The Federal Trade Commission today told the U.S. House Committee on Ways and Means, Subcommittee on Social Security that to prevent thieves from obtaining consumers’ personal information, including Social Security numbers (SSNs), and using it to steal identities, government and businesses should collect only information that is necessary to meet clear legal or business needs, and protect the data they do collect. Other steps to reduce identity theft should include improved authentication techniques, which ensure that consumers are who they claim to be.
Joel Winston, Associate Director of the FTC’s Division of Privacy and Identity Protection, told the committee “SSNs play an important role in our economy. With 300 million American consumers, many of whom share the same name, the unique 9-digit SSN is a key identification tool for businesses, government, and others.” The testimony describes the various uses of SSNs. For example, consumer reporting agencies use SSNs in credit reports and “businesses and other entities use those reports in making eligibility and pricing decisions for a variety of products and services, including as credit, insurance, home rentals or employment.” In addition, city, county, and state governments use SSNs for such things as birth and death records, tax records, and voter registrations. “As these records are increasingly placed online, access to large stores of SSNs becomes easier and less costly.”
The result of the widespread use and ready availability of SSNs means that they are more accessible to scammers who could obtain and use them to commit identity theft, the testimony says. “The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves and the need to give business and government entities sufficient means to attribute information to the correct person.”
The testimony states that in addition to federal laws designed to protect consumers’ sensitive information, including the FTC Act, The Fair and Accurate Credit Transactions Act, The Safeguards Rule, and the Health Information Portability and Accountability Act, the presidentially appointed Identity Theft Task Force has forwarded “recommendations on ways to improve the effectiveness and efficiency of the government’s activities in the areas of identity theft awareness, prevention, detection, and prosecution.”
The Task Force made five recommendations to restrict unnecessary uses of SSNs by the federal government:
- The Office of Personnel Management (OPM) should review the use of SSNs in collecting data from agencies and take steps to eliminate, restrict, or conceal their use wherever possible.
- OPM should issue guidance to agencies on how to restrict, conceal, or mask SSNs in employee records.
- The Social Security Administration should develop “best practices” for minimizing the use and display of SSNs.
- The Office of Management and Budget should complete its analysis of its survey of agency uses of SSNs.
- The Task Force should work with state and local governments to explore ways to eliminate unnecessary use and display of SSNs.
The Task Force also recommended that the FTC and other Task Force agencies review the use of SSNs in the private sector and the extent to which it is driven by business necessity, as opposed to convenience or habit, assess the costs of requiring businesses to use alternate identifiers, and make recommendations to the president on whether additional steps should be taken regarding the use of SSNs.
“To prevent thieves from obtaining sensitive information, government and the business community should, first, limit the information they collect and maintain from or about consumers – including SSNs – to that necessary to meet clear legal or business needs, and second, to better protect the data they do collect. In addition, to keep thieves from using information they do procure to steal identities, consumer authentication techniques must be improved,” the testimony concludes.
The Commission vote authorizing the presentation of the testimony and its inclusion in
the formal record was 5-0. A copy of the testimony can be found on the FTC’s Web site and as a link to this press release.
Copies of the testimony are available from the FTC’s Web site at http://www.ftc.gov and from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov/ftc/complaint.shtm. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad.