This is the accessible text file for GAO report number GAO-02-239 entitled 'Child Support Enforcement: Most States Collect Drivers’ SSNs and Use Them to Enforce Child Support' which was released on February 15, 2002. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States General Accounting Office: GAO: Report to the Subcommittee on Human Resources, Committee on Ways and Means, House of Representatives: February 2002: Child Support Enforcement: Most States Collect Drivers’ SSNs and Use Them to Enforce Child Support: GAO-02-239: Contents: Letter: Results in Brief: Background: Most MVAs Are Collecting SSNs from Driver’s License Applicants but OCSE Actions to Track and Promote Compliance Have Been Limited: Few Privacy Concerns Expressed about MVAs Collecting SSNs, Yet Potential Weaknesses in Safeguarding SSNs May Compromise Privacy: Driver’s License Suspension Is Not Fully Used in All States Even Though It Can Result in Collecting Payments: Conclusions: Recommendation for Executive Action: Agency Comments: Appendix I: Objectives, Scope, and Methodology: Objectives: Scope and Methodology: Appendix II: Survey to MVAs: Appendix III: Comments From the Department of Health and Human Services: GAO Comments: Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Staff Acknowledgments: Tables: Table 1: SSN Collection Practices at MVAs Prior to SSN Requirement Becoming Law: Table 2: MVA Risk Assessments and Agencywide Security Plans: Table 3: MVA Monitoring Access and Adherence to Password Policies: Table 4: Outcome of Driver’s License Suspension in Three States in 2000: Abbreviations: AAMVA: American Association of Motor Vehicle Administrators: CSE: child support enforcement: OCSE: Office of Child Support Enforcement: DPPA: Driver’s Privacy Protection Act: FISCAM: Federal Information System Controls Audit Manual: GISRA: Government Information Security Reform provisions: HHS: Department of Health and Human Services: MVA: Motor Vehicle Agency: OCSE: Office of Child Support Enforcement: OMB: Office of Management and Budget: PRWORA: Personal Responsibility and Work Opportunity Reconciliation Act: [End of section] United States General Accounting Office: Washington, DC 20548: February 15, 2002: The Honorable Wally Herger: Chairman, Subcommittee on Human Resources: Committee on Ways and Means: House of Representatives: The Honorable Nancy Johnson: House of Representatives: The Honorable Sander Levin: House of Representatives: In 1975, the Congress established a national child support enforcement (CSE) program to ensure that noncustodial[Footnote 1] parents financially support their children. From fiscal years 1976 through 2000, this program collected approximately $156.6 billion in child support, with approximately $84.3billion collected from 1995 through 2000. Despite these results, billions in child support remain uncollected. In fiscal year 2000, the Office of Child Support Enforcement (OCSE), which is located in the Department of Health and Human Services (HHS), estimated that $84 billion in past-due child support was owed, but never collected, for all previous fiscal years. The Social Security Act as amended contains many provisions designed to help child support agencies collect support when noncustodial parents or their income and assets are hard to find, including two which relate to driver’s licenses. The act mandates that states enact and implement laws requiring the recording of social security numbers (SSN) of any applicants for a driver’s license on the application. State CSE programs rely on SSNs to locate the addresses, income, and assets of noncustodial parents. Motor vehicle agencies (MVA) can be a valuable source of SSNs that CSE programs have difficulty obtaining elsewhere. The act also requires that states have laws requiring procedures to suspend, withhold, or restrict[Footnote 2] the driver’s licenses of noncustodial parents who are delinquent in their child support payments. In light of both the desire to have an effective child support enforcement system and the desire to protect personal privacy, you requested that we (1) determine the extent to which states collect SSNs from all applicants for driver’s licenses and what OCSE has done to promote compliance in states not doing so, (2) identify privacy concerns associated with MVA efforts to collect and safeguard SSNs that are used for child support enforcement purposes, and (3) determine the extent to which state CSE programs use driver’s license suspension to collect past-due child support and whether this tool has resulted in collections. To accomplish these objectives, we mailed a survey to 54 MVAs-—one in each of the 50 states, the District of Columbia, and 3 U.S. territories[Footnote 3]—-and received 53 back. The intent of the survey was to obtain information about (1) the extent to which MVAs collect SSNs from licensed drivers and (2) their policies and procedures regarding the collection and safeguarding of SSNs. We also telephoned the CSE programs in the 50 states, the District of Columbia, and the 3 U.S. territories to obtain information on how they use MVA-collected SSNs, the extent to which privacy concerns about MVA-collected SSNs exist in their jurisdictions, and their use of driver’s license suspension. We visited MVAs, CSE programs, Offices of Attorney General, and legislators in 5 states (California, Georgia, Michigan, North Carolina, and Texas) to obtain more in-depth information on the same topics that we addressed in the MVA survey and CSE program telephone calls. We analyzed data on driver’s license suspensions during calendar year 2000 from CSE programs in 4 other states (Colorado, Maryland, Pennsylvania, and Washington) to determine the extent to which this action resulted in child support payments. Finally, we interviewed officials from OCSE and privacy experts about these two federal requirements. We performed our work from November 2000 through December 2001 in accordance with generally accepted government auditing standards. See appendix I for additional information on our scope and methodology and appendix II for a copy of our survey and responses. Results in Brief: Most motor vehicle agencies (47 out of 53 that returned our survey) collect SSNs from all applicants for driver’s licenses, but the Office of Child Support Enforcement has taken limited or no steps to promote such collection of SSNs in states not currently doing so. All except two of the child support enforcement programs in the 47 states collecting SSNs use motor vehicle agency collected SSNs, along with SSNs from other sources, when establishing or verifying SSNs or seeking other information about noncustodial parents. Further, officials from most of these states believe that motor vehicle agency collected SSNs are helpful in these endeavors. Of the six states that are not collecting SSNs from all applicants for driver’s licenses, the legislatures in five have not passed laws requiring their motor vehicle agencies to collect SSNs from all noncommercial drivers. Although the legislature in the sixth state has passed such a law, at the time of our review, the motor vehicle agency had not implemented it. The Office of Child Support Enforcement is responsible for overseeing state adoption and implementation of federal requirements related to child support enforcement. This includes tracking whether states are complying with federal requirements and, when necessary, taking formal action to promote compliance. Such action could result in states losing all or part of federal funds for child support enforcement until they come into compliance. During our review, the Office of Child Support Enforcement had not taken action to promote compliance in four of the six states because they did not know that these states were not collecting SSNs from all applicants for driver’s licenses. Although the Office of Child Support Enforcement officials knew that two states had not passed laws requiring collection, they did not initiate formal action to try to remedy the situation because they had not yet determined the extent to which these states are complying with various requirements of the law. They did, however, elect to work with these two states through informal mechanisms. Although state officials and privacy experts we spoke with expressed few privacy concerns regarding the policy that motor vehicle agencies collect SSNs for child support enforcement, possible weaknesses in the policies and procedures that some motor vehicle agencies use to safeguard SSNs indicate the potential for compromising privacy. While many of the state officials and privacy experts we spoke with recognized the increased dissemination of SSNs throughout society as a serious concern, few felt that this concern extended to the policy of motor vehicle agencies collecting SSNs for child support enforcement. The low level of concern about this policy may reflect two factors. First, this policy relates to a government program—-child support enforcement—-that many view as having a legitimate need for SSNs. Second, federal and state laws greatly limit the extent to which motor vehicle agencies can provide SSNs to other entities, including those in the private sector. However, limiting who can legally receive SSNs is not enough to ensure privacy. SSNs also must be protected from unauthorized access and misuse. Our survey of motor vehicle agencies revealed potential deficiencies in protecting SSNs from such abuse. Although most motor vehicle agency officials believed that the SSNs stored on their agency’s computers were safe from unauthorized access, officials in 40 states also reported that their computer security programs lacked at least one of five basic components of information security included in our survey—-risk assessments, agencywide security plans, audits, access monitoring, and policies for password selection and use. These five components—-all of which are requirements of computer security programs at federal agencies—are among those essential for safeguarding data. However, no guidelines exist regarding the components that motor vehicle agencies should include in their computer security programs. Child support enforcement officials in 35 states told us that their agencies use driver’s license suspension extensively, and our work shows that, when used, this process can result in collecting some payments. All 54 child support enforcement programs have policies and procedures in place for driver’s license suspension, including criteria specifying the level of delinquency that a noncustodial parent must meet before the CSE program begins the suspension process by sending a warning letter. Child support enforcement officials in 35 states explained that their programs either use this tool in all cases that meet their state’s delinquency criteria or use it frequently. Child support enforcement officials in 16 states, however, told us that their programs were not using this tool in all cases that met their state’s delinquency criteria primarily because some judges were reluctant to order its use or because of cumbersome administrative processes. Additionally, most of these officials indicated that they would like to use it more. It was too soon to gauge the extent of driver’s license suspension use in the remaining 3 states because they were either just beginning to implement it or making significant changes to the process. According to officials from the Office of Child Support Enforcement as well as officials from state child support enforcement programs, when used, the driver’s license suspension process can result in collecting some particularly difficult-to-collect child support payments-—those that are overdue and from noncustodial parents who are self-employed or who work informally for cash. It is also useful for collecting payments from noncustodial parents who depend upon their driver’s licenses for work. We analyzed data on the use of the driver’s license suspension process in 4 states and found that it led to collecting payments in 29 percent of the cases for which it was used and resulted in $48 million in collections. To ensure that all states are following the act’s requirement that states enact and implement laws requiring the collection of SSNs from all applicants for driver’s licenses, we are recommending that the Office of Child Support Enforcement more effectively track compliance with this requirement and take formal steps to bring about such compliance. Although the motor vehicle agency officials reported that their computer security programs lacked at least one of the basic components of information security included in our survey, we are not recommending specific action because, at this time, no federal agency has responsibility related to computer security at state motor vehicle agencies. Background: The child support enforcement (CSE) program is a joint federal and state partnership mandated in 1975 under Title IV-D of the Social Security Act[Footnote 4] through which noncustodial parents are located, paternity is established, and child support orders are issued and enforced. State CSE programs are responsible for carrying out these basic activities. These activities may take place through judicial action or an expedited administrative process, depending on the state where the action takes place. In a judicial process, the courts have the authority to make certain decisions and take certain actions, and proceedings take place in a legal setting, typically involving district, state, or county attorneys, judges, and other parties. By contrast, in an expedited administrative process, the state CSE program has the authority to administer certain aspects of state child support law or regulation without court approval being required for legally binding actions. Although the states administer the child support enforcement program, the federal government plays a major role. This includes funding most of the program and requiring states to develop certain policies and procedures to help locate noncustodial parents and enforce child support orders. The Office of Child Support Enforcement (OCSE), in conjunction with regional HHS offices, is responsible for overseeing and monitoring state CSE programs’ compliance with federal requirements. The Personal Responsibility and Work Opportunity Reconciliation Act (PRWORA) of 1996[Footnote 5] amended portions of the Social Security Act, including some provisions that pertained to child support enforcement. One such provision mandates that states enact laws requiring state agencies to collect SSNs for child support enforcement purposes. Under PRWORA, SSNs are to be recorded when individuals apply for certain licenses such as commercial driver’s licenses, occupational and professional licenses, and marriage licenses. This provision also mandates placing SSNs in records related to divorce decrees, death certificates, child support orders, and paternity establishments. The Balanced Budget Act of 1997 expanded this requirement to include the collection of SSNs from applicants for all driver’s licenses—-commercial and noncommercial-—and also made it effective for applicants of recreational licenses. Additionally, the Balanced Budget Act initially made the effective date of this provision retroactive to October 1996, as if it had been included in PRWORA. In 1998, however, the effective date of this provision was extended to October 1, 2000. This provision only required that SSNs be collected, not that they be displayed on driver’s licenses. A second provision of PRWORA requires that states enact laws requiring procedures to suspend licenses of noncustodial parents who owe past- due child support. Licenses subject to suspension include commercial and noncommercial driver’s licenses, and occupational and professional licenses. Additionally, as part of their CSE plans, states are required to provide OCSE with information on how they will implement the procedures prescribed in their laws. CSE programs use SSNs to help locate noncustodial parents and enforce support orders. SSNs are important in these endeavors because, by virtue of being unique numbers, they help ensure that the correct person has been identified as the noncustodial parent. This accurate identification is essential in situations in which databases contain several individuals with the same or similar names and birthdates. When SSN data are not available, child support officials said that it is more likely that the wrong person will be identified as the noncustodial parent. Efforts to confirm identity by other means can be labor-intensive and time-consuming. When SSNs are available, child support programs use them as one component in their efforts to identify the whereabouts, income and assets of noncustodial parents by matching them against those in state and federal databases. For example, child support programs use these matches to obtain address information to locate noncustodial parents, to obtain employment information to enforce support orders, and to identify the driver’s licenses of noncustodial parents who are candidates for license suspension. Although CSE programs obtain SSNs from a variety of sources, including MVAs, CSE programs themselves are not generally a source of SSNs for other agencies. Generally, CSE programs may disclose SSNs only to other CSE programs or social service agencies. While MVAs’ use of SSNs varies, some MVAs accept a valid Social Security card as one form of identification to issue a driver’s license. MVAs also use SSNs to control fraudulent driver’s license applications, for internal administrative purposes, or to track fines or fees. For these reasons 35 of the MVAs collected SSNs from all drivers before being required to do so by the federal government. Most MVAs Are Collecting SSNs from Driver’s License Applicants but OCSE Actions to Track and Promote Compliance Have Been Limited: Most MVAs (47 out of 53) collect SSNs from all applicants for driver’s licenses, but OCSE has taken limited or no steps to promote such collection in states not currently doing so. Almost two-thirds of the MVAs collecting SSNs collected them from all driver’s license applicants prior to the passage of the Social Security Act’s requirement to do so. Of the 6 states that are not collecting SSNs from all applicants for driver’s licenses, the legislatures in 5 (Georgia, Kansas, Maryland, Minnesota, and Oregon) have not introduced laws requiring collection of SSNs in this manner, and, although the remaining state (Michigan) has passed such a law, the MVA has not implemented it. OCSE did not take any action against 1 state (Michigan) because of a lawsuit, did not take formal action against 2 states (Georgia, and Minnesota), and did not know that 3 states were not collecting SSNs from all applicants for driver’s licenses. Most MVAs Collect SSNs from All Driver’s License Applicants: Table 1 shows that almost two-thirds of the MVAs were collecting SSNs from all driver’s license applicants before the date of the legislation requiring this practice, August 5, 1997.[Footnote 6] There are two opportunities for MVAs to collect SSNs on all applicants, at license issuance and renewal. Of the 6 states not collecting SSNs from all driver’s license applicants at the time of our review, 2 performed such collections during the 1980s or 1990s.[Footnote 7] Table 1: SSN Collection Practices at MVAs Prior to SSN Requirement Becoming Law: Type of SSN collection at MVAs: Collected from all applicants; MVAs collecting SSNs as of August 5, 1997 (prior to law): 35; MVAs collecting SSNs as of December 2001: 47. Type of SSN collection at MVAs: Collected from some applicants; MVAs collecting SSNs as of August 5, 1997 (prior to law): 13; MVAs collecting SSNs as of December 2001: 3. Type of SSN collection at MVAs: Not collected from any applicants; MVAs collecting SSNs as of August 5, 1997 (prior to law): 4; MVAs collecting SSNs as of December 2001: 3. Type of SSN collection at MVAs: Total; MVAs collecting SSNs as of August 5, 1997 (prior to law): 52[A]; MVAs collecting SSNs as of December 2001: 53[B]. [A] Data not received from 2 MVAs. [B] Data not received from 1 MVA. Source: GAO’s survey of MVAs and interviews with MVA officials. [End of table] MVA-collected SSNs are used in at least one of two ways by CSE programs in all but 2[Footnote 8] of the 47 states that adhere to this federal requirement. The first way that CSE programs use MVA-collected SSNs, along with SSNs from other sources, is to help initially establish or verify the SSNs of noncustodial parents. CSE programs consult a variety of sources simultaneously when doing this, often through electronic networks that link state agencies, including MVAs, or federal agencies. The second way that MVA-collected SSNs are used in most states is to identify the driver’s licenses of noncustodial parents who are candidates for suspension. This is normally done through computer matches, where the SSN from the CSE program, the SSN from the MVA, and several other pieces of information must match prior to suspending the driver’s license of a particular noncustodial parent. CSE officials from 44 of the 47 states that are collecting SSNs found them useful, while 3 did not find them useful. The officials who found them useful said that the SSN is one of many sources that their programs consult and some of these officials elaborated on factors that make MVA-collected SSNs useful. Several explained that MVA- collected SSNs were helpful because this source included SSNs on almost everyone in the CSE system. This is presumably because MVAs have access to a wide range of people—-everyone who wants a driver’s license. Others added that MVAs were particularly helpful for obtaining the SSNs of noncustodial parents who were self-employed, unemployed, or working for cash because the SSNs of these individuals tend not to be found in other more commonly used SSN sources, such as state and federal agencies that maintain employment or tax records. Finally, others explained that MVAs were particularly important for identifying the driver’s licenses of noncustodial parents who were candidates for license suspension. CSE officials in the 3 states that did not find SSNs useful, as well as in other states, cited various drawbacks to MVA-collected SSNs. First, in states where MVAs only recently began collecting SSNs, they often do not have SSNs from enough individuals for them to be of much use to the CSE program. Second, MVA SSNs can be unreliable because most MVAs do not have procedures in place for verifying that drivers are providing their correct SSN. Only 14 of the 49 MVA survey respondents who answered this question reported that they verify the SSNs that they collect with the agency that issues SSNs, the Social Security Administration. Third, in two states, CSE program officials prefer to use other sources. Six States Not in Compliance with Social Security Act Requirements: As of the time of our survey, six states were not complying with the Social Security Act’s requirements that they pass and implement laws mandating SSN collection on all drivers’ license applications. Three of these states—-Georgia, Michigan, and Oregon-—were not collecting SSNs from any applicants. Three states—-Kansas, Maryland, and Minnesota—-were doing so for some, but not all, applicants. The legislatures in all of the states, except Michigan, did not pass laws requiring the collection of SSNs from all applicants for driver’s licenses. Officials from the MVAs and CSE programs in these five states indicated that this noncompliance occurred, at least in part, because their programs either did not bring the need for such laws to their legislatures’ attention or did not sufficiently highlight the need. For example, a CSE official in Oregon told us that the state legislature was required to pass various laws to comply with the Social Security Act’s requirements and the need to pass a law requiring collection of SSNs on driver’s license applications was simply overlooked until sometime in 2000 or 2001. CSE officials in Maryland and Kansas told us that they mistakenly thought that the MVAs in their states were collecting SSNs from all driver’s license applicants and thus never proposed that their legislatures pass such legislation. CSE and MVA officials from these five states stated that their legislatures would most likely debate the privacy implications[ Footnote 9] of this requirement should legislation be proposed. However, privacy was not characterized as the overriding reason for not trying to get such legislation passed. Other reasons included the concern that proposing SSN legislation might detract from pursuing other child support priorities, a belief that the MVA already had the authority to collect SSNs in this manner, and concerns about the cost of implementing this requirement. Michigan differs from the other five states that were not collecting SSNs in that its legislature passed a law in 1998 requiring its MVA to collect SSNs from all driver’s license applicants. However, the secretary of state, who oversees the state’s MVA, did not want to implement this law for some of the same reasons cited in other states—- cost and privacy. Michigan’s attorney general filed suit against the federal government in early 2001 challenging the constitutionality of the act’s requirement. The court ruled against Michigan in October of 2001 and as a result the MVA is now planning to implement the state law. OCSE Actions to Track and Promote Compliance Have Been Limited: OCSE is responsible for overseeing the states’ adoption and implementation of federally mandated requirements related to child support enforcement. This includes tracking state passage and implementation of conforming laws and taking formal action when necessary to promote compliance with such requirements. OCSE has not fulfilled these responsibilities in regard to the six states not in compliance with the Social Security Act’s requirements regarding the collection of SSNs. This is largely because OCSE officials did not know about the noncompliance in four states and did not take formal actions against the other two states. State plans describe the nature and scope of a state’s CSE program. Child support staff located in the regional offices of OCSE’s parent agency, HHS, review and approve these plans, and approval is a condition for federal funding of state CSE programs. As part of the state plan approval process, OCSE and regional offices track whether states have passed federally mandated laws. CSE programs are required to update these plans at various times, including when their states pass new laws to comply with federal requirements. HHS regional office staffs are responsible for reviewing these updates to ensure that they comply with all federal requirements. One tool that regional staff use for reviews is the legislative analysis checklist, a list of federally mandated laws that states are required to follow. OCSE learned from us about the noncompliance in three (Kansas, Maryland, and Oregon) of the six states at the end of November 2001, well after the implementation deadline. This was more than 4 years after the SSN collection requirement was made part of the Act (August 5, 1997) and nearly 14 months after the deadline for implementation (October 1, 2000). With regard to two other states, OCSE became aware that one (Georgia) was not in compliance sometime prior to September 2000 and the other (Minnesota),[Footnote 10] in December of 2000. For the remaining state (Michigan) we were unable to determine when OCSE learned that it was noncompliant. Because regional staff were unaware of state noncompliance at the time that they were reviewing state plans, they erroneously approved four of the six state plans.[Footnote 11] One HHS regional staff member mistakenly believed that MVAs’ collecting SSNs from some, but not all, driver’s license applicants was in accordance with the act. Thus, this staff member, although responsible for monitoring this state, did not know that the state was not in compliance with this requirement until we raised this issue in July 2001. Regional staff responsible for three other states were unaware that the states were not collecting SSNs from all licensed drivers. Regional staff for these four states may not have been closely reviewing the SSN requirement because the Act established many new requirements and OCSE senior officials indicated that the requirement for MVAs to collect SSNs was not their highest priority. Once OCSE officials and regional staff learn about noncompliant states, they are responsible for taking action to try to bring the states into compliance. They can take informal action—-discussing the situation with state CSE program officials and other relevant parties—-or, in the case of OCSE, formal action. OCSE officials take two types of formal actions. The first is to disapprove a state plan, which will result in a state losing all federal funds for its CSE program until it brings the program into compliance with federal requirements. The second is to conduct targeted audits focused on specific areas of noncompliance, which could result in a state being subjected to graduated monetary penalties based on how long it takes for the state to address the problem. As of December 2001, OCSE officials had not taken formal action against the two states that they knew were not complying with the federal requirement that states pass and implement laws requiring collection of SSNs. Regional staff took informal actions, including sending a letter in April 2001 to a CSE program in one state indicating that it may receive a Notice of Intent to Disapprove State Plan in the future if it does not comply with the SSN requirement. When asked why formal action has not yet been initiated in these two states, officials responded that OCSE’s strategy is to first try to bring about compliance through informal discussions. One senior official also informed us in December 2001 that OCSE has asked HHS regional staff to determine the extent to which the states that they are responsible for overseeing are complying with the MVA requirement as well as the requirement that other licensing agencies collect SSNs from licensees. Once such determinations are complete, OCSE in conjunction with HHS will decide what formal actions, if any, to take against noncomplying states. OCSE officials were not able to tell us when such determinations would be made. Few Privacy Concerns Expressed about MVAs Collecting SSNs, Yet Potential Weaknesses in Safeguarding SSNs May Compromise Privacy: State officials and privacy experts we spoke with generally did not express privacy concerns regarding the policy that MVAs collect SSNs for child support enforcement. Although many of these individuals did express concern about the increased dissemination of SSNs throughout society, most did not extend this concern to MVA-collected SSNs. This low level of concern may reflect the facts that CSE programs are widely viewed as having a legitimate need for SSNs and that federal and state laws greatly limit the extent to which MVAs can provide SSNs to others. Privacy, however, can be compromised if SSNs are not properly safeguarded. Our survey of MVAs indicates potential weaknesses in this area. Few Privacy Concerns Expressed about MVAs Collecting SSNs: Generally, state officials and privacy experts we spoke with did not express privacy concerns related to MVAs collecting SSNs for child support enforcement. Most state child support enforcement officials, MVA officials, attorney general officials, and state legislators did not view this requirement as one that raised privacy concerns, reported no widespread objections to the requirement from members of the public, or did not consider this requirement one of the current major threats to privacy in their states. Additionally, privacy experts we contacted tended not to identify this requirement as an issue of concern. Many of these same individuals, however, expressed general privacy concerns related to the increased dissemination of SSNs throughout society because such dissemination increases opportunities for their unauthorized use and disclosure. These concerns focused on the dissemination of SSNs in the private sector and the belief that SSNs are too easily accessible. For example, concerns were expressed about the use of SSNs in commercial transactions, as a student identification number, or as a library card number. Concerns were also expressed about how easily SSNs can be obtained from the Internet or through companies that collect and sell personal information. The low level of concern about MVAs collecting SSNs for child support enforcement on the part of those we spoke with may be because SSNs are being collected in support of a federal program and federal law restricts how MVAs can use and share them. For example, officials of the Texas and Georgia attorney general’s offices and MVA officials in Texas and North Carolina pointed to government’s purpose in collecting SSNs to facilitate the payment of child support as a reason why they are not concerned about privacy. Children’s advocacy groups echoed this belief, and noted that SSNs are particularly important for facilitating the collection of payments when noncustodial parents or their income and assets are not in the same state as the child. Furthermore, federal law greatly restricts the extent to which MVAs can provide SSNs to other entities. Federal law protects individual privacy by affirming the principle that the individual has a right to control personal information released about oneself to others, by giving consent to such disclosures. The Driver’s Privacy Protection Act of 1994 (DPPA)[Footnote 12] explicitly defines SSNs as “highly restricted personal information,” a category of information that may not be disclosed without “express consent” of the individuals affected by the requests, except for certain “permissible uses.”[Footnote 13] According to MVA officials, the DPPA’s consent provision has led MVAs to discontinue the bulk disclosure and sale of personal information, including SSNs, to private-sector entities. Additionally, entities authorized to receive data under the DPPA must also comply with the law’ s provisions—that is, generally, they may not redisclose SSNs without the driver’s consent. Moreover, MVAs are free to adopt policies that are more restrictive than those in the DPPA. For example, the Texas MVA only shares SSNs with two other entities,[Footnote 14] both of which are government agencies, and places redisclosure restrictions on these agencies. Additionally, according to responses to our survey, when asked to identify entities that receive SSN data from their agencies, MVA officials in 30 states identified only other government agencies as receiving such data. States can also enact laws or require written agreements to further restrict the extent to which entities that receive SSNs from MVAs can disclose those SSNs to other entities. Based on survey responses, 33 MVAs operate under such laws, written agreements, or both. State officials in the six states not collecting SSNs from all driver’s license applicants expressed the most concern about the SSN requirement. Although privacy was not the only nor the overriding reason these individuals cited for not complying with this requirement, it was one factor.[Footnote 15] These individuals mentioned that privacy concerns have been expressed within their own agencies, by members of the public in their states, or in their state legislatures. Such concerns were linked to the belief that government use of SSNs can intrude on privacy, for example, by exposing people to the risk of identity theft or by allowing government agencies access to personal information that some people would rather not provide to them. Potential Weaknesses in Safeguarding SSNs May Exist at Some MVAs: Privacy can be compromised if there are computer security weaknesses because they raise the possibility that SSNs and other data stored in MVA computers could be improperly accessed and misused. The federal government has established guidelines for effective computer security programs in federal agencies; however, there are no uniform guidelines for MVAs. While most MVA officials believe that their agencies are adequately protecting the SSNs that they collect, our survey, which asked about several of the components included in the federal guidelines, points to potential weaknesses in the computer security programs at these agencies. The federal government has established guidelines identifying practices essential to effective computer security. These guidelines have emphasized the need to continually assess and mitigate risk. The Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have issued standards for federal agency computer security. Further, in 1999, we issued the Federal Information System Controls Audit Manual (FISCAM)[Footnote 16], a comprehensive guide to conducting computer security audits that is consistent with the OMB and NIST standards. In 2000, the Congress passed Government Information Security Reform (GISRA) provisions [Footnote 17] that codified existing federal computer security guidance. GISRA provisions include requirements for risk assessment, agencywide security plans, independent audits, and appropriate control techniques. This last category includes techniques such as monitoring external access and appropriate policies for the selection and use of passwords. GISRA requires federal agencies to adopt computer security programs, but it does not require that state agencies do so. Furthermore, although computer security standards have been established for state child support agency systems, there are no nationwide standards or guidelines for MVA computer security programs and computer security was not addressed in the federal laws related to SSNs at the MVAs. MVAs as a group have not developed computer security standards. Moreover, officials from the American Association of Motor Vehicle Administrators (AAMVA) told us that the association did not have a program to promote computer security standards or best practices among MVAs. AAMVA officials said, however, that AAMVA would be willing to do so if the Congress decides that such standards are needed. Furthermore, although the Social Security Act requires MVAs to collect SSNs for child support enforcement purposes and restricts their use to those purposes, the law did not address computer security at MVAs. Similarly, while the DPPA addressed the disclosure of SSNs by MVAs, it did not address computer security practices that MVAs should adopt to safeguard SSNs on their systems. Nearly all MVA officials we spoke with believed that the SSNs stored on their agencies’ computers are safe from unauthorized access. Our survey asked MVA officials how easy or difficult it would be for MVA employees or outside individuals to improperly access SSNs in their agencies’ computer systems. Of the 48 MVA officials responding, only 4 said that such access would be easy for MVA employees and none said such access would be easy for individuals not employed by MVAs. We obtained more detailed information on the security programs during site visits at five MVAs. Officials at these sites described the computer policies and procedures that they believe make unauthorized access of MVA-collected SSNs difficult. These included firewalls to detect and prevent individuals not employed by MVAs from accessing MVA computer systems. We did not perform any audit tests to verify MVA responses. When asked about their computer security programs, MVA officials in 40 states said at least one of five components of computer security in our survey was missing in their programs. This number included the 4 officials who said that unauthorized access was easy at their agencies and most of those who said that it was difficult. These elements are important for protecting all personal information on driver’s license applicants that MVAs collect, not just SSNs. Other types of personal information include names, addresses, and telephone numbers. In MVA programs, at least one of the following elements was missing: * risk assessments to identify and explore how to mitigate potential vulnerabilities; * agencywide security plans to describe an agency’s overall security program; * audits to evaluate an agency’s security program; * access monitoring of an agency’s computer system; and; * appropriate password selection and use.[Footnote 18] GISRA specifically established a requirement for risk assessments and agencywide security plans, among others. Periodic risk assessments provide the foundation for other aspects of computer security management. These risk assessments not only help an agency identify risks and determine which controls will most effectively mitigate them, but they also increase awareness and support for adopted policies and controls. Such policies and controls should be described in agencywide security plans. These written plans are important, according to government and private security experts, to clearly and comprehensively describe all of the security policies and procedures that an agency must follow. These plans also serve as the primary mechanism by which management communicates such requirements to an agency. It is important to have both risk assessments and agencywide security plans because each of these components influences the other. That is, security plans should include policies and procedures about when and how to conduct risk assessments and conducting risk assessments can lead to revising security plans. Table 2 shows, however, that fewer than half of the MVA officials responding to our survey reported that their agencies conduct risk assessments or have agencywide security plans. Moreover, seven officials reported that their agencies did not conduct risk assessments nor have agencywide security plans. Table 2: MVA Risk Assessments and Agencywide Security Plans: Risk assessments and agencywide security plans: MVAs with both; Number of MVAs: 21; Percentage of MVAs: 43%. Risk assessments and agencywide security plans: MVAs with neither; Number of MVAs: 7; Percentage of MVAs: 14%. Risk assessments and agencywide security plans: MVAs lack one: Number of MVAs: 22; Percentage of MVAs: 44%. Risk assessments and agencywide security plans: Risk assessments; Number of MVAs: 5[A] Percentage of MVAs: 10%. Risk assessments and agencywide security plans: Agencywide security plans; Number of MVAs: 17; Percentage of MVAs: 34%. Risk assessments and agencywide security plans: Total; Number of MVAs: 50; Percentage of MVAs: 100%. Note: Data not received from 4 MVAs. Note: Numbers do not total 100 due to rounding. [A] Includes one MVA where respondent reported an agencywide security plan but did not specify whether his agency had a risk assessment. Source: GAO survey sent to MVAs in 54 states. [End of table] GISRA and FISCAM call for computer security audits, which are also important to an agency’s computer security program. Such audits can help agencies obtain objective assessments of their computer security risks and provide information for agencies to use in developing their risk assessments and agencywide security plans. According to our survey, officials at 21 MVAs reported that they have not obtained any independent audits, reviews, or studies. Moreover, of the seven MVAs that lack both risk assessments and security plans, six have never obtained independent audits. GISRA and the FISCAM also include two components of computer security that are part of a broader category, known as control techniques or access controls. These two components are monitoring who is accessing computerized data and adherence to appropriate policies for password selection and use. These are important because they can provide reasonable assurance that computerized data are protected against unauthorized disclosure. Monitoring consists of procedures to detect unusual access activity, such as access by an unauthorized individual or repeated failed attempts to log into a computer system. Passwords are reportedly used by almost all MVAs to distinguish users from one another. Policies about their selection and use ensure that they cannot be easily guessed, copied, or overheard by someone attempting unauthorized access. FISCAM includes nine typical policies for protecting passwords. These typical policies for protecting passwords include changing them periodically and setting a minimum length of characters or numbers.[Footnote 19] Table 3 shows that officials in 31 MVAs reported that their agencies monitor access to their computer systems and adhere to five or more of the nine typical policies on password selection and use. Officials at 19 other MVAs reported that their agencies do not monitor access, do not adhere to at least five of the nine password policies, or do not do either. (See table 4.)[Footnote 20] The password policies that MVA officials reported most often as not being followed were requiring that passwords consist of both numbers and letters and encrypting passwords. Table 3: MVA Monitoring Access and Adherence to Password Policies: Monitor access and adhere to at least five of nine typical password policies: MVAs do both; Number of MVAs: 31; Percentage of MVAs: 62%. Monitor access and adhere to at least five of nine typical password policies: MVAs do neither; Number of MVAs: 5; Percentage of MVAs: 10%. Monitor access and adhere to at least five of nine typical password policies: MVAs lack one: Number of MVAs: 14; Percentage of MVAs: 28%. Monitor access and adhere to at least five of nine typical password policies: Monitor access; Number of MVAs: 8[A,B]; Percentage of MVAs: 16%. Monitor access and adhere to at least five of nine typical password policies: Adhere to at least five of the nine password standards; Number of MVAs: 6; Percentage of MVAs: 12%. Monitor access and adhere to at least five of nine typical password policies: Total; Number of MVAs: 50; Percentage of MVAs: 100%. Note: Data not received from 4 MVAs. [A] Our survey did not assess the extent to which an agency, other than the MVA, may be monitoring access to an MVA’s computer system. [B] Includes one MVA where respondent reported that his agency was not monitoring access but did not answer the question about standards for passwords. Source: GAO survey to MVAs in 54 states. [End of table] Although MVA officials reported that their computer security programs lacked at least one of five basic components of information security included in our survey, we are not recommending specific action because at this time, no federal agency has responsibility related to computer security at state MVAs. Driver’s License Suspension Is Not Fully Used in All States Even Though It Can Result in Collecting Payments: CSE officials in 35 states told us that their programs use driver’s license suspension extensively and our work shows that, when used, this process can result in collecting payments. All CSE programs have policies and procedures in place for driver’s license suspension, including criteria specifying the level of delinquency noncustodial parents must attain before a CSE program begins the driver’s license suspension process. Although CSE officials in most states said that their programs use this tool extensively, CSE officials in 16 states told us that their programs were not using this tool in all cases that met their state’s delinquency criteria for use. When used, the driver’s license suspension process can result in collecting child support payments in some cases. Our analysis of the use of this tool in four states, for example, found that it led to collecting payments in 29 percent of the cases for which it was used. States Have Varying Policies and Procedures for Driver’s License Suspension: All states have driver’s license suspension policies and procedures in place. Driver’s license suspension is the end result of a process that starts with the identification of potential noncustodial parents who are candidates for suspension because they are delinquent in their child support payments. After initial identification, a warning letter is usually issued notifying the noncustodial parent who is delinquent in paying child support that his or her driver’s license may be suspended within a specified number of days unless the noncustodial parent pays the delinquent amount, establishes a payment plan, or requests a hearing to appeal the suspension. If noncustodial parents do not respond within this time period, they become candidates for driver’s license suspension. One key difference in driver’s license suspension among states is the level of delinquency that qualifies a noncustodial parent for suspension. Such delinquency criteria is based on the amount of past- due support owed, the length of time in which a payment has not been made, or a combination of the two. Among the states with a delinquency criteria of past-due support owed the amount ranges from $500 to $5,000 or the amount of support that would accumulate in 1 to 12 months. The criteria also may specify a length of time in which a payment has not been made, and it ranges from 1 to 6 consecutive months. A second key difference in driver’s license suspension among states is the agency that has authority to initiate and carry out this process. In 13 states, suspending a driver’s license because of nonpayment of child support is a judicial process in which courts can order a license suspension after holding a hearing. In 31 states, it is an administrative process in which the CSE program can suspend the license, usually after the program has given the noncustodial parent an opportunity to contest the suspension. Finally, 10 states use both judicial and administrative processes, meaning that both CSE programs and courts can initiate and order driver’s license suspension. Most But Not All States Use Driver’s License Suspension Fully: CSE officials we spoke with in 35 states indicated that their programs are using driver’s license suspension extensively. Officials in more than half of these states said their programs initiate the driver’s license suspension process in all cases that meet their states’ delinquency criteria. The remaining officials in these 35 states characterized their programs’ use of driver’s license suspension as routine or frequent or, as in the case of one state, provided us with data on use of license suspension indicating that it is used in many cases. CSE officials we spoke with in 16 states told us that their programs were not using driver’s license suspension to its full extent. These officials said that, although their states use driver’s license suspension, it is not used in all cases that meet their states’ delinquency criteria primarily due to factors related to the discretionary nature of judges’ authority and to cumbersome administrative processes. Almost all of these officials indicated that the child support programs in their states could benefit from increased use of this tool and characterized driver’s license suspension as an effective tool for obtaining payments from noncustodial parents who are delinquent in paying child support. In 11 of the 16 states in which CSE officials reported that driver’s license suspension is not used fully, licenses are suspended through a judicial process and, according to CSE officials, many judges are reluctant to order it. The CSE officials from judicial states who believed that some judges were not fully using driver’s license suspension characterized such judges as being reluctant about suspension in general, as opposed to deciding that it was inappropriate on a case-by-case basis. The main reason CSE officials cited for judges’ reluctance to use driver’s license suspension was concern that suspending driver’s licenses would deny noncustodial parents transportation to and from work, making it more difficult for the parents to generate earnings and pay child support. Driver’s license suspension is an administrative process in 5 of the 16 states, and CSE officials in these 5 states said that they would like their programs to use it more often for the collection of child support payments. These officials said that their programs were not fully using license suspension primarily because the process for suspending licenses was cumbersome. For example, as officials from 2 states reported, the monitoring of noncustodial parents’ responses to the initial warning letter can be time-consuming and can make CSE staff reluctant to initiate the license suspension process. Even when a noncustodial parent responds to the warning letter by making payments, CSE staff must monitor the payments for years after sending the letter because the driver’s license can be suspended at any time that the parent stops making payments. In addition, officials in other states reported that difficulties working with MVAs made the license suspension process cumbersome and limited its use. In 1 state, for example, officials said that the MVA’s computer system matches delinquent parents with their driver’s license primarily by first and last name, and the system cannot identify the correct driver’s license to suspend if the delinquent parent has a common name. Consequently, the CSE program may not be able to suspend the driver’s licenses of those noncustodial parents with common names. In the remaining 3 states it was not possible to gauge CSE program use of driver’s license suspension at the time of our review. One state has recently relaxed its delinquency criteria, and the CSE official in that state believes the program will use driver’s license suspension more extensively as a result. The CSE program in the second state was in the process of implementing this tool. Finally, in the third state, the CSE officials said they were making major changes to its implementation procedures that should result in driver’s license suspension being used frequently. Driver’s License Suspension Results in Collecting Some Child Support Payments: Driver’s license suspension alone, or in conjunction with other enforcement actions, does lead some noncustodial parents with past-due support to make their child support payments. We obtained data on driver’s license suspension in calendar year 2000 in four states-— Colorado, Maryland, Pennsylvania, and Washington. We found that in nearly one out of every three cases, parents who were subjected to this action made at least one child support payment after being notified that their licenses could be, or were being, suspended for nonpayment of child support.[Footnote 21] In calendar year 2000, 104,608 noncustodial parents in the four states we examined had their driver’s licenses threatened or suspended and the total amount of child support collected from these parents was $48 million. In three of these states, the CSE programs were able to break their suspension data into two groups: cases in which noncustodial parents were warned of a possible suspension and cases in which the noncustodial parents’ licenses were actually suspended. Table 4 shows that in 80 percent of the cases, the states threatened suspension but did not actually suspend the license. Moreover, in 28 percent of the cases, noncustodial parents who were threatened with suspension made at least one payment, resulting in $35 million in support payments. In addition, in 25 percent of the cases, noncustodial parents whose licenses were suspended made at least one payment, resulting in payments totaling $6 million. Table 4: Outcome of Driver’s License Suspension in Three States in 2000 Type of action: Warning letters issued; Amount of driver’s license actions: Number of actions: 71,000; Percentage of total actions: 80%; Payments from driver’s license actions: Number of actions with payments: 19,700; Percentage of actions with payments: 28%; Amount of payments collected: $35,179,500. Type of action: Driver’s licenses suspended; Amount of driver’s license actions: Number of actions: 17,200; Percentage of total actions: 20%; Payments from driver’s license actions: Number of actions with payments: 4,400; Percentage of actions with payments: 25%; Amount of payments collected: $6,110,500. Type of action: Total; Amount of driver’s license actions: Number of actions: 88,200[A]; Percentage of total actions: 100%; Payments from driver’s license actions: Number of actions with payments: 24.1%; Amount of payments collected: $41,290,000. [A] As stated in footnote 21, threatening or suspending driver’s licenses was not always the sole action that may have led noncustodial parents to make payments. In the case of the three states in this table, 46 percent of the cases had at least one other action taken near the time that a noncustodial parent’s license was under the threat of suspension or suspended. Source: GAO analysis of case data from CSE programs in Colorado, Pennsylvania, and Washington. [End of table] Although no one tool is always effective in collecting payments in all cases, CSE officials in 51 states believe, and our data analysis shows, that suspension does result in some noncustodial parents paying the support they owe. Specifically, many CSE officials characterized driver’s license suspension as effective for reaching one or both of the following types of noncustodial parents: (1) those who have a source of income from which CSE programs cannot directly collect payments and (2) those who need their license for work or transportation. Examples of noncustodial parents in the first category are those who are self-employed, informally employed, or are paid in cash. In these situations, CSE programs cannot withhold wages directly through the noncustodial parent’s employer either because the parent does not have an employer or the CSE program is not able to identify the employer.[Footnote 22] Examples of noncustodial parents in the second category are those in jobs requiring a driver’s license and those residing in areas in which automobiles are the primary means of transportation. CSE officials also described circumstances in which driver’s license suspension was not effective in motivating noncustodial parents to pay the support they owe. The most common circumstance cited by officials for suspension not being effective was that some noncustodial parents may not be concerned about losing their driver’s licenses. Such parents may, for example, already be driving with expired licenses, or their licenses may have been suspended for reasons unrelated to child support enforcement. In addition, several officials noted that some noncustodial parents do not pay the child support they owe regardless of the enforcement action used against them. For example, some CSE officials reported that their programs have tried using every tool available against certain noncustodial parents, and none of these efforts have resulted in child support payments. Furthermore, CSE officials stated that some noncustodial parents do not have the money to make their support payments so that any action taken, including driver’s license suspension, would be ineffective. Conclusions: While most MVAs collect SSNs from all drivers and most CSE programs use them, CSE programs in states where MVAs are not collecting SSNs as required by federal law are not receiving the benefit of SSNs from this source. SSNs from MVAs are particularly valuable because they include the SSNs of noncustodial parents that CSE programs may have had difficulty obtaining from other sources. As the oversight office for state CSE programs, OCSE should know whether MVAs are collecting SSNs from all driver’s license applicants and take action, which may result in state monetary penalties, when they are not. Recommendation for Executive Action: To ensure that all states are following the federal requirements that states enact and implement laws requiring the collection of SSNs from all driver’s license applicants for child support enforcement purposes, we recommend that OCSE more effectively track compliance with this requirement and take formal action, when necessary, against states that are not in compliance. OCSE should, for example, ensure that staff effectively use the legislative analysis checklist that is designed to track the adoption and implementation of state laws. The agency should also take formal actions, when necessary, such as disapproving state plans or conducting targeted audits, in an effort to promote compliance with this federal requirement. Agency Comments: We received written comments on a draft report from the Department of Health and Human Services’ Administration for Children and Families. These comments are presented and evaluated in appendix III. The department agreed with our findings and said that the Office of Child Support Enforcement will strengthen its efforts to monitor and oversee state plan compliance with regard to SSNs and licenses. Additionally, the department asked that we include more information on OCSE’s approach for ensuring state compliance, which we did. The department said that we incorrectly stated that its OCSE learned about noncompliance in Michigan at the end of November 2001 and the department disagreed strongly with the statement that it did not view MVAs collecting SSNs as a high priority. We dropped this reference to November 2001 and revised the report to reflect that the officials indicated that collecting SSNs was not their highest priority. In addition, the department provided technical comments, which we incorporated in the report as appropriate. As agreed with your offices, unless you publicly release its contents earlier, we will make no further distribution of this report until 30 days after its issue date. At that time, we will send copies of this report to appropriate congressional committees, the secretary of HHS and other interested parties. We will also make copies available to others on request. If you or your staff have questions concerning this report, please call me on (202) 512-8403. Key contributors are listed in appendix IV. Signed by: Cornelia M. Ashby: Director, Education, Workforce, and Income Security Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: Objectives: The objectives of our review were to (1) determine the extent to which states have implemented the federal requirement that MVAs collect SSNs from all licensed drivers and what OCSE has done to promote compliance in states not adhering to this requirement, (2) identify privacy concerns associated with MVA efforts to collect and safeguard SSNs that are used for child support enforcement purposes, and (3) determine the extent to which state CSE programs use driver’s license suspension to collect past-due child support and whether this tool has resulted in collections. We conducted our review from November 2000 through December 2001 in accordance with generally accepted government auditing standards. Scope and Methodology: To accomplish the above objectives, we mailed a survey to 54 MVAs, conducted telephone interviews with 54 CSE programs, conducted site visits in five states, analyzed data on driver’s license suspension from CSE programs in four states, and interviewed officials from HHS’s OCSE and regional offices. Survey of MVAs: We mailed a survey to 54 MVAs—-one in each of the 50 states, the District of Columbia, and three of the U.S. territories[Footnote 23]-— and received 53 completed surveys from the MVAs. The intent of the survey was to obtain information about (1) the extent to which MVAs collect SSNs from licensed drivers and (2) their policies and procedures regarding the collection, sharing, and safeguarding of SSNs. We took steps during survey design and data analysis to minimize errors. For example, we pretested the survey in 3 states prior to mailing it to all survey respondents to ensure that we were phrasing questions in the best way. We also contacted respondents to clarify information when needed. Telephone Interviews with State CSE Programs: We telephoned CSE officials in the 50 states, the District of Columbia, and the same three U.S. territories that received our MVA survey. The overall objectives of these interviews were to obtain information on how CSE programs use MVA-collected SSNs and driver’s license suspension and whether they find them helpful in locating noncustodial parents and getting them to pay the support they owe. Our questions about the use of MVA-collected SSNs focused on (1) whether and how CSE programs use MVA-collected SSNs; (2) the importance attached to this SSN source; and (3) whether privacy concerns were expressed about the requirement that MVAs collect SSNs from all licensed drivers and, if so, whether and how such concerns were addressed. Our questions about the use of driver’s license suspension focused on (1) the policies and procedures that CSE programs follow for driver’s license suspension, (2) the extent to which CSE programs use driver’s license suspension, and (3) whether driver’s license suspension is effective in getting noncustodial parents to pay the support that they owe. Site Visits to Five States: We visited five states—-California, Georgia, Michigan, North Carolina, and Texas-—and held face-to-face meetings with officials from CSE programs, MVAs, and offices of attorney general. In addition, we met with state legislators involved with privacy or child support enforcement issues and privacy experts. We discussed in more detail the topics covered in the CSE program telephone interviews and the questions contained in the MVA survey focusing on computer security and use of SSNs (see appendix II). We selected these five states because they are geographically diverse and because they have differing practices with regard to MVA-collected SSNs and use of driver’s license suspension. Specifically, we wanted a mix of states with respect to whether MVAs were collecting SSNs from all licensed drivers and whether driver’s license suspension was a judicial process or an administrative process. Of the five states, three were collecting SSNs from all drivers and two were not and two used administrative procedures to suspend driver’s licenses, two used judicial procedures, and one used both. Analysis of States’ Data on Driver’s License Suspension Actions: We analyzed data from CSE programs in four states to determine how often these programs used the driver’s license suspension process in calendar year 2000 and the extent to which this process resulted in collecting payments. The states were Colorado, Maryland, Pennsylvania, and Washington, and we chose them because they had the type of automated data that we required for this analysis and were willing to provide it to us. CSE program personnel extracted the data we requested from their files. We did not verify the accuracy of the data; however, we did review the data for reasonableness, consistency, and suitability for our analysis. The objective of our data analysis was to identify child support payments that could reasonably be attributed to driver’s license suspension. For 56 percent of the cases in which we attributed payments to suspension, this identification was straightforward. That is, the data were sufficient to indicate that these payments were the result of either the threat of driver’s license suspension or an actual suspension. In the other 44 percent of the cases, it was not possible to conclude that the payments were solely the result of driver’s license suspension. This is because the data showed that the CSE programs took other enforcement actions at about the same time as driver’s license suspensions and the data did not indicate which actions were responsible for the payment. In these cases, we concluded that driver’s license suspension, in conjunction with other actions, resulted in payments. The most common action taken in these situations was reporting delinquent payment information to credit bureaus. Other, less common actions included conducting computer matches to identify bank accounts and suspending professional licenses. We counted all payments that were solely or partially attributable to driver’s license suspension in calendar year 2000. Our starting point for counting these payments was the first payment made after a noncustodial parent received a letter stating that his or her driver’s license could be, or was being, suspended. We stopped counting payments at the end of 2000 or when another enforcement action was taken. New enforcement actions would only have been taken if the noncustodial parent had stopped making payments. Because driver’s license suspension is a process that starts with a warning letter and may end with a suspension, we counted the entire process as one action. Thus, if a noncustodial parent received one or more warning letters regarding a possible suspension, but never had his or her license suspended, we counted this as a single action. If a noncustodial parent did not respond to warning letters and had his or her license suspended, we counted this entire process—=warning through suspension=—as a single action. Finally, if a noncustodial parent went through the driver’s license suspension more than once in 2000, we counted each time as a separate action. For Colorado, Pennsylvania, and Washington, we obtained data on all driver’s license suspension actions occurring during calendar year 2000 and whether these actions were warnings or actual suspensions. Thus, for these states, we could distinguish when actions were warning actions and when they were suspension actions and the amount of payments that resulted from each. For Maryland, however, we could only obtain information on the last driver’s license suspension action taken in a case and could not tell if this action was a warning letter or an actual suspension. Interviews With Officials from HHS’ OCSE and Regional Offices: We interviewed officials from OCSE and HHS regional offices about federal oversight of the Social Security Act’s requirement about MVA- collected SSNs. We discussed (1) the extent to which states are complying with the SSN requirement, (2) whether OCSE and the regional offices were aware that certain states were not in compliance, (3) what OCSE is doing to promote compliance in these noncompliant states, and (4) OCSE’s role in driver’s license suspension. We also reviewed OCSE program documents, OCSE official communications, and selected states’ laws regarding MVAs collecting SSNs. Finally, we talked with officials from the CSE programs and MVAs in each noncompliant state about why their states were not complying with this federal requirement. [End of section] Appendix II: Survey to MVAs: U.S. General Accounting Office: Questionnaire to State Driver's Licensing Agency Officials Concerning the Use of Drivers' Social Security Numbers: The U.S. General Accounting Office (GAO), an agency of the Congress, is studying how State Driver's Licensing Agencies (DLAs) use drivers' social security numbers (SSNs) to help the state Child Support Enforcement Office (CSE) locate, and collect payments from, non- custodial parents. We are also examining how drivers' SSNs are safeguarded. As part of this study, we are surveying Driver's Licensing Agency officials in the 50 states and the District of Columbia. To assist us, we ask that you complete and return this questionnaire to us within the next 2 weeks. When responding, you may consult with others who are also familiar with these topics, if you think it will help you give a more accurate answer. The questionnaire asks you to provide information about the ways in which your office: * uses drivers' social security numbers generally, * shares clients' SSNs with other organizations, * safeguards drivers' SSNs, and, * uses SSNs to help the state Child Support Enforcement Agency locate, and collect child support payments from, non-custodial parents who have failed to make those payments. Either return the questionnaire to us in the enclosed pre-addressed business reply envelope or fax your completed questionnaire to us to the attention of Chris Morehouse on (202) 512-6825. In the event that the business reply envelope is misplaced, or your fax fails to get through, please return the questionnaire to: U.S. General Accounting Office: Attn: Chris Morehouse: 441 G Street, NM., Room 5928: Washington, D.C. 20548: If you have any questions or comments about this questionnaire, please call Nancy Cosentino on (415) 904-2117 or Chris Morehouse on (202) 512- 7214. Paste ID # Here: 1. Please enter the name, title, and telephone number of the principal person, or persons, completing this questionnaire. Name: Title: (Area Code) Number: Name: Title: (Area Code) Number: All of the questions below regarding drivers' licenses and the records of drivers' licenses kept by your agency are referring exclusively to non-commercial licenses. Practices Regarding SSNs: 2. Does your Driver's Licensing Agency maintain any records that identify the social security numbers of drivers with non-commercial licenses? (Check One.) (N=53) 1. [3] No; (Stop! Please Return This Questionnaire); 2. [50] Yes. 3. Does your agency verify the SSNs it has for its non-commercial drivers by comparing those SSNs to the ones on file for those drivers at the Social Security Administration? (Check One.) (n=49) 1. [14] Yes; 2. [35] No. Agency Records: 4. Is it your agency's practice to include in its records the SSN of every licensed non-commercial driver, of only those drivers who give permission to have their SSNs included, or of only those drivers who do not ask that their SSNs be omitted from the records? (Check One.) (N=50) 1. [44] of every licensed driver; 2. [5] of only those drivers who give permission to have their SSNs included; 3. [1] of only those drivers who do not ask that their SSNs be omitted; 4. [0] Other (Please Specify.) 5. Consider all of the licensed non-commercial drivers in your state as of today. For about what percentage of those licensed drivers does your agency have an SSN? (Enter The Percentage.) (N=46) Range = 30% - 100%; Median = 90%. 6. Consider your agency's current practice concerning the inclusion of drivers' SSNs in its records, that is, your answer to Question 4 above. Was that your agency's practice before August 5, 1997? (Check One.) (N=50) 1. [39] Yes (If "Yes," Go To Question 8.) 2. [1] No, because we didn't maintain any records with SSNs at that time (If Checked, Go To Question 8); ; 3. [9] No, we had a different practice; 4. [1] Don't know (If Checked, Go To Question 8.) 7. Before August 5, 1997, was it your agency's practice to include in its records the SSN of every licensed non-commercial driver, of only those drivers who gave permission to have their SSNs included, or of only those drivers who did not ask that their SSNs be omitted from the records? (Check One.) (n=9) 1. [0] of every licensed driver; 2. [8] of only those drivers who gave permission to have their SSNs included; 3. [14] of only those drivers who did not ask that their SSNs be omitted; 4. [0] Other (Please Specify.) Drivers' Licenses: 8. Now we would like to know if drivers' SSNs appear on the licenses themselves as a recognizable nine-digit number, rather than as a bar code or magnetic strip. Is it your agency's practice to display drivers' SSNs as recognizable nine digit numbers on all non-commercial licenses, on all licenses except those for which the driver asked that it be omitted, on only those licenses for which they were requested by the driver, or on none of the licenses? (Check One.) (n=50) 1. [1] On all licenses; 2. [9] On all licenses except those for which the driver asked that it be omitted; 3. [14] On only those licenses for which they were requested by the driver; 4. [26] On none of the licenses; 5. [0] Other (Please Specify.) 9. Was that your agency's practice before August 1, 1997? (Check One.) (n=50) 1. [33] Yes (IF "Yes," Go To Question 11 On The Next Page.) 2. [15] No; 3. [2] Don't know (If Checked, Go To Question 11 On The Next Page). 10. Before August 1, 1997, was it your agency's practice to display drivers' SSNs on all non-commercial licenses, on all licenses except those for which the driver asked that it be omitted, on only those licenses for which they were requested by the driver, or on none of the licenses? (Check One.) (n=15) 1. [9] On all licenses; 2. [3] On all licenses except those for which the driver asked that it be omitted; 3. [3] On only those licenses for which they were requested by the driver; 4. [0] On none of the licenses; 5. [0] Other (Please Specify.) Sharing Information Identifying SSNs: 11. Does your agency share information identifying drivers' SSNs with any other organizations or professionals? (Check One.) (N=50) 1. [49] Yes (If "Yes," Go To Question 13); 2. [1] No. 12. Is it your agency's policy not to share information identifying individuals' SSNs with other organizations, or is it that your agency is just not sharing such information with other organizations at present? (Check One.) (n=1) 1. [1] Agency's policy is not to share SSNs; 2. [0] Agency is not sharing with other organizations at present. (After Completing This Question, Go To Question 33 On Page 7.) 3. Does your agency only check the accuracy of SSNs that are submitted to your agency by other organizations, only provide drivers' SSNs to other organizations, or both check and provide SSNs? (Check One.) (n=41) 1. [6] Only check the accuracy of SSNs; 2. [31] Only provide SSNs; 3. [11] Both check and provide SSNs. 14. In Part A below, please indicate whether or not your agency provides drivers SSNs to, or checks drivers' SSNs for, each of the types of organizations or professionals listed. For each type for which you answered "Yes," in Part B please tell us whether or not your agency charges a fee for providing SSNs to, or checking SSNs for, that type of organization or professional. Part A: Does your agency provide drivers' SSNs to, or check SSNs for, each of the types of organizations or professionals listed below? 1. State Child Support Enforcement office; Number: (n=49); No: 2; Yes: 47. 2. State Attorney General's Office; Number: (n=46); No: 13; Yes: 33. 3. State Temporary Assistance for Needy Families (TANF) office; Number: (n=43); No: 30; Yes: 13. 4. State tax agency; Number: (n=42); No: 12; Yes: 30. 5. Other state agency (Please Specify); Number: (n=29); No: 6; Yes: 23. 6. Courts; Number: (n=47); No: 12; Yes: 35. 7. Driver's licensing agencies in other states; Number: (n=48); No: 6; Yes: 42. 8. Local police departments; Number: (n=46); No: 9; Yes: 37. 9. Insurance companies; Number: (n=44); No: 34; Yes: 10. 10. Motor vehicle manufacturers or dealerships; Number: (n=43); No: 38; Yes: 5. 11. American Association of Motor Vehicle Administrators' Problem Drivers Point System; Number: (n=45); No: 8; Yes: 37. 12. Attorneys in private practice or other firms that collect child support for custodial parents; Number: (n=44); No: 37; Yes: 7. 13. Marketing companies; Number: (n=46); No: 44; Yes: 2. 14. Credit bureaus; Number: (n=46); No: 39; Yes: 7. 15. Private investigators; Number: (n=43); No: 36; Yes: 7. 16. Other (Please Specify); Number: (n=13); No: 4; Yes: 9. Part B: Does your agency charge that organization or professional a fee for the information? 1.State Child Support Enforcement office; Number: (n=45); No: 45; Yes: 0. 2. State Attorney General's Office; Number: (n=33) No: 33; Yes: 0. 3. State Temporary Assistance for Needy Families (TANF) office; Number: (n=13) No: 13; Yes: 0. 4. State tax agency; Number: (n=30) No: 30; Yes: 0. 5. Other state agency (Please Specify); Number: (n=22) No: 22; Yes: 0. 6. Courts; Number: (n=34) No: 34; Yes: 0. 7. Driver's licensing agencies in other states; Number: (n=42) No: 42; Yes: 0. 8. Local police departments; Number: (n=37) No: 37; Yes: 0. 9. Insurance companies; Number: (n=10) No: 2; Yes: 8. 10. Motor vehicle manufacturers or dealerships; Number: (n=5) No: 2; Yes: 3. 11. American Association of Motor Vehicle Administrators' Problem Drivers Point System; Number: (n=36) No: 36; Yes: 0. 12. Attorneys in private practice or other firms that collect child support for custodial parents; Number: (n=7) No: 2; Yes: 5. 13. Marketing companies; Number: (n=2) No: 2; Yes: 0. 14. Credit bureaus; Number: (n=6) No: 2; Yes: 4. 15. Private investigators; Number: (n=7) No: 2; Yes: 5. 16. Other (Please Specify); Number: (n=8) No: 6; Yes: 2. [End of table] 15. Regarding the state Child Support Enforcement office (CSE) listed in item 1 of Question 14 above, did you check "Yes" to that item for Part A of Question 14? (Check One.) (n=49) 1. [3] No (IF "No," Go To Question 24 On The Next Page); 2. [46] Yes. 16. Listed below are some methods that could be used to identify drivers whose licenses might be suspended because they owe child support. Which one, if any, of those methods does either your agency or CSE typically use to identify drivers whose licenses might be suspended? (Check One.) (n=46) 1. [8] SSNs of drivers' whose licenses might be suspended are transmitted orally or in hard copy by one agency and the agency receiving them matches those SSNs to the ones it has in its files (If Checked, Go To Question 19.) 2. [13] A computer is used by one agency to match the SSNs in a computer file sent by the other agency. 3. [17] Drivers' SSNs that are stored on this agency's computer can be accessed by CSE through an online query (If Checked, Go To Question 18.) 4. [2] Other (Please Specify.) (If This Choice Is Selected, Go To Question 19.) 5. [6] SSNs are not used to identify drivers whose licenses might be suspended. (If This Choice Is Selected, Go To Question 20 On The Next Page.) 17. Which of the processes listed below best describes the way in which SSNs are obtained and matched by either your agency or CSE to identify drivers whose licenses might be suspended? (Check One.) (n=13) 1. [5] A computer file containing drivers' SSNs is transmitted by this agency to CSE's computer system and CSE matches the SSNs in that database to its file of parents who owe child support. 2. [8] This agency receives a computer file from CSE containing the SSNs of parents who owe child support and matches the SSNs hi that file to the drivers' SSNs that are stored on this agency's computer system. (After Completing This Question, Go To Question 19.) 18. What kind of computer line does CSE use to conduct an online query to gain access to drivers' SSNs that are stored on your agency's computer to identify drivers whose licenses might be suspended because they owe child support? (CHECK ONE.) (n=17). 1. [16] A dedicated line belonging either to this agency or to CSE; 2. [1] A commercial or public line. 19. Consider your answers to Questions 16 and 17 or 18 above. In what month and year did the state CSE begin working with your agency in that way to see that the licenses of parents owing child support were suspended? (Enter Date.) (n=35). Month: Year: Range: 1991-2001. Mode: 1996 and 1997 (2 modes). 20. Listed below are some methods that could be used to determine the location of parents who owe child support. Which one, if any, of those methods does either your agency or CSE typically use to determine the location of parents who owe child support? (Check One.) (n=46). 1. [4] SSNs of parents who need to be located are transmitted orally or in hard copy by CSE and your agency matches those SSNs to the ones it has in its files to determine the parents' location (If Checked, Go To Question 23.) 2. [12] A computer is used by one agency to match the SSNs in a computer file sent by the other agency. 3. [23] Drivers' SSNs that are stored on this agency's computer can be accessed by CSE through an online query (If Checked, Go To Question 22.) 4. [1] Other (Please Specify.) (If This Choice Is Selected, Go To Question 23.) 5 [6] SSNs are not used to determine the location of parents who owe child support. (If This Choice Is Selected, Go To Question 24.) 21. Which of the processes listed below best describes the way in which SSNs are obtained and matched by either your agency or CSE to locate parents who owe child support? (Check One.) (n=12) 1. [4] A computer file containing drivers' SSNs is transmitted by this agency to CSE's computer system and CSE matches the SSNs in that database to its file of parents who need to be located. 2. [8] This agency receives a computer file from CSE containing the SSNs of parents who need to be located and matches the SSNs in that file to the drivers' SSNs that are stored on this agency's computer system. 22. What kind of computer line does CSE use to conduct an online query to gain access to drivers' SSNs that are stored on your agency's computer to determine their location? (Check One.) (n=26) 1. [25] A dedicated line belonging either to this agency or to CSE. 2. [1] A commercial or public line. 23. Consider your answers to Questions 20 and 21 or 22 above. In what month and year did the state CSE begin working with your agency in that way to locate parents who owe child support? (Enter Date.) (n=33) Month: Year: Range: 1986-2001. Mode: 1995. 24. Is there a law in your state that addresses whether or not entities that receive SSNs from your agency may share that information with other organizations? (Check One.) (n=47) 1. [22] No (IF "No," Go To Question 27.) 2. [25] Yes. 25. Does that law prohibit entities receiving drivers' SSNs from your agency from providing those SSNs to other entities? (Check One.) (n=25) 1. [21] Yes (If "Yes," Go To Question 27.) 2. [4] No. 26. Does that law prohibit entities receiving drivers' SSNs from your agency from charging a fee to provide those SSNs to other entities? (Check One.) (n=4) 2. [0] Yes. 2. [4] No. 27. At present, does your agency have any written agreements with an entity that receives drivers' SSNs from your agency that addresses the sharing of those SSNs by that entity with other organizations? (Check One.) (n=47) 1. [24] No (IF "No," Go To Question 32 On The Next Page.) 2. [23] Yes. 28. Does your agency currently have such an agreement with all of the entities that receive drivers' SSNs from your agency, most of the entities, some of the entities, or just a few? (Check One.) (n=24) 1. [14] All entities; 2. [3] Most entities; 3. [5] Some entities; 4. [2] Just a few entities. 29. Do any of those agreements prohibit entities receiving drivers' SSNs from your agency from providing those SSNs to other entities? (Check One.) (n=23) 1. [16] Yes (IF "Yes," Go To Question 32.) 2. [7] No. 30. Consider those agreements addressing the sharing of drivers' SSNs by entities receiving those SSNs from your agency. Do any of those agreements require that those entities comply with the conditions of the Driver's Privacy Protection Act (DPPA) when providing drivers' SSNs to other entities? (Check One.) (n=7) 1. [7] Yes. 2. [0] No. 31. Do any of those agreements prohibit entities receiving drivers' SSNs from your agency from charging a fee to provide those SSNs to other entities? (Check One.) (n=7) 1. [0] Yes. 2. [7] No. 32. Is the governor's office or legislature in your state considering passing any laws that would impose new restrictions on the sharing of drivers' SSNs by entities receiving those SSNs from your agency? (Check One.) (n=48) 1. [5] Yes. 2. [19]No. 3. [24] Don't know. Computer Security: 33. How often, if ever, does your agency examine the computer system in which drivers' SSNs are stored to identify potential weaknesses that could threaten its security, that is, conduct what might be referred to as a risk assessment of that system? (Check One.) (n=49) 1. [11] Never conducted such an examination (If Checked, Go To Question 35.) 2. [5] Only once when the current system was installed. 3. [11] Less often than once every two years. 4. [5] Once every two years. 5. [10] Once a year. 6. [7] More often than once a year. 34. Has such an examination been conducted since January 1, 1997? (Check One.) (n=38) 1. [8] No; 2. [30] Yes. 35. Does your agency have a written plan that describes in detail how computer security is to be maintained throughout the agency, that is, a plan that might be referred to as an entity-wide security plan? (Check One.) (n=50) 1. [24]No (If "No," Go To Question 39 On The Next Page.) 2. [26] Yes. 36. Does that plan include procedures for safeguarding the privacy of drivers' personal information stored on the computer, including their SSNs? (Check One.) (n=25) 1. [3] No (IF "No," Go To Question 39 On The Next Page.) 2. [22] Yes. 37. Since the initial computer security plan was developed at Computer Environment the time the system was designed and implemented, how often has that plan been updated? (Check One.) (n=22) 1. [4] Plan has not been updated; 2. [7] More often than once a year; 3. [4] Once a year; 4. [3] Once every two years; 5. [4] Less often than once every two years. 38. Has a computer security plan been written since January 1, 1997? (Check One.) (n=22) 1. [4] No; 2. [18] Yes. 39. Has an audit, review, or study assessing the security of your agency's computer system ever been conducted by an organization other than your agency? (Check One.) (n=50) 1. [20] No (If "No," Go To Question 42.) 2. [30] Yes. 40. Were any of those audits, reviews or studies assessing the security of your agency's computer system conducted since January 1, 1997? (Check One.) (n=28) 1. [5] No (If "No," Go To Question 42.) 2. [23] Yes. 41. Did any of those audits, reviews or studies that were conducted since January I, 1997 examine the security of those parts of the computer system in which drivers' SSNs are stored? (Check One.) (n=23) 1. [5] No. 2. [18] Yes. 42. On which one of the operating systems, or processing platforms, listed below are drivers' SSNs primarily located in your agency's computer system? (Check One.) (n=49) 1. [31] OS/390; 2. [3] UNIX (Any Type); 3. [1] Windows (Any Type); 4. [1] AS/400; 5. [13] Other (Please Specify.) 43. Which one of the software products listed below does your agency use most often to manage the drivers' SSNs stored in your computer system? (Check One.) (n=49) 1. [9] DB2; 2. [3] Oracle; 3. [1] SQL Server; 4. [36]Other (Please Specify.) 44. Through which of the networks listed below can users connect to the systems in your agency's computer where drivers' SSNs are located? (Check All That Apply.) 1. [37] SNA Network; 2. [35] Local Area Network; 3. [39] Wide Area Network; 4. [29] Dial-up Network; 5. [14]Internet; 6 [4] Other (Please Specify.) Monitoring the Computer System: 45. Does your agency monitor its computer system to try to detect unauthorized users who may have entered those areas where drivers' SSNs are located? (Check One.) (n=50) 1 [14] No (If "No," Go To Question 50.) 2. [36] Yes. 46. Has your agency ever detected an unauthorized user entering the computer system in the areas where drivers' SSNs are located? (Check One.) (n=36) 1. [29] No (If "No," Go To Question 50.) 2. [7] Yes. 47. Did your agency investigate any of those unauthorized entries? (Check One.) (n=7) 1. [0] No (If "No," Go To Question 50.) 2. [7] Yes. 48. How many, if any, of those investigations has your agency conducted since January 1, 1995? (Enter Number.) (n=4) investigations: Range: 1-100. or: [1] None (If "None," Go To Question 50.) 49. Consider those employees of private firms, other state agencies, or local agencies that contract with your agency to help process drivers' license applications, and, who must have access to records identifying drivers' SSNs in order to do their jobs. How many, if any, of those investigations of unauthorized users were of that type of employee? (Enter Number. If None, Enter "0.") (n=6) investigations: Range: 0-7; Or [2] Not applicable; Or [2] Don't know. Security Regarding Employees of Your Agency: 50. Does a staff member(s) in your agency have responsibility for determining which of your agency's employees have access to the drivers' SSNs stored on your computer? (Check One.) (n=50) 1. [46] Yes; 2. [4] No. 51. Does your agency keep a list of the employees working for your agency who have access to the drivers' SSNs stored on your computer? (Check One.) (n=50) 1. [10] No (If "No," Go To Question 53.) 2. [40] Yes. 52. How often, if at all, is that list of your agency's employees with access to drivers' SSNs updated? (Check One.) (n=40) 1. [7] Daily; 2. [2] Weekly; 3. [0] Once a month; 4. [1] Twice a year; 5. [1] Once a year; 6. [0] Once every two years; 7. [0] Less often than once every two years; 8. [29] As needed to reflect changes in employee assignments; 9. [0] Has not been updated. 53. Does your agency offer training, or training materials, to its employees who have access to drivers' SSNs on your computer that are intended to clarify their responsibilities to safeguard the privacy of that data? (Check One.) (n=50) 1. [2] No; 2. [12] Yes, training only; 3. [5] Yes, training materials only; 4. [31] Yes, both training and training materials. 54. Is it your agency's policy to penalize employees who are found to have revealed drivers' SSNs to persons who are not authorized to see them? (Check One.) (n=50) 1. [2] No (If "No," Go To Question 56.) 2. [48] Yes. 55. Which, if any, of the penalties listed below are imposed upon employees of your agency who are found to have revealed drivers' SSNs to persons who are not authorized to see them? (Check All That Apply.) 1. (40] Counseling; 2. [25] Probationary period; 3. [41] Termination of employment; 4. [30] Referral to law enforcement authorities; 5. [14] Other (Please Specify.) 56. Does your agency require that its employees who have access to drivers' SSNs on its computer sign a statement to acknowledge their responsibilities to safeguard the privacy of that data? (Check One.) (n=49) 1. [18] No; 2. [31] Yes. 57. Which, if any, of the methods of identification listed below does your program use to try to prevent unauthorized users from gaining access to your computer system? (Check All That Apply.) 1. [2] Biometrics; 2. [5] ID cards or tokens; 3. [43] None of the above. 58. Does your program use passwords or personal identification numbers (PINS) to try to prevent unauthorized users from gaining access to your computer system? (Check One.) (n=50) 1. [0] Yes, PINS; 2. [33] Yes, passwords; 3. [16] Both PINS and passwords; 4. [1] No (If "No," Go To Question 60.) 59. Listed below are some practices agencies might use to protect the secrecy of authorized users' passwords or PINS. Which, if any, of those practices does your agency employ to protect the secrecy of authorized users' passwords or PINS? (Check All That Apply.) 1 [42] Users select their own passwords or PINS; 2. [35] PINS or passwords are changed at least 4 times a year; 3. [32] PINS or passwords have to be at least 6 characters long; 4. [20] PINS or passwords must consist of letters and numbers; 5. [31] Retired passwords cannot be reused for at least 6 months; 6. 1371 Group passwords are not permitted; 7 [29] Only a few employees have access to all passwords; 8. [19] The passwords are encrypted; 9. [44] Attempts to log on to the system with an Invalid password are limited to a specific number. Security Regarding External Users: 60. Do employees from other organizations have access electronically to drivers' SSNs stored on your agency's computer system? (Check One.) (n=49) 1. [10] No (If "No," Go To Question 76 On Page 12.) 2. [39] Yes. 61. Consider those organizations whose employees have access to drivers' SSNs stored on your agency's computer system. Does your agency have a written agreement with any of those organizations that states that their employees have the same responsibilities as MVA employees to safeguard the privacy of drivers' SSNs? (Check One.) (n=40) 1. [10] No (If "No," Go To Question 65.) 2. [30] Yes. 62. Does your agency currently have such an agreement with all of the organizations whose employees have access to drivers' SSNs on your agency's computer system, most of the organizations, some of the organizations, or just a few? (Check One.) (n=30) 1. [20] All organizations (If Checked, Go To Question 65.) 2. [5] Most organizations; 3. [3] Some organizations; 4. [21 Just a few. 63. Is the state CSE one of the organizations your agency has such an agreement with? (Check One.) (n=10) 1. [8] Yes; 2. [2] No. 64. Consider those types of organizations that have written agreements with your agency that state that their employees have the same responsibilities as DLA employees to safeguard the privacy of drivers' SSNs. With which, if any, of the types of organizations listed below does your agency have such an agreement concerning employees who help process drivers' license applications and must have access to drivers' SSNs? (Check All That Apply.) 1. [4] State agencies that contract with your agency; 2. [3] Local agencies that contract with your agency; 3. [4] Private firms that contract with your agency. 65. Does a staff member(s) in your agency have responsibility for determining which employees in other organizations will have access to the drivers' SSNs stored on your agency's computer system? (Check One.) (n=40) 1. [23] Yes; 2. [17] No. 66. Does your agency keep a list of the employees working for other organizations who have electronic access to drivers' SSNs stored on your agency's computer system? (Check One.) (n=40) 1. [22] No (If "No," Go To Question 68.) 2. [18] Yes. 67. How often, if at all, is that list of other organization's employees with access to your agency's computer system updated? (Check One.) (n=18) 1. [2] Daily; 2. [0] Weekly; 3. [0] Once a month; 4. [0] Twice a year; 5. [0] Once a year; 6. [0] Once every two years; 7. [0] Less often than once every two years; 8. [16] As needed to reflect changes in employee assignments; 9. [0] Has not been updated. 68. Are employees of other organizations who have access to drivers' SSNs on your agency's computer system offered training, or training materials, that are intended to clarify their responsibilities to safeguard the privacy of that data? (Check One.) (n=37) 1. [19 ]No (If "No," Go To Question 71 On The Next Page.) 2. [3] Yes, training only; 3 [4] Yes, training materials only; 4. [11] Yes, both training and training materials. 69. Are any employees of the state CSE among those employees receiving that training or those training materials? (CHECK ONE.) (n=19) 1. [16] Yes; 2. [3] No. 70. Are any employees of private firms, other state agencies, or local agencies that might contract with your agency to help process drivers' license applications among those employees receiving that training or those training materials? (Check One.) (n=18) 1. [13] Yes; 2. [5] No. 71. Can your agency penalize other organizations whose employees are found to have revealed drivers' SSNs to persons who are not authorized to see them? (Check One.) (n=40) 1. [15] No (If "No," Go To Question 73.) 2. [25] Yes. 72. Which, if any, of the penalties listed below can be imposed upon other organizations whose employees are found to have revealed drivers' SSNs to persons who are not authorized to see them? (Check All That Apply.) 1. [20] A warning can be issued stating that SSNs will not be provided if further violations occur; 2. [12] SSNs are not provided for a temporary period of time; 3. [12] SSNs are no longer provided; 4. [15] Legal remedies; 5. [11]Other (Please Specify.) 73. Does your agency require that employees working for other organizations who have access to drivers SSNs on your computer system sign a statement to acknowledge their responsibilities to safeguard the privacy of that data? (Check One.) (n=40) 1. [26] No (If "No," Go To Question 76.) 2. [14] Yes. 74. Are any employees of the state CSE among the employees who sign those statements? (Check One.) (n=14) 1. [11] Yes; 2. [3] No. 75. Are any employees of private firms, other state agencies, or local agencies that might contract with your agency to help process drivers' license applications among those employees who sign those statements? (Check One.) (n=12) 1. [8] Yes; 2. [4] No. Concluding Questions: 76. How easy or difficult do you think it would be for an unauthorized employee of your agency to acquire drivers' SSNs from your agency's paper records? (Check One.) (n=48) 1. [5] Very easy; 2. [5] Somewhat easy; 3. [9] Neither easy nor difficult; 4. [11] Somewhat difficult; 5. [18] Very difficult. 77. How easy or difficult do you think it would be for an unauthorized employee of your agency to electronically acquire drivers' SSNs that are stored on your agency's computer? (Check One.) (n=48) 1. [2] Very easy; 2. [2] Somewhat easy; 3. [4] Neither easy nor difficult; 4. [14] Somewhat difficult; 5. [26] Very difficult. 78. How easy or difficult do you think it would be for an unauthorized person who is not employed by your agency to acquire drivers' SSNs from your agency's paper records? (Check One.) (n=48) 1. [0] Very easy; 2. [1] Somewhat easy; 3. [3] Neither easy nor difficult; 4. [14] Somewhat difficult; 5. [30] Very difficult. 79. How easy or difficult do you think it would be for an unauthorized person who is not employed by your agency to electronically acquire drivers' SSNs that are stored on your agency's computer? (Check One.) (n=48) 1. [0] Very easy; 2. [0] Somewhat easy; 3. [2] Neither easy nor difficult; 4. [8] Somewhat difficult; 5. [38] Very difficult. 80. Overall, how easy or difficult do you think it would be for an unauthorized person(s) to acquire individuals' SSNs from the paper records of the organizations for whom your agency provides or checks drivers' SSNs? (Check One.) (n=42) 1. [1] Very easy; 2. [1] Somewhat easy; 3. [6] Neither easy nor difficult; 4. [11] Somewhat difficult; 5. [23] Very difficult. 81. Overall, how easy or difficult do you think it would be for an unauthorized person(s) to electronically acquire individuals' SSNs that are stored on the computers of the organizations for whom your agency provides or checks drivers' SSNs? (Check One.) (n=43) 1. [0] Very easy; 2. [0] Somewhat easy; 3. [7] Neither easy nor difficult; 4. [10] Somewhat difficult; 5. [26] Very difficult. 82. If you have any comments about the topics mentioned in this questionnaire, please write them below. Thank you for your cooperation. [End of section] Appendix III: Comments From the Department of Health and Human Services: Note: GAO comments supplementing those in the report text appear at the end of this appendix. Department of Health & Human Services: Office of Inspector General Washington, DC 20201: February 6, 2002: Ms. Cornelia M. Ashby: Director, Education, Workforce, and Income Security Issues: United States General Accounting Office: Washington, D.C. 20548: Dear Ms. Ashby: Enclosed are the Department's comments on your draft report, "Child Support Enforcement: Most States Collect Drivers' SSNs and Use Them to Enforce Child Support." The comments represent the tentative position of the Department and are subject to reevaluation when the final version of this report is received. The Department also provided two technical comments directly to your staff. The Department appreciates the opportunity to comment on this draft report before its publication. Sincerely, Signed by: Janet Rehnquist: Inspector General: Enclosure: The Office of Inspector General (OIG) is transmitting the Department's response to this draft report in our capacity as the Department's designated focal point and coordinator for General Accounting Office reports. The OIG has not conducted an independent assessment of these comments and therefore expresses no opinion on them. [End of letter] Comments Of The Department Of Health And Human Services' Administration For Children And Families On The General Accounting Office (GAO) Draft Report: "Most States Collect Drivers' Social Security Numbers And Use Them To Enforce Child Support"(GAO-02-239): General Comments: The Department of Health and Human Services (Department) Administration for Children and Families (ACF) appreciates the opportunity to comment on this draft report, which addresses an important topic. The Office of Child Support Enforcement (OCSE), a component within ACF has reviewed this report and agrees, in general, with the findings. GAO Recommendation: To ensure that all states are following the Federal requirements that states enact and implement laws requiring the collection of Social Security Numbers (SSNs) from all driver's license applicants for child support enforcement purposes, we recommend that OCSE more effectively track compliance with this requirement and take formal action, when necessary, against states that are not in compliance. OCSE should, for example, ensure that staff effectively use the legislative analysis checklist that is designed to track the adoption and implementation of state laws. The agency should also take formal actions, when necessary, such as disapproving state plans or conducting targeted audits, in an effort to promote compliance with this Federal requirement. Department Comments: The Department tracks state law compliance through the State plan approval process. Tracking compliance with this provision was particularly difficult because the statutory provision requiring SSNs on drivers' licenses has a complicated legislative history. The Personal Responsibility and Work Opportunity Reconciliation Act (PRWORA) of 1996 mandated an expansive new provision requiring the recording of SSNs on applications for commercial drivers' licenses, occupational and professional licenses and marriage licenses. The provision also mandated placing SSNs in records related to divorce decrees, death certificates, child support orders and paternity establishments. The Balanced Budget Act of 1997 expanded the requirement further to include the collection of SSNs from applicants for all drivers' licenses and for recreational licenses and made October 1, 1996, the effective date of the provision. In 1998, the effective date of the provision requiring SSNs on drivers' license applications was extended to October 1, 2000. The Department agrees that the six States were out of compliance with the requirement to collect SSNs on drivers' licenses during the GAO study. Michigan is now in compliance. Four other States (Kansas, Maryland, Minnesota and Oregon) submitted and received approval from OCSE for State plan pages. These State plans were certified that they have laws requiring that SSNs be collected on drivers' license applications. The sixth State, Georgia has not submitted a State plan page for this requirement. In October 2001, Minnesota submitted an exemption request from the requirement to include SSNs on drivers' license applications. The Department reviewed the exemption request and requested additional information from Minnesota in order to make a determination. The Department's OCSE will strengthen our efforts to monitor and oversee State plan compliance with regard to SSNs on licenses. In light of the complicated history of this provision, the OCSE will focus specifically on tracking and ensuring that the remaining five states promptly come into compliance. The Department's OCSE would like to clarify our approach for ensuring State compliance with this provision. The requirement to include SSNs on drivers' license applications has been in effect for over one year. All States were required to submit State plan pages certifying compliance with this provision by December 31, 2000, of which forty- nine states are in compliance. The Department's OCSE has elected to work closely with the States that are not in compliance through informal mechanisms to ensure that States pass the required laws and develop the necessary policies and procedures to collect SSNs on drivers' license applications. The Department's OCSE works collaboratively with States as much as possible before proceeding with the State plan disapproval process to avoid the possibility of dire consequences to children from terminating funding for a State child support program. We think it is appropriate to include these facts in the "Results in Brief" section of the report. [See comment 1] Additional Comments: The report incorrectly states that Department's OCSE learned about the noncompliance in Michigan from GAO at the end of November 2001. The OCSE was fully informed of the circumstances in Michigan, as discussed on page 10, because Michigan differs from the other five States. Michigan passed a law in 1998 requiring its Motor Vehicle Administration (MVA) to collect SSNs from all drivers' license applicants and subsequently filed suit against the Federal government in early 2001 challenging the constitutionality of the Act's requirements. [See comment 2] The Department's OCSE disagrees strongly with the statement in the report that says, "... and OCSE senior officials indicated that the one about MVAs collecting SSNs was not a high priority." We feel this statement should be removed from the report because we feel that SSNs are one of the most effective tools for locating delinquent obligors. Also, as noted in the GAO report, license suspension programs have proven very successful in generating child support collections for America's children. Monitoring and ensuring compliance with the requirement to collect SSNs on drivers' licenses has been and continues to be a high priority for the Department. [See comment 3] The report states that, "OCSE officials take two types of formal actions. The first is to disapprove a state plan, which may result in a state losing all Federal funds for its child support enforcement program if it does not bring its program into compliance with Federal requirements." This sentence is incorrect. Disapproval of a IV-D state plan will result in the loss of all Federal funding for a IV-D program until the program comes into compliance. [See comment 4] Technical Comments: Page 5 - The report refers to activities that may take place through judicial action or an expedited administrative process depending on the state in which the custodial parent lives. Because parents may apply for services in any state and activities may occur in states other than where the applicant for services lives, we suggest revising the sentence to read: "These activities may take place through judicial action or an expedited administrative process, depending on the state where the action takes place." Page 6, first paragraph - The report also states that PRWORA is known as the Personal Responsibility and Work Reconciliation Act of 1996. hi fact, PRWORA is the Personal Responsibility and Work Opportunity Reconciliation Act of 1996. [See comment 6] GAO Comments: The following are GAO’s comments on the Department of Health and Human Services’ Administration for Children and families letter dated February 6, 2002. 1. We note in the body of the report that OCSE’s strategy for ensuring state compliance is to first work with states through informal mechanisms. 2. We deleted the reference to the November date in regard to Michigan. 3. After further review of the information, we revised the report to reflect that OCSE officials said that collecting SSNs was not their highest priority. 4. We revised the text to clarify that disapproving a state plan will result in a state losing all federal funds for its child support enforcement program until the program comes into compliance. 5. We revised the statement to reflect that it depends on the state where the action takes place. 6. We corrected the title of the act. [End of section] Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Carolyn Taylor (202) 512-2974: Nancy Cosentino (415) 904-2117: Staff Acknowledgments: In addition to those named above, the following individuals made important contributions to this report: Christopher Morehouse, Cathy Pardee, Kate Kousser, and Yunsian Tai. [End of section] Footnotes: 1. Noncustodial parents are parents who do not live with and provide day-to-day care for their children. 2. In this report the term license suspension also includes withholding or restricting a driver’s license. Withholding a license includes not allowing a person to obtain an initial license. Restricting a license means limiting when a noncustodial parent may drive, such as only to and from work. All three of these procedures are permissible under the act. 3. This report uses the word “states” to refer to those areas where we did our work. That is, the 50 states, the District of Columbia, and U.S. territories. The territories were Guam, the Virgin Islands, and Puerto Rico. The remaining U.S. territory, American Samoa, was not included because it does not have a formal CSE program. 4. 42 U.S.C. sec. 651 et seq. 5. Public Law 104-193 (Aug. 22, 1996). 6. From this point forward, the term “drivers” will refer to noncommercial drivers and the term “driver’s licenses” will refer to noncommercial driver’s licenses. We are not discussing commercial drivers and driver’s licenses because all states are collecting SSNs on commercial drivers. This is required by the Commercial Motor Vehicle Safety Act of 1986 and, according to the American Association of Motor Vehicle Administrators (AAMVA), all states are complying with this law. 7. Both of these states ceased such collections prior to August 5, 1997, for reasons unrelated to the passage of this requirement. 8. The 2 states that did not use the SSNs in one of two ways are New Jersey and Pennsylvania. 9. See the next section for a discussion on the privacy implications of this requirement. 10. In October 2001, the Minnesota CSE program requested that OCSE exempt its MVA and Department of Natural Resources from collecting SSNs on drivers and holders of recreational licenses. OCSE officials told us that it would take at least 6 to 8 weeks to study the exemption request. This process was not complete at the time of our review. 11. The states with erroneously approved state plans were Maryland, Kansas, Oregon, and Minnesota. The two states with unapproved state plans were Georgia and Michigan. Georgia’s state plan was not approved because OCSE was aware of its lack of legislation on the SSN requirement. Approval of Michigan’s state plan was suspended until the lawsuit discussed earlier in the report was resolved. 12. P.L 103-322 (Sept. 13, 1994). 13. Permissible uses include requests and inquiries from other government agencies, including courts and law enforcement agencies, as well as insurance companies and employers of commercial drivers. 14. The other entities are the offices of the attorney general (where the child support agency is housed) and the secretary of state (for election purposes). 15. See pages 9 through 10 for a discussion of these six states and for a summary of the other concerns that these states had about this requirement. 16. [hyperlink, http://www.gao.gov/products/GAO/AIMD-12.9.6], Jan., 1999. 17. Public Law 106-398, Division A, Title X, Subtitle G (Oct. 30, 2000). 18. Passwords refer to both passwords and personal identification numbers. 19. Seven other typical password policies are users selecting their own passwords, requiring that passwords consist of letters and numbers, preventing the reuse of retired passwords for a reasonable period, prohibiting the use of group passwords, requiring that only a few employees have access to all passwords, encrypting passwords, and limiting the number of attempts to log on to the system with an invalid password. 20. For simplicity of reporting, the table shows those states that reported adherence to just over half of the nine FISCAM password policies—-i.e., any five of the nine policies. Four states reported using all nine, and three reported using three policies. 21. In 44 percent of these cases, threatening or suspending the driver’s licenses of noncustodial parents may not have been the only action that influenced these parents to make payments. In these cases, noncustodial parents were subjected to other actions at the same time that their driver’s licenses were threatened or suspended and the data did not indicate which action, or combination of actions, motivated these parents to make payments. The most common action was reporting parents to credit bureaus for nonpayment of support. Other less common actions were conducting computer matches to identify bank accounts and professional license suspension. 22. CSE agencies can directly withhold the wages of noncustodial parents once they identify their source of employment. This is frequently done through a database called the National Directory of New Hires. This database contains employment information on all individuals whose wages are reported to the state and on all federal employees. 23. The territories were Guam, the Virgin Islands, and Puerto Rico. The remaining U.S. territory, American Samoa, was not included because it does not have a formal child support enforcement program. [End of section] GAO’s Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO’s Web site [hyperlink, http://www.gao.gov] contains abstracts and fulltext files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to [hyperlink, http://www.gao.gov] and select “Subscribe to daily E-mail alert for newly released products” under the GAO Reports heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov: (202) 512-4800: U.S. General Accounting Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: [End of document]