Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs

GAO-06-238 January 23, 2006

Summary

Recent data breaches highlight how identity theft may occur when businesses share individuals' personal information, including Social Security Numbers (SSNs), with contractors. Because private sector entities are more likely to share consumers' personal information via contractors, members of Congress raised concerns about the protection of this information in contractual relationships. In response, GAO examined (1) how entities within certain industries share SSNs with contractors; (2) the safeguards and notable industry standards in place to ensure the protection of SSNs when shared with contractors; and (3) how federal agencies regulate and monitor the sharing and safeguarding of SSNs between private entities and their contractors.

Banks, securities firms, telecommunication companies, and tax preparation companies share SSNs with contractors for limited purposes. Firms GAO interviewed routinely obtain SSNs from their customers for authentication and identification purposes, and contract out various services, such as data processing and customer service functions. Although these companies may share consumer information, such as SSNs, with contractors, company officials said that they only share such information with their contractors when it is necessary or unavoidable. Companies in the four business sectors GAO studied primarily relied on accepted industry practices and used the terms of their contracts to protect the personal information shared with contractors. Most company officials stated that their contracts had provisions for auditing and monitoring to assure contract compliance. Some noted that their industry associations have also developed general guidance for their members on sharing personal information with third parties. Federal regulation and oversight of SSN sharing varied across the four industries GAO reviewed, revealing gaps in federal law and agency oversight for industries that share SSNs with contractors. Financial services companies must comply with the Gramm-Leach-Bliley Act (GLBA) for safeguarding customers' personal information, and regulators have an examination process in place to determine whether banks and securities firms are safeguarding this information. IRS has regulations and guidance in place to restrict the disclosure of SSNs by tax preparers and their contractors, but does not perform periodic reviews of tax preparers' compliance. Because the Federal Communications Commission (FCC) believes that it lacks statutory authority to do so, it has not issued regulations covering SSNs and also does not periodically review telecommunications companies to determine whether they are safeguarding such information.
Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Barbara D. Bovbjerg
Team: Government Accountability Office: Education, Workforce, and Income Security
Phone: (202) 512-5491
Matters for Congressional Consideration

Recommendation: Congress may wish to consider possible options for addressing the gaps in existing federal requirements for safeguarding SSNs shared with contractors. One approach would be to require industry-specific protections for the sharing of SSNs with contractors where such measures are not already in place. For example, Congress could consider whether the Telecommunications Act of 1996 should be amended to address how that industry shares SSNs with contractors. Alternatively, Congress could take a broader approach. For example, in considering proposed legislation that would generally restrict the use and display of SSNs, Congress could also include a provision that would explicitly apply this restriction to third-party contractors. With either approach, Congress may also want to establish a mechanism for overseeing compliance by contractors and for enforcement.

Status: In process

Comments: No action has been taken in FY06 that specifically addresses the recommendation.