Strengthening Controls to Ensure Identity Protection
Over the last several years, identity theft and the need to protect personal information have received heightened national attention. The aggregation of personal information and Social Security numbers (SSN) in large corporate databases and the display of SSNs in public records have provided opportunities for identity thieves.
- Thus, SSNs are a valuable commodity for persons seeking to assume another individual’s identity or to commit financial crimes.
- Fraudulent and stolen SSNs can be used by noncitizens to work illegally in the United States.
- Although Congress and the states have passed a number of laws to address this issue, the continued reliance on SSNs by private- and public-sector entities underscores the need to identify additional protections.
^ Back to topWhat Needs to Be Done
Both public- and private-sector entities have taken some steps to ensure the integrity of SSNs, though several vulnerabilities remain in both sectors.
- Several federal agencies have begun removing SSNs from individual identification
cards. For example, the Department of Veterans Affairs (VA) is replacing
VA identification cards with ones that no longer display the SSN. However,
as we reported in 2004, the full SSN is still visible on millions of Medicare
cards.
Highlights of GAO-05-59 (PDF) - Although some federal, state, and local agencies have taken steps to remove
SSNs from public records, including those available on the Internet (such
as tax liens filed by the Internal Revenue Service with state and county
public record keepers), there is no uniform practice or policy among federal,
state, or local governments to protect SSNs that are displayed in such records.
Without such practices or policies, SSNs remain vulnerable to identity thieves.
Highlights of GAO-05-59 (PDF), Highlights of GAO-07-752 (PDF) - Federal law and oversight of how various private-sector industries use
SSNs and other personal information also vary. Certain industries, such as
financial services, are subject to federal laws restricting their ability
to sell personal information or share it with their contractors, while others,
such as Internet information resellers and telecommunications firms, may
face fewer restrictions.
Highlights of GAO-06-238 (PDF) - GAO concluded that truncating SSNs to display fewer than all nine digits
could reduce their vulnerability. However, even these remain vulnerable because
there is not a standardized approach concerning which digits to truncate.
GAO suggested that Congress consider enacting such standards, and legislation
has been introduced in both houses to do so.
Highlights of GAO-06-495 (PDF)
^ Back to topKey Reports
- Social Security Numbers: Federal Actions Could Further Decrease Availability in Public Records, though Other Vulnerabilities Remain
- GAO-07-752, June 15, 2007
- Summary (HTML) Full Report (PDF, 47 pages) Accessible Text Recommendations (HTML)
- Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards
- GAO-05-59, November 9, 2004
- Summary (HTML) Highlights Page (PDF) Full Report (PDF, 65 pages) Accessible Text Recommendations (HTML)
- Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information
- GAO-04-11, January 22, 2004
- Summary (HTML) Highlights Page (PDF) Full Report (PDF, 35 pages) Accessible Text
- Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards
- GAO-02-352, May 31, 2002
- Summary (HTML) Full Report (PDF, 67 pages) Recommendations (HTML)