SCAN THIS NEWS
5.14.2000
New report from the GAO on SSN use. See also:
"Social Security: Government and Commercial Use of the Social Security
Number Is Widespread" (GAO/HEHS-99-28, Feb. 16, 1999).
http://www.networkusa.org/fingerprint/page2/fp-gao-report-analysis.html
---
For Release on Delivery
Tuesday, May 9, 2000
GAO/T-HEHS-00-111
SOCIAL SECURITY
Use of the Social Security Number Is Widespread
http://www.gao.gov/new.items/he00111t.pdf
Statement of Barbara D. Bovbjerg, Associate Director
Education, Workforce, and Income Security Issues
Health, Education, and Human Services Division Testimony
Before the Subcommittee on Social Security, Committee on Ways
and Means, House of Representatives
United States General Accounting Office
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting me here today to discuss usage of the Social
Security number (SSN) for purposes not related to Social Security. The
SSN was created in 1936 as a means of tracking workers� earnings and
eligibility for Social Security benefits. Today over 277 million individuals
have a unique SSN. For this reason it is used for myriad purposes not
related to Social Security. Both private businesses and government
agencies frequently ask individuals for their SSNs because in certain
instances they are required to or because SSNs provide a convenient
means to track and exchange information.
Perceived widespread sharing of personal information and occurrences of
identity theft have raised public concern. To provide information about
how the SSN is currently used, in my remarks today I will describe (1)
federal laws and regulations directing the number�s use, (2) the nonfederal
purposes for which the number is used, and (3) what businesses and state
governments believe the effect would be if federal laws limiting the use of
SSNs were passed. My testimony is based on findings from a study [1] we
conducted for this Subcommittee during 1998 and recent work conducted
to update our information.
In summary, the federal government, states and local governments, and
private businesses all widely use SSNs. In the case of the federal
government, a number of laws and regulations require the use of SSNs for
various programs, but they generally also impose limitations on how these
SSNs may be used. However, no federal law imposes broad restrictions on
businesses� and state and local governments� use of SSNs when that use is
unrelated to a specific federal requirement. Currently, governments and
businesses frequently use SSNs to identify and organize individuals�
records. Some may also use SSNs to exchange information with other
organizations to verify information on file, to coordinate benefits or
services, or to ensure compliance with certain federal laws. For example,
by sharing information about applicants for the Supplemental Security
Income (SSI) program, the Social Security Administration (SSA) can
identify individuals whose benefits should be reduced, such as those in
prison. In addition, some information brokers use SSNs to retrieve the
large amount of personal information on individuals that they collect and
sell. Public concern over the availability of personal information has
encouraged some to consider ways to limit using SSNs to disclose such
FN1: Social Security: Government and Commercial Use of the Social Security
Number Is Widespread (GAO/HEHS-99-28, Feb. 16, 1999).
Page 1
information. However, officials from both private businesses and state
governments have stated that if the federal government passed laws that
limited their use of SSNs, their ability to reliably identify individuals�
records would be limited, as would their subsequent ability to administer
programs and conduct data exchanges with others. Nonetheless, some
state agencies and businesses have voluntarily taken steps to limit their
disclosure of SSNs.
"Federal Laws and Regulations Require and Restrict Certain SSN Uses"
Although SSA originally intended SSNs as a means to identify workers�
earnings and eligibility for Social Security benefits, a number of federal
laws and regulations now require the use of the SSN to track participation
in a variety of federal programs. Use of SSNs facilitates automated
exchanges that help administrators enforce compliance with federal laws,
determine eligibility for benefits, or both. The Internal Revenue Code and
regulations that govern the administration of the federal personal income
tax program require that individuals� SSNs serve as taxpayer identification
numbers. Employers and others making payments to individuals must
include the individual�s SSN in reporting to the Internal Revenue Service
(IRS) many of these payments. In addition, the Code and regulations
require that individuals filing personal income tax returns include their
SSN and those of any dependents or former spouses to whom they pay
alimony. Similarly, the Social Security Act requires individuals to provide
their SSNs in order to receive benefits under the SSI, food stamp,
Temporary Assistance for Needy Families (TANF), and Medicaid
programs�programs that provide benefits to people with limited income.
Applicants give program administrators information about their income
and resources, and program administrators use applicants� SSNs to match
records with those of other organizations to verify the information. For
example, we have recommended in previous reports that SSA match its
records with other state and federal program records to reduce SSI
payments to individuals whom agencies find residing in nursing homes
and prisons. Similarly, the Commercial Motor Vehicle Safety Act of 1986
requires states to use individuals� SSNs to determine if an individual holds
a commercial license issued by another state. Also, federal law requires
that states use SSNs to maintain records of individuals who owe
state-ordered
child support or are owed child support and to collect from
employers reports of new hires identified by SSN. States then transmit this
information to the Federal Parent Locator Service, an automated database
searchable by SSNs. The use of SSNs in these instances ensures
compliance with federal tax laws, enhances program payment controls,
reduces the possibility of inappropriately licensing applicants, and
facilitates enforcement of child support payments.
Page 2
Federal laws that require the use of an SSN generally limit its use to the
statutory purposes described in each of the laws. For example, the
Internal Revenue Code, which requires the use of SSNs for tax purposes,
also declares tax return information, including SSNs, to be confidential
and prescribes both civil and criminal penalties for unauthorized
disclosure. Similarly, the Social Security Act, which requires the use of
SSNs for disbursement of benefits, declares that SSNs obtained or
maintained by authorized individuals on or after October 1, 1990, are
confidential and prohibits their disclosure. Finally, the Personal
Responsibility and Work Opportunity Act, which expanded the Federal
Parent Locator Service, explicitly restricts the use of SSNs to purposes set
out in the act, such as locating absentee parents to enforce child support
payments.
In addition to the restrictions contained in laws that require the use of
SSNs, the Privacy Act of 1974 also restricts federal agencies in collecting
and disclosing personal information, which includes SSNs. The act
requires federal agencies that collect information from individuals to
inform the individuals of the agencies� authority for requesting the
information, whether providing the information is optional or mandatory,
and how the agencies plan to use the information. The act, which also
prohibits federal agencies from disclosing information without individuals�
consent, does not apply to other levels of government or to private
businesses.
Except as discussed above, federal law does not regulate the use of SSNs.
Thus, nonfederal agencies and legitimate businesses have uses of SSNs not
covered by federal law, which I will now discuss.
"Governments and Businesses Use SSNs Extensively."
Because there are so many users of the SSN, I will focus on organizations
that routinely use SSNs for activities that affect a large number of people.
These include state government agencies as well as private businesses that
sell health services, financial services, and personal information. In
general, organizations may record SSNs in their databases for two
purposes: to locate records for routine internal activities, such as
maintaining and updating account information and, more frequently, to
facilitate information exchanges with other organizations. Governments,
health care organizations, and financial services businesses use SSNs, at
least in part, to perform services for the person who owns the number.
Information brokers, however, collect information that may include SSNs
for the sole purpose of selling it.
Page 3
State Agencies:
States use SSNs to support state government operations and offer services
to residents. The Social Security Act allows states to use SSNs to identify
individuals who pay taxes, receive general public assistance, own a
vehicle, or drive. My comments today will focus on two examples of how
states use SSNs to administer programs: states� personal income tax
programs and licensing of drivers.
All states that have personal income tax use SSNs to administer their
programs, according to an official at an organization representing state tax
administrators. States use SSNs as primary identifiers in their programs
and for auditing purposes. Tax administrators from Maryland and Virginia
told us that their states require individuals to provide their SSNs on state
tax returns and that those who do not risk being considered nonfilers if
tax administrators cannot otherwise identify them. In order to monitor
taxpayer income reporting, states rely on SSNs to match data with IRS and
state tax agencies. In addition, tax administrators said they use SSNs to
cross-reference owners� or officers� business income tax returns with their
personal income tax returns so that an audit of one triggers an audit of the
other. They also use SSNs to identify residents who received income or tax
credits in other states. Finally, when they assess liens against a taxpayer,
tax administrators may also use SSNs to gather information from credit
bureaus and information brokers about a taxpayer�s assets.
State driver licensing agencies are more likely to use SSNs to exchange
data with other organizations than to support internal activities.
Information from the American Association of Motor Vehicle
Administration (AAMVA) and other sources suggests that many states
request, but may not require, applicants for noncommercial driver licenses
to provide their SSNs. Most state driver licensing agencies that request
SSNs include SSNs in driver records as a secondary identifier and devise
their own license numbers. To monitor drivers� compliance with state
laws, state officials said they use SSNs during the licensing process to
search national databases maintained by AAMVA. This allows states to
identify driver licenses an applicant may hold in other states and to
determine whether the applicant has had a license suspended or revoked
in another state. Licensing officials told us that courts and law
enforcement agencies may request driver records by SSN when they do
not know the driver�s license number. In the past, some states have sold
personal information collected from drivers and automobile owners,
including SSNs, to individuals and businesses. However, the federal
Drivers� Privacy Protection Act now prohibits states from disclosing this
Page 4
personal information for purposes such as surveys, marketing, and
solicitation without the express consent of the individual.[2]
Having discussed how state governments use SSNs, I would like now to
focus on how private businesses use these numbers. Specifically, I will
discuss use of SSNs by health care service organizations, financial services
businesses, and businesses that sell information.
Health Care Services Organizations:
Officials representing hospitals, a health maintenance organization (HMO),
and a health insurance trade association told us that their organizations
always ask for an SSN, but they do not deny services if a patient refuses to
provide the number.
Officials from a hospital and an HMO told us that although they ask
patients for their SSNs, they assign patients other identifying numbers,
which they use internally as the primary identifiers for patient medical
records. If a patient either forgets or does not know the patient number he
or she was assigned then the hospital or HMO uses SSNs as a backup to
identify records. These officials also told us that hospitals and HMOs use
SSNs to track patients� medical care across multiple providers because
doing so helps establish a patient�s medical history and avoid duplicate
tests. Similarly, health care providers use SSNs to integrate patients�
records when providers merge, a trend that is growing.
We also spoke with a representative from a health insurance trade
association to understand how insurers use SSNs. He told us that some
health insurers use the SSN or a variation of the number as the customer�s
insurance number. We were told that the BlueCross BlueShield health
insurance plans and the Medicare program frequently use this method.
This representative also said that insurers and providers frequently match
records among themselves, using SSNs to determine whether individuals
have other insurance. This allows insurers to coordinate payment of
insurance benefits.
Officials in the health care industry expect their use of SSNs to increase.
Because health care services are generally delivered through a
coordinated system that includes health care providers and insurers, it is
important for health care providers to be able to accurately identify
information about patients. However, health care providers may also use
FN2: Until a 1999 amendment to the act, states were permitted to disclose
this information if they provided drivers with the opportunity to prohibit
disclosure and the driver opted not to do so.
Page 5
SSNs to gather information that is not directly relevant to a patient�s
health
care. For example, one hospital official said that her hospital plans to use
SSNs during the admission process to obtain on-line verification of
patients� addresses.
Financial Services Businesses:
Three national credit bureaus serve as clearinghouses for consumer credit
reports and receive information about consumers� credit card transactions
and payments from businesses that grant consumer credit. Officials from a
bank and a credit card company told us that banks and credit card
companies voluntarily report customers� payments and credit card
transactions, accompanied by SSNs, to credit bureaus. They do so because
ensuring that credit bureaus have up-to-date consumer payment histories
serves the interest of companies, like themselves, that provide credit. An
official for a credit bureau trade association estimated that each national
credit bureau has more than 180 million credit records. SSNs are one of
the principal identifiers credit bureaus use to update individuals� credit
records with the monthly reports of credit and payment activity creditors
send them. In addition, credit bureaus use SSNs that are provided by
customers to retrieve credit reports on individuals. Credit bureau officials
told us that customers are not required to provide SSNs when requesting
reports, but requests without SSNs need to include enough information to
identify the individual.
Businesses such as insurance companies, collection agencies, and credit
grantors use SSNs to request information about customers from credit
bureaus. Banks and credit card companies in particular want information
on customers� histories of repaying debts and whether customers have
filed for bankruptcy or have monetary judgments against them, such as tax
liens. Officials representing credit grantors said most banks and credit
card companies ask applicants to provide their SSNs, and these credit
grantors may choose to deny services to individuals who refuse. These
officials said that their organizations generally do not use SSNs as
internal
identifiers but instead assign an account number as a customer�s primary
identifier.
Businesses That Sell Personal Information:
Continuing advances in computer technology and the ready availability of
computerized data have spurred the growth of information brokers who
amass and sell vast amounts of personal information, including SSNs,
about members of the public. One official from a firm that sells
information told us that his organization has more than 12,000 discrete
databases with information about individuals. Federal law does not
prohibit these businesses from disclosing SSNs.
Page 6
Brokers buy and sell information from and to a variety of public and
nonpublic sources. Examples of the information they buy include public
records of bankruptcy, tax liens, civil judgments, real estate ownership,
driving histories, voter registration, and professional licenses. The
information broker�s purchase may include SSNs. Some brokers sell
information only to businesses that establish accounts with them; others
sell it to anyone. Law firms, law enforcement agencies, research
organizations, and individuals are among those who use brokers� services.
For example, lawyers, debt collectors, and private investigators may
request information about an individual�s bank accounts and real estate
holdings for use in divorce or other civil proceedings; automobile insurers
may want information about whether insurance applicants have been
involved in accidents or have been issued traffic citations; employers may
want background checks on new hires; pension plan administrators may
want information to locate pension beneficiaries; and individuals may ask
for information to help locate their birth parents.
To meet the needs of the parties to whom they sell information,
information brokers have databases that can be searched by identifiers
that may include SSNs; brokers may also include SSNs along with the
other information they provide to customers. When possible, information
brokers retrieve data by SSN because it is more likely than other
identifiers to produce records for a specific individual.
"Business and State Officials Believe Federal Laws Restricting Uses of SSNs
Would Have a
Negative Effect on Their Activities and Programs."
Officials from the businesses and agencies we contacted told us that
federal restrictions on using SSNs could hamper their ability to conduct
routine internal activities and their ability to exchange data. For each of
these entities, correctly matching a specific individual to a corresponding
record of information is an important concern. Consequently, these
officials told us, federal limits on the use of SSNs could adversely affect
their activities and programs. They told us that limits on the use of SSNs,
for example, would lessen the certainty with which credit information
could be matched to specific individuals and hinder health care service
providers� ability to track patients� medical histories over time and among
multiple providers. They also told us that such action could impede state
tax agencies� ability to identify those who file taxes, make it difficult to
associate tax return information received from other tax agencies with tax
information reported by residents, and make it more difficult for states to
link driver license applicants to traffic violations they may have acquired
under other state licenses. Finally, officials from state agencies that
license drivers told us that if they could not use SSNs to query their
databases, it would increase the likelihood that government and law
enforcement agencies would receive the records of multiple people with
Page 7
the same name when they requested information about a particular
individual.
Because of privacy concerns raised by the disclosure of personal
information, some businesses and states have voluntarily restricted their
disclosure of such information, including SSNs. In December 1997, 14 of
the self-identified industry leaders of those businesses that sell personal
information voluntarily agreed to make the SSNs they obtain from
nonpublic sources available only to a limited range of customers. They
identified such customers as those having appropriate uses for this
information, such as law enforcement. Although these brokers agreed to
limit their disclosure of SSNs obtained from nonpublic sources, it should
be noted that most of the SSNs they acquire come from public sources,
according to an official from an information brokerage company. As part
of their agreement regarding disclosure of SSNs, the 14 organizations also
agreed to annual compliance reviews by independent contractors. If an
organization fails to comply with the agreement, the Federal Trade
Commission can cite the organization for unfair and deceptive business
practices. The agreement became effective on December 31, 1998. Recent
reports indicate that the first round of compliance reviews is complete and
all of the companies have generally complied with the agreement.[3]
In addition to the voluntary efforts of businesses, some states are
discontinuing practices that result in routine disclosure of SSNs. For
example, since July 1, 1997, Georgia no longer automatically prints SSNs
on licenses but rather assigns its own numbers for driver licenses and uses
the SSN as a license number only if requested by the license holder to do
so. Ohio, which before July 29, 1998, routinely printed SSNs along with
state-assigned numbers on driver licenses, now allows drivers the option
of not having SSNs printed on their licenses. Also, AAMVA officials believe
most states in which driver records are public now exclude SSNs when
responding to requests for driver records.
Finally, SSA has stated that the expanded use and misuse of SSNs poses an
administrative burden for the agency. According to agency officials,
widespread use of SSNs as identifiers requires SSA to meet more requests
for SSN verification from employers and government agencies. In addition,
the disclosure of SSNs increases those instances in which the agency must
issue individuals new SSNs when theirs are being misused by another
party.
FN3: One company no longer offers products that fall within the scope of the
agreement.
Page 8
Concluding Observations:
In conclusion, the widespread use of the SSN is permissible under existing
laws and regulations, but because it provides a means to build and share
databases of personal information, it creates privacy concerns and enables
the growing problem of identity theft. Although restricting the use of SSNs
may slow or reduce wide dissemination of personal information, such an
action could also restrict commercial and public sector activities.
However, such effects could be only temporary, until a new means of
identifying unique personal records was devised. In our increasingly
electronic world, protecting privacy will continue to be a public policy
challenge.
Mr. Chairman, this concludes my prepared statement. At this time, I will be
happy to answer any questions you or other Members of the
Subcommittee may have.
GAO Contact and Staff Acknowledgments.
For information regarding this testimony, please contact Barbara Bovbjerg
at (202) 512-7215. Individuals who made key contributions to this
testimony include Kay Brown, Jacquelyn Stewart, Roger Thomas, and
Patrick di Battista.
(207097)
Ordering Information-
Orders by Internet:
For information on how to access GAO reports on the Internet, send
an e-mail message with "info" in the body to:
Info@www.gao.gov
or visit GAO�s World Wide Web home page at:
http://www.gao.gov
To Report Fraud, Waste, and Abuse in Federal Programs
Contact one:
Web site: http://www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
1-800-424-5454 (automated answering system)
-- sis (sis@homenow.zzz), May 15, 2000