Network News

X My Profile
View More Activity

GAO: Localities Expose Social Security Numbers Online

Many county governments across the U.S. are providing citizen's full or partial Social Security Numbers available online or in bulk to private companies, according to a Government Accountability Office report released last week.

At a time when states are seeking additional laws to punish businesses that inadvertently leak their citizens' personal and financial data, the GAO's findings would appear to highlight an overlooked area of consumer protection, as states weigh trade-offs between open-records laws, privacy, and the potential income that the sale of consumer records can generate.

Roughly 85 percent of counties nationwide make the records available, and only 16 percent of counties place any restrictions on the types of entities that can obtain those records.

As the GAO notes, public records -- such as birth, marriage and death certificates, civil and criminal court case files, and property liens -- that used to be accessible only in the county recorder's office can now be viewed remotely online in many states. Indeed, earlier this year, Security Fix revealed that Maryland was publishing the SSNs, names, birthdays and addresses on tens of thousands of people who had received traffic citations in the state.

And it seems states aren't doing a great job keeping track of who's asking for the records. The GAO found that only about 23 percent of counties that make records available in bulk or online take any steps to verify the identity of entities that obtain records.

ssnrelease.jpg

Further, most counties surveyed by the GAO said they make SSNs and other consumer data available to comply with state open records laws, but also because private companies often request access to the records to support their businesses. From the report:

"We found that title companies are the most frequent recipients of these records, but others such as mortgage companies and data resellers that collect and aggregate personal information often obtain records as well. In some cases, information from these public records is sent overseas for processing, a practice referred to as offshoring."

The GAO learned that about half of the states have passed laws that in some way limit the display of SSNs in new public records. Still, most of these laws do nothing to wipe SSNs from documents already published and available. Some states' redaction laws only kick in when citizens request the removal of their sensitive information, while states like California have begun truncating SSNs in documents going back to 1980. Virginia has a unique law that authorizes circuit court clerks to redact SSNs from certain land records and provides that they can collect reimbursement for their efforts from a state trust fund.

There are at least four bills pending in this Congress that would limit both private and government entities' ability to sell or display SSNs to other parties. Still, the GAO found that under existing law, this practice might already be illegal:

"A 1990 amendment to the Social Security Act requires that SSNs obtained or maintained pursuant to any provision of law enacted on or after October 1, 1990, be kept confidential, and no authorized person shall disclose any such social security account number or related record."

The GAO said officials at the Social Security Administration and Federal Trade Commission were not aware of any actions taken to enforce this provision, and no regulations have been promulgated to implement this requirement.

Interestingly, the GAO also surveyed entities that most commonly purchase or collect SSN data from states and counties, and found that - aside from consumer reporting agencies - most reported that they only needed a partial SSN (e.g. the last four digits), or that having an SSN was inconsequential.

This finding may be particularly irksome when one considers that most U.S. citizens can be identified using far less sensitive data. For example, armed with public, anonymous data from the 1990 census, a researcher from Carnegie Mellon University found that 87 percent of the U.S. population could be identified based only on their gender, date of birth, and 5-digit ZIP code.

Ari Schwartz, vice president of the Center for Democracy & Technology, a nonprofit policy group in Washington, said states need to do much more to show they are serious about protecting the privacy of citizens: At present, he said, only three states - California, Ohio and West Virginia - have state privacy offices (Colorado has a privacy office for health information).

A copy of the full GAO report is available here (PDF).

By Brian Krebs  |  October 30, 2008; 11:20 AM ET
Categories:  From the Bunker , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: ICANN De-Accredits EstDomains for CEO's Fraud Convictions
Next: Virtual Heist Nets 500,000+ Bank, Credit Accounts

Comments

Yes it certainly is a crime, in fact it is a felony both for the offical and for any person buying the information.

See United States Code TITLE 26 INTERNAL REVENUE CODE, Subtitle F, CHAPTER 75 —CRIMES, OTHER OFFENSES, AND FORFEITURES, Section 7213. Unauthorized disclosure of information
(a) Returns and return information
(1) Federal employees and other persons
It shall be unlawful for any officer or employee of the United States or any person described in section 6103 (n) (or an officer or employee of any such person), or any former officer or employee, willfully to disclose to any person, except as authorized in this title, any return or return information (as defined in section 6103 (b)). Any violation of this paragraph shall be a felony punishable upon conviction by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution, and if such offense is committed by any officer or employee of the United States, he shall, in addition to any other punishment, be dismissed from office or discharged from employment upon conviction for such offense.
(2) State and other employees
It shall be unlawful for any person (not described in paragraph (1)) willfully to disclose to any person, except as authorized in this title, any return or return information (as defined in section 6103 (b)) acquired by him or another person under subsection (d), (i)(3)(B)(i) or (7)(A)(ii), (l)(6), (7), (8), (9), (10), (12), (15), (16), (19), or (20) or (m)(2), (4), (5), (6), or (7) of section 6103 or under section 6104 (c). Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution.
(3) Other persons
It shall be unlawful for any person to whom any return or return information (as defined in section 6103 (b)) is disclosed in a manner unauthorized by this title thereafter willfully to print or publish in any manner not provided by law any such return or return information. Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution.
(4) Solicitation
It shall be unlawful for any person willfully to offer any item of material value in exchange for any return or return information (as defined in section 6103 (b)) and to receive as a result of such solicitation any such return or return information. Any violation of this paragraph shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution.

Posted by: infrederick | October 31, 2008 1:02 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company