Social Security Numbers: SSNs Are Widely Used by Government and Could Be Better Protected (29-APR-02, GAO-02-691T). The Social Security numbers (SSN), originally created in 1936 to track workers' earnings and eligibility for Social Security benefits is now used for many other purposes by both government and private sectors. The growth in electronic record keeping and the availability of information over the Internet, combined with the rise in identity theft, have heightened public concern about how their SSNs are being used. Federal agencies use SSNs to manage records, verify the eligibility of benefit applicants, collect outstanding debts, and do research and program evaluation. GAO found that federal laws designed to protect SSNs are not being followed consistently, Moreover, courts at all levels of government and offices at the state and county level maintain records that contain SSNs for the purpose of making these records available to the public. Recognizing that these SSNs may be misused, some government entities have taken steps to protect the SSNs from public display. At the same time, however, some government entities are considering making more public records available on the Intranet. Ease of access to electronically available files could encourage more information gathering from public records on a broader scale than possible previously. -------------------------Indexing Terms------------------------- REPORTNUM: GAO-02-691T ACCNO: A03196 TITLE: Social Security Numbers: SSNs Are Widely Used by Government and Could Be Better Protected DATE: 04/29/2002 SUBJECT: Intergovernmental relations Internet Public records Right of privacy Social security number Social Security Program ****************************************************************** ** This file contains an ASCII representation of the text of a ** ** GAO Product. ** ** ** ** No attempt has been made to display graphic images, although ** ** figure captions are reproduced. Tables are included, but ** ** may not resemble those in the printed version. ** ** ** ** Please see the PDF (Portable Document Format) file, when ** ** available, for a complete electronic file of the printed ** ** document's contents. ** ** ** ****************************************************************** GAO-02-691T Testimony Before the Subcommittee on Social Security, Committee on Ways and Means, House of Representatives United States General Accounting Office GAO For Release on Delivery Expected at 2: 00 p. m. Monday, April 29, 2002 SOCIAL SECURITY NUMBERS SSNs Are Widely Used by Government and Could Be Better Protected Statement of Barbara D. Bovbjerg, Director Education, Workforce, and Income Security Issues GAO- 02- 691T Page 1 GAO- 02- 691T Chairman Shaw and Members of the Subcommittee: Thank you for inviting me here today to discuss government use of Social Security Numbers (SSNs). Although the SSN was originally created in 1936 as a means to track workers? earnings and eligibility for Social Security benefits, today the number is used for myriad non- Social Security purposes in both the private and public sectors. Consequently, the public is concerned with how their personal SSNs are being used and protected. Further, the growth in electronic record keeping and the explosion of the availability of information over the Internet, combined with the rise in reports of identity theft, have heightened this concern. We have previously reported that SSNs play an important role in public and private sectors? ability to deliver services or conduct business. 1 Today, I will focus on how federal, state, and local governments use SSNs. Specifically, I will discuss (1) the extent and nature of government agencies? use of SSNs as they administer programs to provide benefits and services and the actions government agencies take to safeguard these SSNs from improper disclosure and (2) the extent and nature of governments? use of SSNs when they are contained in public records and the options available to better safeguard SSNs that are traditionally found in these public records. 2 My testimony is based on our ongoing work conducted at your request and that of the Subcommittee on Technology, Terrorism and Government Information, Senate Committee on the Judiciary. To address these issues, we mailed surveys to programs in 18 federal agencies and those departments that typically use SSNs in all 50 states, the District of Columbia, and the 90 most populous counties. 3 We also conducted site visits and in- depth interviews at six selected federal 1 U. S. General Accounting Office, Social Security: Government and Commercial Use of the Social Security Number is Widespread, GAO/ HEHS- 99- 28 (Washington, D. C.: Feb. 16, 1999). 2 We found no commonly accepted definition of public records. For the purposes of this statement, when we use the term public record, we are referring to a record or document that is routinely made available to the public for inspection either by a federal, state, or local government agency or a court, such as those readily available at a public reading room, clerk?s office, or on the Internet. 3 We did not survey state Departments of Motor Vehicles or state agencies that administer state tax programs, because we have reported on these activities separately. See U. S. General Accounting Office, Child Support Enforcement: Most States Collect Drivers? SSNs and Use Them to Enforce Child Support, GAO- 02- 239 (Washington, D. C.: Feb. 15, 2002) and Taxpayer Confidentiality: Federal, State, and Local Agencies Receiving Taxpayer Information, GAO- GGD- 99- 164 (Washington, D. C.: Aug. 30, 1999). Page 2 GAO- 02- 691T programs, three states, and three counties. We met with officials responsible for programs, agencies, or departments (hereinafter referred to generically as agencies) and courts that make frequent use of SSNs. We conducted our work between February 2001 and March 2002 in accordance with generally accepted government auditing standards. In summary, in delivering services and benefits to the public, federal, state, and county government agencies use SSNs to manage records, verify the eligibility of benefit applicants, collect outstanding debts and conduct research and program evaluation. Using SSNs for these purposes can save the government and taxpayers hundreds of millions of dollars each year. As they make use of SSNs for these purposes, government agencies are taking some steps to safeguard the numbers. However, agencies are not consistently following federal laws regarding the collection of personal information, implementing safeguards to protect SSNs from improper disclosure, or limiting the display of SSN on documents not intended for the public. Moreover, courts at all three levels of government and certain offices at the state and county level maintain records that contain SSNs for the purpose of making them available to the public. Recognizing that these SSNs may be misused by others, some government entities have taken steps to protect the SSNs from public display. For example, some have modified forms so that they can collect SSNs but keep them in a file separate from the public portion of the record. Nonetheless, although public records have traditionally been housed in government offices and court buildings, to improve customer service some government entities are considering placing more public records on the Internet. The ease of access the Internet affords could encourage individuals to engage in information gathering from public records on a broader scale than possible previously. In conclusion, we will be reporting in more detail on these issues at the end of this month and look forward to exploring additional options to better protect SSNs with you as we complete our work. The use of SSNs by government and the private sector has grown over time, in part because of federal requirements. In addition, the growth in computerized records has further increased reliance on SSNs. This growth in use and availability of the SSN is important because SSNs are often one of the ?identifiers? of choice among identity thieves. Although no single federal law regulates the use and disclosure of SSNs by governments, when federal government agencies use them, several federal laws limit the Background Page 3 GAO- 02- 691T use and disclosure of the number. 4 Also, state laws may impose restrictions on SSN use and disclosure, and they vary from state to state. Moreover, some records that contain SSNs are considered part of the public record and, as such, are routinely made available to the public for review. Since the creation of the SSN, the number of federal agencies and others that rely on it has grown beyond the original intended purpose. In 1936, the Social Security Administration (SSA) created a numbering system designed to provide a unique identifier, the SSN, to each individual. The agency uses SSNs to track workers? earnings and eligibility for Social Security benefits, and as of December 1998, SSA had issued 391 million SSNs. Since the creation of the SSN, other entities in both the public and private sectors have begun using SSNs, in part because of federal requirements. The number of federal agencies and others relying on the SSN as a primary identifier escalated dramatically, in part, because a number of federal laws were passed that authorized or required its use for specific activities. (See appendix I for examples of federal laws that authorize or mandate the collection and use of SSNs.) In addition, private businesses, such as financial institutions and health care service providers, also rely on individuals SSNs. In some cases, they require the SSN to comply with federal laws but, at other times, they routinely choose to use the SSNs to conduct business. In addition, the advent of computerized records further increased reliance on SSNs. Government entities are beginning to make their records electronically available over the Internet. Moreover, the Government Paperwork Elimination Act of 1998 requires that, where practicable, federal agencies provide by 2003 for the option of the electronic maintenance, submission, or disclosure of information. State government agencies have also initiated Web sites to address electronic government initiatives. Moreover, continuing advances in computer technology and the ready availability of computerized data have spurred the growth of new business activities that involve the compilation of vast amounts of personal information about members of the public, including SSNs, that businesses sell. 4 In this review, we do not include criminal provisions that might apply to the improper use of SSNs. SSN Use Has Grown, in Part Because of Federal Requirements Page 4 GAO- 02- 691T The overall growth in the use of SSNs is important to individual SSN holders because these numbers, along with names and birth certificates, are among the three personal identifiers most often sought by identity thieves. 5 Identity theft is a crime that can affect all Americans. It occurs when an individual steals another individual?s personal identifying information and uses it fraudulently. For example, SSNs and other personal information are used to fraudulently obtain credit cards, open utility accounts, access existing financial accounts, commit bank fraud, file false tax returns, and falsely obtain employment and government benefits. SSNs play an important role in identity theft because they are used as breeder information to create additional false identification documents, such as drivers licenses. Recent statistics collected by federal and consumer reporting agencies indicate that the incidence of identity theft appears to be growing. 6 The Federal Trade Commission (FTC), the agency responsible for tracking identity theft, reports that complaint calls from possible victims of identity theft grew from about 445 calls per week in November 1999, when it began collecting this information, to about 3,000 calls per week by December 2001. However, FTC noted that this increase in calls might also, in part, reflect enhanced consumer awareness. In addition, SSA?s Office of the Inspector General, which operates a fraud hotline, reports that allegations of SSN misuse increased from about 11,000 in fiscal year 1998 to more than 65,200 in fiscal year 2001. However, some of the reported increase may be a result of a growth in the number of staff SSA assigned to field calls to the Fraud Hotline during this period. SSA staff increased from 11 to over 50 during this period, which allowed personnel to answer more calls. Also, officials from two of the three national consumer reporting agencies report an increase in the number of 7 year fraud alerts placed on consumer credit files, which they consider to be reliable indicators of the incidence of identity theft. 7 Finally, it is difficult to determine how many individuals are prosecuted for identity theft because law enforcement 5 United States Sentencing Commission, Identity Theft Final Alert (Washington, D. C.: Dec. 15, 1999). 6 U. S. General Accounting Office, Identity Theft: Prevalence and Cost Appear to be Growing, GAO- 02- 363 (Washington, D. C.: Mar. 1, 2002). 7 A fraud alert is a warning that someone may be using the consumer?s personal information to fraudulently obtain credit. When a fraud alert is placed on a consumer?s credit card file, it advises credit grantors to conduct additional identity verification before granting credit. The third consumer reporting office offers fraud alerts that can vary from 2 to 7 years at the discretion of the individual. Identity Thieves Often Use SSNs Page 5 GAO- 02- 691T entities report that identity theft is almost always a component of other crimes, such as bank fraud or credit card fraud, and may be prosecuted under the statutes covering those crimes. Most often, identity thieves use SSNs belonging to real people rather than making one up; however, on the basis of a review of identify theft reports, victims usually (75 percent of the time) did not know where or how the thieves got their personal information. 8 In the 25 percent of the time when the source was known, the personal information, including SSNs, usually was obtained illegally. In these cases, identity thieves most often gained access to this personal information by taking advantage of an existing relationship with the victim. The next most common means of gaining access were by stealing information from purses, wallets, or the mail. In addition, individuals can also obtain SSNs from their workplace and use them themselves or sell them to others. Finally, SSNs and other identifying information can be obtained legally through Internet sites maintained by both the public and private sectors and from records routinely made available to the public by government entities and courts. Because the sources of identity theft cannot be more accurately pinpointed, it is not possible at this time to determine the extent to which the government?s use of SSNs contributes to this problem as compared to use of SSNs by the private sector. No single federal law regulates the overall use or restricts the disclosure of SSNs by governments; however, a number of laws limit SSN use in specific circumstances. Generally, the federal government?s overall use and disclosure of SSNs are restricted under the Freedom of Information Act and the Privacy Act. The Freedom of Information Act presumes federal government records are available upon formal request, but exempts certain personal information, such as SSNs. The purpose of the Privacy Act, broadly speaking, is to balance the government?s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy by federal agencies. Also, the Social Security Act Amendments of 1990 provide some limits on disclosure, and these limits apply to state and local governments as well. In addition, a number of federal statutes impose certain restrictions on 8 This information is based on a review of 39 cases involving SSN theft drawn from the Federal Trade Commission?s fiscal year 1998 datafiles. In Some Instances, SSNs Are to Be Protected from Public Disclosure Page 6 GAO- 02- 691T SSN use and disclosure for specific programs or activities. 9 At the state and county level, each state may have its own statutes addressing the public?s access to government records and privacy matters; therefore, states may vary in terms of the restrictions they impose on SSN use and disclosure. In addition, a number of laws provide protection for sensitive information, such as SSNs, when maintained in computer systems and other government records. Most recently, the Government Information Security Reform provisions of the Fiscal Year 2001 Defense Authorization Act require that federal agencies take specific measures to safeguard computer systems that may contain SSNs. 10 For example, federal agencies must develop an agency- wide information security management program. These laws do not apply to state and local governments; however, in some cases state and local governments have developed their own statutes or put requirements in place to similarly safeguard sensitive information, including SSNs, kept in their computer systems. In addition to the SSNs used by program agencies to provide benefits or services, some records that contain SSNs are considered part of the public record and, as such, are routinely made available to the public for review. This is particularly true at the state and county level. Generally, state law governs whether and under what circumstances these records are made available to the public, and they vary from state to state. They may be made available for a number of reasons. These include the presumption that citizens need government information to assist in oversight and ensure that government is accountable to the people. Certain records maintained by federal, state, and county courts are also routinely made available to the public. In principle, these records are open to aid in preserving the integrity of the judicial process and to enhance the public trust and confidence in the judicial process. At the federal level, access to 9 For example, the Internal Revenue Code, which requires the use of SSNs for certain purposes, declares tax return information, including SSNs, to be confidential, limits access to specific organizations, and prescribes both civil and criminal penalties for unauthorized disclosure. For more information, see GAO- GGD- 99- 164. Also, the Personal Responsibility and Work Opportunity Act of 1996 explicitly restricts the use of SSNs to purposes set out in the Act, such as locating absentee parents to collect child support payments. 10 These provisions supplement information security requirements established in the federal Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the ClingerCohen Act of 1996, and Office of Management and Budget guidance. SSNs Are Found in Some Public Records Page 7 GAO- 02- 691T court documents generally has its grounding in common law and constitutional principles. In some cases, public access is also required by statute, as is the case for papers filed in a bankruptcy proceeding. As with federal courts, requirements regarding access to state and local court records may have a state common law or constitutional basis or may be based on state laws. When federal, state, and county government agencies administer programs that deliver services and benefits to the public, they rely extensively on the SSNs of those receiving the benefits and services. SSNs provide a quick and efficient means of managing records and are used to conduct research and program evaluation. In addition, they are particularly useful when agencies share information with others to verify the eligibility of benefit applicants or to collect outstanding debts. Using SSNs for these purposes can save the government and taxpayers hundreds of millions of dollars each year. As they make this wide use of SSNs, government agencies are taking some steps to safeguard the numbers; however, certain key measures that could help protect SSNs are not uniformly in place at any level of government. First, when requesting SSNs, government agencies are not consistently providing individuals with key information mandated by federal law, such as whether individuals are required to provide their SSNs. Second, although agencies that use SSNs to provide benefits and services are taking steps to safeguard them from improper disclosure, our survey identified potential weaknesses in the security of information systems at all levels of government. Similarly, sometimes government agencies display SSNs on documents not intended for the public, and we found numerous examples of actions taken to limit the presence of SSNs on documents. However, these changes are not systematic and many government agencies continue to display SSNs on a variety of documents. Most of the agencies we surveyed at all levels of government reported using SSNs extensively to administer their programs. 11 As shown in table 1, more agencies reported using SSNs for internal administrative purposes, such as using SSNs to identify, retrieve, and update their records, than for any other purpose. SSNs are so widely used for this purpose, in part, because each number is unique to an individual and does not change, 11 Of the respondents to our survey, 14 state program departments and 13 county program departments reported that they do not obtain, receive, or use the SSN of program participants, service recipients, or individual members of the public. We did not verify this information. SSNs Are Widely Used by Program Agencies at All Levels of Government, but Could Be Better Protected by Them All Levels of Government Use SSNs Extensively for a Wide Range of Purposes Page 8 GAO- 02- 691T unlike some other personal identifying information, such as names and addresses. Table 1: Percentage of Program Agencies Using SSNs for Each Reason Listed Purpose of SSN Use Federal (N= 55) a State (N= 244) County (N= 197) Percent Percent Percent Internal administrative purposes 82 90 89 Sharing Verify applicants? eligibility; monitor accuracy of information individuals provide 73 83 82 Collect debts individuals owe agency/ government 40 34 25 Research and Evaluation Conduct internal research or program evaluation 53 44 26 Provide data to outside researchers 4 18 7 a Total number of possible respondents Source: GAO surveys of federal, state, and county departments and agencies. Table includes departments and agencies that administer programs and excludes courts, county clerks and recorders, and state licensing agencies. It excludes state departments of motor vehicles and tax administration. Many agencies also use SSNs to share information with other entities to bolster the integrity of the programs they administer. For example, the majority of agencies at all three levels of government reported sharing information containing SSNs for the purpose of verifying an applicant?s eligibility for services or benefits. Agencies use applicants? SSNs to match the information they provide with information in other data bases, such as other federal benefit paying agencies, state unemployment agencies, the Internal Revenue Service, or employers. As unique identifiers, SSNs help ensure that the agency is matching information on the correct person. Also, some agencies at each level of government reported sharing data containing SSNs to collect debts owed them. Using SSNs for these purposes can save the government and taxpayers hundreds of millions of dollars, such as when SSA matched its data on Supplemental Security Income recipients with state and local correctional facilities to identify prisoners who were no longer eligible for benefits. 12 Doing so helped identify more than $150 million in Supplemental Security Income overpayments and prevented improper payments of more than $170 million over an 8- month period. Finally, SSNs along with other program 12 SSI provides cash assistance to needy individuals who are aged, blind, or disabled. Page 9 GAO- 02- 691T data, are sometimes used for statistical programs, research, and evaluation, in part because they provide government agencies and others with an effective mechanism for linking data on program participation with data from other sources. 13 When government agencies that administer programs share records containing individuals? SSNs with other entities, they are most likely to share them with other government agencies. 14 After that, the largest percentage of federal and state program agencies report sharing SSNs with contractors (54 and 39 percent respectively), and a relatively large percentage of county program agencies report sharing with contractors as well (28 percent). Agencies across all levels of government use contractors to help them fulfill their program responsibilities, such as determining eligibility for services and conducting data processing activities. In addition to sharing SSNs with contractors, government agencies also share SSNs with private businesses, such as credit bureaus and insurance companies, as well as debt collection agencies, researchers, and, to a lesser extent, with private investigators. In addition, all government personnel departments we surveyed reported using their employees? SSNs to fulfill at least some of their responsibilities as employers. Aside from requiring that employers report on their employees? wages to SSA, federal law also requires that states maintain employers? reports of newly hired employees identified by SSN. The national database is used by state child support agencies to locate parents who are delinquent in child support payments. In addition, employers responding to our survey said they use SSNs to help them maintain internal records and provide employee benefits. To provide these benefits, employers often share data on employees with other entities, such as health care providers or pension plan administrators. 13 In some cases, records containing SSNs are sometimes matched across multiple agency or program databases. The statistical and research communities refer to the process of matching records containing SSNs for statistical or research purposes as ?record linkage.? See U. S. General Accounting Office, Record Linkage and Privacy: Issues in Creating New Federal Research and Statistical Information, GAO- 01- 126SP (Washington, D. C.: Apr. 2001). 14 On the federal level, data sharing often involves computerized record matching. The Computer Matching and Privacy Protection Act of 1988, which amended the Privacy Act, specifies procedural safeguards affecting agencies? use of Privacy Act records in performing certain types of computerized matching programs, including due process rights for individuals whose records are being matched. These due process rights were further clarified in the Computer Matching and Privacy Protection Amendments of 1990. Page 10 GAO- 02- 691T When a government agency requests an individual?s SSN, the individual needs certain information to make an informed decision about whether to provide their SSN to the government agency or not. Accordingly, section 7 of the Privacy Act requires that any federal, state, or local government agency, when requesting an SSN from an individual, provide that individual with three key pieces of information. 15 Government entities must tell individuals whether disclosing their SSNs is mandatory or voluntary; cite the statutory or other authority under which the request is being made; and state what uses government will make of the individual?s SSN. This information, which helps the individual make an informed decision, is the first line of defense against improper use. Although nearly all government entities we surveyed collect and use SSNs for a variety of reasons, many of these entities reported they do not provide individuals the information required under section 7 of the Privacy Act when requesting their SSNs. Federal agencies were more likely to report that they provided the required information to individuals when requesting their SSNs than were states or local government agencies. Even so, federal agencies did not consistently provide this required information; 32 percent did not inform individuals of the statutory authority for requesting the SSN and 21 percent of federal agencies reported that they did not inform individuals of how their SSNs would be used. At the state level, about half of the respondents reported providing individuals with the required information, and at the county level, about 40 percent of the respondents reported doing so. 15 Section 7 of the Privacy Act is not codified with the rest of the act, but rather is found in the note section to 5 U. S. C. 552a. Many Government Entities Collect SSNs without Providing Required Information Page 11 GAO- 02- 691T When government agencies collect and use SSNs as an essential component of their operations, they need to take steps to mitigate the risk of individuals gaining unauthorized access to SSNs or making improper disclosure or use of SSNs. Over 90 percent of our survey respondents reported using both hard copy and electronic records containing SSNs when conducting their program activities. When using electronic media, many employ personal computers linked to computer networks to store and process the information they collect. This extensive use of SSNs, as well as the various ways in which SSNs are stored and accessed or shared, increase the risks to individuals? privacy and make it both important and challenging for agencies to take steps to safeguard these SSNs. No uniform guidelines specify what actions governments should take to safeguard personal information that includes SSNs. However, to gain a better understanding of whether agencies had measures in place to safeguard SSNs, we selected eight commonly used practices found in information security programs, and we surveyed the federal, state, and county programs and agencies on their use of these eight practices. Responses to our survey indicate that agencies that administer programs at all levels of government are taking some steps to safeguard SSNs; however, potential weaknesses exist at all levels. Many survey respondents reported adopting some of the practices; however, none of the eight practices were uniformly adopted at any level of government. In general, when compared to state and county government agencies, a higher percentage of federal agencies reported using most of the eight practices. However, despite the federal government?s self- reported more frequent use of these practices relative to the state and counties, it is important to note that since 1996 we have consistently identified significant information security weaknesses across the federal government. We are not aware of a comparable comprehensive assessments of information security for either state or county government. (For additional information on the eight practices we selected and how they fit into the federal framework for an information security program, see appendix II.) Further, when SSNs are passed from a government agency to another entity, agencies need to take additional steps to continue protections for sensitive personal information that includes SSNs, such as imposing Many Agencies Using SSNs to Administer Programs Do Not Have Uniform Information Security Controls in Place Page 12 GAO- 02- 691T restrictions on the entities to help ensure that the SSNs are safeguarded. 16 Responses to our survey indicate that, when sharing such sensitive information, most agencies reported requiring those receiving personal data to restrict access to and disclosure of records containing SSNs to authorized persons and to keep records in secured locations. However, fewer agencies reported having provisions in place to oversee or enforce compliance with these requirements. In the course of delivering their services or benefits, many government agencies occasionally display SSNs on documents that may be viewed by others, some of whom may not have a need for this personal information. These documents include payroll checks, vouchers for tax credits for childcare, travel orders, and authorization for training outside of the agency. Also, some personnel departments reported displaying employees? SSNs on their employee badges (27 percent of federal respondents, 5 percent of state, and 9 percent of county). Notably, the Department of Defense (DOD), which has over 2. 9 million military and civilian personnel, displays SSNs on its military and civilian identification cards. On the state level, the Department of Criminal Justice in one state, which has about 40,000 employees, displays SSNs on all employee identification cards. According to department officials, some of their employees have taken actions such as taping over their SSNs so that prison inmates and others cannot view this personal information. SSNs are also displayed on documents that are not employee- related. For example, some benefit programs display the SSN on the benefit checks and eligibility cards, and over one- third of federal respondents reported including the SSN on official letters mailed to participants. Further, some state institutions of higher education display students? SSNs on identification cards. Finally, SSNs are sometimes displayed on business permits that must be posted in public view at an individual?s place of business. In addition to these examples of SSN display, we also identified a number of instances where the Congress or governmental entities have taken or are considering action to reduce the presence of SSNs on documents that may be viewed by others. For example, the DOD commissary stopped 16 In some cases, where federal agencies administer programs that provide federal funds to states and counties, the federal agency has spelled out program- specific requirements for information security that state and county government agencies are expected to follow when they use federal funds to operate these programs. Government Agencies Display SSNs on Documents Not Intended for the Public Page 13 GAO- 02- 691T requiring SSNs on checks written by members because of concerns about improper use of the SSNs and identity theft. 17 Also, a state comptroller?s office changed its procedures so that it now offers vendors the option of not displaying SSNs on their business permits. Finally, some states have passed laws prohibiting the use of SSNs as a student identification number. These efforts to reduce display suggest a growing awareness that SSNs are private information, and the risk to the individual of placing an SSN on a document that others can see may be greater than the benefit to the agency of using the SSN in this manner. However, despite this growing awareness and the actions cited above, many government agencies continue to display SSNs on a variety of documents that can be seen by others. Regarding public records, many of the state and county agencies responding to our survey reported maintaining records that contain SSNs; however federal program agencies maintain public records less frequently. At the state and county levels, certain offices, such as state licensing agencies and county recorders? offices, have traditionally been repositories for public records that may contain SSNs. In addition, courts at all three levels of government maintain public records that may contain SSNs. Officials who maintain these records told us their responsibility is to preserve the integrity of the record rather than protect the privacy of the individual SSN holder. However, we found examples of some government entities that are trying innovative approaches to protect the SSNs in such records from public display. Moreover, the general public has traditionally gained access to public records by visiting the office that maintains the records, an inconvenience that represents a practical limitation on the volume of SSNs any one person can collect. However, the growth of electronic record- keeping places new pressures on agencies to provide their data to the pubic on the Internet. Although few entities report currently making public records containing SSNs available on the Internet, several officials told us they are considering expanding the volume and type of such records available on their Web site. This would create new opportunities for gathering SSNs on a broader scale. Again, some entities 17 As of March 2002, the Navy Commissary still requires SSNs on checks. Officials told us they hope to implement a system similar to the DOD Commissary by the end of 2002. Open Nature of Certain Government Records Results in Wide Access to SSNs but Alternatives Exist Page 14 GAO- 02- 691T are considering alternatives to making SSNs available on such a wide scale, while others are not. As shown in table 2, more than two- thirds of the courts, county recorders, and state licensing agencies that reported maintaining public records reported that these records contained SSNs. 18 In addition, some program agencies also reported maintaining public records that contain SSNs. Table 2: Of Courts, County Recorders, and State Licensing Agencies, and of Program Agencies That Maintain Public Records, Percentage That Maintain Public Records That Contain SSNs Federal State County Frequency Percent Frequency Percent Frequency Percent Courts, recorders, and licensing agencies that maintain public records with SSNs 3/ 3 100 21/ 31 68 73/ 95 77 Program agencies that maintain public records with SSNs 4/ 22 23 54/ 189 29 46/ 140 33 Source: Data from GAO survey of federal, state, and county departments and agencies. It excludes state departments of motor vehicles and tax administration. County clerks or recorders (hereinafter referred to as recorders) and certain state agencies often maintain records that contain SSNs because these offices have traditionally been the repository for key information that, among other things, chronicles various life events and other activities of individuals as they interact with government. 19 SSNs appear in these public records for a number of reasons. They may already be a part of a document that is submitted to a recorder for official preservation. For example, military veterans are encouraged to file their discharge papers, which contain SSNs, with their local recorder?s office to establish a readily available record of their military service. 20 Also, documents that record financial transactions, such as tax liens and property settlements, contain 18 Of the respondents to our survey, 20 county recorders and courts and 5 state courts reported that they do not obtain, receive, or use the SSN of program participants, service recipients, or individual members of the public. We did not verify this information. 19 It differs from state- to- state as to whether certain records, such as marriage licenses and birth certificates, are maintained in county or state offices. Certain documents, however, such as land and title transfers, are almost always maintained at the local, or county, level. 20 Veterans are advised that these are important documents which can be registered/ recorded in most states or localities for a nominal fee making retrieval easy. In October 2001, DOD added a cautionary statement that recording these documents could subject them to public access in some states or localities. Many State and County Public Records Contain SSNs Page 15 GAO- 02- 691T SSNs to help identify the correct individual. In other cases, government officials are required by law to collect SSNs. For example, to aid in locating non- custodial parents who are delinquent in their child support payments, the federal Personal Responsibility and Work Opportunity Reconciliation Act of 1996 requires that states have laws in effect to collect SSNs on applications for marriage, professional, and occupational licenses. Moreover, some state laws allow government entities to collect SSNs on voter registries to help avoid duplicate registrations. Although the law requires public entities to collect the SSN as part of these activities, this does not necessarily mean that the SSNs always must be placed on the document that becomes part of the public record. Courts at all three levels of government also collect and maintain records that are routinely made available to the public. Court records overall are presumed to be public; however, each court may have its own rules or practices governing the release of information. 21 As with recorders, SSNs appear in court documents for a variety of reasons. In many cases, SSNs are already a part of documents that are submitted by attorneys or individuals. These documents could be submitted as part of the evidence for a proceeding or could be included in documents, such as a petition for an action, a judgment or a divorce decree. In other cases, courts include SSNs on documents they and other government officials create, such as criminal summonses, arrest warrants, and judgments, to increase the likelihood that the correct individual is affected (i. e. to avoid arresting the wrong John Smith). In some cases federal law requires that SSNs be placed in certain records that courts maintain, such as records pertaining to child support orders, divorce decrees, and paternity determinations. Again, this assists child support enforcement agencies in efforts to help parents collect money that is owed to them. These documents may also be maintained at county clerk or recorders? offices. When federal, state, or county entities, including courts, maintain public records, they are generally prohibited from altering the formal documents. Officials told us that their primary and mandated interest is in preserving the integrity of the record rather than protecting the privacy of the individual named in the record. Officials told us they believe they have no 21 In some states, for example, adoption records, grand jury records, and juvenile court records are not part of the public record. In addition, some court documents pertinent to the cases may or may not be in the public record, depending on local court practice. Finally, the judge can choose to explicitly seal a record to protect the information it contains from public review. Page 16 GAO- 02- 691T choice but to accept the documents with the SSNs and fulfill the responsibility of their office by making them available to the general public. When creating public documents or records, such as marriage licenses, some government agencies are trying new innovative approaches that protect SSNs from public display. For example, some have developed alternative types of forms to keep SSNs and other personal information separate from the portion of a document that is accessible to the general public. 22 Changing how the information is captured on the form itself can help solve the dilemma of many county recorders who, because they are the official record keepers of the county, are usually not allowed to alter an original document after it is officially filed in their office. For example, a county recorder told us that Virginia recently changed its marriage license application so that the form is now in triplicate, and the copy that is available to the general public does not contain the SSN. However, an official told us even this seemingly simple change in the format of a document can be challenging because, in some cases, the forms used for certain transactions are prescribed by the state. In addition to these efforts at recorders offices, some courts have made efforts to protect SSNs in documents that the general public can access through court clerk offices. For example, one state court offers the option of filing a separate form containing the SSN that is kept separate from the part of the record that is available for public inspection. These solutions, however, are most effective when the recorder?s office, state agencies, and courts prepare the documents themselves. In those many instances where others file the documents, such as individuals, attorneys, or financial institutions, the receiving agency has less control over what is contained in the document and, in many cases, must accept it as submitted. Officials told us that, in these cases, educating the individuals who submit the documents for the record may help to reduce the appearance of SSNs. This would include individuals, financial institutions, title companies, and attorneys, who could begin by considering whether SSNs are required on the documents they submit. It may be possible to limit the display of SSNs on some of these documents or, where SSNs are deemed necessary to help identify the subject of the documents, it may be possible to truncate the SSN to the last four digits. 22 In some cases, however, the law requires that the SSN appear on the document itself, as on death certificates. Alternatives to Displaying SSNs in Public Records Exist Page 17 GAO- 02- 691T While the above options are available for public records created after an office institutes changes, fewer options exist to limit the availability of SSNs in records that have already been officially filed or created. One option is redacting or removing SSNs from documents before they are made available to the general public. In our fieldwork, we found instances where departments redact SSNs from copies of documents that are made available to the general public, but these tended to be situations where the volume of records and number of requests were minimal, such as in a small county. Most other officials told us redaction was not a practical alternative for public records their offices maintain. Although redaction would reduce the likelihood of SSNs being released to the general public, we were told it is time- consuming, labor intensive, difficult, and in some cases would require change in law. In documents filed by others outside of the office, SSNs do not appear in a uniform place and could appear many times throughout a document. In these cases, it is a particularly lengthy and labor- intensive process to find and redact SSNs. Moreover, redaction would be less effective in those offices where members of the general public can inspect and copy large numbers of documents without supervision from office staff. In these situations, officials told us that they could change their procedures for documents that they collect in the future, but it would be extremely difficult and expensive to redact SSNs on documents that have already been collected and filed. Traditionally, the public has been able to gain access to SSNs contained in public records by visiting the recorder?s office, state office, or court house; however, the requirement to visit a physical location and request or search for information on a case- by- case basis offers some measure of protection against the widespread collection and use of others? SSNs from public records. 23 Yet, this limited access to information in public records is not always the case. We found examples where members of the public can obtain easy access to larger volumes of documents containing SSNs. Some offices that maintain public records offer computer terminals on site where individuals can look up electronic files from a site- specific database. In one of the offices we visited, documents containing SSNs that were otherwise accessible to the public were also made available in bulk to certain groups. When asked about sharing information containing SSNs with other entities, a higher percentage of county recorders reported sharing information containing SSNs with marketing companies, 23 Some jurisdictions also permit citizens to request public records through the mail. Traditional Access to Public Records Has Practical Limitations That Would Not Exist if the Records Were Placed on the Internet Page 18 GAO- 02- 691T collection agencies, credit bureaus, private investigators, and outside researchers. Finally, few agencies reported that they place records containing SSNs on their Internet sites; however, this practice may be growing. Of those agencies that reported having public records containing SSNs, only 3 percent of the state respondents and 9 percent of the county respondents reported that the public can access these documents on their Web site. In some cases, such as the federal courts, documents containing SSNs are available on the Internet only to paid subscribers. However, increasing numbers of departments are moving toward placing more information on the Internet. We spoke with several officials that described their goals for having records available electronically within the next few years. Providing this easy access of records potentially could increase the opportunity to obtain records that contain SSNs that otherwise would not have been obtained by visiting the government agency. While planning to place more information on the Internet, some courts and government agencies are examining their policies to decide whether SSNs should be made available on documents on their Web sites. In our fieldwork, we heard many discussions of this issue, which is particularly problematic for courts and recorders, who have a responsibility to make large volumes of documents accessible to the general public. On the one hand, officials told us placing their records on the Internet would simply facilitate the general public?s ability to access the information. On the other hand, officials expressed concern that placing documents on the Internet would remove the natural deterrent of having to travel to the courthouse or recorder?s office to obtain personal information on individuals. Again, we found examples where government entities are searching for ways to strike a balance. For example, the Judicial Conference of the United States recently released a statement on electronic case file availability and Internet use in federal courts. They recommended that documents in civil cases and bankruptcy cases should be made available electronically, but SSNs contained in the documents should be truncated to the last four digits. Also, we spoke to one county recorder?s office that had recently put many of its documents on their Web site, but had decided not to include categories of documents that were known to contain SSNs. In addition, some states are taking action to limit the display of SSNs on the Internet. Given the likely growth of public information on the Internet, the time is right for some kind of forethought about the inherent risk Page 19 GAO- 02- 691T posed by making SSNs and other personal information available through this venue. SSNs are widely used in all levels of government and play a central role in how government entities conduct their business. As unique identifiers, SSNs are used to help make record- keeping more efficient and are most useful when government entities share information about individuals with others outside their organization. The various benefits from sharing data help ensure that government agencies fulfill their mission and meet their obligation to the taxpayer by, for example, making sure that the programs serve only those eligible for services. However, the gaps in safeguarding SSNs that we have identified create the potential for SSN misuse. Although the extent to which the government?s broad use of SSNs contributes to identity theft is not clear, measures to encourage governments to better secure and reduce the display of SSNs could at least help minimize the risk of SSN misuse. It is important to focus on ways to accomplish this. We will be reporting in more detail on these issues at the end of this month and look forward to exploring additional options to better protect SSNs with you as we complete our work. For further information regarding this testimony, please contact Barbara D. Bovbjerg, Director, or Kay E. Brown, Assistant Director, Education, Workforce, and Income Security at (202) 512- 7215. Individuals making key contributions to this testimony include Lindsay Bach, Jeff Bernstein, Richard Burkard, Jacqueline Harpp, Daniel Hoy, Raun Lazier, Vernette Shaw, Jacquelyn Stewart, and Anne Welch. Concluding Observations Contacts and Acknowledgments Page 20 GAO- 02- 691T Federal statute General purpose for collecting or using SSN Government entity and authorized or required use Tax Reform Act of 1976 42 U. S. C. 405( c)( 2)( c)( i) General public assistance programs, tax administration, driver?s license, motor vehicle registration Authorizes states to collect and use SSNs in administering any tax, general public assistance, driver?s license, or motor vehicle registration law Food Stamp Act of 1977 7 U. S. C. 2025( e)( 1) Food Stamp Program Mandates the secretary of agriculture and state agencies to require SSNs for program participation Deficit Reduction Act of 1984 42 U. S. C. 1320b- 7( 1) Eligibility benefits under the Medicaid program Requires that, as a condition of eligibility for Medicaid benefits, applicants for and recipients of these benefits furnish their SSNs to the state administering program Housing and Community Development Act of 1987 42 U. S. C. 3543( a) Eligibility for HUD programs Authorizes the secretary of the Department of Housing and Urban Development to require applicants and participants in HUD programs to submit their SSNs as a condition of eligibility Family Support Act of 1988 42 U. S. C. 405( c)( 2)( C)( ii) Issuance of birth certificates Requires states to obtain parents? SSNs before issuing a birth certificate unless there is good cause for not requiring the number Technical and Miscellaneous Revenue Act of 1988 42 U. S. C. 405( c)( 2)( D)( i) Blood donation Authorizes states and political subdivisions to require that blood donors provide their SSNs Food, Agriculture, Conservation, and Trade Act of 1990 42 U. S. C. 405( c)( 2)( C) Retail and wholesale businesses participation in food stamp program Authorizes the secretary of agriculture to require the SSNs of officers or owners of retail and wholesale food concerns that accept and redeem food stamps Omnibus Budget Reconciliation Act of 1990 38 U. S. C. 510( c) Eligibility for Veterans Affairs compensation or pension benefits programs Requires individuals to provide their SSNs to be eligible for Department of Veterans Affairs? compensation or pension benefits programs Social Security Independence and Program Improvements Act of 1994 42 U. S. C. 405( c)( 2)( E) Eligibility of potential jurors Authorizes states and political subdivisions of states to use SSNs to determine eligibility of potential jurors Personal Responsibility and Work Opportunity Reconciliation Act of 1996 42 U. S. C. 666( a)( 13) Various license applications; divorce and child support documents; death certificates Mandates that states have laws in effect that require collection of SSNs on applications for driver?s licenses and other licenses; requires placement in the pertinent records of the SSN of the person subject to a divorce decree, child support order, paternity determination; requires SSNs on death certificates; creates national database for child support enforcement purposes Debt Collection Improvement Act of 1996 31 U. S. C. 7701( c) Persons doing business with a federal agency Requires those doing business with a federal agency, i. e., lenders in a federal guaranteed loan program; applicants for federal licenses, permits, right- of- ways, grants, or benefit payments; contractors of an agency and others to furnish SSNs to the agency Higher Education Act Amendments of 1998 20 U. S. C. 1090( a)( 7) Financial assistance Authorizes the secretary of education to include the SSNs of parents of dependent students on certain financial assistance forms Appendix I: Examples of Federal Statutes That Authorize or Mandate the Collection and Use of Social Security Numbers Page 21 GAO- 02- 691T Federal statute General purpose for collecting or using SSN Government entity and authorized or required use Internal Revenue Code (various amendments) 26 U. S. C. 6109 Tax returns Authorizes the commissioner of the Internal Revenue Service to require that taxpayers include their SSNs on tax returns Source: GAO review of applicable federal laws Page 22 GAO- 02- 691T Certain federal laws lay out a framework for federal agencies to follow when establishing information security programs to protect sensitive personal information, such as SSNs. 1 The federal framework is consistent with strategies used by private and public organizations that we previously reported have strong information security programs. 2 This framework includes four principles that are important to an overall information security program. These are to periodically assess risk, implement policies and controls to mitigate risks, promote awareness of risks for information security, and to continually monitor and evaluate information security practices. To gain a better understanding of whether agencies had in place measures to safeguard SSNs that are consistent with the federal framework, we selected eight commonly used practices found in information security programs- two for each principle. Use of these eight practices could give an indication that an agency has an information security program that follows the federal framework. 3 We surveyed the federal, state, and county programs and agencies on their use of these eight practices: Periodically assess risk Conduct risk assessments for computer systems that contain SSNs Develop written security plan for computer systems that contain SSNs 1 See federal Government Information Security Reform provisions of the fiscal year 2001 Defense Authorization Act, the federal Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger- Cohen Act of 1996, and Office of Management and Budget guidance. 2 U. S. General Accounting Office, Executive Guide: Information Security Management, Learning From Leading Organizations, GAO/ AIMD- 98- 68 (Washington, D. C.: May 1998) reported on strategies used by private and public organizations- a financial services corporation, a regional utility, a state university, a retailer, a state agency, a nonbank financial institution, a computer vendor, and an equipment manufacturer- that were recognized as having strong information security programs. The information security strategies discussed in the report were only a part of the organizations? broader information management strategies. 3 States may also require any number of the eight practices, but the requirements would vary from state to state. Appendix II: Our Eight Practices and How They Fit Into the Federal Framework for an Information Security Program Page 23 GAO- 02- 691T Implement policies and controls to mitigate risks Develop written policies for handling records with SSNs Control access to computerized records that contain SSNs, such as assigning different levels of access and using methods to identify employees (e. g., use ID cards, PINS, or passwords) Promote awareness of risks for information security Provide employees training or written materials on responsibilities for safeguarding records Take disciplinary actions against employees for noncompliance with policies, such as placing employees on probation, terminating employment, or referring to law enforcement Continually monitor and evaluate information security practices Monitor employees? access to computerized records with SSNs, such as tracking browsing and unusual transactions Have computer systems independently audited (130153) *** End of document. ***