WASHINGTON--Americans concerned about ID theft have to worry not only about the vulnerability of their Social Security numbers floating around in the private sector, but also about the numbers' use by the federal government, which leaves them widely exposed in a variety of records, according to a report released by the Government Accountability Office June 21.
Lawmakers have been working on the problem for six years, unsuccessfully crafting a variety of bills to curb the illegal use of the numbers. This time, though, they say they are serious about passing a law.
"I am committed to moving forward with legislation aimed at making it more difficult for thieves and other wrongdoers to obtain a Social Security number and use it to commit identity theft or other crimes," Rep. Michael McNulty, chairman of the House Subcommittee on Social Security, said at a hearing Thursday. "The time for talk should be over with."
McNulty said he is drafting proposed legislation that he will discuss with his counterparts on the House Committee on Energy and Commerce, which last month approved a Social Security protection bill sponsored by Reps. Ed Markey, D-Mass., and Joe Barton, R-Texas.
The Markey/Barton bill would make it a crime for someone to sell or buy Social Security numbers outside of parameters set by the Federal Trade Commission. The Social Security Number Protection Act (H.R. 948) would also restrict the display of numbers online and ban the practice of requiring them on ID cards or membership cards.
A combination of restrictions on the use and display of Social Security numbers, a better informed consuming public and deployment of improved authentication tools by businesses will go a long way toward reducing ID theft, lawmakers said.
"Technology is part of the problem, and fortunately, technology is beginning to offer solutions," Barton said. "Businesses which use Social Security numbers as commercial identifiers can often authenticate customers effectively and in a flash with other identifiers."
McNulty said that he is "in sync" with Markey and Barton, but that he wants his bill to go a little further.
Despite a rash of high-profile identity thefts in recent years, both the government and the private sector's practices for storing Social Security numbers leave the personally identifiable data vulnerable, according to the GAO. Even Social Security numbers that are truncated can be used by identity thieves because there is no standard method for truncation. Some agencies show only the last four digits, and some show the first five digits, leaving the full number available in public sources to be cobbled together.
In the Senate, Chuck Schumer, D-N.Y., plans to propose a bill that would require the Social Security Administration to set truncation standards.
"It's sort of a tragedy of errors," Schumer said in testimony to the House subcommittee. "Nobody's paying attention to the big picture. A little coordination in this area will go a long way."
Schumer's anticipated legislation would also ban the display of complete Social Security numbers on the Internet and grant the Department of Justice the authority to impose fines for violations. Similar legislative initiatives failed in the past, but this time the concerns of opponents, particularly local government officials, have been effectively addressed, Schumer said. Local governments would be allocated funds to help remove records currently online.
"I think the legislation should have smooth sailing," Schumer said. "I think now most of the opposition is gone."
There remain considerable differences between Schumer's proposal and the bill currently pending in the House, however. Under the Markey/Barton bill, the Federal Trade Commission would have the authority to decide which businesses are exempt from the restrictions. It is the degree of restrictions -- and the scope of exemptions -- which lie at the heart of the persistent debate. The Markey/Barton bill would allow the sale of Social Security numbers for law enforcement, public health and safety, credit verification and fraud prevention and authorize the FTC to craft additional exemptions.
Computer professionals and privacy advocates caution that Social Security numbers should not be used by credit agencies, banks or anyone else to verify identities. Instead, these organizations should use strong authentication, Ana Anton, an associate professor at North Carolina State University, told the subcommittee on behalf of the Association for Computing Machinery.
The government and private businesses should be required to secure or encrypt records that contain Social Security numbers, and the numbers' use on ID cards and in public records should be banned, Anton said.
On the other side of the debate, the Consumer Data Industry Association is looking to ward off restrictions on the use of Social Security numbers not only for credit verification and fraud prevention, but also for locating individuals, according to Stuart Pratt, CDIA president and CEO. The association is also pressing to limit the authority granted regulators and to preempt state laws.
The financial services industry is at the forefront of the opposition, arguing that current laws protect the public from improper use. Gilbert Schwartz, a partner with Schwartz & Ballen LLP who testified on behalf of the Financial Services Coordinating Council, went so far as to warn lawmakers that limiting the use of Social Security numbers by financial institutions could have the effect of increasing fraud and ID theft and impede law enforcement's efforts to thwart money laundering and terrorist financing.