The Federal Trade Commission has issued a report which doesn't break much new ground on protecting American citizen's Social Security Numbers. It does make official the call for new regulations intended to end unnecessary use of the Social Security Number (SSN) and provide for the privacy concerns of consumers when it is used. As the report makes clear, the genie cannot be stuffed back into the bottle. The SSNs of Americans are used, filed, stored, and accessed everywhere for business and identification purposes. That's pretty amazing for a number which is not officially an identification number.
Think about this. SSNs are assigned almost immediately after the birth of a baby. A basic paper card with few security provisions is given to the parents of the baby. The Social Security Administration will be happy to re-issue a card to a consumer as many as 10 times over a life time, not including legal name changes. If the card is lost or stolen, that is too bad. Apply for a new card - same number. No changes to your number will occur. Small wonder why identity theft is so easy to perpetrate. One of the basic pieces of information needed to commit identity frauds of all sorts is unprotected and is rarely changed even after it is exploited for criminal purposes.
Because so many functions of business though rely on the SSN for day to day operations, it will not go away anytime soon. Especially now as we boldly head into uncertain economic times, businesses cannot afford the cost of re-tooling from an obsolete identification system to a technologically safer credentialing system which matches stored card data to knowledge based authentication (KBA), PIN and/or biometrics. Many people are rightfully very concerned about these technologies and the implications they pose for consumer privacy. What cannot continue however is the current unabated abuse of the SSN which results in costly and time consuming identity restoration for consumers and billions of dollars in costs due to fraud; all facilitated by the SSNs inherent lack of safety. I am certainly not a proponent for national identity cards but the current system of using SSNs as a primary ID has to be put out to pasture. This is a subject we will need to visit again in the future.
FTC Issues Report on Social Security Numbers and Identity Theft excerpts
The Commission believes that the most effective course of action is to strengthen the methods by which businesses authenticate new and existing customers. Stronger authentication would make it more difficult for criminals to use stolen information, including SSNs, to impersonate consumers, thus devaluing the SSN to identity thieves and reducing the demand for it.
Limiting the supply of SSNs that are available to criminals, as a complement to improved authentication, although important, is more complex. SSNs already are available from many sources, including public records, and it may be impossible to “put the genie back in the bottle.” Moreover, there is a danger that reducing the availability of SSNs would have unintended, adverse consequences. A number of important functions in our economy depend on access to SSNs. Businesses routinely rely on SSNs to ensure that the information they use or share with other organizations is matched to the right individual. Still, we believe it is feasible to reduce the availability of SSNs to identity thieves, such as by eliminating unnecessary public display, while preserving the legitimate and beneficial uses and transfers of SSNs. The Commission’s five recommendations, detailed below in Section III, are:
- Improve consumer authentication;
- Restrict the public display and the transmission of SSNs;
- Establish national standards for data protection and breach notification;
- Conduct outreach to businesses and consumers; and
- Promote coordination and information sharing on use of SSNs.
This dual use of the SSN as identifier and authenticator has created significant identity theft concerns. SSNs often are described as the “keys to the kingdom,” because an identity thief with a consumer’s SSN (and perhaps other identifying information) may be able to use that information to convince a business that he is who he purports to be, allowing him to open new accounts, access existing accounts, or obtain other benefits in the consumer’s name. Unfortunately, SSNs have become
increasingly available to identity thieves, at least in part because they are so widely used as identifiers.
“Authentication” is the process of verifying that someone is who he or she claims to be. It is distinguished from “identification,” which simply matches an individual with his or her records, but does not prove that the individual is who he or she purports to be.
Given that the widespread use and availability of SSNs cannot be completely reversed,33 the Commission believes that the central component of the solution is to reduce the demand for SSNs by minimizing their value to identity thieves. This could be achieved by encouraging or requiring entities that have consumer accounts that can be targeted by identity thieves to adopt more effective authentication procedures, thereby making it more difficult for wrongdoers to use SSNs to open new accounts,
access existing accounts, or otherwise impersonate a consumer.
1. Improve Consumer Authentication
The Commission recommends that Congress consider establishing national consumer authentication standards covering all private sector entities that maintain consumer accounts other than financial institutions subject to the jurisdiction of the bank regulatory agencies, which already are subject to such requirements. These standards, which should be consistent with those covering financial institutions, should require private sector entities to create a written program that establishes
reasonable procedures to authenticate new or existing customers. This “reasonable procedures” approach, which should be fleshed out through agency rulemaking, should be technology-neutral and provide flexibility to private sector entities to implement a program that is compatible with their size, the nature of their business, and the specific authentication risks they face.
In developing authentication standards, Congress should consider several factors. First, the cost of implementing new authentication procedures should be evaluated in determining what is “reasonable.” Second, consumer convenience is a critical concern and also should be weighed in the reasonableness determination. Consumers are likely to resist authentication requirements that are too time-consuming or difficult, or that require the memorization or retention of too much information. Third, more robust authentication procedures that require consumers to provide additional information about themselves raise potential privacy concerns. For instance, some
businesses have developed authentication methods that require consumers to provide additional personal information either at the time the account is established or when the consumer later attempts to access the account. Many businesses use knowledge-based authentication in which they ask challenge questions, the answers to which are likely to be known only by the true individual. Although this method of authentication can overcome concerns about the unreliability of documentary evidence of identity45 and the lack of personal interaction in telephone or online transactions, challenge questions may require consumers to provide increasing amounts of information to businesses that are linked together in ways that may be unsettling to some.
2. Restrict the Public Display and the Transmission of SSNs
Although SSNs are valuable as a means of linking consumers with their information, much can be done to reduce the availability of SSNs to identity thieves by eliminating the unnecessary display and transmission of SSNs by the private sector. Restricting the display of SSNs on publicly-available documents and identification cards, and limiting the circumstances and means by which they can be transmitted, would make it more difficult for thieves to obtain SSNs, without hindering their use for legitimate identification and data matching purposes.
The Commission recommends that Congress consider creating national standards for the public display and the transmission of SSNs.64 Federal legislation would establish a nationwide approach to Federal Trade Commission reducing unnecessary display and transmission of SSNs, while addressing concerns about a patchwork of state laws with varying requirements. National standards should prohibit private sector entities
from unnecessarily exposing SSNs. The precise standards should be developed in rulemaking by appropriate federal agencies (i.e., agencies that oversee organizations that routinely transmit or display SSNs), and should include, for example, prohibitions against:
- publicly posting or displaying SSNs;
- placing SSNs on cards or documents required for an individual to access products or services provided by a covered entity, including student ID cards, employee ID cards, and insurance cards;
- transmitting (or requiring an individual to transmit) an SSN over the Internet, unless the connection is secure from unauthorized access, e.g., by encryption or other technologies that render the data generally unreadable;
- printing an individual’s SSN in materials mailed to the individual; and
- printing an individual’s SSN on the outside of an envelope or other mailer, or in a location that is visible without opening the envelope or mailer.
3. Establish National Standards for Data Protection and Breach
The Commission has previously expressed support for national data security standards that would cover SSNs in the possession of any private sector entity, and numerous commenters and workshop participants voiced similar support. Such standards, which would be implemented in rulemaking by federal agencies that oversee entities that routinely use and transfer sensitive consumer information, could be modeled after the Safeguards Rules and cover all entities that maintain sensitive consumer information.
The Commission also reiterates its support of its prior recommendation that Congress consider establishing national data breach notification standards requiring private sector entities to provide public notice when the entity suffers a breach of consumers’ personal information and the breach creates a significant risk of identity theft or other harms. These standards would also be implemented in rulemaking by appropriate federal agencies. Most states now have breach notification laws, but currently there is no across-the-board federal requirement. Commenters and workshop participants noted that, in addition to alerting affected consumers to protect themselves, these laws have had the indirect benefit of motivating companies to weigh their need to collect SSNs against the potential cost and liability that may ensue if the SSNs are compromised. Participants also noted that many businesses
have strengthened their safeguards practices to avoid data breaches, at least in part as a result of breach notification requirements. The state laws differ in various respects, however, complicating compliance.
4. Conduct Outreach to Businesses and Consumers
The Commission recommends increasing education and guidance efforts as additional steps to help reduce the role of SSNs in facilitating identity theft.
This type of guidance would be especially useful to small businesses and could include the following messages:
- the importance of collecting SSNs only when necessary and storing them only as long as necessary;
- steps businesses can take to reduce the use of SSNs as internal identifiers;
- proper disposal of SSNs;
- the importance of securing SSNs (such as by encrypting them) during their transmission; and
- limiting employee access to SSNs and conducting employee screening and training.
5. Promote Coordination and Information Sharing on Use of SSNs
Many private sector entities, from large multi-nationals and universities to small businesses and health care systems, have described the difficulties and expense of removing SSNs from computer systems and files, as well as the challenges of keeping up with the sophisticated and changing methods of identity thieves.
The Commission recommends that appropriate governmental entities explore helping private sector organizations establish a clearinghouse of best practices, enabling those organizations to share approaches and technologies on SSN usage and protection, fraud prevention, and consumer authentication.
Text of the Commission Report