EPIC logo

July 2, 2004

Chairman Clay Shaw
Committee on Ways and Means
Subcommittee on Social Security
B-316 Rayburn HOB
Washington, DC 20515

Dear Chairman Shaw,

Thank you for inviting the Electronic Privacy Information Center and U.S. PIRG to testify on enhancing Social Security Number Privacy on June 15, 2004. We appreciate your continued attention to this important issue.

You requested that we answer an additional eight questions for the hearing record. Below, we have reproduced the questions and provided answers.

1. Do you agree with Mr. Cate's statement at the hearing that knowing a Social Security Number alone does not get an individual credit and that it is merely a quick way of locating reliable information about an individual that can be used to verify identity?

Mr. Cate's statement perfectly illustrates the problem of the Social Security Number (SSN)-­it is used both as an identifier and as an authenticator. That is, some businesses use it as a record locator, a master identifier to associate and reference records. Other businesses use it for authentication, a process where a person proves he is who he says he is. Serious security problems are raised in any system where a single device is used both as identifier and authenticator.[1] It is not unlike using a password identical to a user name for signing into e-mail. Or like a bank routinely using the SSN as an account number and the last four digits of the SSN as a PIN for its automated teller machines.

It is because the SSN is used as both identifier and authenticator that identity theft has increased in incidence and prevalence. Because the SSN is relied upon so heavily by business, it is the personal identifier that impostors seek in order to commit crime. Congress' goal in addressing identity theft and privacy should seek to limit availability of the SSN generally and to induce businesses to rely upon alternative identifiers.

2. Mr. Cate said that for data to be reliable, businesses and others must have been permitted to use SSNs all along, and that national security and law enforcement uses of SSNs frequently involve access to routine, innocuous data. Do you agree or disagree that prohibiting sale, purchase, and display of SSNs for unnecessary purposes would jeopardize use of SSNs for critical purposes?

We disagree with the proposition that businesses have been permitted to use the SSN. While Congress has approved government uses of the SSN, the identifier has never been approved for general private-sector use.

Restricting the sale, purchase, and display of SSNs for unnecessary purposes preserves their utility for more critical purposes while decreasing opportunities for imposters to obtain identities to hide behind. Additionally, maintenance of dual identifiers, or transitions away from SSNs as identifiers, is a very feasible and desirable goal as demonstrated by Empire Blue Cross’s transition (4.8M customers), and existing requirements in many states prohibiting use of SSNs for student, driver, and other identifiers.

We also contest the notion that government uses of the SSNs frequently involve access to routine, innocuous data. The SSN plays an unparalleled role in aggregation of information, and thus information once thought to be innocuous can take on greater significance. For instance, a document EPIC obtained under the Freedom of Information Act from the United States Marshals Service highlights the amount of information that can be aggregated around identifiers:

With as little as a first name or a partial address, you can obtain a comprehensive personal profile in minutes. The profile includes personal identifying information (name, alias name, date of birth, social security number), all known addresses, drivers license information, vehicle information ... telephone numbers, corporations, business affiliations, aircraft, boats, assets, professional licenses, concealed weapons permits, liens, judgments, lawsuits, marriages, worker compensation claims, etc.[2]

In many cases, collection of the SSN is not necessary, and Congress should act swiftly to curb these uses of the SSN. In January 2002, a statewide grand jury empanelled by the Florida Supreme Court found in its first report that:

We have identified that the government and business take in much more information than necessary to conduct business. For example health clubs require members to disclose their social security numbers on applications for membership; video rental stores ask for social security numbers on applications; and life insurance companies ask for social security numbers of beneficiaries; local governments ask for social security numbers on routine transactions. We were distressed to learn from the Interim Project Report by the Committee on State Administration and Committee on Information Technology that 96.3% of state agencies do not even have a written policy relating to the collection of social security numbers. This same report indicates that 63% of these agencies disclose social security numbers on some public record requests.

Medical service providers and insurance companies routinely substitute social security numbers for patient or policy numbers, unnecessarily exposing this sensitive information to scrutiny on such documents as health and insurance cards. Unsecured mailboxes and trash containers provide thieves with easy access to this personal information.[3]

The body found that personal information was being collected by government entities and disseminated in public records. It recommended that State law be amended to require consent of the citizen, a court order, or a compelling need before identifying information of citizens was included in the public record. It also found that the "public and private sectors routinely use and rely on the consumer's social security number for use as an identifier and an account number." The body recommended that the State legislature "prohibit the use of social security numbers for independently generated identifiers to track customers, patients, policies, etc., unless required by law."[4]

Finally, we note that Mr. Cate's previous testimony supports limits on government collection of personal information.[5] In testimony to the House Energy and Commerce Subcommittee on Consumer Protection, Mr. Cate wrote:

The government plays many critical roles in helping to protect individual privacy. One of the most important responsibilities of the government is assuring that its own house is in order. Only the government has the power to compel disclosure of personal information and only the government operates free from market competition and consumer preferences. As a result, the government has special obligations to ensure that it complies with the laws applicable to it; collects no more information than necessary from and about its citizens; employs consistent, prominent information policies through public agencies; and protects against unauthorized access to citizens’ personal information by government employees and contractors. Similarly, there are many steps that only the government can take to protect citizens against privacy-related harms, such as identity theft: Make government-issued forms for identification harder to obtain; make the promise of centralized reporting of identity thefts a reality; make it easier to correct judicial and criminal records and to remove permanently from one individual’s record references to acts committed by an identity thief. The government alone has this power.

We agree that a large part of protecting privacy in the context of SSNs involves the government reducing the collection and disclosure of personal information. H.R. 2971 has many provisions that would promote these goals.

3. Some of the witnesses at the hearing asked for specific statutory exemptions from the restrictions contained in sections 101 and 107 or H.R. 2971, rather than relying on the Attorney General's regulatory authority provided in section 102. In your view, is the authority provided in the bill to the Attorney General sufficient to address these concerns?

The authority provided to the Attorney General is sufficient, provided that the asked-for exceptions satisfy the statutory standard requiring a compelling interest that cannot be served through the employment of alternative measures. We think that this standard has enough flexibility to address legitimate needs for the SSN while avoiding the codification of exceptions. If exceptions are codified, it is unlikely that qualifying industries will ever transition to alternative identifiers. We therefore suggest that all exceptions sunset after a given number of years to encourage a transition to alternative identifiers.

4. This subcommittee has heard from a number of victims of identity theft. A common, and frustrating, theme is that after individuals discover the theft and report it to credit bureaus and financial institutions, they continue to be victimized by identity theft. How can this continue to occur, given the anti-fraud programs the industry cites? In your judgment, is the private sector doing enough to combat identity theft and assist its victims? Are there more effective ways to assist victims of identity theft to correct their credit histories?

We think that creditors, in order to obtain new accounts and compete vigorously, are employing lax identification and authentication procedures that make identity theft easy to commit.[6] In a typical scenario, an impostor will gather personal information of the victim and apply repeatedly for credit until they get a "hit." Impostors can rely upon a creditor's alacrity to open new accounts in victims' names.

In passing the Fair Credit Reporting Act in 1970, one of Congress' prime goals was to place fairness and privacy duties on credit reporting agencies (CRAs). This was necessary because competition did not produce competent or even decent credit reporting activities.[7] CRAs were not subject to adequate market pressure to ensure accuracy and fairness because the customers of CRAs are creditors, not individual members of the public. Congress thus created duties on the CRAs, users of credit reports, and furnishers of personal information. Those duties are now inadequate. For instance, under the FCRA, credit reporting agencies only are required to "maintain reasonable procedures designed" to prevent unauthorized release of consumer information.[8] In practice, this means that credit reporting agencies must take some action to ensure that individuals with access to credit information use it only for permissible purposes enumerated in the Act. The Federal Trade Commission Commentary on the FCRA specifies that this standard can be met in some circumstances with a blanket certification from credit issuers that they will use reports legally.[9]

This certification standard is too weak. It allows a vast network of companies to gain access to credit reports with little oversight. It treats credit issuers and other users of credit reports as trusted insiders, and their use of credit reports and ultimate extension of credit as legitimate.

Even where fraud is suspected, creditors only have minimal authentication duties. Once the individual does suspect wrongdoing and triggers an alert, new protections in the Fair and Accurate Credit Transactions Act (FACTA) require that creditors use "reasonable policies and procedures to form a reasonable belief that the user [creditor] knows the identity of the person making the request."[10] It is somewhat troubling that a tradeline can be extended without at least "reasonable policies and procedures" to verify the credit applicant's identity. It seems only reasonable that such protections be in place by default, rather than when fraud is actually expected.

We think that more accountability could be encouraged in this area if creditors were held liable to victims for extending credit to impostors. However, courts have been reluctant to recognize a right of action for negligent extension of credit. Most recently, the South Carolina Supreme Court rejected the tort of "negligent enablement of imposter fraud."[11] In that case, the plaintiff identity theft victim alleged that banks owe a duty to identity theft victims when they negligently extend credit in their name. The defendants argued that no such duty existed because the victim was not actually a customer of the bank. Focusing on the requirement that an actual relationship exist between victim and tortfeasor before a legal duty arises, the court rejected the proposed cause of action:

"We are greatly concerned about the rampant growth of identity theft and financial fraud in this country. Moreover, we are certain that some identity theft could be prevented if credit card issuers carefully scrutinized credit card applications. Nevertheless, we…decline to recognize a legal duty of care between credit card issuers and those individuals whose identities may be stolen. The relationship, if any, between credit card issuers and potential victims of identity theft is far too attenuated to rise to the level of a duty between them.[12]

Congress could assist victims greatly by creating an enforceable duty so that creditors were more responsible with victims' credit.

5. We have heard a recommendation that Congress consider creating a nationwide system of cross-verification of SSNs among public agencies and private businesses. What is your view of this recommendation? Are there other ways to increase the security and integrity of the SSN that would not unnecessarily compromise privacy?

In passing the Privacy Act of 1974, Congress was specifically reacting to and rejecting calls for the creation of a similar idea, a one-stop "federal data center" for personal information. A 1977 report issued as a result of the Privacy Act highlighted the dangers and transfers of power from individuals to the government that occur with centralization of personal information:

In a larger context, Americans must also be concerned about the long-term effect record-keeping practices can have not only on relationships between individuals and organizations, but also on the balance of power between government and the rest of society. Accumulations of information about individuals tend to enhance authority by making it easier for authority to reach individuals directly. Thus, growth in society's record-keeping capability poses the risk that existing power balances will be upset.[13]

Creation of a nationwide system of SSN verification across public agencies and private businesses will upset balances of power described in the 1977 report and reduce individuals' autonomy from both government and commercial entities.

Promoting the use of the SSN also hardens the number as a de facto national identifier. The creation of a national ID runs counter to public sentiment and recent congressional action.[14]

This concern is not new; it was voiced at the creation of the SSN and has since been raised repeatedly. The SSN was created in 1936 for the sole purpose of accurately recording individual worker's contributions to the social security fund. The public and legislators were immediately suspicious and distrustful of this tracking system fearing that the SSN would quickly become a system containing vast amounts of personal information, such as race, religion and family history, that could be used by the government to track down and control the action of citizens. Public concern over the potential for abuse inherent in the SSN tracking system was so high, that in an effort to dispel public concern the first regulation issued by the Social Security Board declared that the SSN was for the exclusive use of the Social Security system.

The use of the SSN as the means of tracking every encounter between an individual and the government will expand the treasure trove of information accessible to the unscrupulous individual who has gotten hold of another's SSN. The use of the SSN as the mandatory national identifier will facilitate linkage between various systems of governmental and private sector records further eroding individual privacy and heightening surveillance of each American's life.

There are ways to strengthen integrity of the SSN without implicating privacy. For instance, the format of the SSN could be changed to include a "checksum," a formula that allows one to immediately verify whether the number has a proper form. Credit card numbers already are issued in this fashion so that they cannot be guessed or faked easily.

6. A witness representing the National Council of Investigation and Security Services requested the deletion of section 108 of H.R. 2971, citing the usefulness of credit headers in locating witnesses, criminal suspects, estate beneficiaries, and others. Do you share this view? Are there other sources of information that could be used to locate such persons if section 108 of H.R. 2971 were enacted into law?

Under H.R. 2971, credit headers could still be accessed by private investigators where they have a "permissible purpose" under the FCRA. The FCRA would allow access where the private investigator had a court order, where it is used for employment purposes, or where it is used for collection of an account. In the contexts listed above, it seems that a court order would be readily obtainable, thus satisfying the FCRA requirement, as location of witnesses, criminal suspects, and estate beneficiaries are all activities likely to occur within the context of a court action. As a fairness measure, the law would require the CRA to note on the credit report that the information had been accessed by the private investigator. We think that this is an appropriate standard for access to credit headers, which contain all the personal identifiers necessary for the commission of fraud or harassment.

Investigators did exist before the credit header system was created. They are resourceful and can call upon different resources to obtain personal information. The current system, where a network of private investigators can obtain credit headers on any person, is unfair and privacy invasive. Individuals do not even receive notice that their personal information has been obtained under the current framework. Furthermore, in some states, private investigators are not even licensed to practice. In others, licensure is merely a pro forma activity. Serious accountability concerns are present, most notably exemplified by the Amy Boyer case, where private investigators used credit headers and pretexting to locate a young woman for a stalker who killed her.[15]

We also suspect that the private investigators may be putting on "their best face" for maintaining access to credit headers. No one wants to impede the function of a private investigator when they are finding individuals in order to give them inheritance from an estate. We question what percentage of credit header access is performed for this function.

If Congress chooses to maintain access, it should limit the purposes for which investigators can obtain credit headers. When access is obtained, a notation should be entered onto the credit report so that the individual can find out who has been purchasing access to their personal information.

7. One witness at the hearing testified that an FTC study on identity theft indicated that the SSN does not play a major role in identity theft. Do you agree with this interpretation of the study?

We strongly disagree with the proposition advanced by Mr. Cate in oral and written testimony on June 15, 2004 that the Social Security Number (SSN) does not play a major role in identity theft. Common sense, the experience of identity theft clearinghouses, identity theft litigation, and the academic literature support the proposition that the SSN plays a primary role in identity theft. It is almost impossible to obtain credit without a SSN, making possession of the identifier a necessary condition for commission of identity theft. Under federal law, states must collect SSNs in order to issue driver's licenses; therefore the identifier is always involved in cases where an impostor seeks credentials in a victim's name. Mr. Cate may be correct that the SSN is not a major factor in credit card fraud, but that form of identity theft is less serious from the victim's perspective, and legislative effort to prevent the crime should focus on impostors who obtain new accounts or credentials in the victim's name.

This common-sense problem of SSN being linked to fraud was identified by a Florida statewide grand jury devoted to exploring problems of identity theft:

One of the most valuable pieces of information that an identity thief is searching for is the Social Security number, because the American financial industry has placed great reliance on it as the primary means of identifying individuals. Universities identify students with it. Providers of medical care and insurance coverage use it to identify their patients and clients.[16]

The Florida grand jury made strong recommendations for limiting disclosure and use of the SSN in order to address identity theft:

…the sale of social security numbers must be stopped. The federal proposals must be adopted and Florida must continue its efforts to enforce the recently enacted laws that make social security numbers confidential within public records and prohibit its release. Florida must also continue to minimize the requests for Social Security numbers to be included on documents that will become public record, where the number is of little relevance to the government function.[17]

The experience of the major identity theft clearinghouses point to the central role that the SSN plays in fraud. A visit to the Web site of the Privacy Rights Clearinghouse, a leading provider of direct assistance to identity theft victims, reveals a number of cases where SSNs were the key to fraud:

It's just a number, a nine-digit sequence issued by the U.S. government. Every American must have one. It becomes your identity for life.

But most Americans take it for granted. I did -- until my Social Security number, along with other personal information, fell into the wrong hands a couple of years ago.

Since then, my number -- my identity -- has been hijacked several times for use in stealing thousands of dollars in goods and cash. Each time, I'm left to sort out the mess…

Recently, I saw an entry blank for a drawing for a house. I stopped to look it over, but the instant I saw that the entry required disclosure of Social Security number, I threw it away. That number has become too precious.[18]

Individuals who serve in the military are at particular risk of identity theft, in part because of the government's use of the SSN as an identifier:

I have been an identity theft victim for 1 year and I've yet to find an agency or organization that has brought any relief or words of comfort that can make this nightmare seem like it will have an end.

I retired from the US Army in 1999 after 20 years. July of 2001, Jerry Wayne Phillips, was able to get a military ID from FT. Bragg, NC with my name and SSN. From there, you probably know the rest of the story.

With that ID and my good credit history, he was able to buy cars, motorcycles, open credit card accounts, checking accounts, and get credit at virtually every department store that offers credit. I never came in contact with him, I didn't lose a credit card, and I wasn't careless with my social security number. The accounts he opened had no relationship to any of my accounts.[19]

Another victim testified:

How can this be possible? How can someone else actually open accounts or borrow money in your name? Well, it's quite easy, as we belatedly found out. All that person needs to do this is a close approximation of your first and last name and your SOCIAL SECURITY number. Spelling or accuracy doesn't matter. Nothing else about you is relevant. Different addresses various spouse names, birthday, any random place of employment, and spelling of this information is irrelevant. Age or any other personal information doesn't matter. All that is required is a first and last name that almost matches a social security number. The credit agencies readily verify an application if the social security number presented shows a good credit payment record. It doesn't matter if a different address, birthday, spouse’s name or any variation to their recorded data is submitted with the application for their verification. The false data submitted by their customer now becomes your information. Again every transaction that involves your credit records is based on only one major piece of identification, your social security number.[20]

The Identity Theft Resource Center explains in a publication on the crime that:

It is also clear that in the majority of identity theft situations victims were not responsible for the loss. Most of these situations started because a business or governmental entity allowed the thief access either directly or indirectly to personal identifying information. This includes databases, cards carried in wallets that included one’s SSN or via items mailed to victims with account or SSN information (allowing access through mail theft, dumpster diving or theft), or unsafe information gathering or handling practices. The reality is there are only two things that a victim can do to directly facilitate identity theft: carry a Social Security card in one’s wallet or fall victim to a telephone or Internet scam. In all other situations direct links to a business entity can be drawn.[21]

Identity theft litigation also shows that the SSN is central to committing fraud. In our written testimony, we detailed several identity theft lawsuits where it is clear that the SSN was the key to the impostor's success in the commission of identity theft.[22] In fact, the SSN plays such a central role in identification that there are numerous cases where impostors were able to obtain credit with their own name but a victim's SSN, and as a result, only the victim's credit was affected.[23] Last month, the Salt Lake Tribune reported: "Making purchases on credit using your own name and someone else's Social Security number may sound difficult -- even impossible -- given the level of sophistication of the nation's financial services industry…But investigators say it is happening with alarming frequency because businesses granting credit do little to ensure names and Social Security numbers match and credit bureaus allow perpetrators to establish credit files using other people's Social Security numbers."[24] The same article reports that Ron Ingleby, resident agent in charge of Utah, Montana and Wyoming for the Social Security Administration's Office of Inspector General, as stating that SSN-only fraud makes up the majority of cases of identity theft.[25]

Because creditors will open new accounts based only on a SSN match, California has passed legislation requiring certain credit grantors to comply with heightened authentication procedures. California Civil Code § 1785.14 requires credit grantors to actually match identifying information on the credit application to the report held at the CRA. Credit cannot be granted unless three identifiers from the application match those on file at the credit bureau.

We are aware of no academic literature that supports Mr. Cate's position. Instead, even a cursory review of the identity theft academic literature reveals that the SSN is understood as a principal tool for fraud.[26] In a recently published article, R. Bradley McMahon explains the key role that the SSN plays in identity theft:

The easiest and most common way for a thief to steal someone's identity is by acquiring that person's Social Security number and other private information. Social Security numbers are attractive to identity thieves because the numbers are abundant and provide access to a victim's private information. Social Security numbers commonly are used as a national identifier for everything from car rentals to credit card applications. Often a thief needs only a name and a Social Security number to open up a credit card account or to access an existing account.

A recent study reported that identity theft occurs mainly because information was either stolen or released from a company that compiles personal information. Over one thousand companies compile comprehensive databases of personal information and transfer this information every five seconds. Two of the largest compilers of personal data are the health care and the financial industries. Often, thieves look to these two sources for obtaining personal information. The liberal sharing policies of companies allow personal information to flow far beyond primary compilers. Once a person's information is released to one of these central sources, the dissemination of the personal information is completely out of the person's control. The extent to which this information proliferates into third party networks is not known. The information shared by corporate America is one of the principal sources for identity theft.[27]

Professor Daniel Solove of the George Washington Law School similarly argues that:

SSNs are a key piece of information for identity theft. SSNs can unlock a wealth of other information held by the government and the private sector…

SSNs are used as passwords to obtain access to a host of personal records from banks, investment companies, schools, hospitals, doctors, and so on. The SSN is a powerful number, for with it a person can open and close accounts, change addresses, obtain loans, access personal information, make financial transactions, and more…

In short, the SSN functions as a magic key that can unlock vast stores of records as well as financial accounts. The SSN is the identity thief’s best tool.[28]

The link between SSNs and identity theft is so well established that most academics include reference to the identifier when describing the crime:

The cases described earlier in this article merely hint at the range of actions that may constitute bankruptcy-related identity theft. Forms of bankruptcy-related identity theft include, without limitation:

Finally, we take issue with Mr. Cate's characterization of the Identity Theft Survey Report that appears on page 6 of his testimony. On that page, Mr. Cate suggests that 76 percent of identity theft cases involved family members, friends, or financial institutions, and did not involve third party data. This is not a careful analysis of Federal Trade Commission's findings. Mr. Cate's 76 percent figure is not based on all identity theft victims. Instead, it is based on the minority of identity theft victims who knew the actual identity of the impostor ("in 26% of all cases, the victim knew who had misused their personal information").[30] The correct figure certainly is not 76 percent, as Mr. Cate suggests. Rather, the FTC very clearly wrote that:

"35% of the 26% of victims who knew the identity (or, in other words, 9% of all victims) said a family member or relative was the person responsible for misusing their personal information…23% of the 26% of all victims who knew the identity of the thief (or 6% of all victims) said the person responsible was someone who worked at a company or financial institution that had access to the victim’s personal information… Of the 26% who knew the identity of the person who took their information, 18% said the thief was a friend, neighbor, or in-home employee, while 16% said the thief was a complete stranger, but the victim later became aware of the thief’s identity. (These figures represent 5% and 4% of all victims respectively.)[31]

Mr. Cate would be correct in stating that in 25 percent of cases, the victim knew the impostor. However, that does not lead to the conclusion that H.R. 2971 or restrictions on third-party SSN sale is unjustified. H.R. 2971 could still reduce identity theft in cases where a friend, family member, company, or financial institution has access to SSNs. Instead of dumpster diving or stealing SSNs from computers, these impostors rely upon the appearance of the SSN in their acquaintances' mail or other personal belongings. For instance, in the college context, identity theft is facilitated by institutions that print the SSN directly on the student identity card. Accordingly, a roommate can very easily copy or take the victim's student identity card and then have the identifiers necessary to commit identity theft. Contrary to Mr. Cate's conclusion, H.R. 2971 would address these risks of identity theft. As SSNs are removed from checks, ID badges, and other materials, individuals will be less likely to be victimized by strangers or by their roommates, family members or friends.

8. If a private entity­for example, a consumer reporting agency, health care organization, or information reseller­has an individual's SSN in its possession, and this information is used in an identity theft or fraud, should that entity be held strictly liable for any harm done? Please comment on the advantages or disadvantages of this idea, as well as its feasibility and potential effectiveness in combating identity theft.

EPIC has argued that collection of the SSN should be limited, but where it is allowed, it should be subject to a full set of "Fair Information Practices," rights and responsibilities in data that ensure accuracy, access, and accountability. As part of the accountability responsibility, a strict liability standard would encourage companies to avoid unsafe practices. In particular, when a safer alternative activity exists, strict liability encourages use of the safer alternative while negligence offers no such additional incentive.

Social security number usage is a good fit for this standard. There are clear and equally effective alternatives to SSN use (alternative identifiers, avoiding SSN use altogether if unnecessary, etc.), and there is a far greater interest in avoiding identity theft altogether rather than simply preventing any identity theft that is not cost-effective to prevent in the first place, which negligence provides.

Also, given the relatively small number of SSN aggregators, it is likely to be more efficient and less expensive to provide insurance against identity theft for such aggregators, rather than for individual potential victims who are likely to be less able to gauge their relative risk. The main disadvantage to a strict liability standard is that it may impose damages for losses that are unforeseeable or that would be too costly to prevent. Additionally, liable entities may draw attention to particular cases where significant damages are imposed in the absence of obvious fault.

By encouraging companies to avoid using SSNs at all, rather than simply providing certain protections for unnecessary SSN use, a strict liability standard would be more effective at combating identity theft by decreasing the availability of and dependence on SSNs.

We also suggest that Congress consider as an accountability measure a "security breach notification" law. California enacted such a law that took effect in July 2003. It requires all entities to notify individuals when their unencrypted SSNs are acquired by an unauthorized person.[32] Under current law, a company could suffer a severe security breach and not notify any individual affected (except Californians). We think that a notice requirement is a fair condition for continued use of the SSN.



Chris Jay Hoofnagle Ed Mierzwinski
Associate Director Consumer Program Director
EPIC National Association of State PIRGs (U.S. PIRG)

[1] The driver's license is used as both identifier and authenticator, but it is a superior device because it includes a picture, address, signature, and basic physical information. It expires regularly and must also be renewed. A SSN lacks any of these additional features; see also Lynn M. LoPucki, Human Identification Theory and the Identity Theft Problem, 80 Tex. L. Rev. 89, 100 (November 2001) ("In particular, social security numbers and mothers' maiden names are inherently poor passwords because they are widely known and difficult to change. Knowledge of a social security number supports only a weak inference that the knower is the person to whom that social security number was assigned.").
[2] Sole Source Justification for Autotrack (Database Technologies) (n.d.) (document obtained from the USMS), available at http://epic.org/privacy/choicepoint/cpusms7.30.02j.pdf; see also Chris Jay Hoofnagle, Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect and Package Your Data for Law Enforcement, 29 N.C.J. Int'l L. & Com. Reg. 595 (Summer 2004).
[3] Identity Theft in Florida, First Interim Report of the Sixteenth Statewide Grand Jury, SC 01-1095 (Fla. Jan. 2002), available at http://myfloridalegal.com/pages.nsf/4492d797dc0bd92f85256cb80055fb97/758eb848bc624a0385256cca0059f9dd!OpenDocument.
[4] Id.
[5] Hearing on Privacy in the Commercial World, Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, U.S. House of Representatives, Washington, D.C., Mar. 1, 2001 (statement of Fred Cate), at http://www.law.indiana.edu/directory/publications/fcate/cate010301.pdf.
[6] See e.g., Jeff Sovern, The Jewel Of Their Souls: Preventing Identity Theft Through Loss Allocation Rules, 24 U. Pitt. L. Rev. 343, 358 (Winter 2003) (arguing that "[g]reater vigilance on the part of the merchants involved would have prevented many identity frauds").
[7] Robert Ellis Smith, Ben Franklin's Web Site, Privacy and Curiosity from Plymouth Rock to the Internet (Privacy Journal, 2000).
[8] 15 U.S.C. § 1681e(a).
[9] The Federal Trade Commission is statutorily barred from promulgating regulations on the FCRA. 15 U.S.C. § 1681s(a)(4). The agency issues a non-binding commentary on the Act. Credit, Trade Practices, 16 CFR § 600, 607 (1995).
[10] Pub. L. No. 108-159 § 112 (h)(1)(b)(i). FACTA amended the Fair Credit Reporting Act, 15 U.S.C. § 1681.
[11] Huggins v. Citibank, 585 S.E.2d 275 (S.C. 2003).
[12] Id. at 334.
[13] Privacy Prot. Study Comm'n, Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission (1977), available at http://www.epic.org/privacy/ppsc1977report/c1.htm.
[14] For instance, the Department of Homeland Security is expressly prohibited from developing National ID systems. 6 USCS § 554 (2004).
[15] Electronic Privacy Information Center, Amy Boyer, available at http://www.epic.org/privacy/boyer/.
[16] Identity Theft in Florida, Second Interim Report of the Sixteenth Statewide Grand Jury, SC 01-1095 (Fla. Nov. 2002), available at http://myfloridalegal.com/pages.nsf/4492d797dc0bd92f85256cb80055fb97/f6995a8304fb723685256cca0059975f!OpenDocument.
[17] Id.
[18] Kerry Hill, It All Starts with the SSN: Your Social Security Number Provides Avenue for Thieves, Wisconsin State Journal, Sept. 13, 1998, at 1B, available at http://privacyrights.org/cases/victim13.htm (accessed June 29, 2004).
[19] The Military ID Was too Easy to Get: System Failures Aided the Thief, at http://privacyrights.org/cases/victim22.htm (accessed June 29, 2004).
[20] Legislative Testimony of John and Jane Doe, available at http://privacyrights.org/cases/victim5.htm (accessed June 29, 2004)
[21] Identity Theft Resource Center, Identity Theft: The Aftermath 2003, at http://www.idtheftcenter.org/idaftermath.pdf
[22] See e.g. Nelski v. Pelland, 2004 U.S. App. LEXIS 663 (6th Cir. 2004) (phone company issued credit to impostor using victim's name but slightly different Social Security Number); United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (impostors obtained six American Express cards using correct name and Social Security Number but directed all six to be sent to the impostors' home); Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997) (bank issued two credit cards based on matching name and Social Security Number but incorrect address); Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp. 2d 150 (D.P.R. 2002) (impostor successfully obtained credit with matching Social Security Number but incorrect date of birth and address); Dimezza v. First USA Bank, Inc., 103 F. Supp. 2d 1296 (D.N.M. 2000) (impostor obtained credit with Social Security Number match but incorrect address).
[23] See e.g. TRW Inc. v. Andrews 534 U.S. 19 (2001) (patient's data was stolen by receptionist who successfully applied for credit with a matching SSN but different addresses in a different state, a different first name, and different date of birth).
[24] Lesley Mitchell, New wrinkle in ID theft; Thieves pair your SS number with their name, buy with credit, never get caught; Social Security numbers a new tool for thieves, The Salt Lake Tribune, June 6, 2004, at E1.
[25] Id.
[26] See e.g. Harry A. Valetk, Mastering the Dark Arts of Cyberspace: A Quest for Sound Internet Safety Policies, 2004 Stan. Tech. L. Rev. 2 (2004) (describing problems caused by the " Nine-Digit Key to Identity Theft"); Peter C. Alexander, Identity Theft and Bankruptcy Expungement, 77 Am. Bankr. L.J. 409 (Fall 2003); Lynn M. LoPucki, Did Privacy Cause Identity Theft?, 54 Hastings L.J. 1277 (April 2003) (noting that of the identifiers on a credit application, " most important will be Consumer's social security number"); Christopher P. Couch, Forcing the Choice Between Commerce and Consumers: Application of the FCRA to Identity Theft, 52 Ala. L. Rev. 583 (Winter 2002); Erin M. Shoudt, Identity Theft: Victims "Cry Out" For Reform, 52 Am. U.L. Rev. 339 (October 2002); Jerilyn Stanley, Crimes Identify Theft: Supporting Victims in Recovering From the Crime of the Information Age, 32 McGeorge L. Rev. 566 (Winter 2001); Stephanie Byers, The Internet: Privacy Lost, Identities Stolen, 40 Brandeis L.J. 141 (Fall 2001); Kurt M. Saunders and Bruce Zucker, Counteracting Identity Fraud In The Information Age: The Identity Theft And Assumption Deterrence Act, 8 Cornell J. L. & Pub. Pol’y 661 (Spring 1999); Kristen S. Provenza, Identity Theft: Prevention and Liability, 3 N.C. Banking Inst. 319 (April 1999).
[27] R. Bradley McMahon, Note: After Billions Spent to Comply With HIPAA and GLBA Privacy Provisions, Why is Identity Theft the Most Prevalent Crime in America?, 49 Vill. L. Rev. 625, 627 (2004).
[28] Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 Hastings L.J. 1227, 1252 (2003)
[29] Jane E. Limprecht, Fresh Start or False Start? Dealing with Identity Theft in Bankruptcy Cases, American Bankruptcy Institute Journal, December 200, 2000 ABI JNL LEXIS 192.
[30] Federal Trade Commission, Identity Theft Survey Report 28, Sept. 2003, available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
[31] Id. at 28-29.
[32] California Senate Bill 1386, available at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.

EPIC Privacy Page | EPIC Home Page

Last Updated: July 2, 2004
Page URL: http://www.epic.org/privacy/ssn/ssnanswers7.2.04.html