Protecting your Social Security Number online is an exercise in futility

Your Social Security Number is under attack and your personal records are more exposed than you'd like to think. At least that seems to be the observation in a frightening study released today that says among other things that 85% of large counties and 41% of small counties in the US make records that may contain SSNs generally available in bulk or online.  On top of that, many record keepers do not or cannot restrict the types of entities that can obtain public records and may not know how records are being used. Finish that observation off with the notion that some businesses are sending records with SSNs offshore, primarily to India and the Philippines, even though not much is known about how such data are protected overseas.

The dour Web-based study was conducted by the Government Accountability Office and looked at 247 counties across the US responsible for recording documents-including the 97 largest counties by population and a random sample of 150 of the remaining counties. Records could include birth, death, and marriage records; criminal and civil court case files; and records that reflect property ownership, such as property liens. Some records contain personal identifying information, such as SSNs, dates of birth, and credit card or bank account numbers.

AK, CT, HI, RI, and VT were not included in the study because the GAO said individual counties don't collect personal data in those states.

So if you have ever wondered how identity theft can be the number one consumer fraud problem seven years running, costing consumers more than $1.2 billion in 2007 alone, and showing no signs of letting up, perhaps we need only look to the results of studies such as this.

 Some of the other disturbing findings include:

  • Only about 16% of counties that make records available in bulk or online place some restrictions on the types of entities that can obtain records.
  • The GAO estimates that only about 23% of counties that make records available in bulk or online take any steps to verify the identity of entities that obtain records.
  • A majority of counties reported that there is no state or local law that requires or prohibits them from obtaining the identity of those who receive records in bulk or online.
  • Businesses obtain these records to use or resell data in them and may use SSNs to link identifying information on records back to specific individuals, such as ensuring that liens are applied to the correct individuals, since many people share the same name.
  • Large counties and businesses said SSNs generally appear more often in certain types of documents, including state and federal liens. To a lesser extent, SSNs appear in judgments and mortgage records. The prevalence of SSNs in documents is relatively low and has decreased over time. However, because record keepers can maintain millions of documents, many SSNs may be displayed.
  • The GAO said that title companies are the most frequent recipients of these records, but others such as mortgage companies and data resellers that collect and aggregate personal information often obtain records as well. Private companies said they obtain records to help them conduct their business, including using SSNs as a unique identifier.
  • The GAO did not identify any federal laws that appeared to restrict the bulk transfer of state and local public records or the display of SSNs in those records, nor did it identify any federal law that provides protections for SSNs obtained from public records and sent overseas by private parties.

The GAO study did say some things were being done to control the use of SSNs.  Several bills are pending in Congress that would limit the display or sale of SSNs to the public or to private entities.

For example, S. 238 generally prohibits the display or purchase of SSNs without the express consent of the SSN holder; contains an exception for certain public records.  H.R. 948 would make it unlawful for any person to sell or purchase SSNs in a manner violating regulations to be promulgated by SSA.  Then H.R. 3046 would restrict the sale and display of SSNs to the general public by government entities; however it does not specifically address SSNs in public records but does require the Social Security Administration to develop uniform truncation standards. Finally S. 2915 would prohibits display of SSNs to the general public on the Internet by state and local governments unless truncation standards to be set by SSA in accordance with certain guidelines are met; considers certain unencrypted transmittals of SSNs through the Internet to be a public display.

The GAO said some federal, state, and local governments have recently taken steps to safeguard SSNs in public records. The GAO said more than a third of counties have already redacted or truncated SSNs or are currently removing SSNs from their records; some in response to state laws and others of their own accord. Some states, such as New Jersey and Ohio, prohibit SSNs from appearing in any publicly recorded document.  Others limit the requirement to specific types of records; for example, Kansas and Utah prohibit SSNs from being shown in voter registration records, the GAO said.

However, recent actions by states and counties to limit the display of SSNs in records made available to the public through redaction or truncation are positive steps, but, because millions of records with SSNs have already been obtained in bulk or online, these actions will protect SSNs only in future transfers, the GAO said.

Ironically or perhaps preemptively in light of the GAO report, the President's Identity Task Force today said federal agencies have worked to eliminate unnecessary uses of SSNs in their programs.  For example, the Social Security Administration has removed SSNs almost entirely from its internal human resources forms.  The Department of Defense has issued a plan to reduce its internal use of SSNs, including their removal from military ID cards.  The Internal Revenue Service has been redacting taxpayer SSNs to the last four digits on all federal tax lien documents filed in public records and issued to taxpayers.

Layer 8 in a box

Check out these other hot stories:

Feds gain little victories in protracted identity theft war

Lunar spacecraft compete for $2 million NASA prize

Are we being chiseled further at the gas pump?

Calling all star gazers

Is the tech industry immune to current financial mess?

FTC wilts mega "male enhancement" spam operation

FTC warns: Financial quagmire bringing out the scammers

The world's 23 toughest math questions

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2008 IDG Communications, Inc.

IT Salary Survey: The results are in