers may hold. This
checking is necessary because commercial drivers are limited to owning


4
As of July 1, 1997, the Personal Responsibility and Work Opportunity Act replaced Aid to Families
With Dependent Children with TANF.
5
 See Social Security: Better Payment Controls for Benefit Reduction Provisions Could Save Millions
(GAO/HEHS-98-76, Apr. 30, 1998), Supplemental Security Income: Opportunities Exist for Improving
Payment Accuracy (GAO/HEHS-98-75, Mar. 27, 1998), Supplemental Security Income: Timely Data
Could Prevent Millions in Overpayments to Nursing Home Residents (GAO/HEHS-97-62, June 3, 1997),
Supplemental Security Income: SSA Efforts Fall Short in Correcting Erroneous Payments to Prisoners
(GAO/HEHS-96-152, Aug. 30, 1996), Supplemental Security Income: Administrative and Program
Savings Possible by Directly Accessing State Data (GAO/HEHS-96-163, Aug. 29, 1996), and Social
Security: Most Social Security Death Information Accurate but Improvements Possible
(GAO/HEHS-92-11, Aug. 29, 1994).



Page 5                                             GAO/HEHS-99-28 Social Security Number Use
                    B-278798




                    one state-issued driver’s license. If a state grants a license, the state is
                    required to record the license information, including the driver’s SSN, in the
                    CDLIS. States may also use SSNs to search another database, the National
                    Driver’s Registry, to determine whether an applicant’s license has been
                    cancelled, suspended, or revoked by another state. In these situations, the
                    states use SSNs to limit the possibility of inappropriately licensing
                    applicants.

                    Federal law also requires the use of SSNs in state child support programs to
                    help states locate noncustodial parents, establish and enforce support
                    orders, and recoup state welfare payments from parents.6 The Personal
                    Responsibility and Work Opportunity Act of 1996 expanded the Federal
                    Parent Locator Service—an automated database searchable by SSN—to
                    include information helpful for tracking delinquent parents across state
                    lines. The law requires states to maintain records that include (1) SSNs for
                    individuals who owe or are owed support for cases in which the state has
                    ordered child support payments to be made, the state is providing support,
                    or both, and (2) employers’ reports of new hires identified by SSN. States
                    must transmit this information to the Federal Parent Locator Service. The
                    law also requires states to record SSNs on many other state documents,
                    such as professional, occupational, and marriage licenses; divorce
                    decrees; paternity determinations; and death certificates, and to make SSNs
                    associated with these documents available for state child support agencies
                    to use in locating and obtaining child support payments from noncustodial
                    parents.


Some Federal Laws   Federal laws that require the use of an SSN generally limit its use to the
Restrict SSN Use    statutory purposes described in each of the laws. For example, the
                    Internal Revenue Code, which requires the use of SSNs for certain
                    purposes, declares tax return information, including SSNs, to be
                    confidential and prescribes both civil and criminal penalties for
                    unauthorized disclosure. Similarly, the Social Security Act, which requires
                    the use of SSNs for a number of different purposes, declares that SSNs
                    obtained or maintained by authorized individuals on or after October 1,
                    1990, are confidential and prohibits their disclosure. The Personal
                    Responsibility and Work Opportunity Act of 1996 explicitly restricts the
                    use of SSNs to purposes set out in the act, such as locating absentee
                    parents to enforce child support payments.



                    6
                     States’ receipt of federal funding for TANF is contingent upon their compliance with federal child
                    support enforcement initiatives.



                    Page 6                                               GAO/HEHS-99-28 Social Security Number Use
                       B-278798




                       In addition to the restrictions contained in laws that require the use of
                       SSNs, the Privacy Act of 1974 also restricts federal agencies in collecting
                       and disclosing personal information, which includes SSNs. The act requires
                       federal agencies that collect information from individuals to inform the
                       individuals of the agencies’ authority for requesting the information,
                       whether providing the information is optional or mandatory, and how the
                       agencies plan to use the information. The act, which also prohibits federal
                       agencies from disclosing information without the individuals’ consent,
                       does not apply to other levels of government and private businesses.

                       Except as discussed above, federal law does not regulate the use of SSNs.
                       Thus, legitimate businesses and nonfederal agencies have devised uses of
                       SSNs not covered by federal law, as discussed in the following section.



                       The advent of computerized record keeping has led private businesses and
Businesses and         government agencies to routinely use SSNs for activities other than those
Governments Use        required by federal laws and regulations. Businesses and government
SSNs Extensively       agencies may ask for SSNs when individuals apply for benefits or services,
                       such as worker’s compensation, driver’s licenses, credit, checking
                       accounts, insurance, apartment rentals, and public utilities. Law
                       enforcement agencies may also use SSNs for investigative purposes.

                       Because there are so many users of the SSN, we focused on describing SSN
                       use by organizations that routinely use these numbers for activities that
                       affect a large number of people: organizations that sell personal
                       information, provide financial services, and offer health care services and
                       state government agencies that are responsible for collecting personal
                       income tax and licensing drivers. In general, organizations may record SSNs
                       in their databases for two purposes: to locate records for routine internal
                       activities, such as maintaining and updating account information, and,
                       more frequently, to facilitate information exchanges with other
                       organizations.


Businesses That Sell   Continuing advances in computer technology and the ready availability of
Personal Information   computerized data have spurred the growth of a new business activity:
                       amassing vast amounts of personal information, including SSNs, about
                       members of the public for resale. Businesses involved in this activity act as
                       information brokers.7 One information broker official told us his
                       organization has more than 12,000 discrete databases. The increasing

                       7
                        Information brokers are also referred to as “individual reference services” or “look-up services.”



                       Page 7                                               GAO/HEHS-99-28 Social Security Number Use
B-278798




proliferation of information brokers has aroused concerns about
individuals’ personal identifying information, including SSNs, being made
easily available to others. Federal law does not prohibit such disclosure of
SSNs.


Brokers buy information from public and private sources in various
markets throughout the nation. The information may include public
records of bankruptcy, tax liens, civil judgments, criminal histories,
deaths, real estate ownership, driving histories, voter registration, and
professional licenses. This information may also include privately owned
information such as telephone directories and copyrighted publications,
which are often made public, and certain information from consumer
credit reports. Generally, each record provides details about the specific
event for which it was created as well as some personal identifying
data—for example, an individual’s name; date of birth; current and prior
addresses; telephone number; and, sometimes, SSN. An information broker
official told us that not every record his organization buys includes an SSN
and that public records are more likely to contain SSNs than those from
nonpublic sources.

Brokers may provide their services (that is, information products) to a
variety of customers either over private networks or over the Internet.
Brokers that provide information over private networks generally limit
their services to businesses that establish accounts with them. Brokers
providing services over the Internet generally offer their services to the
public at large. Law firms, businesses, law enforcement agencies, research
organizations, and individuals are among those who use brokers’ services.
For example, lawyers, debt collectors, and private investigators may
request information on an individual’s bank accounts and real estate
holdings for use in civil or divorce proceedings; automobile insurers may
want information on whether insurance applicants have been involved in
accidents or have been issued traffic citations; employers may want
background checks on new hires; pension plan administrators may want
information to locate pension beneficiaries; and individuals may ask for
information to help locate birth parents. When requesting information,
customers may ask for nationwide database searches or searches of only
specific geographical areas.

Information brokers’ databases can be searched by identifiers that may
include SSNs; brokers may also include SSNs along with information they
provide customers. When possible, information brokers retrieve data by




Page 8                                 GAO/HEHS-99-28 Social Security Number Use
                       B-278798




                       SSNbecause it is more likely to produce records unique to the individual
                       than other identifiers are.


Financial Services     Three national credit bureaus serve as clearinghouses, receiving charge
Businesses             and payment transaction information from businesses that grant consumer
                       credit and providing businesses consumer credit reports. Officials
                       representing a bank and a credit card company—businesses that provide
                       credit—told us that because it serves their interests for credit bureaus to
                       have the most to up-to-date consumer payment histories, businesses in
                       their industries voluntarily report customers’ charge and payment
                       transactions, accompanied by SSNs, to credit bureaus. SSNs are one of the
                       principal identifiers credit bureaus use to update individuals’ credit
                       records with the monthly reports of credit and payment activity creditors
                       send them. In addition, credit bureaus use SSNs provided by customers to
                       retrieve credit reports on individuals. Credit bureau officials told us that
                       customers are not required to provide SSNs when requesting reports, but
                       requests without SSNs need to include enough information to sufficiently
                       identify the individual. An official for a credit bureau trade association
                       estimated that each national credit bureau has more than 180 million
                       credit records.8 A publication by this official’s trade association estimated
                       that, combined, all three bureaus sell 600 million credit reports annually.

                       Businesses such as insurance companies, collection agencies, and credit
                       granters use SSNs to request information about customers from credit
                       bureaus. To determine a customer’s likelihood of repaying a loan,
                       businesses—banks and credit card companies in particular—want
                       information on customers’ histories of repaying debts and whether
                       customers have filed for bankruptcy or have monetary judgments against
                       them, such as tax liens. Officials representing credit granters said most
                       banks and credit card companies ask applicants to provide their SSNs, and
                       these credit granters may choose to deny services to individuals who
                       refuse. These officials said their organizations generally do not use SSNs as
                       internal identifiers but instead assign an account number as a customer’s
                       primary identifier.


Health Care Services   Health care services are generally delivered through a coordinated system
Organizations          that includes health care providers and insurers. Officials representing
                       hospitals, a health maintenance organization (HMO), and a health insurance


                       8
                        Many individuals may be included in more than one national credit bureau’s database.



                       Page 9                                             GAO/HEHS-99-28 Social Security Number Use
                 B-278798




                 trade association told us that their organizations always ask for an SSN, but
                 they do not deny services if a patient refuses to provide the number.

                 A hospital and an HMO official said that their organizations assign patients
                 other identifying numbers, which they use internally as primary identifiers
                 for patient medical records, and that they use SSNs as a backup to identify
                 records when a patient either forgets or does not know the patient number
                 he or she was assigned. The HMO official said SSNs are also used to
                 integrate patients’ records when providers merge, a trend that is growing.
                 In data exchanges, hospital and HMO officials said they use SSNs to track
                 patients’ medical care across multiple providers, which helps establish the
                 patients’ medical history and avoid duplicate tests.

                 A trade association official told us that some health insurers use the SSN or
                 a variation of the number as a primary identifier, which becomes the
                 customer’s insurance number. We were told that the BlueCross BlueShield
                 health insurance plans and the Medicare program frequently use this
                 method. In addition, the trade association official said insurers and
                 providers frequently match records among themselves, using SSNs to
                 determine whether individuals have other insurance to coordinate
                 payment of insurance benefits.

                 Officials in the health care industry expect their use of SSNs to increase.
                 For example, the hospital official said that to ensure it has a valid address
                 to bill patients, her hospital plans to use SSNs during the admission process
                 to obtain on-line verification of patients’ addresses from credit bureaus.


State Agencies   The states use SSNs to support state government operations and offer
                 services to residents. The Social Security Act authorizes states to use SSNs
                 to administer any tax, general public assistance, driver’s license, or motor
                 vehicle registration law in order to identify individuals affected by such
                 laws. Officials of the Maryland and Virginia personal income tax and Ohio
                 and Georgia driver licensing programs told us that they use SSNs in both
                 administering these programs and enforcing compliance with regulations
                 governing the programs.

                 State income tax administrators routinely use the SSN as a primary
                 identifier in their programs. An official from an organization representing
                 state tax administrators said that all states levying personal income taxes
                 use SSNs to administer their programs. Tax officials said that states use
                 SSNs to make state tax systems compatible with the federal system and to




                 Page 10                                GAO/HEHS-99-28 Social Security Number Use
B-278798




reduce taxpayer reporting burden. Maryland and Virginia tax
administrators told us their state tax returns require individuals to provide
their SSNs, and individuals who omit SSNs risk being considered nonfilers if
tax administrators cannot otherwise identify the submitter of the return.

Tax administrators also use SSNs internally for auditing purposes. For
example, tax administration officials said they use SSNs to cross-reference
owners’ or officers’ business income tax returns with their personal
income tax returns so that an audit of one triggers an audit of the other.
Also, in the course of monitoring compliance with state income tax laws,
states use SSNs to exchange data with other organizations. For example, in
order to monitor taxpayer income reporting, states rely on SSNs for data
matches with IRS and state tax agencies to identify residents who received
income from out-of-state employers and businesses and to verify credits
for income taxes that filers report paying to other states. Also, when tax
administrators assess liens against taxpayers, states may use SSNs to
request information from information brokers and credit bureaus to
identify taxpayer assets, such as bank accounts and real estate. In
addition, federal and state agencies, such as IRS and state child support
agencies, use SSNs when asking state tax administrators to offset state
refunds otherwise due to taxpayers.

State driver licensing agencies are more likely to use SSNs to exchange data
with other organizations than to support internal activities. A few states
print SSNs on licenses and use the SSNs either as license numbers or along
with the state-assigned license numbers. Most state driver licensing
agencies that request SSNs, however, include SSNs in driver records as a
secondary identifier and devise their own license numbers. Information
from the AAMVA and other sources suggests that many states request, but
may not require, applicants for noncommercial driver’s licenses to provide
their SSNs. AAMVA officials estimate that there are about 175 million
noncommercial drivers nationwide.

To monitor driver compliance with state laws, state officials said they use
SSNs during the licensing process to search national databases maintained
by AAMVA to identify driver’s licenses the applicant may hold in other states
and determine whether the applicant has had a license suspended or
revoked in another state. These officials also told us that organizations
such as the courts and law enforcement agencies may choose to request
driver records by SSN when they do not know the driver’s license number.




Page 11                                GAO/HEHS-99-28 Social Security Number Use
                      B-278798




                      AAMVA officials expect states’ use of SSNs to increase as the result of a
                      recent federal law. Effective October 1, 2000, the Illegal Immigration
                      Reform and Immigrant Responsibility Act of 1996 prohibits federal
                      agencies from accepting state-issued driver’s licenses as proof of
                      identification, unless licenses satisfy federal requirements set out in the
                      act. Specifically, states must either verify a driver’s SSN with SSA and record
                      the number in their database or display the number, visually or
                      electronically, on the license.

                      States’ practices for disclosing SSNs contained in driver records vary. In
                      states in which driver records are public information, states may disclose
                      SSNs to individuals and organizations such as credit card companies, direct
                      marketers, and credit bureaus.9 For example, Massachusetts driver
                      licensing officials told us that their driver records are public and that the
                      state includes individuals’ license numbers (usually the SSN) when
                      providing information to organizations or people requesting driver
                      records.


                      Officials of the programs and activities we reviewed believed their entities
Business and State    would be negatively affected if federal laws were enacted restricting use of
Officials Believe     SSNs. Businesses that sell personal information and state driver licensing

Federal Laws          officials, however, told us that their organizations have already voluntarily
                      responded to concerns about their practices for disclosing SSNs. State tax
Restricting Uses of   administrators and credit bureau officials said that federal restrictions
SSNs Would Have a     could hamper their ability to conduct routine internal activities. For
                      example, representatives of these organizations said such restrictions
Negative Impact       could impede credit bureaus’ ability to accurately post consumer payment
                      and credit transactions and state tax agencies’ ability to identify tax filers.
                      Moreover, many of the officials we interviewed believed that federal
                      restriction of their use of SSNs would hamper their ability to conduct data
                      exchanges with other organizations. Without SSNs, state tax administrators
                      said, it would be difficult to associate tax return information received from
                      other tax agencies with tax information reported by residents. In addition,
                      a health care provider said federal restrictions on SSN use could impede
                      providers’ ability to track patients’ medical histories over time and among
                      multiple providers. Also, AAMVA officials said federal restrictions could
                      hinder states’ ability to screen for applicants who try to conceal traffic
                      violations they have acquired under other state licenses. Many of the
                      officials we interviewed said federal restrictions on their use of SSNs could

                      9
                       Since Sept. 1997, states have been required by the federal Driver Privacy Protection Act to honor
                      individuals’ requests that their records not be made available for mass distribution.



                      Page 12                                             GAO/HEHS-99-28 Social Security Number Use
B-278798




make it difficult for their organizations to be assured of receiving credit
reports for the specific individuals they requested. Officials of bank and
credit card companies said they rely heavily on credit reports to make
decisions about providing customers service on credit.

Officials of businesses that sell personal information and driver licensing
agencies also believed that federal restrictions on SSN use could make it
difficult for others to obtain specific records from them. For example,
driver licensing officials said that if “outsiders,” such as government and
law enforcement agencies, do not know the driver’s license number and
cannot request driver records by SSNs, these agencies can only use the
driver’s name and are more likely, therefore, to receive the records of
other people with the same name.

Because of privacy concerns raised by disclosure of personal information,
businesses and states have become more sensitive to this issue and are
voluntarily restricting the disclosure of some personal information,
including SSNs. In December 1997, 14 businesses that sell personal
information—the self-identified industry leaders—responded to these
concerns by, among other things, voluntarily executing a written
agreement stating their intent to restrict disclosure of SSNs associated with
data they obtain from nonpublic sources.10 These 14 businesses essentially
agreed to make SSNs from such sources available to only a limited range of
customers identified as having appropriate uses for the information, such
as law enforcement. The 14 organizations also agreed to annual
compliance reviews by independent contractors. When an organization
fails to comply with the agreement, the Federal Trade Commission can
cite the organization for unfair and deceptive business practices. Because
the agreement was not scheduled to be fully implemented until
December 31, 1998, its effectiveness could not be determined during our
review.

In addition, some states are discontinuing practices that result in routine
disclosure of SSNs. For example, since July 1, 1997, Georgia no longer
automatically prints SSNs on licenses but rather assigns its own numbers
for driver licenses and uses SSNs as license numbers only if requested by
the license holder to do so. Ohio, which before July 29, 1998, routinely
printed SSNs along with state-assigned numbers on driver’s licenses, now
allows drivers the option of not having SSNs printed on their licenses. Also,



10
 An official of the information industry said businesses that signed the agreement handle about
90 percent of the industry’s business.



Page 13                                             GAO/HEHS-99-28 Social Security Number Use
                  B-278798




                  AAMVA officials believe most states in which driver records are public now
                  exclude SSNs when responding to requests for driver records.


                  SSA provided technical comments on a draft copy of this report, which we
Agency Comments   have incorporated as appropriate.


                  We are providing copies of this report to the Commissioner of Social
                  Security, officials of organizations and agencies we interviewed
                  concerning their use of SSNs, and other interested congressional parties.
                  Copies will also be made available to others upon request. Please contact
                  me on (202) 512-7215 if you have any questions about this report. Other
                  major contributors to this report are listed in appendix III.

                  Sincerely yours,




                  Cynthia M. Fagnoni
                  Director, Income Security Issues




                  Page 14                               GAO/HEHS-99-28 Social Security Number Use
Page 15   GAO/HEHS-99-28 Social Security Number Use
Contents



Letter                                                                                           1


Appendix I                                                                                      18
Organizations and
Agencies We
Contacted Concerning
Their Use of Social
Security Numbers
Appendix II                                                                                     19
Scope and
Methodology
Appendix III                                                                                    21
GAO Contacts and
Staff
Acknowledgments




                       Abbreviations

                       AAMVA     American Association of Motor Vehicle Administrators
                       CDLIS     Commercial Driver’s License Information System
                       HMO       health maintenance organization
                       IRS       Internal Revenue Service
                       SSA       Social Security Administration
                       SSI       Supplemental Security Income
                       SSN       Social Security number
                       TANF      Temporary Assistance for Needy Families


                       Page 16                            GAO/HEHS-99-28 Social Security Number Use
Page 17   GAO/HEHS-99-28 Social Security Number Use
Appendix I

Organizations and Agencies We Contacted
Concerning Their Use of Social Security
Numbers
              American Association of Motor Vehicle Administrators, Arlington, VA
              American Bankers Association, Washington, DC
              Associated Credit Bureaus, Inc.; Washington, DC
              BlueCross BlueShield Association, Washington, DC
              Commonwealth of Virginia, Department of Taxation; Richmond, VA
              Credit Plus Solution Group, Harrisburg, PA
              Experian, Silver Spring, MD
              Federation of Tax Administrators, Washington, DC
              Georgia Department of Public Safety, Division of Driver Services;
                Atlanta, GA
              Independent Bankers Association of America, Washington, DC
              Information Industry Association, Washington, DC
              Kaiser Permanente, Rockville, MD
              Lexis-Nexis, Miamisburg, OH
              Maryland Hospital Association, Lutherville, MD
              MasterCard, Washington, DC
              Mutual Fund Education Alliance, Kansas City, MO
              Ohio Bureau of Motor Vehicles, Columbus, OH
              State of Maryland, Comptroller of the Treasury, Revenue Administration
                Division; Annapolis, MD
              Wachovia Corporation, Special Services; Atlanta, GA
              Washington Hospital Center, Washington, DC




              Page 18                              GAO/HEHS-99-28 Social Security Number Use
Appendix II

Scope and Methodology


              We identified federal requirements and restrictions governing Social
              Security numbers (SSN) by using a list prepared by the Social Security
              Administration (SSA) that identified federal laws addressing SSNs. We
              developed information on programs’ required uses of SSNs by interviewing
              officials at the following: SSA’s Retirement, Survivors, and Disability
              Insurance and Supplemental Security Income programs; the Internal
              Revenue Service’s federal personal income tax program; the Department
              of Health and Human Services’ Medicare, Medicaid, Temporary Assistance
              for Needy Families, and Child Support Enforcement programs; and the
              Department of Agriculture’s Food Stamp program.

              On the basis of literature searches and interviews with Federal Trade
              Commission, SSA, and other cognizant officials, we identified numerous
              types of businesses and government activities and programs that use SSNs
              extensively. We then selected two areas of commercial activity (the
              financial services and health care services industries) and two state
              government activities (personal income tax and driver licensing programs)
              for a detailed examination of their SSN use. In addition, we included in our
              review the industry that gathers and sells personal information. Although
              organizations in this industry do not obtain SSNs directly from the people
              they provide information about, these organizations do provide customers
              personal information about individuals that may include their SSNs.
              Because there are no readily available data on how extensively businesses
              and states use SSNs, we selected entities that are commonly known to use
              SSNs routinely and that affect a large number of the general public by this
              use. We developed information on SSN use for these entities through
              interviews with officials representing the selected businesses, trade
              organizations, and state programs. We obtained officials’ statements about
              the prevalence of the use of SSNs among other similar businesses and state
              agencies as well as officials’ opinions about the potential impact on their
              operations if they were restricted in how they could use SSNs.

              We performed our work at SSA headquarters in Baltimore, Maryland;
              Washington, D.C.; and some of their suburbs and at selected other
              locations including Annapolis, Maryland; Atlanta, Georgia; Harrisburg,
              Pennsylvania; and Richmond, Virginia. We conducted telephone interviews
              with officials in Columbus, Ohio; Boston, Massachusetts; and Kansas City,
              Missouri. We selected both large and small organizations to determine if
              size altered the organization’s use of SSNs or its views about the effect of
              limiting the use of SSNs.




              Page 19                               GAO/HEHS-99-28 Social Security Number Use
Appendix II
Scope and Methodology




Information in this report was obtained primarily through interviews and
is not generalizable to the universe of government and business
communities of the officials we interviewed. We did not verify the
accuracy of the information provided. This report does not address SSN use
for illegal activities, such as credit card or program fraud, which are
punishable under criminal statutes, because such an investigation was
beyond the scope of the work we were asked to do. (In May 1998, we
reported to the Congress on identity fraud, which can involve misuse of
SSNs.)11




11
 Identity Fraud: Information on Prevalence, Cost, and Internet Impact Is Limited
(GAO/GGD-98-100BR, May 1, 1998).



Page 20                                            GAO/HEHS-99-28 Social Security Number Use
Appendix III

GAO Contacts and Staff Acknowledgments


                  Barbara Bovbjerg, Associate Director, (202) 512-5491
GAO Contacts      Roland H. Miller, Assistant Director, (202) 512-7246
                  Jacquelyn Stewart, Evaluator-in-Charge, (202) 512-7232


                  The following people also made important contributions to this report:
Staff             Dennis Gehley and William Staab, Senior Evaluators, conducted work in
Acknowledgments   the health care and financial communities, and Roger Thomas, Senior
                  Attorney, provided legal counsel.




(207023)          Page 21                              GAO/HEHS-99-28 Social Security Number Use
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested