Protecting Beneficiaries from Identity Theft
Identity theft is a common crime. Careless handling of personal information makes identity theft easier. As a representative payee, you or your organization keeps records that have personal information for Social Security and Supplemental Security Income (SSI) beneficiaries. Examples of personal information include a person’s name, date of birth, Social Security number, Medicare claim number, bank account information, address, health records and Social Security and SSI benefit payment data.
To prevent identity theft or accidental loss or disclosure of confidential information, you should have documented procedures in place that protect personal information. If contractors or volunteers perform services for you or your organization, these procedures also should cover their activities. The Social Security Administration (SSA) expects you to oversee the performance of any representative payee duties that you assign to volunteers or contract out.
Below are the most common practices used to deter identity theft. You should include these practices in your procedures for protecting personal information, if you do not already follow them.
Actions Managers Should Take to Prevent Identity Theft
- Screen your organization’s employees, volunteers and contractors before allowing them to access confidential paper or electronic records;
- Explain to employees, volunteers and contractors that they are responsible for protecting personal information at all times, both on and off duty. Only permit them to access the personal information they need to do their jobs and to disclose personal information only when appropriate (for example, a bank needs a beneficiary’s Social Security number to set up an account or a health care provider needs the beneficiary’s date of birth for patient identification);
- Train employees, volunteers and contractors to handle personal information responsibly and remind them periodically of their responsibilities;
- Educate employees, volunteers and contractors about which confidential records can be taken off site and when they can be taken off site. This includes any records and information on laptop computers or other electronic devices as well as paper files.
- Have a system that tracks any confidential records taken off site (for example, an employee must take work home)
to ensure their timely return to the office.
Require the records be transported and stored when not in use in a locking device such as a briefcase; and
- Train managers to recognize situations where employees, volunteers, or contractors have failed to adequately safeguard personal information by failing to secure it from theft, loss, or accidental disclosure. If theft, loss, or accidental disclosure occurs, document each case for future reference, and consider notifying law enforcement, when appropriate.
Actions Everyone Should Take to Prevent Identity Theft
- Avoid leaving paper documents and records containing personal information unprotected on desktops;
- Store confidential records in locking file cabinets or locking desks both on and off site. When taking records or laptops offsite, lock them in the car trunk. Do not leave them in the passenger compartment; and
- Shred papers with personal information, preferably with a cross-cutting shredder, before throwing them out.
Protecting Records Kept on a Computer
- Do not send personal information via E-Mail unless encrypted. Send reports and documents with personal information via regular mail or send them to a secure FAX location.
- Install firewalls, anti-spyware, and anti-virus software to protect your computer from hacking and keep this software up-to-date;
- Use password protection and encryption software to protect confidential files from unauthorized access. Choose a password that others cannot guess and change it frequently. Peripheral data storage devices, such as CDs and flash drives, with records containing personal information should be password protected and encrypted as well. Password protect and encrypt personal information stored on these devices both on and off the work site.
- Encrypt files with personal information before deleting them from your computer or a peripheral storage device. This will ensure that unauthorized users cannot recover the files.
- Lock or log off the computer when leaving it unattended.
If you believe one of your clients is a victim of identity theft, go to SSA’s online pamphlet, Identity Theft And Your Social Security Number (SSA Publication No. 05-10064, ICN 463270), and follow the instructions. Contact SSA if you think someone is using a client’s Social Security number for work purposes.
For more ideas on preventing identity theft and to learn what else you can do if identity theft occurs, visit the Federal Trade Commission’s (FTC) website, Fighting Back Against Identity Theft. The FTC is the lead government agency on identity theft issues.