In an effort to curtail identity theft, the Social Security
Administration (SSA) is initiating a public information program
to encourage the use of alternate identifiers in place of the
Social Security Number (SSN). Many organizations, including businesses,
government agencies, medical facilities and educational institutions,
continue to use the SSN as the primary identifier for their record
keeping systems. We are seeking your support, as well as the
support of the general public, in helping to ensure the integrity
of individual SSNs.
Identity theft is one of the fastest growing crimes in American
society. The routine and often indiscriminate use of SSNs as
identifiers creates opportunities for individuals to inappropriately
obtain personal information. Repetitive use and disclosure of
SSNs in organizational record keeping systems multiplies the
susceptibility of persons to potential identity theft. Through
misuse of SSNs, individuals are subject to the danger of identity
theft and its repercussions. Access to an individual’s
SSN can enable an identity thief to obtain information that can
result in significant financial difficulties for the victim.
While this can be disruptive for the individual, it can also
lead to civil liability for the organization and its individual
employees if someone is harmed by information that has been made
available to others.
ALTERNATE IDENTIFIERS: NOT NECESSARILY A FOREIGN CONCEPT
An organization’s collection and use of SSNs can increase
the risk of identity theft and fraud. Each time an individual
divulges his or her SSN, the potential for a thief to illegitimately
gain access to bank accounts, credit cards, driving records,
tax and employment histories and other private information increases.
Because many organizations still use SSNs as the primary identifier,
exposure to identity theft and fraud remains.
We strongly urge all organizations that use SSNs as the identifier
in their record keeping systems to use alternate identifiers.
In recent years, a number of nationally known professional businesses
and schools have moved from an SSN-based identification system
to an alternate employee/student identifier. In fact, in our region,
which includes Maryland, Pennsylvania, Virginia, West Virginia,
Delaware and the District of Columbia, many places have found
the cost of this conversion to be reasonable. Some have also
stated that the increased peace of mind for all concerned has
made any costs worthwhile.
A good example of using an alternate identification number
relates to foreign-born students. Foreign students who do not
have jobs or valid job offers are no longer eligible for SSNs
under SSA regulation changes published in September 2004. Various
educational institution record systems had to be changed to handle
these students under alternate ID numbers.
BEST PRACTICES
Assign another primary identifier
Organizations should avoid using Social Security numbers (SSNs)
as identifiers for any type of transaction. The SSN should only
remain in a database as a secondary identifier. Organizations
should exercise limited use of an individual’s SSN. For
example, when it is necessary for a school to verify students’ identities
when processing financial aid applications, use of an alternate
identifier, other than the SSN, can reduce the risk of unauthorized
disclosure of SSNs.
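
The re-keying described above, shown as an added example (not SSA code). The table and column names are hypothetical, and the sample SSNs are constructed values in the never-issued 000 area. Encryption of the remaining SSN table is left out of this sketch.

```python
import re
import secrets
import sqlite3

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def build_legacy_db():
    """Constructed sample: SSN is the primary key and is copied into a child table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE student (ssn TEXT PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE aid_application (app_id INTEGER PRIMARY KEY, student_ssn TEXT, amount INTEGER);
        INSERT INTO student VALUES ('000-00-0001', 'Sample Student A'), ('000-00-0002', 'Sample Student B');
        INSERT INTO aid_application VALUES (1, '000-00-0001', 5000), (2, '000-00-0002', 3200), (3, '000-00-0001', 750);
    """)
    return conn

def migrate(conn):
    """Re-key every record onto a random alternate ID; keep the SSN in one secondary table."""
    conn.executescript("""
        CREATE TABLE member (member_id TEXT PRIMARY KEY, name TEXT NOT NULL);
        -- The only place the SSN remains: the table to encrypt and restrict access to.
        CREATE TABLE member_ssn (member_id TEXT PRIMARY KEY REFERENCES member(member_id), ssn TEXT NOT NULL UNIQUE);
        CREATE TABLE aid_new (app_id INTEGER PRIMARY KEY, member_id TEXT NOT NULL REFERENCES member(member_id), amount INTEGER);
    """)
    for ssn, name in conn.execute("SELECT ssn, name FROM student").fetchall():
        member_id = "M" + secrets.token_hex(6).upper()  # random, not derived from the SSN
        conn.execute("INSERT INTO member VALUES (?, ?)", (member_id, name))
        conn.execute("INSERT INTO member_ssn VALUES (?, ?)", (member_id, ssn))
        conn.execute("INSERT INTO aid_new SELECT app_id, ?, amount FROM aid_application "
                     "WHERE student_ssn = ?", (member_id, ssn))
    conn.executescript("""
        DROP TABLE aid_application; DROP TABLE student;
        ALTER TABLE aid_new RENAME TO aid_application;
    """)

def tables_holding_ssn(conn):
    """Return the tables in which any stored value still looks like an SSN."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        rows = conn.execute(f'SELECT * FROM "{table}"').fetchall()
        if any(isinstance(v, str) and SSN_RE.match(v) for row in rows for v in row):
            hits.append(table)
    return hits
```

Running tables_holding_ssn before and after migrate shows the SSN leaving every transactional table and remaining only in member_ssn.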
Inform Your Members
When identity data is required by your organization, you should
provide the option of using another number as a personal identifier,
and address the importance of privacy of individual records.
This topic should be discussed on organizational websites that
are accessible to all members.
Organizations that require identity information can also place
a statement on the data request form regarding the state’s
Public Information Act.
There are notably more articles in publications outlining the
concerns about identity theft and possible solutions to it. Take
action to inform your clients about alternate identifier systems
before something happens.
Data Encryption
Organizations that maintain SSNs in their system of records
should consider encryption of this data. Encrypting data is a
good way to protect sensitive information. It ensures that the
data can only be read by the person who is authorized to have
access to it.
The federal government has required encryption of sensitive
data stored on its laptops since the 2006 theft of computer equipment
that contained data on 26.5 million veterans. Many organizations
in business sectors such as banking and healthcare employ various
types of encryption software and firewalls to safeguard data
they maintain.
Use Employee Disclosure Statement
You can take action to decrease the risk of improper SSN disclosure
by staff and employees. Require that personnel handling documents
containing confidential information sign a disclosure statement.
For example, some educational institutions include references
to the Family Educational Rights and Privacy Act (FERPA) and
the fact that the handler of such documents may be subject to
criminal prosecution and civil penalties, as well as disciplinary
action by their employer, if they improperly disclose confidential
information.
Establish Staff Responsibility
Some organizations have taken the progressive step of creating
a Chief Privacy Officer position for oversight of all issues
involving record security, including protection of SSNs maintained
in the organization’s files.
Comply with State Regulations
Many states have enacted laws that place certain restrictions
on the use of SSNs. Check with your state to see what is required.
PRACTICES TO AVOID
* Never list an SSN when posting a paper record on a public bulletin board
* Never send SSNs via an electronic format
* Never have a computer log-in system where a person has to use their SSN
* Never use SSNs on ID cards
* Never send SSNs on postcards
* Never store SSNs on unprotected computer systems
* Never carry a Social Security Number card on your person
----------------------------------------------------------------------------------------------------------
RESOURCES: PREVENTING IDENTITY THEFT AND EFFECTIVELY RESPONDING
The issue of improper or unnecessary use of SSNs is still very
much on the public’s radar. The Office of the Inspector
General (OIG) returned to this issue in a recent audit report
concerning use and protection of SSNs by state and local governments
(http://www.ssa.gov/oig/ADOBEPDF/A-08-07-17086.pdf),
and has audited use and protection of SSNs by hospitals, schools
and prisons, not to mention SSA itself. You can find other recent
OIG Audit reports at http://www.ssa.gov/oig/office_of_audit/auditreports.htm .
Also, there have been several bills in Congress on the general
issue of use of SSNs as identifiers which, if passed, could make
the issue very current again (http://thomas.loc.gov/cgi-bin/bdquery/z?d110:H.R.3046).
There are a number of resources which provide additional information
on dealing with identity theft and how to prevent it, including:
- The FTC is the lead federal agency on identity theft. Their website
is http://www.consumer.gov/idtheft/
- SSA offers a great deal of information on SSNs on our internet
site at http://www.ssa.gov/ssnumber/.
- If you represent an educational institution and you are a
member of the American Association of Collegiate Registrars
and Admissions Officers (AACRAO), the Middle States Association
of Collegiate Registrars and Admissions Officers (MSACRAO),
or a similar organization, explore your group’s resources
on the topics of FERPA compliance and protection of SSNs.
To obtain additional information, please visit www.socialsecurity.gov.
If you have questions or would like a presentation on Protecting
the Social Security Number or on a variety of other Social Security
topics, please contact your local Public Affairs Specialist listed
at the Philadelphia Region Public Affairs web page.