GAO: Localities Expose Social Security Numbers Online
Many county governments across the U.S. are providing citizen's full or partial Social Security Numbers available online or in bulk to private companies, according to a Government Accountability Office report released last week.
At a time when states are seeking additional laws to punish businesses that inadvertently leak their citizens' personal and financial data, the GAO's findings would appear to highlight an overlooked area of consumer protection, as states weigh trade-offs between open-records laws, privacy, and the potential income that the sale of consumer records can generate.
Roughly 85 percent of counties nationwide make the records available, and only 16 percent of counties place any restrictions on the types of entities that can obtain those records.
As the GAO notes, public records -- such as birth, marriage and death certificates, civil and criminal court case files, and property liens -- that used to be accessible only in the county recorder's office can now be viewed remotely online in many states. Indeed, earlier this year, Security Fix revealed that Maryland was publishing the SSNs, names, birthdays and addresses on tens of thousands of people who had received traffic citations in the state.
And it seems states aren't doing a great job keeping track of who's asking for the records. The GAO found that only about 23 percent of counties that make records available in bulk or online take any steps to verify the identity of entities that obtain records.
Further, most counties surveyed by the GAO said they make SSNs and other consumer data available to comply with state open records laws, but also because private companies often request access to the records to support their businesses. From the report:
"We found that title companies are the most frequent recipients of these records, but others such as mortgage companies and data resellers that collect and aggregate personal information often obtain records as well. In some cases, information from these public records is sent overseas for processing, a practice referred to as offshoring."
The GAO learned that about half of the states have passed laws that in some way limit the display of SSNs in new public records. Still, most of these laws do nothing to wipe SSNs from documents already published and available. Some states' redaction laws only kick in when citizens request the removal of their sensitive information, while states like California have begun truncating SSNs in documents going back to 1980. Virginia has a unique law that authorizes circuit court clerks to redact SSNs from certain land records and provides that they can collect reimbursement for their efforts from a state trust fund.
There are at least four bills pending in this Congress that would limit both private and government entities' ability to sell or display SSNs to other parties. Still, the GAO found that under existing law, this practice might already be illegal:
"A 1990 amendment to the Social Security Act requires that SSNs obtained or maintained pursuant to any provision of law enacted on or after October 1, 1990, be kept confidential, and no authorized person shall disclose any such social security account number or related record."
The GAO said officials at the Social Security Administration and Federal Trade Commission were not aware of any actions taken to enforce this provision, and no regulations have been promulgated to implement this requirement.
Interestingly, the GAO also surveyed entities that most commonly purchase or collect SSN data from states and counties, and found that - aside from consumer reporting agencies - most reported that they only needed a partial SSN (e.g. the last four digits), or that having an SSN was inconsequential.
This finding may be particularly irksome when one considers that most U.S. citizens can be identified using far less sensitive data. For example, armed with public, anonymous data from the 1990 census, a researcher from Carnegie Mellon University found that 87 percent of the U.S. population could be identified based only on their gender, date of birth, and 5-digit ZIP code.
Ari Schwartz, vice president of the Center for Democracy & Technology, a nonprofit policy group in Washington, said states need to do much more to show they are serious about protecting the privacy of citizens: At present, he said, only three states - California, Ohio and West Virginia - have state privacy offices (Colorado has a privacy office for health information).
A copy of the full GAO report is available here (PDF).
October 30, 2008; 11:20 AM ET
Categories: From the Bunker , U.S. Government
Save & Share: Previous: ICANN De-Accredits EstDomains for CEO's Fraud Convictions
Next: Virtual Heist Nets 500,000+ Bank, Credit Accounts
Posted by: infrederick | October 31, 2008 1:02 PM | Report abuse
The comments to this entry are closed.