Strengthening Controls to Ensure Identity Protection

What Needs to Be Done | Key Reports

Over the last several years, identity theft and the need to protect personal information have received heightened national attention. The aggregation of personal information and Social Security numbers (SSN) in large corporate databases and the display of SSNs in public records have provided opportunities for identity thieves.

  • Thus, SSNs are a valuable commodity for persons seeking to assume another individual’s identity or to commit financial crimes.
  • Fraudulent and stolen SSNs can be used by noncitizens to work illegally in the United States.
  • Although Congress and the states have passed a number of laws to address this issue, the continued reliance on SSNs by private- and public-sector entities underscores the need to identify additional protections.

^ Back to topWhat Needs to Be Done

Both public- and private-sector entities have taken some steps to ensure the integrity of SSNs, though several vulnerabilities remain in both sectors.

  • Several federal agencies have begun removing SSNs from individual identification cards. For example, the Department of Veterans Affairs (VA) is replacing VA identification cards with ones that no longer display the SSN. However, as we reported in 2004, the full SSN is still visible on millions of Medicare cards.
    Highlights of GAO-05-59 (PDF)
  • Although some federal, state, and local agencies have taken steps to remove SSNs from public records, including those available on the Internet (such as tax liens filed by the Internal Revenue Service with state and county public record keepers), there is no uniform practice or policy among federal, state, or local governments to protect SSNs that are displayed in such records. Without such practices or policies, SSNs remain vulnerable to identity thieves.
    Highlights of GAO-05-59 (PDF), Highlights of GAO-07-752 (PDF)
  • Federal law and oversight of how various private-sector industries use SSNs and other personal information also vary. Certain industries, such as financial services, are subject to federal laws restricting their ability to sell personal information or share it with their contractors, while others, such as Internet information resellers and telecommunications firms, may face fewer restrictions.
    Highlights of GAO-06-238 (PDF)
  • GAO concluded that truncating SSNs to display fewer than all nine digits could reduce their vulnerability. However, even these remain vulnerable because there is not a standardized approach concerning which digits to truncate. GAO suggested that Congress consider enacting such standards, and legislation has been introduced in both houses to do so.
    Highlights of GAO-06-495 (PDF)

^ Back to topKey Reports

Social Security Numbers: Federal Actions Could Further Decrease Availability in Public Records, though Other Vulnerabilities Remain
GAO-07-752, June 15, 2007
Summary (HTML)   Full Report (PDF, 47 pages)   Accessible Text   Recommendations (HTML)
Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards
GAO-05-59, November 9, 2004
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 65 pages)   Accessible Text   Recommendations (HTML)
Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information
GAO-04-11, January 22, 2004
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 35 pages)   Accessible Text
Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards
GAO-02-352, May 31, 2002
Summary (HTML)   Full Report (PDF, 67 pages)     Recommendations (HTML)
GAO Contact
portrait of Daniel Bertoni

Daniel Bertoni

Director, Education, Workforce, and Income Security

bertonid@gao.gov

(202) 512-5988