Avoid Identity Theft: Protect Social Security Numbers

In an effort to curtail identity theft, the Social Security Administration (SSA) is initiating a public information program to encourage the use of alternate identifiers in place of the Social Security Number (SSN.) Many organizations including businesses, government agencies, medical facilities and educational institutions continue to use the SSN as the primary identifier for their record keeping systems. We are seeking your support, as well as the support of the general public, in helping to ensure the integrity of individual SSNs.

Identity theft is one of the fastest growing crimes in American society. The routine and often indiscriminate use of SSNs as identifiers creates opportunities for individuals to inappropriately obtain personal information. Repetitive use and disclosure of SSNs in organizational record keeping systems, multiplies the susceptibility of persons to potential identity theft. Through misuse of SSNs, individuals are subject to the danger of identity theft and its repercussions. Access to an individual’s SSN can enable an identity thief to obtain information that can result in significant financial difficulties for the victim. While this can be disruptive for the individual, it can also lead to civil liability for the organization and its individual employees if someone is harmed by information that has been made available to others.

ALTERNATE IDENTIFIERS: NOT NECESSARILY A FOREIGN CONCEPT

An organization’s collection and use of SSNs can increase the risk of identity theft and fraud. Each time an individual divulges his or her SSN, the potential for a thief to illegitimately gain access to bank accounts, credit cards, driving records, tax and employment histories and other private information increases. Because many organizations still use SSNs as the primary identifier, exposure to identity theft and fraud remains.

We strongly urge all organizations that use SSNs as the identifier in their record keeping systems to use alternate identifiers. In recent years, a number of nationally known professional businesses and schools have moved from an SSN-based identification system to an alternate employee/student identifier. In fact in our region, which includes Maryland, Pennsylvania, Virginia, West Virginia, Delaware and the District of Columbia, many places have found the cost of this conversion to be reasonable. Some have also stated that the increased peace of mind for all concerned has made any costs worthwhile.

A good example for using an alternate identification number relates to foreign-born students. Foreign students who do not have jobs or valid job offers are no longer eligible for SSNs under SSA regulation changes published in September 2004. Various educational institution record systems had to be changed to handle these students under alternate ID numbers.

BEST PRACTICES

Assign another primary identifier

Organizations should avoid using Social Security numbers (SSNs) as identifiers for any type of transaction. The SSN should only remain in a database as a secondary identifier. Organizations should exercise limited use of an individual’s SSN. For example, when it is necessary for a school to verify students’ identities when processing financial aid applications, use of an alternate identifier, other than the SSN, can reduce the risk of unauthorized disclosure of SSNs.

Inform Your Members

When identity data is required by your organization, you should provide the option of using another number as a personal identifier, and address the importance of privacy of individual records. This topic should be discussed on organizational websites that are accessible to all members.

Organizations that require identity information can also place a statement on the data request form regarding the state’s Public Information Act.

There are notably more articles in publications outlining the concerns and possible solutions to identity theft. Take action before something happens to inform your clients about alternate identifier systems.

Data Encryption

Organizations that maintain SSNs in their system of records should consider encryption of this data. Encrypting data is a good way to protect sensitive information. It ensures that the data can only be read by the person who is authorized to have access to it.

The federal government has required encryption of sensitive data stored on its laptops since the 2006 theft of computer equipment that contained data on 26.5 million veterans. Many organizations in business sectors such as banking and healthcare employ various types of encryption software and firewalls to safeguard data they maintain.

Use Employee Disclosure Statement

You can take action to decrease the risk of improper SSN disclosure by staff and employees. Require that personnel handling documents containing confidential information sign a disclosure statement.

For example, some educational institutions include references to the Family Educational Rights and Privacy Act (FERPA) and the fact that the handler of such documents may be subject to criminal prosecution and civil penalties, as well as disciplinary action by their employer, if they improperly disclose confidential information.

Establish Staff Responsibility

Some organizations have taken the progressive step of creating a Chief Privacy Officer position for oversight of all issues involving record security, including protection of SSNs maintained in the organization’s files.

Comply with State Regulations

Many states have enacted laws that place certain restrictions on the use of SSNs. Check with your state to see what is required.

PRACTICES TO AVOID

  • Never list an SSN when posting a paper record on a public bulletin board
  • Never send SSNs via an electronic format
  • Never have a computer log-in system where a person has to use their SSN
  • Never use SSNs on ID cards
  • Never send SSNs on postcards
  • Never store SSNs on unprotected computer systems
  • Never carry a Social Security Number card on your person

RESOURCES: PREVENTING IDENTITY THEFT AND EFFECTIVELY RESPONDING

The issue of improper or unnecessary use of SSNs is still very much on the public’s radar. The Office of the Inspector General (OIG) returned to this issue in a 2011 field hearing concerning use and protection of SSNs and child identity theft, and has audited use and protection of SSNs by hospitals, schools and prisons, not to mention SSA itself.

You can find other recent OIG Audit reports at http://oig.ssa.gov/audits-and-investigations/audit-reports/all . Also, there have been several bills in Congress on the general issue of use of SSNs as identifiers which, if passed, could make the issue very current again http://thomas.loc.gov/ .

There are a number of resources which provide additional information on dealing with identity theft and how to prevent it, including:

  • FTC is the lead federal agency on identity theft. Their website is http://www.consumer.gov/idtheft/
  • SSA offers a great deal of information on SSNs on our internet site at http://www.ssa.gov/ssnumber/.
  • If you represent an educational institution and you are a member of the American Association of Collegiate Registrars and Admissions Officers (AACRAO), the Middle States Association of Collegiate Registrars and Admissions Officers (MSACRAO), or a similar organization explore your group’s resources on the topics of FERPA compliance and protection of SSNs.

To obtain additional information, please visit www.socialsecurity.gov.

If you have questions or would like a presentation on Protecting the Social Security Number or on a variety of other Social Security topics, please contact your local Public Affairs Specialist listed at the Philadelphia Region Public Affairs web page

This is the official web page of the Philadelphia Region, U.S. Social Security Administration. If you have comments about the design or function of this web page, you may contact the Webmaster. Because the Internet is not secure, please do not send any personal information, especially social security numbers, in your feedback.