Pursuant to a congressional request, GAO discussed the usage of the
social security number (SSN), focusing on: (1) federal laws and
regulations directing the number's use; (2) the non-federal purposes for
which the number is used; and (3) what businesses and state governments
believe the impact would be if federal laws limiting the use of SSNs
were passed.

GAO noted that: (1) the federal government, states and local
governments, and private businesses all widely use SSNs; (2) in the case
of the federal government, a number of laws and regulations require the
use of SSNs for various programs, but some also impose limitations on
how these SSNs may be used; (3) however, no federal law imposes broad
restrictions on businesses' and state and local governments' use of SSNs
when that use is unrelated to a specific federal requirement; (4)
governments and businesses frequently use SSNs to identify and organize
individuals' records; (5) some may also use SSNs to exchange information
with other organizations to verify information on file, to coordinate
benefits or services, or to ensure compliance with federal laws; (6) for
example, by sharing information about applicants for the Supplemental
Security Income program, the Social Security Administration can identify
individuals whose benefits should be reduced, such as those in prison;
(7) some information brokers use SSNs to retrieve the large amount of
personal information on individuals that they collect and sell; (8)
public concern over the availability of personal information has
encouraged some to consider ways to limit using SSNs to disclose such
information; (9) however, officials from both private businesses and
government have stated that if the federal government passed laws that
limited their use of SSNs, their ability to reliably identify
individuals' records would be limited as would their subsequent ability
to administer programs and conduct data exchanges with others; and (10)
nonetheless, some state agencies and businesses have voluntarily taken
measures to limit their disclosures of SSNs.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-HEHS-00-111
     TITLE:  Social Security: Use of the Social Security Number is
	     Widespread
      DATE:  05/09/2000
   SUBJECT:  Federal aid programs
	     Confidential communication
	     State programs
	     Social security number
	     Social security benefits
	     Right of privacy
	     Computer matching
IDENTIFIER:  Supplemental Security Income Program
	     SSI
	     Social Security Program
	     Medicaid Program
	     Food Stamp Program
	     HHS Temporary Assistance for Needy Families Program

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************

   * For Release on Delivery
     Expected at 10:00 a.m.

Tuesday, May 9, 2000

GAO/T-HEHS-00-111

SOCIAL SECURITY

Use of the Social Security Number Is Widespread

        Statement of Barbara D. Bovbjerg, Associate Director

Education, Workforce, and Income Security Issues

Health, Education, and Human Services Division

Testimony

Before the Subcommittee on Social Security, Committee on Ways and Means,
House of Representatives

United States General Accounting Office

GAO

Social Security: Use of the Social Security Number is Widespread

Mr. Chairman and Members of the Subcommittee:

Thank you for inviting me here today to discuss usage of the Social Security
number (SSN) for purposes not related to Social Security. The SSN was
created in 1936 as a means of tracking workers' earnings and eligibility for
Social Security benefits. Today over 277 million individuals have a unique
SSN. For this reason it is used for myriad purposes not related to Social
Security. Both private businesses and government agencies frequently ask
individuals for their SSNs because in certain instances they are required to
or because SSNs provide a convenient means to track and exchange
information.

Perceived widespread sharing of personal information and occurrences of
identity theft have raised public concern. To provide information about how
the SSN is currently used, in my remarks today I will describe (1) federal
laws and regulations directing the number's use, (2) the nonfederal purposes
for which the number is used, and (3) what businesses and state governments
believe the effect would be if federal laws limiting the use of SSNs were
passed. My testimony is based on findings from a study we conducted for this
Subcommittee during 1998 and recent work conducted to update our
information.

In summary, the federal government, states and local governments, and
private businesses all widely use SSNs. In the case of the federal
government, a number of laws and regulations require the use of SSNs for
various programs, but they generally also impose limitations on how these
SSNs may be used. However, no federal law imposes broad restrictions on
businesses' and state and local governments' use of SSNs when that use is
unrelated to a specific federal requirement. Currently, governments and
businesses frequently use SSNs to identify and organize individuals'
records. Some may also use SSNs to exchange information with other
organizations to verify information on file, to coordinate benefits or
services, or to ensure compliance with certain federal laws. For example, by
sharing information about applicants for the Supplemental Security Income
(SSI) program, the Social Security Administration (SSA) can identify
individuals whose benefits should be reduced, such as those in prison. In
addition, some information brokers use SSNs to retrieve the large amount of
personal information on individuals that they collect and sell. Public
concern over the availability of personal information has encouraged some to
consider ways to limit using SSNs to disclose such information. However,
officials from both private businesses and state governments have stated
that if the federal government passed laws that limited their use of SSNs,
their ability to reliably identify individuals' records would be limited, as
would their subsequent ability to administer programs and conduct data
exchanges with others. Nonetheless, some state agencies and businesses have
voluntarily taken steps to limit their disclosure of SSNs.

Federal Laws and Regulations Require and Restrict Certain SSN Uses

Federal laws that require the use of an SSN generally limit its use to the
statutory purposes described in each of the laws. For example, the Internal
Revenue Code, which requires the use of SSNs for tax purposes, also declares
tax return information, including SSNs, to be confidential and prescribes
both civil and criminal penalties for unauthorized disclosure. Similarly,
the Social Security Act, which requires the use of SSNs for disbursement of
benefits, declares that SSNs obtained or maintained by authorized
individuals on or after October 1, 1990, are confidential and prohibits
their disclosure. Finally, the Personal Responsibility and Work Opportunity
Act, which expanded the Federal Parent Locator Service, explicitly restricts
the use of SSNs to purposes set out in the act, such as locating absentee
parents to enforce child support payments.

In addition to the restrictions contained in laws that require the use of
SSNs, the Privacy Act of 1974 also restricts federal agencies in collecting
and disclosing personal information, which includes SSNs. The act requires
federal agencies that collect information from individuals to inform the
individuals of the agencies' authority for requesting the information,
whether providing the information is optional or mandatory, and how the
agencies plan to use the information. The act, which also prohibits federal
agencies from disclosing information without individuals' consent, does not
apply to other levels of government or to private businesses.

Except as discussed above, federal law does not regulate the use of SSNs.
Thus, nonfederal agencies and legitimate businesses have uses of SSNs not
covered by federal law, which I will now discuss.

Governments and Businesses Use SSNs Extensively

State Agencies

States use SSNs to support state government operations and offer services to
residents. The Social Security Act allows states to use SSNs to identify
individuals who pay taxes, receive general public assistance, own a vehicle,
or drive. My comments today will focus on two examples of how states use
SSNs to administer programs: states' personal income tax programs and
licensing of drivers.

All states that have personal income tax use SSNs to administer their
programs, according to an official at an organization representing state tax
administrators. States use SSNs as primary identifiers in their programs and
for auditing purposes. Tax administrators from Maryland and Virginia told us
that their states require individuals to provide their SSNs on state tax
returns and that those who do not risk being considered nonfilers if tax
administrators cannot otherwise identify them. In order to monitor taxpayer
income reporting, states rely on SSNs to match data with IRS and state tax
agencies. In addition, tax administrators said they use SSNs to
cross-reference owners' or officers' business income tax returns with their
personal income tax returns so that an audit of one triggers an audit of the
other. They also use SSNs to identify residents who received income or tax
credits in other states. Finally, when they assess liens against a taxpayer,
tax administrators may also use SSNs to gather information from credit
bureaus and information brokers about a taxpayer's assets.

State driver licensing agencies are more likely to use SSNs to exchange data
with other organizations than to support internal activities. Information
from the American Association of Motor Vehicle Administration (AAMVA) and
other sources suggests that many states request, but may not require,
applicants for noncommercial driver licenses to provide their SSNs. Most
state driver licensing agencies that request SSNs include SSNs in driver
records as a secondary identifier and devise their own license numbers. To
monitor drivers' compliance with state laws, state officials said they use
SSNs during the licensing process to search national databases maintained by
AAMVA. This allows states to identify driver licenses an applicant may hold
in other states and to determine whether the applicant has had a license
suspended or revoked in another state. Licensing officials told us that
courts and law enforcement agencies may request driver records by SSN when
they do not know the driver's license number. In the past, some states have
sold personal information collected from drivers and automobile owners,
including SSNs, to individuals and businesses. However, the federal Drivers'
Privacy Protection Act now prohibits states from disclosing this personal
information for purposes such as surveys, marketing, and solicitation
without the express consent of the individual.

Having discussed how state governments use SSNs, I would like now to focus
on how private businesses use these numbers. Specifically, I will discuss
use of SSNs by health care service organizations, financial services
businesses, and businesses that sell information.

Health Care Services Organizations

Officials from a hospital and an HMO told us that although they ask patients
for their SSNs, they assign patients other identifying numbers, which they
use internally as the primary identifiers for patient medical records. If a
patient either forgets or does not know the patient number he or she was
assigned then the hospital or HMO uses SSNs as a backup to identify records.
These officials also told us that hospitals and HMOs use SSNs to track
patients' medical care across multiple providers because doing so helps
establish a patient's medical history and avoid duplicate tests. Similarly,
health care providers use SSNs to integrate patients' records when providers
merge, a trend that is growing.

We also spoke with a representative from a health insurance trade
association to understand how insurers use SSNs. He told us that some health
insurers use the SSN or a variation of the number as the customer's
insurance number. We were told that the BlueCross BlueShield health
insurance plans and the Medicare program frequently use this method. This
representative also said that insurers and providers frequently match
records among themselves, using SSNs to determine whether individuals have
other insurance. This allows insurers to coordinate payment of insurance
benefits.

Officials in the health care industry expect their use of SSNs to increase.
Because health care services are generally delivered through a coordinated
system that includes health care providers and insurers, it is important for
health care providers to be able to accurately identify information about
patients. However, health care providers may also use SSNs to gather
information that is not directly relevant to a patient's health care. For
example, one hospital official said that her hospital plans to use SSNs
during the admission process to obtain on-line verification of patients'
addresses.

Financial Services Businesses

Businesses such as insurance companies, collection agencies, and credit
grantors use SSNs to request information about customers from credit
bureaus. Banks and credit card companies in particular want information on
customers' histories of repaying debts and whether customers have filed for
bankruptcy or have monetary judgments against them, such as tax liens.
Officials representing credit grantors said most banks and credit card
companies ask applicants to provide their SSNs, and these credit grantors
may choose to deny services to individuals who refuse. These officials said
that their organizations generally do not use SSNs as internal identifiers
but instead assign an account number as a customer's primary identifier.

Businesses That Sell Personal Information

Brokers buy and sell information from and to a variety of public and
nonpublic sources. Examples of the information they buy include public
records of bankruptcy, tax liens, civil judgments, real estate ownership,
driving histories, voter registration, and professional licenses. The
information broker's purchase may include SSNs. Some brokers sell
information only to businesses that establish accounts with them; others
sell it to anyone. Law firms, law enforcement agencies, research
organizations, and individuals are among those who use brokers' services.
For example, lawyers, debt collectors, and private investigators may request
information about an individual's bank accounts and real estate holdings for
use in divorce or other civil proceedings; automobile insurers may want
information about whether insurance applicants have been involved in
accidents or have been issued traffic citations; employers may want
background checks on new hires; pension plan administrators may want
information to locate pension beneficiaries; and individuals may ask for
information to help locate their birth parents.

To meet the needs of the parties to whom they sell information, information
brokers have databases that can be searched by identifiers that may include
SSNs; brokers may also include SSNs along with the other information they
provide to customers. When possible, information brokers retrieve data by
SSN because it is more likely than other identifiers to produce records for
a specific individual.

Business and State Officials Believe Federal Laws Restricting Uses of SSNs
Would Have a Negative Effect on Their Activities and Programs

Because of privacy concerns raised by the disclosure of personal
information, some businesses and states have voluntarily restricted their
disclosure of such information, including SSNs. In December 1997, 14 of the
self-identified industry leaders of those businesses that sell personal
information voluntarily agreed to make the SSNs they obtain from nonpublic
sources available only to a limited range of customers. They identified such
customers as those having appropriate uses for this information, such as law
enforcement. Although these brokers agreed to limit their disclosure of SSNs
obtained from nonpublic sources, it should be noted that most of the SSNs
they acquire come from public sources, according to an official from an
information brokerage company. As part of their agreement regarding
disclosure of SSNs, the 14 organizations also agreed to annual compliance
reviews by independent contractors. If an organization fails to comply with
the agreement, the Federal Trade Commission can cite the organization for
unfair and deceptive business practices. The agreement became effective on
December 31, 1998. Recent reports indicate that the first round of
compliance reviews is complete and all of the companies have generally
complied with the agreement.

In addition to the voluntary efforts of businesses, some states are
discontinuing practices that result in routine disclosure of SSNs. For
example, since July 1, 1997, Georgia no longer automatically prints SSNs on
licenses but rather assigns its own numbers for driver licenses and uses the
SSN as a license number only if requested by the license holder to do so.
Ohio, which before July 29, 1998, routinely printed SSNs along with
state-assigned numbers on driver licenses, now allows drivers the option of
not having SSNs printed on their licenses. Also, AAMVA officials believe
most states in which driver records are public now exclude SSNs when
responding to requests for driver records.

Finally, SSA has stated that the expanded use and misuse of SSNs poses an
administrative burden for the agency. According to agency officials,
widespread use of SSNs as identifiers requires SSA to meet more requests for
SSN verification from employers and government agencies. In addition, the
disclosure of SSNs increases those instances in which the agency must issue
individuals new SSNs when theirs are being misused by another party.

Concluding Observations

In conclusion, the widespread use of the SSN is permissible under existing
laws and regulations, but because it provides a means to build and share
databases of personal information, it creates privacy concerns and enables
the growing problem of identity theft. Although restricting the use of SSNs
may slow or reduce wide dissemination of personal information, such an
action could also restrict commercial and public sector activities. However,
such effects could be only temporary, until a new means of identifying
unique personal records was devised. In our increasingly electronic world,
protecting privacy will continue to be a public policy challenge.

Mr. Chairman, this concludes my prepared statement. At this time, I will be
happy to answer any questions you or other Members of the Subcommittee may
have.

GAO Contact and Staff Acknowledgments

(207097)

        Orders by Internet

For information on how to access GAO reports on the Internet, send an e-mail
message with "info" in the body to:

Info@www.gao.gov

or visit GAO's World Wide Web home page at:

http://www.gao.gov

        Web site: http://www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

1-800-424-5454 (automated answering system)
  
*** End of document. *** answering system)