My Social Security Number: How Secure Is It?

See also our FAQ on Social Security numbers, www.privacyrights.org/fs/fs10a-SSNFAQ.htm

Contents:
* Introduction
* Why is my Social Security number used so often as an identification number?
* Am I required to give my Social Security number to government agencies?
* Must I give my Social Security number to private businesses?
* Should I disclose my Social Security number over the Internet?
* Can my employer use my Social Security number as an employee identification number?
* Why do financial transactions require my Social Security number?
* Can a school or college use my Social Security number as an ID number? Do I need to provide my SSN to the school?
* Can a state use my Social Security number as my driver’s license number?
* How can I protect my Social Security number?
* Resources

Introduction

When Social Security numbers were first issued in 1936, the federal government assured the public that use of the numbers would be limited to Social Security programs such as calculating retirement benefits. Today, however, the Social Security number (SSN) has become the de facto national identifier. Government agencies and private businesses use SSNs for a wide range of non-Social Security purposes — such as employee files, medical records, health insurance accounts, credit and banking accounts, university ID cards, utility accounts, and many more.

The use of SSNs as an identifier and an authenticator makes these numbers highly desirable to criminals, such as identity thieves.

The U.S. Government Accountability Office (GAO) reported in 2006 that state agencies in 41 states and the District of Columbia display SSNs in at least one type of public record. Most often they appear in state and local court files and local property-ownership records. As many as 28 percent of the nation’s counties also place records with SSNs on the Internet, potentially exposing millions of people to identity theft.
(www.gao.gov/new.items/d06586t.pdf) There is an increasing body of evidence that crooks visit such government Web sites to find SSNs in order to use them to obtain employment, credit cards and wireless phone accounts.

The GAO found that SSNs are displayed on millions of cards issued by federal agencies, including 42 million Medicare cards, 8 million Department of Defense identification cards and insurance cards, and 7 million Veterans Affairs identification cards. Individuals in some states carry a driver’s license or state-issued identification card that uses their SSN as the ID number. This is now prohibited by federal law. Anyone holding such a card is encouraged to request a replacement that uses an alternate number (there may be a fee for the new card).

Individuals who routinely carry cards containing their Social Security number may be at risk for identity theft through loss, theft, or visual exposure of the card. While some of these agencies are taking steps to remove the SSNs, the lack of a broad, uniform policy “allows for unnecessary exposure of personal Social Security numbers,” the GAO concluded.

Your Social Security number is also frequently used as your identification number in many computer files, giving access to information you may want kept private and allowing an easy way of linking databases.

A major concern is the sale of SSNs over the Internet by information brokers. “As long as criminals can buy a list of names and SSNs through an Internet auction, we will continue to be plagued by the consequences,” the Social Security Administration’s inspector general has noted. (Testimony before the Subcommittee on Social Security of the House Committee on Ways and Means, July 10, 2003, http://waysandmeans.house.gov/hearings.asp?formmode=view&id=655 )

Legislation has been introduced in the U.S. Congress in recent years to prohibit the commercial sale of SSNs.
The latest version is the Social Security Number Misuse Prevention Act, introduced in the U.S. Senate in 2007. To date, none has been passed into law. (Use the search feature in http://thomas.loc.gov to locate this bill.)

Identity thieves seek out SSNs so they can use these numbers to assume the identity of another person and commit fraud. It’s relatively easy for someone to fraudulently use your SSN to assume your identity and gain access to your bank account, credit accounts, utilities records, and other sources of personal information. Identity thieves also can establish new credit and bank accounts in your name, or use your SSN for employment purposes or to obtain medical care. (See PRC Fact Sheets 17 and 17(a) on identity theft, www.privacyrights.org/identity.htm)

Therefore, it’s wise to limit access to your SSN whenever possible. While the potential sources of SSNs are vast and accessible, you can take steps to keep your SSN out of the hands of potential thieves. By doing so, you will reduce the chances of joining the list of some 9-10 million Americans who become identity theft victims each year. (For links to recent survey findings, visit www.privacyrights.org/ar/idtheftsurveys.htm)

Official efforts also are under way to restrict use of SSNs. For instance, the Social Security Administration truncates SSNs on the benefit statements it mails each year. Proposed state and federal legislation would seek to restrict some of the myriad other uses of the numbers. Removal of SSNs from public documents will be a difficult, costly, and very long process. Until that’s accomplished, if ever, it is in everyone’s best interest to protect his or her SSN whenever possible.

Why is my Social Security number used so often as an identification number?

Computer records have largely replaced paper filing systems in businesses and government agencies.
Because more than one person may share the same name, accurate retrieval of information works best if each file is assigned a unique number. Many businesses and government agencies believe the SSN is ideal for this purpose. However, with the rise in the crime of identity theft and other illegitimate uses of the SSN, this assumption is dangerous. Recent security breaches show that databases containing legally collected SSNs are often inadequately protected against accidental or intentional disclosure. (See www.privacyrights.org/ar/ChronDataBreaches.htm)

Since 2003, California law has required firms and organizations that maintain personal information, such as SSNs, in electronic data files to notify any California resident whose information may have been exposed through a data breach. For more information about this California law, see the resource provided by the California Office of Privacy Protection at www.privacy.ca.gov/recommendations/secbreach.pdf. (CA Civil Code section 1798.29 and sections 1798.82-1798.84) Now more than 30 states have adopted similar laws and, as of this writing, Congress is considering federal laws requiring notice of data breaches. For information on state laws, visit www.consumersunion.org/campaigns/Breach_laws_May05.pdf

Am I required to give my Social Security number to government agencies?

The answer depends upon the agency. Some government agencies, including tax authorities, welfare offices, and state Departments of Motor Vehicles, can require your SSN as mandated by federal law (42 USC 405 (c)(2)(C)(v) and (i)). Others may request the SSN, leading you to believe you must provide it.

The Privacy Act of 1974 requires all government agencies — federal, state and local — that request SSNs to provide a "disclosure" statement on the form.
The statement explains whether you are required to provide your SSN or if it’s optional, how the SSN will be used, and under what statutory or other authority the number is requested (5 USC 552a, note). The U.S. Office of Management and Budget, Office of Information and Regulatory Affairs (OIRA) provides guidance and oversight regarding the Privacy Act of 1974. The text of the Privacy Act can be found at the Web site www.usdoj.gov/foia/privstat.htm

The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well. Read the U.S. Department of Justice's explanation at this Web site, www.usdoj.gov/04foia/1974ssnu.htm .

If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. You can also contact your Congressional representative and U.S. Senators with your complaint. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.

A relatively new federal program called the Federal Parent Locator Service — and its subset, the National Directory of New Hires — uses computerized databases to provide addresses and SSNs to state and local agencies to help locate parents evading child-support orders or to resolve parental kidnapping and child custody cases. No consent is required. While beneficial, such databases contain the potential for abuse if other purposes are found for such information.

Must I give my Social Security number to private businesses?

Usually, no, you do not have to provide your Social Security number.
You are not legally required to provide your SSN to private businesses — including private health care providers and insurers — unless you are involved in a transaction in which the Internal Revenue Service requires notification. (MediCal and Medicare are government health plans and can require a Social Security number.)

There is no law, however, that prevents businesses from requesting your SSN, and there are few restrictions on what businesses can do with it. However, even though you are not required to disclose your SSN, the business can refuse to provide you with service if you refuse to give it.

If a business insists on knowing your SSN when you do not see a reason for it, we encourage you to speak to a manager who may be authorized to make an exception or who may know whether company policy requires it. If the company will not allow you to use an alternate number such as your driver’s license number, you may want to take your business elsewhere.

Credit card applications usually request SSNs. Your number is used primarily to verify your identity in situations where you have the same or a similar name to others. Most credit grantors will insist on having your SSN. But in rare cases, you may be able to find a credit grantor who will provide you credit without knowing your SSN, especially if you are persistent and can provide other forms of identification.

If you are dealing with a credit reporting agency, such as Experian, Equifax, or TransUnion, you will generally need to give your SSN because they claim that’s how the agency will find your file from among the millions of records they maintain. These agencies already have your SSN.

Unfortunately, you do need to give out your SSN over the telephone to stop receiving pre-approved credit card offers. This becomes an issue when calling (888) 5 OPT-OUT (1-888-567-8688), the toll-free line shared by the three credit bureaus whose mailing lists are often used to generate credit card solicitations.
You can use the agencies’ online form instead: https://www.optoutprescreen.com . While that doesn’t require the SSN, the agencies say that including it will help to ensure your request will be successful.

In California, the law restricts how certain businesses can display their customers’ Social Security numbers. It does not restrict the collection of SSNs, however, and it doesn’t affect government agencies. California Civil Code §1798.85 prohibits, for example, insurance companies from printing the SSN on identification cards that are carried in the wallet. Similarly, customers of banks and investment companies cannot be required to transmit the SSN over the Internet when conducting business online, unless the number is encrypted. SSNs cannot be printed on documents sent through the mail, with some exceptions.

The California Office of Privacy Protection provides a guide for businesses on “recommended practices” for using SSNs. It includes a description of the law at www.privacy.ca.gov/recommendations/ssnrecommendations.pdf The full text of the law is found on the state’s official legislative Web site, www.leginfo.ca.gov

Other state legislatures and Congress have considered similar laws since passage of California’s landmark law. Visit the Web site of the National Conference of State Legislatures, www.ncsl.org, and use its search engine for “Social Security numbers.”

Should I disclose my Social Security number over the Internet?

When you use the Internet, you may find Web sites that require your SSN when, for example, you apply for a credit card online or seek an insurance quote. We advise that you take extra precautions to determine that your personal data is transmitted securely and that it’s stored safely by the online business. Make sure you have the latest anti-virus and anti-spyware software installed on your computer. Only conduct business transactions with well-known, reputable companies.
Look for the closed padlock symbol on the bottom of the page that indicates it is a secure connection. Click on the padlock to determine if the security certificate is up-to-date. Read the company’s privacy policy to learn how it safeguards your personal data. If necessary, call the company and talk with an individual who is knowledgeable about the firm’s security practices. Do not conduct business with the company if it does not appear to protect its customers’ data. For more online shopping tips, read our Fact Sheet 23, www.privacyrights.org/fs/fs23-shopping.htm .

Beware of spam (unsolicited e-mail messages) that asks for your SSN or other personal information. Many people receive e-mail messages that appear to be from their Internet Service Provider (for example, AOL or Yahoo), from a government agency like the Internal Revenue Service, from a bank, Amazon, eBay, or PayPal. The message typically says that the company or agency is updating its records or has detected fraudulent activity with your account and needs personal information from you, such as your Social Security number, account number, password, mother’s maiden name, and so on. It may direct you to an official-looking Web site through a link contained in the message.

Do not respond to such messages! These are called “phishing” scams. Although they appear to be legitimate, these messages and Web sites are scams to get your personal information. No reputable company or government agency sends e-mail messages asking for sensitive personal data. For more information, visit the following Web site: www.lookstoogoodtobetrue.com .

Can my employer use my Social Security Number as an employee identification number?

Yes. However, the Social Security Administration discourages employers from displaying SSNs on documents that are viewed by other people — such as badges, parking permits, or on lists distributed to employees. Employers do, however, need each employee’s SSN to report earnings and payroll taxes.
In California, as explained above, employers cannot display the employee’s SSN in certain situations. For further information, visit www.privacy.ca.gov/recommendations/ssnrecommendations.pdf .

Why do financial transactions require my Social Security number?

In 1961 the Internal Revenue Service began using SSNs as taxpayer ID numbers (TIN). Therefore, SSNs are required on transactions in which the IRS may be interested. That includes most banking, stock market and other investments, real estate purchases, automobile purchases over $10,000, many insurance documents and other financial transactions as well as employment records.

Financial institutions are required by federal law to participate in Customer Identification Programs (CIPs). Banks must keep records of identifying information and check customer names against terrorist lists. This applies to anyone who opens a new account. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act), Pub.L. 107-56, includes measures to undercut terrorist financing and combat money laundering. Customer identification programs for financial institutions are required by §326 of the PATRIOT Act, with the details spelled out in regulations published by multiple federal agencies. For additional information about CIPs, read Fact Sheet 31, www.privacyrights.org/fs/fs31-CIP.htm .

Because your SSN must be included on all of these sensitive financial documents, it’s important to limit other uses of the number.

Can a school or college use my Social Security number as an identification number? Do I need to provide my SSN to the school?

Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act in order to retain their funding (FERPA, also known as the "Buckley Amendment," enacted in 1974, 20 USC 1232g).
One of FERPA's provisions requires written consent for the release of “educational records” or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision. (See Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)). The FERPA text can be found at the Web site www.cpsr.org/cpsr/privacy/ssn/ferpa.buckley.html. Read the Department of Education’s FERPA guide for students, www.ed.gov/policy/gen/guid/fpco/ferpa/students.html .

FERPA applies to state colleges, universities, and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grade listings containing SSNs, it would be a violation of FERPA. However, some schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law. SSNs may be obtained by colleges and universities for students who have university jobs and/or receive federal financial aid.

Public schools, colleges, and universities that ask for your SSN also fall within the provisions of another federal law, the Privacy Act of 1974. This act requires such schools to provide a disclosure statement telling students how the SSN is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement. If one is not offered, you may want to file a complaint with the school, citing the Privacy Act.

When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID.

Many states now have laws banning public universities and colleges from using SSNs as student IDs. These include: Arizona, Colorado, New York, Rhode Island, Wisconsin, Washington, and West Virginia.
See Privacy Journal’s Compilation of State and Federal Privacy Laws, www.privacyjournal.net/work1.htm And some universities have voluntarily begun using numbers other than SSNs on student IDs.

For more information on education-related privacy issues, see our Fact Sheet 29, www.privacyrights.org/fs/fs29-education.htm

Can a state use my Social Security number as my driver's license number?

Not any longer. The Intelligence Reform and Terrorism Prevention Act of 2004 prohibits states from displaying your SSN on driver's licenses or motor-vehicle registrations. The law went into effect on December 17, 2005, and applies to all licenses, registrations, and identification cards issued after that date. If your license still uses your SSN as the ID number, you can request this be changed. You don’t need to wait until it expires to get one with a different number, though you may be charged a fee for the new issuance.

More information on the Intelligence Reform and Terrorism Prevention Act of 2004 is available as follows:
* Social Security Administration, www.ssa.gov/legislation/legis_bulletin_010705.html
* Congressional Research Service, www.fas.org/irp/crs/RL32722.pdf .

How can I protect my Social Security number?

1. Adopt a policy of not giving out your SSN unless you are convinced it’s required or is to your benefit. Ask them to show you why it is needed. Resist merchants' requests to write your SSN on your checks. Explain that you could become a victim of fraud if someone were to use your SSN and account number to gain access to your bank or credit accounts or to open new accounts in your name.

2. Never print your Social Security number on your checks, business cards, address labels or other identifying information.

3. Do not carry your SSN card in your wallet except for situations when it is required, such as the first day of a new job.
If possible, do not carry any items in your wallet that include your SSN, such as insurance cards, except when they are needed to receive healthcare services. Your wallet could be lost or stolen, resulting in your SSN being vulnerable to fraudulent use.

A California law places restrictions on the display and transmission of SSNs by companies. For more information, read the California Office of Privacy Protection guide on SSN “recommended practices,” at www.privacy.ca.gov/recommendations/ssnrecommendations.pdf

If you feel that you must carry a health insurance card that includes your SSN or a Medicare card with you at all times, photocopy the original card and cut it down to wallet size. Then blacken out or cut out the last four digits of the SSN on the copy. Carry the copy with you rather than the actual card.

4. Pay attention to your Social Security Personal Earnings and Benefit Estimate Statement (PEBES). The Social Security Administration (SSA) mails it to you each year about three months before your birthday. Be sure the information in the file is correct. You can also contact the SSA at (800) 772-1213 or www.ssa.gov to learn how to obtain this free report. If incorrect information is recorded, contact the SSA immediately. Someone may be fraudulently using your SSN for employment purposes. The Social Security Administration’s fraud department can be reached at (800) 269-0271. Its Web site is www.ssa.gov

5. Order a copy of your free credit reports each year by calling 1-877-322-8228 and using the automated telephone system to process your request. If you are a victim of identity theft, the credit report will likely contain evidence of credit or banking fraud committed using your name and SSN. It will also show other SSNs or names associated with you. (See PRC Fact Sheet 6 on credit reporting, www.privacyrights.org/fs/fs6-crdt.htm) For more information on free credit reports, visit www.AnnualCreditReport.com.

6. If a private business requests your SSN:
* Leave the space for the SSN on the form blank or write "refused" or “N/A” in that space.
* Speak to someone in management or write to the business and explain why you do not want your SSN used to identify you. If you don’t receive satisfaction from the first person you contact, go to someone in the organization with more authority.
* Insist that the company document its policy of why they are requiring an SSN. If a written policy cannot be found or too much time is taken looking for one, maybe the business will allow you to use an alternate number.
* Ask why your SSN is requested and suggest alternatives like using your driver’s license number (except if your driver’s license number is the SSN and you haven’t yet obtained a different number from your Department of Motor Vehicles).
* If the company insists on having your SSN, explain that you will take your business elsewhere. If the company persists, follow through on your promise.

(In California, utilities cannot deny you service if you refuse to provide your SSN. However, a deposit may be required if you do not provide the information. www.cpuc.ca.gov/static/telco/information+for+providing+service/clc+application/resource3.txt )

7. If your employer releases or displays your SSN, explain why you disapprove of this practice. Some employers do not treat SSNs as confidential information. They may be willing to change their policy when they understand the twin dangers of invasion of privacy and potential for fraud. As explained above, a California law places restrictions on the display and transmission of SSNs by companies.

8. If your bank, credit union or other financial service provider uses your Social Security number as a personal identification number (PIN) or as the identifier for banking by phone or the Internet, write a letter of complaint. Demand to have a different PIN and/or identification number assigned.
Explain why the SSN is an extremely poor choice for a password or security code. If you use the last four digits of your SSN as your PIN for ATM and other banking or credit transactions, change it to something else, but not to a common number such as your birthdate, telephone number, or ZIP code.

9. If your state’s Department of Motor Vehicles still uses the SSN as the driver’s license number, ask for an alternate number. Federal law now requires state Motor Vehicles departments to use a number other than the SSN for the driver’s license number. (See above.)

10. If you fear your SSN has gotten into the wrong hands, take the following steps to reduce the risk of new accounts being opened in your name:
* Place a 90-day fraud alert on your credit reports by calling one of the three credit bureaus: TransUnion (800) 680-7289; Equifax (888) 766-0008; Experian (888) 397-3742.
* Monitor your credit reports very closely. Placing the fraud alert allows you to order a free credit report within 90 days.
* If you have evidence of actual or attempted identity theft, additional steps are needed, such as notifying the police and the Federal Trade Commission. See our Fact Sheet 17(a) “Identity Theft: What to Do if It Happens to You,” www.privacyrights.org/fs/fs17a.htm .

11. If you have a military identification card or receive SSI, MediCal, or Medicare benefits, your ID card displays your SSN and exposes you to the risk of identity theft. Complain to your Congressional representative and to your U.S. Senators and demand that they pass laws prohibiting that practice.
Resources

* California Office of Privacy Protection, “Recommended Practices for Protecting the Confidentiality of Social Security Numbers,” www.privacy.ca.gov/recommendations/ssnrecommendations.pdf
* National Conference of State Legislatures
  o 2007 introduced legislation on Social Security numbers, www.ncsl.org/programs/lis/privacy/SSN2007_Pending.htm
  o 2007 enacted Social Security number legislation, www.ncsl.org/programs/lis/privacy/SSN2007.htm
* Privacy Journal, Compilation of State and Federal Privacy Laws
  o Contains a chapter on SSN-related laws, www.privacyjournal.net/work1.htm
* Universities that have adopted ID numbers other than the SSN include these:
  o University of Illinois, Social Security Number Policy, www.ssn.uillinois.edu
  o University of Michigan, Social Security Number Privacy Policy, http://spg.umich.edu/pdf/601.14.pdf

The Privacy Rights Clearinghouse gratefully acknowledges the efforts of Chris Hibbert of Computer Professionals for Social Responsibility in compiling his useful guide on SSNs. To read his SSN FAQ, visit www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html .