Avoid Identity Theft: Protect Social Security Numbers
In an effort to curtail identity theft, the Social Security Administration (SSA) is initiating a public information program to encourage the use of alternate identifiers in place of the Social Security Number (SSN.) Many organizations including businesses, government agencies, medical facilities and educational institutions continue to use the SSN as the primary identifier for their record keeping systems. We are seeking your support, as well as the support of the general public, in helping to ensure the integrity of individual SSNs.
Identity theft is one of the fastest growing crimes in American society. The routine and often indiscriminate use of SSNs as identifiers creates opportunities for individuals to inappropriately obtain personal information. Repetitive use and disclosure of SSNs in organizational record keeping systems, multiplies the susceptibility of persons to potential identity theft. Through misuse of SSNs, individuals are subject to the danger of identity theft and its repercussions. Access to an individual’s SSN can enable an identity thief to obtain information that can result in significant financial difficulties for the victim. While this can be disruptive for the individual, it can also lead to civil liability for the organization and its individual employees if someone is harmed by information that has been made available to others.
An organization’s collection and use of SSNs can increase the risk of identity theft and fraud. Each time an individual divulges his or her SSN, the potential for a thief to illegitimately gain access to bank accounts, credit cards, driving records, tax and employment histories and other private information increases. Because many organizations still use SSNs as the primary identifier, exposure to identity theft and fraud remains.
We strongly urge all organizations that use SSNs as the identifier in their record keeping systems to use alternate identifiers. In recent years, a number of nationally known professional businesses and schools have moved from an SSN-based identification system to an alternate employee/student identifier. In fact in our region, which includes Maryland, Pennsylvania, Virginia, West Virginia, Delaware and the District of Columbia, many places have found the cost of this conversion to be reasonable. Some have also stated that the increased peace of mind for all concerned has made any costs worthwhile.
A good example for using an alternate identification number relates to foreign-born students. Foreign students who do not have jobs or valid job offers are no longer eligible for SSNs under SSA regulation changes published in September 2004. Various educational institution record systems had to be changed to handle these students under alternate ID numbers.
Assign another primary identifier
Organizations should avoid using Social Security numbers (SSNs) as identifiers for any type of transaction. The SSN should only remain in a database as a secondary identifier. Organizations should exercise limited use of an individual’s SSN. For example, when it is necessary for a school to verify students’ identities when processing financial aid applications, use of an alternate identifier, other than the SSN, can reduce the risk of unauthorized disclosure of SSNs.
Inform Your Members
When identity data is required by your organization, you should provide the option of using another number as a personal identifier, and address the importance of privacy of individual records. This topic should be discussed on organizational websites that are accessible to all members.
Organizations that require identity information can also place a statement on the data request form regarding the state’s Public Information Act.
There are notably more articles in publications outlining the concerns and possible solutions to identity theft. Take action before something happens to inform your clients about alternate identifier systems.
Organizations that maintain SSNs in their system of records should consider encryption of this data. Encrypting data is a good way to protect sensitive information. It ensures that the data can only be read by the person who is authorized to have access to it.
The federal government has required encryption of sensitive data stored on its laptops since the 2006 theft of computer equipment that contained data on 26.5 million veterans. Many organizations in business sectors such as banking and healthcare employ various types of encryption software and firewalls to safeguard data they maintain.
Use Employee Disclosure Statement
You can take action to decrease the risk of improper SSN disclosure by staff and employees. Require that personnel handling documents containing confidential information sign a disclosure statement.
For example, some educational institutions include references to the Family Educational Rights and Privacy Act (FERPA) and the fact that the handler of such documents may be subject to criminal prosecution and civil penalties, as well as disciplinary action by their employer, if they improperly disclose confidential information.
Establish Staff Responsibility
Some organizations have taken the progressive step of creating a Chief Privacy Officer position for oversight of all issues involving record security, including protection of SSNs maintained in the organization’s files.
Comply with State Regulations
PRACTICES TO AVOID
The issue of improper or unnecessary use of SSNs is still very much on the public’s radar. The Office of the Inspector General (OIG) returned to this issue in a 2011 field hearing concerning use and protection of SSNs and child identity theft, and has audited use and protection of SSNs by hospitals, schools and prisons, not to mention SSA itself.
You can find other recent OIG Audit reports at http://oig.ssa.gov/audits-and-investigations/audit-reports/all . Also, there have been several bills in Congress on the general issue of use of SSNs as identifiers which, if passed, could make the issue very current again http://thomas.loc.gov/ .
There are a number of resources which provide additional information on dealing with identity theft and how to prevent it, including:
To obtain additional information, please visit www.socialsecurity.gov.
If you have questions or would like a presentation on Protecting the Social Security Number or on a variety of other Social Security topics, please contact your local Public Affairs Specialist listed at the Philadelphia Region Public Affairs web page