GSA vulnerability highlights dangers of SSNs as IDs
A recently fixed vulnerability at the U.S. General Services Administration highlights the dangers of using your Social Security Number for identification. Federal and state laws restrict use of SSNs by public and private organizations.
Recently, the General Services Administration sent an e-mail alert to users of its System for Award Management (SAM), reporting that a security vulnerability exposed the users' names, taxpayer identification numbers (TINs), marketing partner information numbers, and bank account information to "[r]egistered SAM users with entity administrator rights and delegated entity registration rights."
The notice warned that "[r]egistrants using their Social Security Numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft." Also provided was a link to a page on the agency's site where SAM users could find information for protecting against identity theft and financial loss.
The message, which was sent by GSA Integrated Award Environment Acting Assistant Commissioner Amanda Fredriksen, included this suggestion: "We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies."
The GSA vulnerability, which the agency says it has fixed, highlights the risks of using your SSN for identification rather than for only tax and government-benefits purposes.
Who has a right to require your SSN?
According to the Privacy Rights Clearinghouse's fact sheet on Social Security Numbers, the Privacy Act of 1974 requires that all local, state, and federal agencies requesting your SSN provide a disclosure statement on the form that "explains whether you are required to provide your SSN or if it's optional, how the SSN will be used, and under what statutory or other authority the number is requested (5 USC 552a, note)."
As the fact sheet points out, you can complain to the agency or to your elected representative in Congress if no disclosure statement is provided, but no penalties are specified for failure to offer such a statement. The Privacy Rights Clearinghouse also has an FAQ on appropriate and inappropriate use of SSNs by public and private organizations.
Kiplinger.com's Cameron Huddleston lists the 10 Riskiest Places to Give Your Social Security Number. Topping the list are universities and colleges, banks and financial institutions, and hospitals. Cameron warns against providing any personal information to someone who contacts you by phone, e-mail, or in person.
She also notes that the Internal Revenue Service never requests information from taxpayers via e-mail.
Check your state's laws for protecting SSNs
In late 2010, Congress enacted the Social Security Number Protection Act, which prohibits local, state, and federal government agencies from displaying an individual's SSN or any "derivative" of the number on a government check. The law also restricts access to SSNs by prisoners.
Your state probably offers a higher level of protection for your SSN. According to the Data Quality Campaign, 34 states have enacted laws restricting the use and disclosure of SSNs. The site provides a state-by-state chart summarizing SSN-protection laws (PDF).
Back in 2005 the U.S. Government Accountability Office issued a report (PDF) summarizing its testimony to the Committee on Consumer Affairs and Protection and the Committee on Governmental Operations of the New York State Assembly that discussed federal and state laws protecting SSNs.
The report concluded that federal protections were industry-specific, focusing primarily on financial services, and no single agency was responsible for safeguarding our personal information. It also found that state SSN-protection statutes were uneven and inconsistent.
The New York State Division of Consumer Protection provides Information You Should Know About Your Social Security Number that explains how businesses and employers are prohibited from using SSNs. Likewise, the California Attorney General's Office site's Your Social Security Number: Controlling the Key to Identity Theft page describes the state's restrictions on displaying SSNs and offers advice for keeping the number private.
The National Conference on State Legislatures site summarizes state laws relating to Internet privacy and includes links to the privacy policies of 16 state Web sites. You can also search the site for privacy-related legislation pending in your state.
Resources for protecting SSNs
The Social Security Administration's Publication No. 05-10064 explains how identity thieves acquire and use SSNs; the page also offers tips for protecting your number. SSA Publication No. 05-10002 serves as an FAQ on general SSN-related topics.
The agency's My Social Security service lets you create an online account for managing your Social Security benefits. The Social Security Number Verification Service allows registered organizations to enter SSNs to ensure their employees' names and SSNs match the agency's records.
The SSA site also features a description of the legal requirements to provide your Social Security Number and lists a Social Security Number Chronology that covers the period from 1935 to 2005.
The Electronic Privacy Information Center's SSN page summarizes recent developments surrounding the security of Social Security Numbers. Finally, the IdentityHawk security service explains who can lawfully request your SSN.
Correction March 25 at 1:36 p.m. PT: This post originally and mistakenly referred to the GSA vulnerability as a "breach." The agency says that the vulnerability was not the result of a hack or breach. Here is the GSA's statement on the matter:
"Recently, U.S. GSA officials identified a security vulnerability in the System for Award Management (SAM), which could allow some existing users in the system to access certain registration information of other entities. Immediately after the vulnerability was identified, GSA implemented a software patch to addresses the immediate vulnerability. GSA is undertaking a full review of the system to investigate and address any additional impacts to registrants in SAM. The security of this information is a top priority for this agency and we will continue to ensure the system remains secure."