United States General Accounting Office GAO Report to the Chairman, Subcommittee on Social Security, Committee on Ways and Means, House of Representatives February 1999 SOCIAL SECURITY Government and Commercial Use of the Social Security Number Is Widespread GAO/HEHS-99-28 United States GAO General Accounting Office Washington, D.C. 20548 Health, Education, and Human Services Division B-278798 February 16, 1999 The Honorable E. Clay Shaw Chairman, Subcommittee on Social Security Committee on Ways and Means House of Representatives Dear Mr. Chairman: The Social Security number (SSN) was created in 1936 as a means of tracking workers’ earnings and eligibility for Social Security benefits. For a number of reasons, most Americans have an SSN, each of which is unique to the individual. Today, the SSN is used for a myriad of non-Social Security purposes, some legal and some illegal. Both private businesses and government agencies frequently ask individuals for SSNs in order to comply with federal laws requiring these numbers or because these entities need the SSNs to conduct their business. Responding to public concerns about how organizations use SSNs and mounting occurrences of identity theft, sometimes involving misuse of SSNs, several members of the Congress have introduced bills to regulate the use of SSNs. To obtain information on how the SSN is currently used, the Subcommittee asked us to describe • federal laws and regulations requiring or restricting SSN use, • how extensively the private and public sectors use SSNs for purposes not required by federal law, and • what businesses and governments believe the impact would be if federal laws limiting the use of SSNs were passed. To develop this information, we reviewed private businesses that sell information of a personal nature about members of the general public, including individuals’ SSNs; businesses involved in providing financial and health care services to individuals; and two large state programs that frequently use SSNs for administrative purposes. Appendix I contains a list of the organizations and agencies we contacted. For more details about our scope and methodology, see appendix II. We conducted our work between January and December 1998 in accordance with generally accepted government auditing standards. Page 1 GAO/HEHS-99-28 Social Security Number Use B-278798 No single federal law regulates the overall use of SSNs. The Social Security Results in Brief Act, which created the Social Security programs for which the SSN was developed, did not require the Social Security Administration (SSA) to devise SSNs. However, once SSA created and began using SSNs to help administer its programs, the Congress recognized the universal nature of the SSN and subsequently enacted laws requiring SSN uses for some purposes not related to Social Security. Federal laws now require that SSNs be used in the administration of some programs, including the federal personal income tax program; the Supplemental Security Income (SSI), Medicaid, Food Stamp, and Child Support Enforcement programs; and state commercial driver licensing programs. Some of these laws impose restrictions on SSN use relating to the programs or activities involved. No federal law, however, imposes broad restrictions on businesses’ and state and local governments’ use of SSNs when that use is unrelated to a specific federal requirement. Businesses and governments are not limited to using SSNs only for purposes required by federal law. Officials of all the organizations we reviewed—businesses that sell personal information, those that offer financial and health care services, and state personal income tax and driver licensing agencies—routinely choose to use SSNs as a management tool to conduct their business or program activities. These uses can affect large numbers of people. Credit bureau and state personal income tax officials, for example, said they use the SSN as a primary record identifier for internal activities, such as maintaining individual consumer credit histories and identifying income tax filers, whereas officials of the other organizations said they generally assign their own identifiers for internal activities. Officials of all the organizations we contacted said they use SSNs to match records with those of other organizations to carry out the data exchanges necessary to conduct their business. Data exchanges are conducted for such purposes as obtaining information to assess credit risk, locate assets, and ensure compliance with program rules and regulations. Both private business and government officials said their organizations could be adversely affected if the federal government passed laws that limited their use of SSNs. Credit bureau officials and state tax administrators said federal restrictions could impede their ability to conduct routine internal activities, such as maintaining consumer histories and identifying tax filers, activities for which members of their industries use the SSN as the primary record identifier. Many of the officials we interviewed believed federally imposed restrictions could adversely affect Page 2 GAO/HEHS-99-28 Social Security Number Use B-278798 their organizations’ ability to conduct data exchanges with others. For example, health care officials said such restrictions could limit health care providers’ ability to track patient care among multiple providers. American Association of Motor Vehicle Administrators (AAMVA) officials said such restrictions could make it difficult for states to detect noncommercial drivers who were trying to conceal driving infractions under other state licenses. In general, credit bureau and other officials said that if credit reports could not be requested using SSNs, organizations would have less assurance of receiving information on the individuals in question. However, given the public’s concern about the disclosure of SSNs, some officials said their organizations have taken steps to limit disclosure. Officials of businesses that sell personal information said that as of December 31, 1998, some members of their industry are voluntarily restricting the disclosure of SSNs when they sell information, and Ohio and Georgia driver licensing officials said their states have discontinued practices that routinely disclose SSNs. In 1935, title II of the Social Security Act created the Social Security Background retirement program to pay benefits to retired workers. Subsequent federal laws added benefits for workers’ dependents and survivors and, later, for disabled workers. Workers now earn entitlement to benefits on the basis of the number of Social Security credits they have earned while working in jobs covered by Social Security. Because the act required SSA to maintain records of wage amounts employers report having paid to individuals, in 1936, SSA created SSNs as a means of maintaining individual earnings records and issued cards to workers as records of their SSNs. The act now requires individuals to provide SSA their number when they apply for Social Security benefits. SSA uses the SSN to identify applicants’ personal earnings records, which contain information the agency uses to compute benefits payable to beneficiaries. Over the years, the SSN has come to be viewed by many as a national identifier because almost every American has an SSN, and each is unique.1 SSA estimates that about 277 million individuals currently have SSNs. Furthermore, the boom in computer technology over the past several decades has prompted private businesses and government agencies to rely 1 Some individuals do not have an SSN either because they do not want one or because they are ineligible to receive one. Prior to 1996, SSA issued an SSN to any lawful alien requesting a number. Since then, the only noncitizens to whom SSA has issued SSNs have been those with one of two valid nonwork reasons for needing a number. That is, the federal government requires applicants for benefits or services under certain federal programs to have an SSN, and states require applicants for driver’s licenses to have SSNs. Page 3 GAO/HEHS-99-28 Social Security Number Use B-278798 on SSNs as a way to accumulate and identify information in their databases. Simply stated, the uniqueness and broad applicability of the SSN have made it the identifier of choice for government agencies and private businesses, both for compliance with federal requirements and for the agencies’ and businesses’ own purposes.2 No federal law regulates overall use of SSNs. However, a number of federal Federal Laws and laws and regulations enacted since the 1960s require certain programs and Regulations Require federally funded activities to use the SSN for administrative purposes. and Restrict Certain These laws and regulations generally limit the use of the SSN to the required purpose by explicitly prohibiting other uses or disclosures. SSN Uses Federal law neither requires nor prohibits many of the public and private sectors’ other uses of SSNs. Federal Laws and A number of federal laws and regulations require the use of the SSN as an Regulations Require SSN individual’s identifier to facilitate automated exchanges that help Use in Some Public administrators enforce compliance with federal laws, determine eligibility for benefits, or both. The Internal Revenue Code and regulations, which Programs govern the administration of the federal personal income tax program, require that individuals’ SSNs serve as taxpayer identification numbers.3 This means that employers and others making payments to individuals must include the individuals’ SSNs in reporting to IRS many of these payments. Reportable payments include interest payments to customers, wages paid to employees, dividends provided to stockholders, and retirement benefits paid to individuals. Other reportable transactions include purchases involving more than $10,000 in cash, such as the purchase of an automobile or a boat, or mortgage interest payments totaling more than $600. In addition, the Code and regulations require individuals filing personal income tax returns to include their SSNs as their taxpayer identification number, the SSNs of people whom they claim as dependents, and the SSNs of spouses to whom they paid alimony. Using the SSNs, IRS matches the information supplied by entities reporting payments or other transactions with returns filed by taxpayers to monitor individuals’ compliance with federal income tax laws. 2 In cases in which individuals do not have SSNs or choose not to provide them, organizations may use alternative identifiers. 3 The Internal Revenue Service (IRS) assigns permanent taxpayer identification numbers to individuals who need identifiers for tax purposes but are not eligible to obtain SSNs. Page 4 GAO/HEHS-99-28 Social Security Number Use B-278798 A number of federal laws require program administrators to use SSNs in determining applicants’ eligibility for federally funded benefits. The Social Security Act requires individuals to provide their SSNs in order to receive benefits under the SSI, Food Stamp, Temporary Assistance for Needy Families (TANF), and Medicaid programs.4 These programs provide benefits to people with limited income and resources as well as medical care for the needy. Applicants give program administrators information on their income and resources, and program administrators use applicants’ SSNs to match records with those of other organizations to verify the information. For example, SSA uses SSNs to determine whether applicants for SSI benefits have accurately reported their income by matching records with the Department of Veterans Affairs, the Office of Personnel Management, and the Railroad Retirement Board to identify any retirement or disability payments to these applicants. In addition to using SSNs to match records with other federal benefit-paying agencies, administrators of these programs said they also match records with state unemployment agencies, IRS, and employers to verify earned and unearned income, such as unemployment benefits, wages, retirement benefits, and interest paid to applicants. In fact, we have recommended in numerous reports that administrators of programs paying federally funded benefits match data in their payment files with SSA records to identify deceased beneficiaries, and that SSA match its records with other state and federal program records to reduce SSI payments to individuals whom the agency finds residing in nursing homes and prisons as well as those receiving benefits under other programs.5 Using SSNs to identify such recipients enhances program payment controls and reduces fraud and abuse. Another federal law that requires the use of SSNs to identify individuals is the Commercial Motor Vehicle Safety Act of 1986. This law established the Commercial Driver’s License Information System (CDLIS), a nationwide database. States are required to use individuals’ SSNs to search this database for other state-issued licenses commercial drivers may hold. This checking is necessary because commercial drivers are limited to owning 4 As of July 1, 1997, the Personal Responsibility and Work Opportunity Act replaced Aid to Families With Dependent Children with TANF. 5 See Social Security: Better Payment Controls for Benefit Reduction Provisions Could Save Millions (GAO/HEHS-98-76, Apr. 30, 1998), Supplemental Security Income: Opportunities Exist for Improving Payment Accuracy (GAO/HEHS-98-75, Mar. 27, 1998), Supplemental Security Income: Timely Data Could Prevent Millions in Overpayments to Nursing Home Residents (GAO/HEHS-97-62, June 3, 1997), Supplemental Security Income: SSA Efforts Fall Short in Correcting Erroneous Payments to Prisoners (GAO/HEHS-96-152, Aug. 30, 1996), Supplemental Security Income: Administrative and Program Savings Possible by Directly Accessing State Data (GAO/HEHS-96-163, Aug. 29, 1996), and Social Security: Most Social Security Death Information Accurate but Improvements Possible (GAO/HEHS-92-11, Aug. 29, 1994). Page 5 GAO/HEHS-99-28 Social Security Number Use B-278798 one state-issued driver’s license. If a state grants a license, the state is required to record the license information, including the driver’s SSN, in the CDLIS. States may also use SSNs to search another database, the National Driver’s Registry, to determine whether an applicant’s license has been cancelled, suspended, or revoked by another state. In these situations, the states use SSNs to limit the possibility of inappropriately licensing applicants. Federal law also requires the use of SSNs in state child support programs to help states locate noncustodial parents, establish and enforce support orders, and recoup state welfare payments from parents.6 The Personal Responsibility and Work Opportunity Act of 1996 expanded the Federal Parent Locator Service—an automated database searchable by SSN—to include information helpful for tracking delinquent parents across state lines. The law requires states to maintain records that include (1) SSNs for individuals who owe or are owed support for cases in which the state has ordered child support payments to be made, the state is providing support, or both, and (2) employers’ reports of new hires identified by SSN. States must transmit this information to the Federal Parent Locator Service. The law also requires states to record SSNs on many other state documents, such as professional, occupational, and marriage licenses; divorce decrees; paternity determinations; and death certificates, and to make SSNs associated with these documents available for state child support agencies to use in locating and obtaining child support payments from noncustodial parents. Some Federal Laws Federal laws that require the use of an SSN generally limit its use to the Restrict SSN Use statutory purposes described in each of the laws. For example, the Internal Revenue Code, which requires the use of SSNs for certain purposes, declares tax return information, including SSNs, to be confidential and prescribes both civil and criminal penalties for unauthorized disclosure. Similarly, the Social Security Act, which requires the use of SSNs for a number of different purposes, declares that SSNs obtained or maintained by authorized individuals on or after October 1, 1990, are confidential and prohibits their disclosure. The Personal Responsibility and Work Opportunity Act of 1996 explicitly restricts the use of SSNs to purposes set out in the act, such as locating absentee parents to enforce child support payments. 6 States’ receipt of federal funding for TANF is contingent upon their compliance with federal child support enforcement initiatives. Page 6 GAO/HEHS-99-28 Social Security Number Use B-278798 In addition to the restrictions contained in laws that require the use of SSNs, the Privacy Act of 1974 also restricts federal agencies in collecting and disclosing personal information, which includes SSNs. The act requires federal agencies that collect information from individuals to inform the individuals of the agencies’ authority for requesting the information, whether providing the information is optional or mandatory, and how the agencies plan to use the information. The act, which also prohibits federal agencies from disclosing information without the individuals’ consent, does not apply to other levels of government and private businesses. Except as discussed above, federal law does not regulate the use of SSNs. Thus, legitimate businesses and nonfederal agencies have devised uses of SSNs not covered by federal law, as discussed in the following section. The advent of computerized record keeping has led private businesses and Businesses and government agencies to routinely use SSNs for activities other than those Governments Use required by federal laws and regulations. Businesses and government SSNs Extensively agencies may ask for SSNs when individuals apply for benefits or services, such as worker’s compensation, driver’s licenses, credit, checking accounts, insurance, apartment rentals, and public utilities. Law enforcement agencies may also use SSNs for investigative purposes. Because there are so many users of the SSN, we focused on describing SSN use by organizations that routinely use these numbers for activities that affect a large number of people: organizations that sell personal information, provide financial services, and offer health care services and state government agencies that are responsible for collecting personal income tax and licensing drivers. In general, organizations may record SSNs in their databases for two purposes: to locate records for routine internal activities, such as maintaining and updating account information, and, more frequently, to facilitate information exchanges with other organizations. Businesses That Sell Continuing advances in computer technology and the ready availability of Personal Information computerized data have spurred the growth of a new business activity: amassing vast amounts of personal information, including SSNs, about members of the public for resale. Businesses involved in this activity act as information brokers.7 One information broker official told us his organization has more than 12,000 discrete databases. The increasing 7 Information brokers are also referred to as “individual reference services” or “look-up services.” Page 7 GAO/HEHS-99-28 Social Security Number Use B-278798 proliferation of information brokers has aroused concerns about individuals’ personal identifying information, including SSNs, being made easily available to others. Federal law does not prohibit such disclosure of SSNs. Brokers buy information from public and private sources in various markets throughout the nation. The information may include public records of bankruptcy, tax liens, civil judgments, criminal histories, deaths, real estate ownership, driving histories, voter registration, and professional licenses. This information may also include privately owned information such as telephone directories and copyrighted publications, which are often made public, and certain information from consumer credit reports. Generally, each record provides details about the specific event for which it was created as well as some personal identifying data—for example, an individual’s name; date of birth; current and prior addresses; telephone number; and, sometimes, SSN. An information broker official told us that not every record his organization buys includes an SSN and that public records are more likely to contain SSNs than those from nonpublic sources. Brokers may provide their services (that is, information products) to a variety of customers either over private networks or over the Internet. Brokers that provide information over private networks generally limit their services to businesses that establish accounts with them. Brokers providing services over the Internet generally offer their services to the public at large. Law firms, businesses, law enforcement agencies, research organizations, and individuals are among those who use brokers’ services. For example, lawyers, debt collectors, and private investigators may request information on an individual’s bank accounts and real estate holdings for use in civil or divorce proceedings; automobile insurers may want information on whether insurance applicants have been involved in accidents or have been issued traffic citations; employers may want background checks on new hires; pension plan administrators may want information to locate pension beneficiaries; and individuals may ask for information to help locate birth parents. When requesting information, customers may ask for nationwide database searches or searches of only specific geographical areas. Information brokers’ databases can be searched by identifiers that may include SSNs; brokers may also include SSNs along with information they provide customers. When possible, information brokers retrieve data by Page 8 GAO/HEHS-99-28 Social Security Number Use B-278798 SSNbecause it is more likely to produce records unique to the individual than other identifiers are. Financial Services Three national credit bureaus serve as clearinghouses, receiving charge Businesses and payment transaction information from businesses that grant consumer credit and providing businesses consumer credit reports. Officials representing a bank and a credit card company—businesses that provide credit—told us that because it serves their interests for credit bureaus to have the most to up-to-date consumer payment histories, businesses in their industries voluntarily report customers’ charge and payment transactions, accompanied by SSNs, to credit bureaus. SSNs are one of the principal identifiers credit bureaus use to update individuals’ credit records with the monthly reports of credit and payment activity creditors send them. In addition, credit bureaus use SSNs provided by customers to retrieve credit reports on individuals. Credit bureau officials told us that customers are not required to provide SSNs when requesting reports, but requests without SSNs need to include enough information to sufficiently identify the individual. An official for a credit bureau trade association estimated that each national credit bureau has more than 180 million credit records.8 A publication by this official’s trade association estimated that, combined, all three bureaus sell 600 million credit reports annually. Businesses such as insurance companies, collection agencies, and credit granters use SSNs to request information about customers from credit bureaus. To determine a customer’s likelihood of repaying a loan, businesses—banks and credit card companies in particular—want information on customers’ histories of repaying debts and whether customers have filed for bankruptcy or have monetary judgments against them, such as tax liens. Officials representing credit granters said most banks and credit card companies ask applicants to provide their SSNs, and these credit granters may choose to deny services to individuals who refuse. These officials said their organizations generally do not use SSNs as internal identifiers but instead assign an account number as a customer’s primary identifier. Health Care Services Health care services are generally delivered through a coordinated system Organizations that includes health care providers and insurers. Officials representing hospitals, a health maintenance organization (HMO), and a health insurance 8 Many individuals may be included in more than one national credit bureau’s database. Page 9 GAO/HEHS-99-28 Social Security Number Use B-278798 trade association told us that their organizations always ask for an SSN, but they do not deny services if a patient refuses to provide the number. A hospital and an HMO official said that their organizations assign patients other identifying numbers, which they use internally as primary identifiers for patient medical records, and that they use SSNs as a backup to identify records when a patient either forgets or does not know the patient number he or she was assigned. The HMO official said SSNs are also used to integrate patients’ records when providers merge, a trend that is growing. In data exchanges, hospital and HMO officials said they use SSNs to track patients’ medical care across multiple providers, which helps establish the patients’ medical history and avoid duplicate tests. A trade association official told us that some health insurers use the SSN or a variation of the number as a primary identifier, which becomes the customer’s insurance number. We were told that the BlueCross BlueShield health insurance plans and the Medicare program frequently use this method. In addition, the trade association official said insurers and providers frequently match records among themselves, using SSNs to determine whether individuals have other insurance to coordinate payment of insurance benefits. Officials in the health care industry expect their use of SSNs to increase. For example, the hospital official said that to ensure it has a valid address to bill patients, her hospital plans to use SSNs during the admission process to obtain on-line verification of patients’ addresses from credit bureaus. State Agencies The states use SSNs to support state government operations and offer services to residents. The Social Security Act authorizes states to use SSNs to administer any tax, general public assistance, driver’s license, or motor vehicle registration law in order to identify individuals affected by such laws. Officials of the Maryland and Virginia personal income tax and Ohio and Georgia driver licensing programs told us that they use SSNs in both administering these programs and enforcing compliance with regulations governing the programs. State income tax administrators routinely use the SSN as a primary identifier in their programs. An official from an organization representing state tax administrators said that all states levying personal income taxes use SSNs to administer their programs. Tax officials said that states use SSNs to make state tax systems compatible with the federal system and to Page 10 GAO/HEHS-99-28 Social Security Number Use B-278798 reduce taxpayer reporting burden. Maryland and Virginia tax administrators told us their state tax returns require individuals to provide their SSNs, and individuals who omit SSNs risk being considered nonfilers if tax administrators cannot otherwise identify the submitter of the return. Tax administrators also use SSNs internally for auditing purposes. For example, tax administration officials said they use SSNs to cross-reference owners’ or officers’ business income tax returns with their personal income tax returns so that an audit of one triggers an audit of the other. Also, in the course of monitoring compliance with state income tax laws, states use SSNs to exchange data with other organizations. For example, in order to monitor taxpayer income reporting, states rely on SSNs for data matches with IRS and state tax agencies to identify residents who received income from out-of-state employers and businesses and to verify credits for income taxes that filers report paying to other states. Also, when tax administrators assess liens against taxpayers, states may use SSNs to request information from information brokers and credit bureaus to identify taxpayer assets, such as bank accounts and real estate. In addition, federal and state agencies, such as IRS and state child support agencies, use SSNs when asking state tax administrators to offset state refunds otherwise due to taxpayers. State driver licensing agencies are more likely to use SSNs to exchange data with other organizations than to support internal activities. A few states print SSNs on licenses and use the SSNs either as license numbers or along with the state-assigned license numbers. Most state driver licensing agencies that request SSNs, however, include SSNs in driver records as a secondary identifier and devise their own license numbers. Information from the AAMVA and other sources suggests that many states request, but may not require, applicants for noncommercial driver’s licenses to provide their SSNs. AAMVA officials estimate that there are about 175 million noncommercial drivers nationwide. To monitor driver compliance with state laws, state officials said they use SSNs during the licensing process to search national databases maintained by AAMVA to identify driver’s licenses the applicant may hold in other states and determine whether the applicant has had a license suspended or revoked in another state. These officials also told us that organizations such as the courts and law enforcement agencies may choose to request driver records by SSN when they do not know the driver’s license number. Page 11 GAO/HEHS-99-28 Social Security Number Use B-278798 AAMVA officials expect states’ use of SSNs to increase as the result of a recent federal law. Effective October 1, 2000, the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 prohibits federal agencies from accepting state-issued driver’s licenses as proof of identification, unless licenses satisfy federal requirements set out in the act. Specifically, states must either verify a driver’s SSN with SSA and record the number in their database or display the number, visually or electronically, on the license. States’ practices for disclosing SSNs contained in driver records vary. In states in which driver records are public information, states may disclose SSNs to individuals and organizations such as credit card companies, direct marketers, and credit bureaus.9 For example, Massachusetts driver licensing officials told us that their driver records are public and that the state includes individuals’ license numbers (usually the SSN) when providing information to organizations or people requesting driver records. Officials of the programs and activities we reviewed believed their entities Business and State would be negatively affected if federal laws were enacted restricting use of Officials Believe SSNs. Businesses that sell personal information and state driver licensing Federal Laws officials, however, told us that their organizations have already voluntarily responded to concerns about their practices for disclosing SSNs. State tax Restricting Uses of administrators and credit bureau officials said that federal restrictions SSNs Would Have a could hamper their ability to conduct routine internal activities. For example, representatives of these organizations said such restrictions Negative Impact could impede credit bureaus’ ability to accurately post consumer payment and credit transactions and state tax agencies’ ability to identify tax filers. Moreover, many of the officials we interviewed believed that federal restriction of their use of SSNs would hamper their ability to conduct data exchanges with other organizations. Without SSNs, state tax administrators said, it would be difficult to associate tax return information received from other tax agencies with tax information reported by residents. In addition, a health care provider said federal restrictions on SSN use could impede providers’ ability to track patients’ medical histories over time and among multiple providers. Also, AAMVA officials said federal restrictions could hinder states’ ability to screen for applicants who try to conceal traffic violations they have acquired under other state licenses. Many of the officials we interviewed said federal restrictions on their use of SSNs could 9 Since Sept. 1997, states have been required by the federal Driver Privacy Protection Act to honor individuals’ requests that their records not be made available for mass distribution. Page 12 GAO/HEHS-99-28 Social Security Number Use B-278798 make it difficult for their organizations to be assured of receiving credit reports for the specific individuals they requested. Officials of bank and credit card companies said they rely heavily on credit reports to make decisions about providing customers service on credit. Officials of businesses that sell personal information and driver licensing agencies also believed that federal restrictions on SSN use could make it difficult for others to obtain specific records from them. For example, driver licensing officials said that if “outsiders,” such as government and law enforcement agencies, do not know the driver’s license number and cannot request driver records by SSNs, these agencies can only use the driver’s name and are more likely, therefore, to receive the records of other people with the same name. Because of privacy concerns raised by disclosure of personal information, businesses and states have become more sensitive to this issue and are voluntarily restricting the disclosure of some personal information, including SSNs. In December 1997, 14 businesses that sell personal information—the self-identified industry leaders—responded to these concerns by, among other things, voluntarily executing a written agreement stating their intent to restrict disclosure of SSNs associated with data they obtain from nonpublic sources.10 These 14 businesses essentially agreed to make SSNs from such sources available to only a limited range of customers identified as having appropriate uses for the information, such as law enforcement. The 14 organizations also agreed to annual compliance reviews by independent contractors. When an organization fails to comply with the agreement, the Federal Trade Commission can cite the organization for unfair and deceptive business practices. Because the agreement was not scheduled to be fully implemented until December 31, 1998, its effectiveness could not be determined during our review. In addition, some states are discontinuing practices that result in routine disclosure of SSNs. For example, since July 1, 1997, Georgia no longer automatically prints SSNs on licenses but rather assigns its own numbers for driver licenses and uses SSNs as license numbers only if requested by the license holder to do so. Ohio, which before July 29, 1998, routinely printed SSNs along with state-assigned numbers on driver’s licenses, now allows drivers the option of not having SSNs printed on their licenses. Also, 10 An official of the information industry said businesses that signed the agreement handle about 90 percent of the industry’s business. Page 13 GAO/HEHS-99-28 Social Security Number Use B-278798 AAMVA officials believe most states in which driver records are public now exclude SSNs when responding to requests for driver records. SSA provided technical comments on a draft copy of this report, which we Agency Comments have incorporated as appropriate. We are providing copies of this report to the Commissioner of Social Security, officials of organizations and agencies we interviewed concerning their use of SSNs, and other interested congressional parties. Copies will also be made available to others upon request. Please contact me on (202) 512-7215 if you have any questions about this report. Other major contributors to this report are listed in appendix III. Sincerely yours, Cynthia M. Fagnoni Director, Income Security Issues Page 14 GAO/HEHS-99-28 Social Security Number Use Page 15 GAO/HEHS-99-28 Social Security Number Use Contents Letter 1 Appendix I 18 Organizations and Agencies We Contacted Concerning Their Use of Social Security Numbers Appendix II 19 Scope and Methodology Appendix III 21 GAO Contacts and Staff Acknowledgments Abbreviations AAMVA American Association of Motor Vehicle Administrators CDLIS Commercial Driver’s License Information System HMO health maintenance organization IRS Internal Revenue Service SSA Social Security Administration SSI Supplemental Security Income SSN Social Security number TANF Temporary Assistance for Needy Families Page 16 GAO/HEHS-99-28 Social Security Number Use Page 17 GAO/HEHS-99-28 Social Security Number Use Appendix I Organizations and Agencies We Contacted Concerning Their Use of Social Security Numbers American Association of Motor Vehicle Administrators, Arlington, VA American Bankers Association, Washington, DC Associated Credit Bureaus, Inc.; Washington, DC BlueCross BlueShield Association, Washington, DC Commonwealth of Virginia, Department of Taxation; Richmond, VA Credit Plus Solution Group, Harrisburg, PA Experian, Silver Spring, MD Federation of Tax Administrators, Washington, DC Georgia Department of Public Safety, Division of Driver Services; Atlanta, GA Independent Bankers Association of America, Washington, DC Information Industry Association, Washington, DC Kaiser Permanente, Rockville, MD Lexis-Nexis, Miamisburg, OH Maryland Hospital Association, Lutherville, MD MasterCard, Washington, DC Mutual Fund Education Alliance, Kansas City, MO Ohio Bureau of Motor Vehicles, Columbus, OH State of Maryland, Comptroller of the Treasury, Revenue Administration Division; Annapolis, MD Wachovia Corporation, Special Services; Atlanta, GA Washington Hospital Center, Washington, DC Page 18 GAO/HEHS-99-28 Social Security Number Use Appendix II Scope and Methodology We identified federal requirements and restrictions governing Social Security numbers (SSN) by using a list prepared by the Social Security Administration (SSA) that identified federal laws addressing SSNs. We developed information on programs’ required uses of SSNs by interviewing officials at the following: SSA’s Retirement, Survivors, and Disability Insurance and Supplemental Security Income programs; the Internal Revenue Service’s federal personal income tax program; the Department of Health and Human Services’ Medicare, Medicaid, Temporary Assistance for Needy Families, and Child Support Enforcement programs; and the Department of Agriculture’s Food Stamp program. On the basis of literature searches and interviews with Federal Trade Commission, SSA, and other cognizant officials, we identified numerous types of businesses and government activities and programs that use SSNs extensively. We then selected two areas of commercial activity (the financial services and health care services industries) and two state government activities (personal income tax and driver licensing programs) for a detailed examination of their SSN use. In addition, we included in our review the industry that gathers and sells personal information. Although organizations in this industry do not obtain SSNs directly from the people they provide information about, these organizations do provide customers personal information about individuals that may include their SSNs. Because there are no readily available data on how extensively businesses and states use SSNs, we selected entities that are commonly known to use SSNs routinely and that affect a large number of the general public by this use. We developed information on SSN use for these entities through interviews with officials representing the selected businesses, trade organizations, and state programs. We obtained officials’ statements about the prevalence of the use of SSNs among other similar businesses and state agencies as well as officials’ opinions about the potential impact on their operations if they were restricted in how they could use SSNs. We performed our work at SSA headquarters in Baltimore, Maryland; Washington, D.C.; and some of their suburbs and at selected other locations including Annapolis, Maryland; Atlanta, Georgia; Harrisburg, Pennsylvania; and Richmond, Virginia. We conducted telephone interviews with officials in Columbus, Ohio; Boston, Massachusetts; and Kansas City, Missouri. We selected both large and small organizations to determine if size altered the organization’s use of SSNs or its views about the effect of limiting the use of SSNs. Page 19 GAO/HEHS-99-28 Social Security Number Use Appendix II Scope and Methodology Information in this report was obtained primarily through interviews and is not generalizable to the universe of government and business communities of the officials we interviewed. We did not verify the accuracy of the information provided. This report does not address SSN use for illegal activities, such as credit card or program fraud, which are punishable under criminal statutes, because such an investigation was beyond the scope of the work we were asked to do. (In May 1998, we reported to the Congress on identity fraud, which can involve misuse of SSNs.)11 11 Identity Fraud: Information on Prevalence, Cost, and Internet Impact Is Limited (GAO/GGD-98-100BR, May 1, 1998). Page 20 GAO/HEHS-99-28 Social Security Number Use Appendix III GAO Contacts and Staff Acknowledgments Barbara Bovbjerg, Associate Director, (202) 512-5491 GAO Contacts Roland H. Miller, Assistant Director, (202) 512-7246 Jacquelyn Stewart, Evaluator-in-Charge, (202) 512-7232 The following people also made important contributions to this report: Staff Dennis Gehley and William Staab, Senior Evaluators, conducted work in Acknowledgments the health care and financial communities, and Roger Thomas, Senior Attorney, provided legal counsel. (207023) Page 21 GAO/HEHS-99-28 Social Security Number Use Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Social Security: Government and Commercial Use of the Social Security Number Is Widespread
Published by the Government Accountability Office on 1999-02-16.
Below is a raw (and likely hideous) rendition of the original report. (PDF)