Number: 110-6
Date: July 31, 2007 

House Committee on Ways and Means reports favorably the “Social Security Number Privacy and Identity Theft Prevention Act of 2007”

On July 18, 2007, the House Committee on Ways and Means voted 41-0 to approve H.R. 3046, a bill to amend the Social Security Act to prevent Federal, State and local governments from displaying Social Security numbers (SSNs) to the public, showing the numbers on identification tags and cards and, in most cases, selling the numbers. For purposes of this bill, the definition of an SSN includes any derivative of the SSN.

Federal, State, and local governments would be prohibited from:

•  Selling SSNs. Limited exceptions to sales would be allowed, as follows:

•  To the extent that such sale is specifically authorized by the Social Security Act and the Privacy Act;

•  To the extent it is necessary or appropriate for law enforcement and national security;

•  To comply with tax law of the United States or of any State;

•  By a State department of motor vehicles for use by:

•  a government agency, or person or entity acting on the government's behalf, in carrying out its functions;

•  an insurer or self-insured entity for claims investigation activities, antifraud activities, rating or underwriting; and,

•  an employer, or its agent or insurer, in obtaining or verifying information related to a commercial driver's license;

•  Solely for the permissible purposes described under the Fair Credit Reporting Act, which allow for the disclosure of consumer reports in response to:

•  a court order or subpoena issued in connection with proceedings before a Federal grand jury;

•  the written instructions of the consumer to whom it relates;

•  a person who intends to use the information in connection with a credit transaction, employment, underwriting of insurance, eligibility for a license or benefit granted by a governmental instrumentality required by law to consider the applicant's financial responsibility, valuation of credit, or a legitimate business need for the information; and,

•  a request from a State or local child support enforcement agency; and,

•  For research conducted by a government entity for the purpose of advancing the public good.

•  Displaying SSNs to the general public, including the transmission of SSNs over the Internet without encryption or other security measures.

(Further exceptions to the sale or display to the general public may be made for other purposes by regulation.)

•  Displaying SSNs on checks issued for payment and accompanying documents. This requirement would be effective one year after enactment.

•  Displaying SSNs on identification cards and tags, or including on such cards or tags a magnetic strip, bar code or other means of communication which conveys the SSN , issued to employees, patients and students at public institutions, or the families of such individuals. This requirement would be effective one year after enactment.

•  Displaying SSNs on Medicare cards, or including on such cards a magnetic strip, bar code or other means of communication which conveys the SSN. This provision would be effective two and one half years after enactment.

•  Employing prisoners in jobs that provide them with access to SSNs. This provision would be effective with employment of prisoners commencing on or after the date of enactment. However, for prisoners so employed on the date of enactment, this provision would be effective 90 days after enactment.

Unless noted otherwise, initial final regulations prescribed by the Commissioner would be issued not later than the last day of the 18 th month following enactment. Provisions would take effect one year after issuance of such regulations . In the case of displays to the general public, the provisions would apply only to displays originally occurring after such 1-year period.

The government and private sectors would be required to truncate SSNs:

•  In accordance with regulations prescribed by the Commissioner not later than the last day of the 18 th month following enactment. This provision would take effect one year after issuance of such regulations.

•  A temporary exception would permit:

•  Governmental agencies to sell or display to the general public the last four digits of SSNs for two years after regulations are promulgated; and,

•  Private entities to sell, purchase or display the last four digits of SSNs for two years after regulations are promulgated. (This truncation standard does not change the permissible uses of the SSN.)

The private sector would be prohibited from:

•  Selling or purchasing SSNs. Limited exceptions to sales and purchases would be allowed, as follows:

•  In the process of applying for any type of Government benefits or programs (e.g., grants, loans, welfare, or other public assistance programs);

•  To administer employee benefit plans;

•  If incidental to the sale, lease, merger, transfer, or exchange of a business;

•  To the extent necessary for law enforcement (including child support enforcement) and national security;

•  To the extent necessary for public health purposes and in emergency situations to protect the health or safety of 1 or more individuals;

•  To comply with tax law of the United States or of any State;

•  Solely for the permissible purposes described under the Fair Credit Reporting Act, which allow for the disclosure of consumer reports in response to:

•  a court order or subpoena issued in connection with proceedings before a Federal grand jury;

•  the written instructions of the consumer to whom it relates;

•  a person who intends to use the information in connection with a credit transaction, employment, underwriting of insurance, eligibility for a license or benefit granted by a governmental instrumentality required by law to consider the applicant's financial responsibility, valuation of credit, or a legitimate business need for the information; and,

•  a request from a State or local child support enforcement agency;

•  To the extent necessary for research (other than market research) conducted by an agency or instrumentality of the United States, a State, or political subdivision, for the purpose of advancing the public good; and,

•  With the individual's voluntary and affirmative, written consent.

•  Displaying SSNs to the general public, including the transmission of SSNs over the Internet without encryption or other security measures.

(Further exceptions to the sale, purchase or display to the general public may be made for other purposes by regulation.)

•  Obtaining another person's SSN to locate or identify the individual with the intent to harass, harm, physically injure or use the individual's identity for an illegal purpose.

•  Displaying SSNs on checks.

•  Making unnecessary disclosures of another individual's SSN to government agencies.

•  Displaying the SSN on cards or tags, or including on such cards or tags a magnetic strip, bar code or other means of communication which conveys the SSN, issued to access goods, services, or benefits.

•  Displaying the SSN on cards or tags, or including on such cards or tags a magnetic strip, bar code or other means of communication which conveys the SSN, issued to employees, their family members, or other individuals.

Initial final regulations prescribed by the Commissioner would be issued not later than the last day of the 18 th month following enactment. Provisions would take effect one year after issuance of such regulations. In the case of displays to the general public, the provisions would apply only to displays originally occurring after such 1-year period.

Additional Provisions:

•  To ensure that the sale or purchase of SSNs for purposes of public or private medical research is permitted only in compliance with the Health and Insurance Portability and Accountability Act (HIPAA) of 1996, the Commissioner shall maintain ongoing consultation with the Office of Civil Rights of the Department of Health and Human Services.

•  Prohibitions on the sale or display to the general public of SSNs by the government or private sectors, or on the purchase of SSNs by the private sector, would not apply with respect to SSNs of deceased individuals.

•  Public and private sectors would be required to safeguard, to the satisfaction of the Commissioner, SSNs they have in their possession from unauthorized access by employees or others.

•  State law governing use of SSNs would not be preempted where State law is stronger.

•  Sale , purchase, or display of SSNs in the public or private sector would be permitted by regulation in other circumstances, when appropriate. In making this determination, regulators would consider whether the authorization would serve a compelling public interest or would pose an unreasonable risk of identity theft or financial harm, and would consider the costs and burdens to the public, businesses, and government. If sale, purchase, or display were to be authorized, the regulation would provide for restrictions to prevent identity theft, fraud, deception, crime, and risk of bodily, emotional, or financial harm.

•  The Commissioner would be required to enter into an arrangement with the National Research Council, which would be required to conduct a study to evaluate the feasibility of banning the use of the SSN as an authenticator. The Council would be required to report its finding and recommendations to the Commissioner and to Congress no later than one year after the date initial final regulations prohibiting the Government from selling or displaying SSNs are issued by the Commissioner (as noted above, such regulations must be issued not later than the last day of the 18 th month following enactment).

Enforcement

•  New criminal penalties (up to 5 years imprisonment and fine up to $250,000 under Title 18 USC) and civil penalties (up to $5,000 per incident) would be created for violations of the law relating to:

•  The display, sale, purchase, or misuse of the SSN;

•  Possessing an SSN card known to have been altered, counterfeited, forged, stolen or obtained from SSA by use of false information; and,

•  Offering to acquire an additional SSN for a fee, and for selling or transferring one's own SSN.

Effective for violations occurring after enactment, with certain exceptions.

•  New criminal penalties (as much as 20 years in prison and fine up to $250,000 under Title 18 USC) and civil penalties (up to $5,000 per incident) would be created for Social Security Administration employees who fraudulently sell or transfer SSNs or Social Security cards. Effective for violations occurring after enactment.

•  Prison sentences would be enhanced for SSN misuse associated with repeat offenders (up to 10 years), drug trafficking or crimes of violence against persons (up to 20 years), or terrorism (up to 25 years). Effective for violations occurring after enactment.

•  The bill permits enforcement by the Social Security Administration (which would have civil monetary penalty authority); the Department of Justice (which enforces criminal violations of Federal law); and State attorneys general (who would be granted civil enforcement authority over private-sector users and State and local government). In addition, individual victims affected by violations of this bill by Federal agencies would be provided with limited legal recourse to stop an agency's violation and recover any actual damages they may have suffered.