This is the accessible text file for GAO report number GAO-02-352 entitled 'Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards' which was released on May 31, 2002. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States General Accounting Office: GAO: Report to Congressional Requesters: May 2002: Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards: GAO-02-352: Contents: Letter: Results in Brief: Background: All Levels of Governments Use SSNs Extensively for a Wide Range of Purposes: Governments Are Taking Some Steps to Safeguard SSNs but Important Measures Not Universally Employed: Open Nature of Certain Government Records Results in Wide Access to SSNs: Some Governments and Agencies Are Taking Innovative Actions to Limit Use and Display of SSNS in Public Records: Conclusions: Recommendations: Matter For Congressional Consideration: Agency Comments: Appendix I: Scope and Methodology: Appendix II: Federal Laws That Restrict SSN Disclosure: Appendix III: Federal, State, and County Departments That Reported Maintaining Public Records With SSNs: Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Staff Acknowledgments: Tables: Table 1: Examples of Federal Statutes That Authorize or Mandate the Collection and Use of Social Security Numbers: Table 2: Comparison of Key Provisions Concerning Disclosure of SSNs: Table 3: Of Program Agencies That Share SSNs, Percentage That Share Them with Specific NonGovernment Entities: Table 4: Percentage of Government Entities That Provide Individuals with Required Information When Collecting SSNs: Table 5: Percentage of Program Agencies That Report Imposing Selected Requirements on Outside Entities When Sharing SSNs: Table 6: Of Courts, County Recorders, and State Licensing Agencies; and of Program Agencies That Maintain Public Records, Percentage That Maintain Public Records That Contain SSNs: Table 7: Number of Programs within Federal Agencies That Responded to Our Survey and Maintain Public Records, Identify SSNs on Those Public Records, and Permit Access to Those Records on Their Web Sites: Table 8: Number and Type of State Departments and Agencies That Maintain Public Records, Identify SSNs on Those Public Records, and Permit Access to Those Records on Their Web Sites: Table 9: Number and Type of County Departments and Agencies that Maintain Public Records, Identify SSNs on Those Records, and Permit Access to Those records on Their Web Sites: Figures: Figure 1: Percentage of Program Agencies Using SSNs for Each Reason Listed: Figure 2: Percentage of Government Personnel Departments That Display SSNs on Different Types of Documents: Figure 3: Percentage of State and County Entities that Display SSNs on Each of the Types of Public Records Listed: Figure 4: Percentage of State and County Entities that Display SSNs on Each of the Types of Public Records Listed: Abbreviations: DOD: Department of Defense: FOIA: Freedom of Information Act: FTC: Federal Trade Commission: IRS: Internal Revenue Service: OMB: Office of Management and Budget: SSA: Social Security Administration: SSI: Supplemental Security Insurance: SSN: social security number: TANF: Temporary Assistance for Needy Families: [End of section] United States General Accounting Office: Washington, DC 20548: May 31, 2002: The Honorable E. Clay Shaw, Jr. Chairman: Subcommittee on Social Security: Committee on House Ways and Means: House of Representatives: The Honorable Dianne Feinstein: Chair: The Honorable Jon Kyl: Ranking Member: Subcommittee on Technology, Terrorism, and Government Information: Committee on the Judiciary: United States Senate: The Honorable Charles Grassley: Ranking Member: Subcommittee on Crime and Drugs: Committee on the Judiciary: United States Senate: The Social Security number (SSN) was created in 1936 as a means to track workers' earnings and eligibility for Social Security benefits. Since that time, the number has been used for myriad non-Social Security purposes. Private sector use of the SSN has grown exponentially. For example, businesses may ask individuals to provide their SSNs when they apply for credit, seek medical or other insurance coverage, rent an apartment, or place an order for merchandise. In addition, many federal, state, and local government agencies also use the SSN. In some cases, these government agencies use SSNs as they administer their programs to deliver services or benefits to the public. Individuals who provide SSNs to receive these services and benefits may expect the SSNs to be considered confidential and thus protected from public disclosure. In other cases, government agencies serve as the repository for records or documents that are routinely made available to the public for inspection. These public records may contain SSNs.[Footnote 1] This use of SSNs by the private sector and government agencies has raised public concern over how this personal information is being used and protected. Further, the growth in electronic record keeping and the explosion of the availability of information over the Internet, combined with an apparent rise in identity theft, have heightened this concern. We have previously reported that certain public and private sector officials told us that SSNs play an important role in their ability to deliver services or conduct business.[Footnote 2] In this report, you asked us to delve deeper into the government uses of SSNs. Specifically, we studied (1) the extent and nature of federal, state, and county government agencies' use of SSNs as they administer programs to provide benefits and services; (2) the actions government agencies take to safeguard these SSNs from improper disclosure and use when they are used to administer programs; (3) the extent and nature of federal, state, and county governments' use of SSNs when they are contained in public records; and (4) the options available to better safeguard SSNs that are found in these public records. To address these issues we interviewed knowledgeable federal, state, and county officials to identify government programs or activities that frequently use SSNs. To develop information on the nature and extent of governments' use of SSNs and their actions to protect individuals' privacy when using SSNs, we mailed surveys to 18 federal agencies and those departments that typically use SSNs in all 50 states, the District of Columbia, and the 90 most populous counties. [Footnote 3] We also conducted site visits and in-depth interviews at six selected federal programs, three states, and three counties. We met with officials responsible for programs, agencies, or departments (hereinafter referred to generically as agencies) and courts that make frequent use of SSNs. We report on only those government entities that obtain, receive, or use SSNs. The information they provided was self- reported, and we did not verify it. We conducted our work between February 2001 and March 2002 in accordance with generally accepted government auditing standards. For additional information on our approach, please see appendix 1. Results in Brief: When federal, state, and county government agencies administer programs that deliver services and benefits to the public, they rely extensively on the SSNs of those receiving the benefits and services. Because SSNs are unique identifiers and do not change, the numbers provide a convenient and efficient means of managing records. They are also particularly useful for data sharing and data matching because agencies can use them to check or compare their information quickly and accurately with that from other agencies. In so doing, these agencies can better ensure that they pay benefits or provide services only to eligible individuals and can more readily recover delinquent debts individuals may owe. Using SSNs for these purposes can save the government and taxpayer hundreds of millions of dollars each year and help make sure programs are achieving their goals. In addition to using SSNs to deliver services or benefits, agencies also use or share SSNs to conduct statistical programs, research, and program evaluations. Moreover, all government departments or agencies use their employees' SSNs to varying extents to perform some of their responsibilities as employers, such as paying their employees and providing health and other insurance benefits. In the course of using SSNs to administer their programs and as employers, agencies sometimes display these SSNs on documents, such as program eligibility cards or employee badges, that can be seen by others who may have no need for the SSN. While government agencies are making wide use of SSNs, they are also taking some steps to safeguard the numbers; however, certain measures that could help protect SSNs are not uniformly in place at any level of government. First, when requesting SSNs, government agencies are not consistently providing individuals with information required by federal law. This information, such as how the SSNs will be used and whether individuals are required to provide their SSNs, is the first line of defense against improper disclosure because it allows SSN holders to make informed decisions about whether to provide their SSN to obtain the services in question. Second, although agencies that use SSNs to provide benefits and services are taking steps to safeguard the numbers from improper disclosure, our survey identified potential weaknesses in the security of information systems at all levels of government. Similarly, regarding the display of SSNs by these agencies, we found numerous examples of actions taken to limit the presence of SSNs on documents that are not intended to be public but are nonetheless seen by others; however, these changes are not systematic and many government agencies continue to display SSNs on a variety of documents. Regarding public records, many of the state and county agencies responding to our survey reported maintaining records that contain SSNs; however, federal program agencies maintain public records less frequently. At the state and county levels, certain offices, such as state professional licensing agencies and county recorders' offices, have traditionally been repositories for public records that may contain SSNs. These records chronicle the various life events and other activities of individuals as they interact with the government, such as birth certificates, professional licenses, and property title transfers. Officials who maintain these records told us their primary responsibility is to preserve the integrity of the record rather than protect the privacy of the individual SSN holder. In addition, courts at all three levels of government maintain public records that may contain SSNs, such as divorce decrees and child support orders. In some cases, government agencies and the courts create these documents containing SSNs themselves. In other cases, the documents are submitted by others, such as when title companies submit documents to support property title transfers and when attorneys submit evidence for the record. Traditionally, the general public has gained access to public records by visiting the office that maintains the records, which offers at least some practical limitations on the volume of SSNs any one person can collect. However, the growth of electronic record keeping has made it easier for a few agencies to provide or even sell their data in bulk. Moreover, although few entities report making SSNs available on the Internet, several officials told us they are considering expanding the volume and type of public records available on their Web site. When SSNs have been found in public records, some government agencies are trying to better safeguard the SSN by trying innovative approaches to protect the SSNs from public display. For example, some agencies and courts are modifying their processes or their forms so that they can collect SSNs but prevent the number from becoming part of the publicly available record. This is most effective when the agency or court prepares the document. When others submit the document to become part of the public record, it is more difficult to limit the appearance of the SSN unless the individual or business submitting the document takes the initiative to omit the SSN or include it only when absolutely necessary. Regarding placing public records containing SSNs on Web sites, some agencies and courts have decided to limit this practice as well; however, some have not. Overall, the most far- reaching efforts we identified took place in states where there was a statewide initiative that established a policy and procedures designed to protect individuals' personal information, including SSNs, in all of the different circumstances that governments collect, store, and use it. We are making recommendations in this report that the Office of Management and Budget (OMB) direct federal agencies to review their practices for securing SSNs and providing SSN holders with information required by federal law and that OMB take steps to better inform state and local government agencies that they are required to provide this information when they request an individual's SSN. We are also presenting a matter for congressional consideration, suggesting that the Congress, in consultation with the president, convene a representative group of federal, state, and local officials to develop a unified approach to safeguarding SSNs used in government and particularly those displayed in public records. The Social Security Administration (SSA) and OMB generally agreed with our recommendations. Background: Since the creation of the SSN, the number of federal agencies and others that rely on it has grown beyond the original intended purpose, in part because a number of federal laws authorize or require SSN use. Additionally, the advent of computerized records further increased reliance on SSNs. This growth in use and availability of SSNs is important because SSNs are often the "identifier" of choice among thieves who steal another individual's identity. Although no single federal law regulates overall use and disclosure of SSNs by governments, when federal government agencies use SSNs, several federal laws limit the use and disclosure of the number in certain circumstances.[Footnote 4] Also, state laws may vary in terms of the restrictions imposed on SSN use and disclosure. Moreover, some records that contain SSNs are considered part of the public record and, as such, are routinely made available to the public for review. Use of SSN Has Grown, in Part, Because of Federal Requirements SSA is the federal agency responsible for issuing SSNs, which are used to track workers' earnings and eligibility for Social Security benefits. Legislation enacted in 1935 created the SSA and made the agency responsible for implementing a social insurance program designed to pay benefits to retired workers to ensure a continuing portion of income after retirement.[Footnote 5] The amount of these benefits was based, in part, on the amount of the workers' earnings. As a result, SSA needed a system to keep track of earnings by individual worker and for employers to report these earnings. In 1936, SSA created a numbering system designed to provide a unique identifier, the SSN, to each individual. Workers are now required by law to provide SSA their number when they apply for benefits from SSA. As of December 1998, SSA had issued 391 million SSNs. Since the creation of the SSN, other entities in both the private and public sectors have begun using SSNs, in part because of federal requirements. Widespread SSN use in government began with a 1943 Executive Order issued by President Franklin D. Roosevelt requiring that all federal agencies use the SSN exclusively when agencies need to use identification systems for individuals, rather than set up a new identification system. In later years, the number of federal agencies and others relying on the SSN as a primary identifier escalated dramatically, in part, because a number of federal laws were passed that authorized or required its use for specific activities as shown in table 1. In many instances, the laws required that SSNs be used to determine individuals' eligibility for certain federally funded program services or benefits, or they served as a unique identifier for such government-related activities as paying taxes or reporting wages earned. In some cases these statutes require that state and local governmental entities collect SSNs. Table 1: Examples of Federal Statutes That Authorize or Mandate the Collection and Use of Social Security Numbers: Federal statute: Tax Reform Act of 1976; 42 U.S.C. 405(c)(2)(c)(i); General purpose for collecting or using SSN: General public assistance programs, tax administration, driver's license, motor vehicle registration; Government entity and authorized or required use: Authorizes states to collect and use SSNs in administering any tax, general public assistance, driver's license, or motor vehicle registration law. Federal statute: Food Stamp Act of 1977; 7 U.S.C. 2025(e)(1); General purpose for collecting or using SSN: Food Stamp Program; Government entity and authorized or required use: Mandates the secretary of agriculture and state agencies to require SSNs for program participation. Federal statute: Deficit Reduction Act of 1984; 42 U.S.C. 1320b-7(1); General purpose for collecting or using SSN: Eligibility benefits under the Medicaid program; Government entity and authorized or required use: Requires that, as a condition of eligibility for Medicaid benefits, applicants for and recipients of these benefits furnish their SSNs to the state administering program. Federal statute: Housing and Community Development Act of 1987; 42 U.S.C. 3543(a); General purpose for collecting or using SSN: Eligibility for the Department of Housing and Urban Development programs; Government entity and authorized or required use: Authorizes the secretary of the Department of Housing and Urban Development to require program applicants and participants to submit their SSNs as a condition of eligibility. Federal statute: Family Support Act of 1988; 42 U.S.C. 405(c)(2)(C)(ii); General purpose for collecting or using SSN: Issuance of birth certificates; Government entity and authorized or required use: Requires states to obtain parents' SSNs before issuing a birth certificate unless there is good cause for not requiring the number. Federal statute: Technical and Miscellaneous Revenue Act of 1988; 42 U.S.C. 405(c)(2)(D)(i); General purpose for collecting or using SSN: Blood donation; Government entity and authorized or required use: Authorizes states and political subdivisions to require that blood donors provide their SSNs. Federal statute: Food, Agriculture, Conservation, and Trade Act of 1990; 42 U.S.C. 405(c)(2)(C); General purpose for collecting or using SSN: Retail and wholesale businesses participation in food stamp program; Government entity and authorized or required use: Authorizes the secretary of agriculture to require the SSNs of officers or owners of retail and wholesale food concerns that accept and redeem food stamps. Federal statute: Omnibus Budget Reconciliation Act of 1990; 38 U.S.C. 510(c); General purpose for collecting or using SSN: Eligibility for Veterans Affairs compensation or pension benefits programs; Government entity and authorized or required use: Requires individuals to provide their SSNs to be eligible for Department of Veterans Affairs' compensation or pension benefits programs. Federal statute: Social Security Independence and Program Improvements Act of 1994; 42 U.S.C. 405(c)(2)(E); General purpose for collecting or using SSN: Eligibility of potential jurors; Government entity and authorized or required use: Authorizes states and political subdivisions of states to use SSNs to determine eligibility of potential jurors. Federal statute: Personal Responsibility and Work Opportunity Reconciliation Act of 1996; 42 U.S.C. 666(a)(13); General purpose for collecting or using SSN: Various license applications, divorce and child support documents, death certificates; Government entity and authorized or required use: Mandates that states have laws in effect that require collection of SSNs on applications for driver's licenses and other licenses; requires placement in the pertinent records of the SSN of the person subject to a divorce decree, child support order, paternity determination; requires SSNs on death certificates; creates national database for child support enforcement purposes. Federal statute: Debt Collection Improvement Act of 1996; 31 U.S.C. 7701(c); General purpose for collecting or using SSN: Persons doing business with a federal agency; Government entity and authorized or required use: Requires those doing business with a federal agency (i.e., lenders in a federal guaranteed loan program; applicants for federal licenses, permits, right-of-ways, grants, or benefit payments; contractors of an agency and others) to furnish SSNs to the agency. Federal statute: Higher Education Act Amendments of 1998; 20 U.S.C. 1090(a)(7); General purpose for collecting or using SSN: Financial assistance; Government entity and authorized or required use: Authorizes the secretary of education to include the SSNs of parents of dependent students on certain financial assistance forms. Federal statute: Internal Revenue Code (various amendments); 26 U.S.C. 6109; General purpose for collecting or using SSN: Tax returns; Government entity and authorized or required use: Authorizes the commissioner of the Internal Revenue Service to require that taxpayers include their SSNs on tax returns. Source: GAO review of applicable federal laws. [End of table] Private businesses, such as financial institutions and health care service providers, also frequently ask individuals for their SSNs. In some cases, they require the SSN to comply with federal laws but at other times, these businesses routinely choose to use the SSNs to conduct business. SSNs are a key piece of identification in building credit bureau databases, extracting or retrieving data from consumers' credit histories, and preventing fraud. Businesses routinely report consumers' financial transactions, such as charges, loans, and credit repayments to credit bureaus. A representative for the credit bureaus estimated that 80 percent of these transactions include SSNs. Although the representative reported that credit bureaus use other identifiers, such as names and addresses, to build and maintain individuals' credit histories, credit bureaus view the SSN as one of the most important identifiers for ensuring that correct information is associated with the right individual because the SSN does not change as would a name or address. The credit bureaus' representative told us that without the SSN, or a similar stable identifier, such as a biometric identifier,[Footnote 6] credit bureaus could still conduct business but the level of accuracy of individuals' credit records would be greatly reduced. The fundamental goal of credit bureaus is ensuring that the credit information provided to those who grant consumers credit is accurate. The less accurate the information, the less value that information is to those who grant credit. The credit bureaus' representative told us that until other stable identifiers like biometrics gain widespread use, credit bureaus view the SSN as the key tool for ensuring the accuracy of consumer credit histories. The advent of computerized record keeping has implications for the availability of SSNs and other sensitive data. Government entities are beginning to make their records electronically available over the Internet. Moreover, the Government Paperwork Elimination Act of 1998 requires that, where practicable, federal agencies provide by 2003 for the option of the electronic maintenance, submission, or disclosure of information. State government agencies have also initiated Web sites to address electronic government initiatives. Moreover, continuing advances in computer technology and the ready availability of computerized data have spurred the growth of new business activities that involve the compilation of vast amounts of personal information about members of the public, including SSNs, that businesses sell. Identity Thieves Often Use Others’ SSNs: This growth in the use of SSNs is important to individual SSN holders because these numbers, along with names and birth certificates, are among the three personal identifiers most often sought by identity thieves.[Footnote 7] Identity theft is a crime that can affect all Americans. It occurs when an individual steals another individual's personal identifying information and uses it fraudulently. For example, SSNs and other personal information are used to fraudulently obtain credit cards, open utility accounts, access existing financial accounts, commit bank fraud, file false tax returns, and falsely obtain employment and government benefits. SSNs play an important role in identity theft because they are used as breeder information to create additional false identification documents, such as drivers' licenses. Most often, identity thieves use SSNs belonging to real people rather than making one up; however, on the basis of a review of identity theft reports, victims usually (75 percent of the time) did not know where or how the thieves got their personal information.[Footnote 8] In the 25 percent of the time when the source was known, the personal information, including SSNs, usually was obtained illegally. In these cases, identity thieves most often gained access to this personal information by taking advantage of an existing relationship with the victim. The next most common means of gaining access were by stealing information from purses, wallets, or the mail. In addition, individuals can also obtain SSNs from their workplace and use them or sell them to others. Finally, SSNs and other identifying information can be obtained legally through Internet sites maintained by both the public and private sectors and from records routinely made available to the public by government entities and courts. Because the sources of identity theft cannot be more accurately pinpointed, it is not possible at this time to determine whether SSNs that are used improperly are obtained most frequently from the private sector or the government. Recent statistics collected by federal and consumer reporting agencies indicate that the incidence of identity theft appears to be growing. [Footnote 9] The Federal Trade Commission (FTC), the agency responsible for tracking identity theft, reports that complaint calls from possible victims of identity theft grew from about 445 calls per week in November 1999, when it began collecting this information, to about 3,000 calls per week by December 2001. However, FTC noted that this increase in calls might also, in part, reflect enhanced consumer awareness. In addition, SSA's Office of the Inspector General, which operates a fraud hotline, reports that allegations of SSN misuse increased from about 11,000 in fiscal year 1998 to more than 65,200 in fiscal year 2001. Additionally, SSA reported that almost 39,000 other allegations of program fraud also include an element of SSN misuse during fiscal year 2001. Most of these allegations relate to identity theft. However, some of the reported increase may be a result of a growth in the number of staff SSA assigned to field calls to the Fraud Hotline during this period. SSA staff increased from 11 to over 50 during this period, which allowed personnel to answer more calls. Also, officials from two of the three national consumer reporting agencies report an increase in the number of 7 year fraud alerts placed on consumer credit files, which they consider to be reliable indicators of the incidence of identity theft.[Footnote 10] Finally, it is difficult to determine how many individuals are prosecuted for identity theft because law enforcement entities report that identity theft is almost always a component of other crimes, such as bank fraud or credit card fraud, and may be prosecuted under the statutes covering those crimes. In Some Instances SSNs are to Be Protected from Public Disclosure: No single federal law regulates the overall use or restricts the disclosure of SSNs by governments; however, a number of laws limit SSN use in specific circumstances. Generally, the federal government's overall use and disclosure of SSNs are restricted under the Freedom of Information Act (FOIA) and the Privacy Act. Broadly speaking, the purpose of the Privacy Act is to balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy by federal agencies. Also, the Social Security Act Amendments of 1990 also provide some limits on disclosure, and these limits apply to state and local governments as well. In addition, a number of federal statutes impose certain restrictions on SSN use and disclosure for specific programs or activities.[Footnote 11] At the state and county level, each state may have its own statutes addressing the public's access to government records and privacy matters; therefore, states may vary in terms of the restrictions they impose on SSN use and disclosure. Table 2 shows key laws that may affect SSN disclosure at the federal, state, and county level. For more information on the specific provisions in the federal laws, including a summary of the privacy principles that underlie the Privacy Act, see appendix II. Table 2: Comparison of Key Provisions Concerning Disclosure of SSNs: Federal: The Freedom of Information Act of 1966: presumes government records are available upon formal request, but exempts certain personal information, such as SSNs; State: Open records laws or "sunshine" laws—vary by state but all 50 states and the District of Columbia have such statutes; County: Governed by state and/or local laws. Federal: The Privacy Act of 1974: regulates certain types of federal recordkeeping; generally prohibits disclosure of personal information, such as SSNs, with exceptions; State: A number of states have enacted their own privacy laws or they rely on other guidance; at least 17 states have statutes that specifically address SSN use or disclosure; County: Governed by state and/or local laws. Federal: The Social Security Act Amendments of 1990: bars disclosure of SSNs collected because of laws enacted on or after October 1, 1990; State: The Social Security Act Amendments of 1990; County: The Social Security Act Amendments of 1990. Source: GAO review of federal laws, and The Privacy Journal, Compilation of State and Federal Laws, 1997 edition with updates in a 1999 Supplement and a 2000 Supplement. [End of table] In addition, a number of laws provide protection for sensitive information, such as SSNs, when maintained in computer systems and other government records. Most recently, the Government Information Security Reform provisions of the Fiscal Year 2001 Defense Authorization Act require that federal agencies take specific measures to safeguard computer systems that may contain SSNs.[Footnote 12] For example, federal agencies must develop agency-wide information security management programs, establish security plans for computer systems, and conduct information security awareness training for employees. These laws do not apply to state and local governments; however, in some cases state and local governments have developed their own statutes or put requirements in place to similarly safeguard sensitive information, including SSNs, kept in their computer systems. SSNs Are Found in Some Public Records: In some cases, government entities, particularly at the state and county levels, maintain public records that are routinely made available to the public for inspection. For state and county executive branch agencies, state law generally governs whether and under what circumstances these records are made available to the public, and they vary from state-to-state. Records may be made available for a number of reasons. These include the presumption that citizens need government information to assist in oversight and ensure that government is accountable to the people. In addition, some government agencies, such as county clerks or recorders, exist primarily to create or maintain records to assist the public and private sector in the conduct of business, legal, or personal affairs. These records may contain SSNs. Certain records maintained by the federal, state, and county courts are also made available to the public. In principle, these records are open to aid in preserving the integrity of the judicial process and to enhance the public trust and confidence in the judicial process. Courts are generally not subject to FOIA or other open record laws. At the federal level, access to court documents generally has its grounding in common law and constitutional principles. In some cases, public access is also required by statute, as is the case for papers filed in a bankruptcy proceeding. As with federal courts, requirements regarding access to state and local court records may have a state common law or constitutional basis or may be based on state laws. Although states' laws may vary, generally, custodians of court records must identify a statute, court rule, or a case law or common law basis to preclude public access to a particular record; otherwise the record is presumed to be accessible to the public and must be disclosed to the public upon request. All Levels of Governments Use SSNs Extensively for a Wide Range of Purposes: SSNs are widely used by federal, state, and county government agencies when they provide services and benefits to the public. These agencies use SSNs both to manage their records and to facilitate data sharing with others. They share SSNs and other personal information to verify eligibility for benefits, collect debts owed the government, and conduct or support research and evaluation. In addition to using SSNs for program purposes, many of these agencies also reported using their employees' SSNs for activities such as payroll, wage reporting, and providing employee benefits. As a result of this widespread SSN usage, these agencies occasionally display SSNs on documents that may be viewed by others who do not have a need for this personal information. Agencies Use SSNs to Administer Programs That Provide Benefits or Services to Individuals: Most of the agencies we surveyed at all levels of government reported using SSNs extensively to administer their programs. As shown in figure 1, more agencies reported using SSNs for internal administrative purposes, that is, they use them to identify, retrieve, and update their records, than for any other purpose. SSNs are so widely used for this purpose, in part, because each number is unique to an individual and does not change, unlike some other personal identifying information, such as names and addresses. For this reason, SSNs can provide a convenient and efficient means to manage records, particularly electronic records, that catalog services or benefits government agencies provide individuals or families. Figure 1: Percentage of Program Agencies Using SSNs for Each Reason Listed: [Refer to PDF for image: vertical bar graph] Internal administrative purposes: Federal (N = 55): 82%; State (N = 44): 90%; County (N = 197): 89%. Verify applicants' eligibility; monitor accuracy of information individuals provide: Federal (N = 55): 73%; State (N = 44): 83%; County (N = 197): 82%. Collect debts individuals owe agency/government: Federal (N = 55): 40%; State (N = 44): 34%; County (N = 197): 25%. Conduct internal research or program evaluation: Federal (N = 55): 53%; State (N = 44): 44%; County (N = 197): 26%. Provide data to outside researchers: Federal (N = 55): 4%; State (N = 44): 18%; County (N = 197): 7%. Legend: N is the number of respondents upon which the percentage is based. Source: GAO surveys of federal, state, and county departments and agencies. Figure includes departments and agencies that administer programs and excludes courts, county clerks and recorders, and state licensing agencies. [End of figure] Many agencies also use SSNs to share information with other entities to bolster the integrity of the programs they administer. For example, individuals are often asked to report their income, citizenship status, and household composition to determine their eligibility for government benefits or services. To avoid paying benefits or providing services or loans to individuals who are not really eligible for them, agencies use applicants' SSNs to match the information they provide with information in other data bases, such as other federal benefit paying agencies, state unemployment agencies, the Internal Revenue Service (IRS), or employers. As unique identifiers, SSNs help ensure that the agency is obtaining or matching information on the correct person. As shown in figure 1, the majority of agencies at all three levels of government reported sharing information containing SSNs for the purpose of verifying an applicant's eligibility for services or benefits. These data-sharing activities can help save the government and taxpayers hundreds of millions of dollars. In some cases, the Congress has recognized the benefits of this data sharing for federally funded programs and has either explicitly permitted or required agencies to share data for these purposes. Examples of SSN use for verifying and monitoring eligibility include the following: * Individuals confined to a correctional facility for at least 1 full month are ineligible to continue receiving federal Supplemental Security Income (SSI) program benefits.[Footnote 13] SSA, the federal agency that administers this program, uses SSNs to match records with state and local correctional facilities to identify individuals for whom the agency should terminate benefit payments. We reported that between January and August 1996, the sharing of prisoner data between SSA and state and local correctional facilities helped SSA identify about $151 million overpayments already made and prevented about $173 million in additional overpayments to ineligible prisoners.[Footnote 14] * When individuals apply for Temporary Assistance for Needy Families (TANF), a program designed to help low-income families, the law requires them to provide program administrators their SSNs and information about their income and resources.[Footnote 15] Some agencies that administer this program use SSNs to share data to determine the applicants' and current recipients' eligibility and to verify self-reported information. The state of New York alone estimated that by checking state wage data records, it saved about $72 million in unpaid benefits between January and September 1999. [Footnote 16] SSNs Are Used to Collect Debt: SSNs can also help ensure program integrity when they are used to collect delinquent debts, and some agencies at each level of government reported sharing data containing SSNs for this purpose. Individuals may owe such debts to government agencies when they fall behind in loan repayments, have underpaid taxes, or are found to have fraudulently received benefits. For example: * The Department of Education uses SSNs to match data on defaulted education loans with the National Directory of New Hires. This database, which was implemented in October 1997, contains the names and SSNs, among other information, of individuals that employers reported hiring after implementation.[Footnote 17] As a result of this matching, which was implemented in fiscal year 2001, the department reported collecting $130 million from defaulted student loans borrowers in 2001. * The Department of the Treasury, as the federal government's lead agency for debt collection, also uses the SSN. For example, when an individual falls behind in payments owed the federal government, the agency owed the debt provides Treasury with the debtors' SSN and debt information. Treasury then uses the SSN to determine whether individuals owe the federal government money before making certain payments, such as tax refunds. If Treasury finds the individual is delinquent in paying a debt to the government, the agency will offset certain payments due the individual to satisfy the debt. Using this approach, Treasury used tax refund offsets to collect over $1 billion in federal nontax debt in 2001. SSNs Are Used for Statistics, Research, and Evaluation: Certain statistical agencies, which are responsible for collecting and maintaining data for statistical programs that are required by statute, make use of SSNs. In some cases, these data are compiled using information provided for another purpose. For example, the Bureau of the Census prepares annual population estimates for states and counties using individual income tax return data linked over time by SSN to determine migration rates between localities.[Footnote 18] For its Survey of Income and Population Participation, the bureau asks survey participants for various demographic characteristics and types of incomes received. The bureau also asks participants to provide their SSNs, informing them that the SSNs will be used to obtain information from other government agencies to avoid asking for information already reported to the government. As is the case for all government information collections, OMB must approve the collection of data for such statistical and research purposes. In addition, SSNs along with other program data, are sometimes used for research and evaluation. SSNs provide government agencies and others with an effective mechanism for linking data on program participation with data from other sources to help evaluate the outcomes or effectiveness of government programs.[Footnote 19] This information can prove invaluable to program administrators as well as policymakers. As shown in table 3, more than one-third of federal, state, and county agencies combined reported using SSNs to conduct internal research or program evaluation, and almost one-fifth of state agencies provide data containing SSNs to outside researchers. Examples of SSN use for evaluation and research include the following: * As one of its many uses, Census may match the Survey of Income and Population Participation responses with data contained in records for programs such as TANF, Supplemental Security Income, and food stamp programs. Linking various data by SSN helps policymakers assess the extent to which these federal programs together assist low-income individuals. * Health departments may provide SSN information to outside researchers, including universities or foundations, or provide SSN information to other organizations such as the National Center for Health Statistics, which compile national data on subjects such as infant birth and mortality data. Other Program Uses: In addition to the above reasons for sharing data that focus primarily on program integrity and research, some agencies use SSNs as a means of sharing data to improve services. For example, in light of major changes to the nation's welfare program in 1996, welfare agencies are focusing on moving needy families toward economic independence and are drawing on numerous federal and state programs to provide a wide array of services, such as child care, food stamps, and employment and training. Sharing data can help them identify what services beneficiaries have received and what additional services are available or needed. Agencies Are Most Likely to Share SSNs with Other Government Agencies and Contractors: All government agencies that administer programs and share records containing individuals' SSNs with other entities reported sharing SSNs with at least one other government agency.[Footnote 20] Aside from sharing with other government agencies, the largest percentage of federal and state program agencies report sharing SSNs with contractors, and a relatively large percentage of county program agencies report sharing with contractors as well, as shown in table 3. Agencies across all levels of government use contractors to help them fulfill their program responsibilities. Contractors most frequently determine eligibility for services, provide services, conduct data processing activities, and perform research and evaluation. In addition to sharing SSNs with contractors, government agencies also share SSNs with private businesses, such as credit bureaus and insurance companies, as well as debt collection agencies, researchers, and, to a lesser extent, with private investigators. Table 3: Of Program Agencies That Share SSNs, Percentage That Share Them with Specific NonGovernment Entities: Entities That Receive SSNs from Government agencies: Contractors; Government Agencies Reporting Sharing SSNs, Federal: 54%; (39); Government Agencies Reporting Sharing SSNs, State: 39%; (149); Government Agencies Reporting Sharing SSNs, County: 28%; (138). Entities That Receive SSNs from Government agencies: Credit bureaus; Government Agencies Reporting Sharing SSNs, Federal: 31%; (32); Government Agencies Reporting Sharing SSNs, State: 17%; (145); Government Agencies Reporting Sharing SSNs, County: 10%; (138). Entities That Receive SSNs from Government agencies: Insurance companies; Government Agencies Reporting Sharing SSNs, Federal: 24% (33); Government Agencies Reporting Sharing SSNs, State: 28% (147); Government Agencies Reporting Sharing SSNs, County: 31%; (139). Entities That Receive SSNs from Government agencies: Debt collection agencies; Government Agencies Reporting Sharing SSNs, Federal: 29%; (31); Government Agencies Reporting Sharing SSNs, State: 16%; (140); Government Agencies Reporting Sharing SSNs, County: 10%; (136). Entities That Receive SSNs from Government agencies: Researchers; Government Agencies Reporting Sharing SSNs, Federal: 12%; (34); Government Agencies Reporting Sharing SSNs, State: 33%; (147); Government Agencies Reporting Sharing SSNs, County: 14%; (135). Entities That Receive SSNs from Government agencies: Private investigators; Government Agencies Reporting Sharing SSNs, Federal: 0%; (0); Government Agencies Reporting Sharing SSNs, State: 7%; (141); Government Agencies Reporting Sharing SSNs, County: 7%; (138). Entities That Receive SSNs from Government agencies: Marketing companies Government Agencies Reporting Sharing SSNs, Federal: 0%; (0); Government Agencies Reporting Sharing SSNs, State: 2%; (139); Government Agencies Reporting Sharing SSNs, County: 1%; (137). Legend: The number in parentheses is the number of respondents upon which the percentage is based. Source: GAO survey of federal, state, and county agencies, using responses from those that reported sharing SSNs. Table includes departments and agencies that administer programs for the public and excludes courts, county clerks and recorders, and state licensing agencies. [End of table] Governments Use Employees' SSNs for Employer-Related Activities: All government personnel departments we surveyed reported using their employees' SSNs to fulfill at least some of their responsibilities as employers. As with many of the program-related SSN uses described earlier, these employer uses involve data sharing among governments and other agencies. Personnel departments responding to our questionnaire said they use SSNs to help them maintain internal records and provide employee benefits. To provide these benefits, employers often share data on employees with other entities, such as health care providers or pension plan administrators. As an example, employers submit employees' SSNs along with certain information about employees to health insurers and retirement plan administrators. Health insurers may use the SSNs to identify enrollment in health plans and verify eligibility for payments for health services. Retirement plan administrators use the SSN to record the contribution in the correct employee account, and when they make payments to individuals, they are required to report the payments using the individuals' SSNs to the IRS. In addition, employers are required by law to use employees' SSNs when reporting wages. Wages are reported to SSA, and the agency uses this information to update earnings records it maintains for each individual. These earnings ultimately determine eligibility for and the amount of Social Security benefits. After processing these reported wages, SSA provides the information to the IRS, which uses it to monitor individuals' compliance with the federal personal income tax rules. The IRS uses SSNs to match these employer wage reports with amounts individuals report on personal income tax returns. Finally, federal law requires that states maintain employers' reports of newly hired employees, identified by SSNs. States must forward this information to a national database that is used by state child support agencies to locate parents who are delinquent in child support payments. Government Agencies Occasionally Display SSNs on Documents That May Be Viewed by Others: In the course of delivering their services or benefits, many government agencies occasionally display SSNs on documents that may be viewed by others, some of whom may not have a need for this personal information. Figure 2 shows a variety of ways SSNs are displayed, as reported in our survey by federal, state, and county personnel departments. When SSNs appear on payroll checks, rather than on the more easily safeguarded pay stub, any number of individuals can view the employee's SSN depending on where the check is cashed. To receive services at government rates, government employees may be required to provide hotel employees and others documents such as travel orders or tax exemption forms that display their SSNs. Figure 2: Percentage of Government Personnel Departments That Display SSNs on Different Types of Documents: [Refer to PDF for image: vertical bar graph] Document type: Payroll or other reimbursement checks; Federal (N = 55): 67%; State (N = 44): 59%; County (N = 197): 57%. Document type: Vouchers/authorizations for dependent childcare credits; Federal (N = 55): 33%; State (N = 44): 27%; County (N = 197): 20%. Document type: Vouchers/authorizations for public transportation subsidies; Federal (N = 55): 53%; State (N = 44): 5%; County (N = 197): 9%. Document type: Promotion lists; Federal (N = 55): 13%; State (N = 44): 32%; County (N = 197): 24%. Document type: Travel orders/authorizations; Federal (N = 55): 100%; State (N = 44): 41%; County (N = 197): 9%. Document type: Authorizations for training outside of the agency; Federal (N = 55): 73%; State (N = 44): 27%; County (N = 197): 2%. Document type: Employees' badges/identification cards; Federal (N = 55): 27%; State (N = 44): 5%; County (N = 197): 9%. Legend: N is the number of respondents upon which the percentage is based. Source: GAO surveys of federal, state, and county personnel administrators. [End of figure] Some federal agencies and a few state and county personnel departments reported displaying employees' SSNs on their employee badges. Notably, the Department of Defense (DOD), which has over 2.7 million active and reserve military personnel, displays SSNs on its identification cards for these personnel. According to DOD officials, the Geneva Convention suggests that military personnel have an identification number displayed on their identification card, and DOD has chosen to use the SSN for this purpose. On the state level, the Department of Criminal Justice in one state, which has about 40,000 employees, displays SSNs on all employee identification cards. According to that state's Department of Criminal Justice officials, some of their employees have taken actions such as taping over their SSNs so that prison inmates and others cannot view this personal information. SSNs are also displayed on documents that are not employee-related. For example, some benefit programs display the SSN on the benefit checks and eligibility cards, and over one-third of federal respondents reported including the SSN on official letters mailed to participants. Further, some state institutions of higher education display students' SSNs on identification cards. Finally, SSNs are sometimes displayed on business permits that must be posted in public view at an individual's place of business. Governments Are Taking Some Steps to Safeguard SSNs but Important Measures Not Universally Employed: When agencies that deliver services and benefits use SSNs to administer programs, they are taking some steps to safeguard SSNs, but certain measures that could provide more assurances that these SSNs are secure are not universally in place at any level of government. First, when federal, state, and county agencies request SSNs, they are not consistently informing the SSN holders of whether they must provide the SSN to receive benefits or services and how the SSN will be used. In addition, although some agencies are using identifiers other than the SSNs in their records, most report it would be difficult to stop using SSNs. When agencies do use the SSN, we found weaknesses in their information systems security at all levels of government, which indicate SSNs may be at risk of improper disclosure. Finally, although some agencies are taking action to limit the display of SSNs on documents that are not intended to be public but may be viewed by others, these actions are sometimes taking place in a piecemeal manner rather than as a result of a systematic effort. Many Government Entities Collect SSNs without Providing Required Information: When a government agency requests an individual's SSN, the individual needs certain information to make an informed decision about whether to provide their SSN to the government agency or not. Accordingly, section 7 of the Privacy Act requires that any federal, state, or local government agency, when requesting an SSN from an individual, provide that individual with three key pieces of information. [Footnote 21] Government entities must: * tell individuals whether disclosing their SSNs is mandatory or voluntary, * cite the statutory or other authority under which the request is being made, and, * state what uses government will make of the individual's SSN. This information, which helps the individual make an informed decision, is the first line of defense against improper use. Although nearly all government entities we surveyed collect and use SSNs for a variety of reasons, many of these entities reported they do not provide individuals the information required under section 7 of the Privacy Act when requesting their SSNs. As shown in table 4, federal agencies were more likely to report that they provided the required information to individuals when requesting their SSNs than were states or local government agencies. Even so, federal agencies did not consistently provide this required information; 32 percent reported that they did not inform individuals of the statutory authority for requesting the SSN and 21 percent of federal agencies reported that they did not inform individuals of how their SSNs would be used. Table 4: Percentage of Government Entities That Provide Individuals with Required Information When Collecting SSNs: Informs Individuals: That providing SSN is voluntary; Federal: 90%; (10); State: 38%; (78); County: 42%; (74). Informs Individuals: Of legal authority to request SSNs; Federal: 68%; (37); State: 51%; (147); County: 39%; (161). Informs Individuals: How SSNs will be used; Federal: 79%; (57); State: 51% (270); County: 36%; (294). Legend: The number in parentheses is the number of respondents upon which the percentage is based. Source: Data from GAO surveys of federal, state, and county departments, using responses from all government entities. [End of table] For federal agencies, OMB is responsible for assisting with and overseeing the implementation of the Privacy Act. Although OMB has issued guidance for federal agencies to follow in implementing the act overall, OMB's guidance does not address section 7.[Footnote 22] However, there is another provision of the act that contains requirements similar to those of section 7, and OMB guidance does address this provision.[Footnote 23] This provision requires agencies to inform individuals from whom they request information (1) the legal authority that authorizes the collection and whether disclosure is voluntary or mandatory, (2) the purposes for which the information is intended to be used, (3) the routine uses to be made of the information, and (4) the effects on the individual of not providing all or any part of the information. Agencies must provide this information on the forms they use to collect the information or on a separate form that can be retained by the individual. However, this provision differs from section 7 in important ways. It applies only to federal agencies that maintain a system of records, as defined under the act, whereas section 7 applies to all agencies at the federal, state, and local level and contains no provision limiting its coverage to agencies maintaining a system of records.[Footnote 24] Regarding how OMB oversees implementation of the Privacy Act, OMB officials told us that they review certain federal agency actions related to the Privacy Act, such as notices placed in the federal register to inform the public of changes to agency systems of records; however it is not their role to monitor day-to-day federal agency compliance with the many provisions of the act.[Footnote 25] For this ongoing compliance monitoring, OMB officials said that they rely on agency privacy officers, general counsels, and inspector generals. [Footnote 26] In addition, under the Act, individuals can bring a civil action against a federal agency requesting the SSN if they believe that the agency has not complied with the section 7 requirements and if this failure to comply results in an adverse effect on the individual. At the state and county levels of government, it is not clear who has responsibility for overseeing the section 7 requirements placed on state and local governments. In fact, some state and local officials we spoke with were unaware of the requirements. Moreover, OMB officials told us that they have not issued any implementing regulations or guidance for section 7 for state and county government agencies, and no federal agency has assumed overall responsibility for monitoring these agencies and informing them of their obligations under section 7 of the Privacy Act.[Footnote 27] According to OMB officials, their role with respect to state and local governments is limited to advising state and county officials who raise questions about the act. In addition, OMB officials also work with the National Association of State Chief Information Officers and other organizations to discuss and share ideas on information management issues. Further, unlike the federal government, courts have disagreed on whether individuals have a right of civil action against state and county governments when these individuals believe state or county agencies are not complying with section 7 of the Privacy Act. For example, a Ninth Circuit Court of Appeals decision held that individuals do not have a right of action against state and local governments for violating the Privacy Act.[Footnote 28] Conversely, other courts have recognized implied remedies against state governments for violations of the act. For example, in Louisiana, a district court ordered that the state stop asking for SSNs as a prerequisite to voter registration, based partially on the court's determination that the Louisiana commissioner of elections was violating section 7 of the act.[Footnote 29] Similarly, a district court found that Virginia violated the act when collecting SSNs for voter registration because it did not provide required notice when requesting individuals' SSNs.[Footnote 30] More Can Be Done to Protect SSNs from Improper Public Disclosure: When government agencies collect SSNs that are not part of public records, they have a number of options available to them to limit the risk of improper disclosure. These agencies can: * use numbers other than SSNs for some program activities; * implement a number of controls to ensure that when they use SSNs, they are properly safeguarded; and; * limit the use of SSNs on documents that may be viewed by others who do not have a need to access this personal information. Some Agencies Use Alternate Numbers, but Most Report it Would Be Difficult to Stop Using SSNs: Despite the widespread use of SSNs at all levels of government, not all agencies use the SSN. Some respondents (19 from state departments and 33 from county departments) reported that they do not obtain, receive, or use the SSNs of program participants, service recipients, or individual members of the public. Moreover, of those who do use the SSN, not all use it as their primary identification number for record- keeping purposes. Of federal respondents, 65 percent use SSN as their primary identifier, while 50 percent of state and 38 percent of county agencies reported doing so. In addition, when agencies do use the SSN as their primary identification number, some agencies also maintain an alternative number that is used in addition to or in lieu of SSNs for certain activities. In fact, at least one-fourth of the respondents across all levels of government said they used SSNs as the primary identifier and also assigned alternative identifiers (38 federal, 30 state, and 25 percent county). There are a number of reasons why agencies use identification numbers other than SSNs. Officials from two county health departments told us that they do not require applicants for the Women, Infant, and Children Program to provide their SSNs because eligibility is determined based on client-provided information.[Footnote 31] Under these circumstances, program administrators do not need to use SSNs to match data to verify program eligibility. Two officials said that their county health departments use numbers the departments assign as the primary identifier. In such cases, however, health care providers may use SSNs to track patients' medical care across multiple providers or to coordinate benefit payments. Finally, law enforcement agencies we met with are less likely to consider SSNs as their primary identification number because criminals often have multiple or stolen identities and SSNs. We asked those agencies that used SSNs as their primary identifier and did not use alternate identification numbers how difficult it would be to change their procedures to permit using different identification numbers in place of SSNs. More than 85 percent of agencies in this category at all levels of government reported that it would be somewhat or very difficult to make this change (93 percent of federal agencies, 93 percent of state agencies, and 87 percent of county agencies). The top four reported reasons why programs might have difficulty making these changes, were (1) that it would prevent interfacing with the computer systems of other departments or programs that use SSNs, (2) it would be too costly, (3) the program's current software would not support the change, and (4) it would require a change in law. Many Agencies Using SSNs to Administer Programs Do Not Have in Place Uniform Information Security Controls: When government agencies collect and use SSNs as an essential component of their operations, they need to take steps to mitigate the risk of individuals gaining unauthorized access to SSNs or making improper disclosure or use of SSNs. As discussed earlier in this report, agencies at all levels of government use SSNs extensively for a wide range of purposes. Further, they store and use SSNs in varied formats. Over 90 percent of our survey respondents reported using both hard copy and electronic records containing SSNs when conducting their program activities. When using electronic media, many employ personal computers linked to computer networks to store and process the information they collect. This extensive use of SSNs, as well as the various ways in which SSNs are stored and accessed or shared, increase the risks to individuals' privacy and make it both important and challenging for agencies to take steps to safeguard these SSNs. Uniform guidelines that cut across all levels of government do not exist to specify what actions governments should take to safeguard personal information that includes SSNs. However, certain federal laws lay out a framework for federal agencies to follow when establishing information security programs to protect sensitive personal information, such as SSNs.[Footnote 32] The federal framework is consistent with strategies used by those private and public organizations that we previously reported have strong information security programs.[Footnote 33] The federal framework includes four principles that are important to an overall information security program. These are to periodically assess risk, implement policies and controls to mitigate risks, promote awareness of risks for information security, and continually monitor and evaluate information security practices. To gain a better understanding of whether agencies had in place measures to safeguard SSNs that are consistent with the federal framework, we selected eight commonly used practices found in information security programs—two for each principle. Use of these eight practices could give an indication that an agency has an information security program that follows the federal framework. [Footnote 34] We surveyed the federal, state, and county programs and agencies on their use of the following eight practices: Periodically assess risk: * Conduct risk assessments for computer systems that contain SSNs; * Develop written security plan for computer systems that contain SSNs. Implement policies and controls to mitigate risks: * Develop written policies for handling records with SSNs; * Control access to computerized records that contain SSNs, such as assigning different levels of access and using methods to identify employees (e.g., use ID cards, PINS, or passwords). Promote awareness of risks for information security: * Provide employees training or written materials on responsibilities for safeguarding records; * Take disciplinary actions against employees for noncompliance with policies, such as placing employees on probation, terminating employment, or referring to law enforcement. Continually monitor and evaluate information security practices: * Monitor employees' access to computerized records with SSNs, such as tracking browsing and unusual transactions; * Have computer systems independently audited. Responses to our survey indicate that agencies that administer programs at all levels of government are taking some steps to safeguard SSNs; however, potential weaknesses exist at all levels. Many survey respondents reported adopting some of the practices; however, none of the eight practices were uniformly adopted at any level of government. Of the eight practices, the largest percentage of agencies at all three levels of government combined reported controlling access to computerized records that contain SSNs and taking disciplinary actions against employees for noncompliance with policies. The smallest percentage of agencies at all three levels of government combined reported developing written policies for handling records with SSNs and having their information systems security independently audited. Overall, opportunities exist at all levels of government to increase protections against improper access, disclosure, or use of personal information, including SSNs. In general, when compared to state and county government agencies, a higher percentage of federal agencies reported using most of the eight practices. It is important to note that since 1996 we have consistently identified significant information security weaknesses across the federal government. In early 2002, based on a review of 24 of the largest federal agencies, we reported that federal agencies had not established information security programs consistent with legislative requirements.[Footnote 35] We found that significant information security weaknesses continued to exist in all major areas for information security programs. For example, (1) risk assessments had not been conducted for all computer systems, (2) polices may have been inadequate or excessive because risks had not been adequately assessed, (3) employees may have been unaware of their security responsibilities because agencies provided little or no training, and (4) effectiveness of security practices was unknown because of inadequate testing and evaluation of security controls. Further, in its February 2001 report to the Congress, OMB noted that many federal agencies have significant deficiencies in every important area of security.[Footnote 36] Although information security weaknesses may have been reported for certain states and counties, we are not aware of a comparable, comprehensive assessment of information security for either state or county government. Further, when SSNs are passed from a government agency to another entity, agencies need to take additional steps to continue protections for sensitive personal information that includes SSNs, such as imposing restrictions on the entities to help ensure that the SSNs are safeguarded. OMB guidance specifies a number of requirements federal agencies must follow for certain sharing of personal information. [Footnote 37] For example, the guidance specifies that federal agencies should prohibit recipient agencies from redisclosing data, except as allowed by law; employ effective security controls; and include mechanisms to hold recipients of data accountable for compliance. The guidance does not prescribe specific steps agencies should take when sharing information containing SSNs and other personal information. Moreover, although state and county governments may establish their own requirements, these would apply only to their respective jurisdiction. In the absence of uniform prescribed steps agencies should take when sharing data, we surveyed agencies on whether they implemented selected requirements when sharing information containing SSNs with outside entities. As shown in table 5, agency responses indicate that, although most include security requirements in contracts or data sharing agreements, many did not have a process in place to ensure compliance. Most agencies reported requiring those receiving personal data to restrict access to and disclosure of records containing SSNs to authorized persons and to keep records in secured locations. However, fewer agencies reported having provisions in place to oversee or enforce compliance. For example, only about half of the agencies at all levels of government combined reported using audits to monitor receivers' compliance with requirements. As a result, there is little assurance that entities receiving SSNs from government agencies have upheld their obligation to protect the confidentiality and security of SSNs. Table 5: Percentage of Program Agencies That Report Imposing Selected Requirements on Outside Entities When Sharing SSNs: Requirement imposed on receivers: SSNs must be safeguarded; Access to SSNs must be restricted to authorized persons: Government agencies sharing SSNs, Federal: 100% (33); Government agencies sharing SSNs, State: 90%; (134); Government agencies sharing SSNs, County: 84%; (76). Disclosure of SSNs must be restricted to authorized persons: Government agencies sharing SSNs, Federal: 88%; (33); Government agencies sharing SSNs, State: 92%; (135); Government agencies sharing SSNs, County: 81%; (78). Records with SSNs must be kept in secure location: Government agencies sharing SSNs, Federal: 97%; (33); Government agencies sharing SSNs, State: 88%; (135); Government agencies sharing SSNs, County: 78%; (78). Requirement imposed on receivers: Oversight provisions; Entity must self-report compliance; Government agencies sharing SSNs, Federal: 34%; (32); Government agencies sharing SSNs, State: 32%; (120); Government agencies sharing SSNs, County: 29%; (76). Entity must be independently audited for compliance: Government agencies sharing SSNs, Federal: 59%; (32); Government agencies sharing SSNs, State: 55%; (124); Government agencies sharing SSNs, County: 50%; (76). Agency imposes penalties for noncompliance; Government agencies sharing SSNs, Federal: 67%; (30); Government agencies sharing SSNs, State: 69%; (124); Government agencies sharing SSNs, County: 50%; (76). Legend: The number in parentheses is the number of respondents upon which the percentage is based. Source: GAO survey of federal, state, and county departments and agencies, using responses from those that reported sharing SSNs. Table includes departments and agencies that administer programs for the public and excludes courts, county recorders, and state licensing agencies. [End of table] Efforts are underway at the federal level to more closely review individual federal agencies' security practices. At the direction of the President's Council on Integrity and Efficiency, officials from 15 federal agencies' offices of the inspector general are reviewing their respective agency practices in using and safeguarding SSNs. At the state and county levels, opportunities exist for associations that represent these jurisdictions nationwide to conduct educational programs to highlight the importance of safeguarding SSNs, encourage agencies to strengthen how they safeguard SSNs, and develop recommended policies and practices for safeguarding SSNs.[Footnote 38] Some Agencies Are Beginning to Take Steps to Limit SSN Display on Documents That May Be Viewed by Others: We identified a number of instances where the Congress or governmental entities have taken or are considering action to reduce the presence of SSNs on documents that may be viewed by others who may not have a need to view this personal information. Examples of recent efforts to reduce display follow. * Treasury relocated the placement of SSNs on Treasury checks to a location that cannot be viewed through the envelope window. * The Defense Commissary Agency stopped requiring SSNs on checks written by members because of concerns about improper use of the SSNs and identity theft.[Footnote 39] * SSA has truncated individuals' SSNs that appear on the approximately 120 million benefits statements it mails each year. At the top of this statement, SSA has included a notice warning individuals to protect their SSNs. * A state comptroller's office changed its procedures so that it now offers vendors the option of not displaying SSNs on their business permits. * One state has a statute that prohibits display of SSNs on licenses issued by the state's health department. * Some states have passed laws prohibiting the use of SSNs as a student identification number. * Almost all states have modified their policies on placing SSNs on state drivers' licenses. Although it was common practice to find SSNs on licenses only a few years ago, today only ten states routinely display SSNs as a recognizable nine-digit number.[Footnote 40] It is important to note that these steps to limit the display of SSNs do not mean the agency has stopped collecting SSNs. In fact, in some cases, the agency may be required by law to collect the SSN but the number need not always be placed on a document or record that is seen by the public. Agencies are taking these actions even though it is not clear that the SSN displays we identified are, in fact, prohibited. Limitations on disclosing the SSN vary from use to use and among governmental entities. For example, on the federal level, the Privacy Act permits the disclosure of information in a record covered by the act if the agency can show that the use is compatible with the purpose for which it was collected. At the state level, depending on the state and applicable state laws, information about public employees may be considered public information and available upon request. Nonetheless, the efforts to reduce display suggest a growing awareness that SSNs are private information, and the risk to the individual of placing an SSN on a document that others can see may be greater than the benefit to the agency of using the SSN in this manner. However, despite this growing awareness and the actions cited above, many government agencies continue to display SSNs on a variety of documents that can be seen by others. In addition to the above actions taken by agencies at different levels of government, several bills have been introduced in the Congress that propose to more broadly limit or restrict the display of SSNs by all government entities. For example, some specifically prohibit SSN display on benefit checks or employee identity badges. Open Nature of Certain Government Records Results in Wide Access to SSNs: Many of the respondents to our survey reported maintaining public records that contain SSNs. Many of these records are maintained by county clerks or recorders and certain state agencies. In addition, courts at all three levels of government maintain records that contain SSNs and are available to the public. Some of the documents in these records that contain SSNs are created by the governmental entity itself, while others are submitted by members of the public, attorneys, or financial institutions. The public has traditionally gained access to these public records by visiting the offices where they are maintained and requesting certain documents or by browsing among hard copies or microfilm to find the desired information. This has served, at least in part, as a practical deterrent to the widespread collection and use of others' SSNs from public records. However, the growth of electronic record keeping has enabled a few agencies to provide or even sell their data in bulk. Moreover, although few entities report making SSNs available on the Internet, several officials told us they are considering expanding the volume and type of public records available on their Web site. Many State and County Public Records Contain SSNs: As shown in table 6, all of the federal courts and over two-thirds of the state and county courts, county recorders, and state licensing agencies that reported maintaining public records indicated that these records contained SSNs. In addition, some program agencies also reported maintaining public records that contain SSNs. (For more information on the types of federal programs and state and county agencies that reported maintaining public records, see appendix III). Table 6: Of Courts, County Recorders, and State Licensing Agencies; and of Program Agencies That Maintain Public Records, Percentage That Maintain Public Records That Contain SSNs: Courts, recorders, and licensing agencies that maintain public records with SSNs: Federal: 100%; (3)[A]; State: 68% (31); County: 77%; (95). Program agencies that maintain public records with SSNs: Federal: 23%; (22); State: 29%; (189); County: 33%; (140). [A] All three respondents were from federal courts. Legend: The number in parentheses is the number of respondents upon which the percentage is based. Source: Data from GAO survey of federal, state, and county departments and agencies. [End of table] County clerks or recorders (hereinafter referred to as recorders) and certain state agencies often maintain records that contain SSNs because these offices have traditionally been the repository for key information that, among other things, chronicles various life events and other activities of individuals as they interface with government.[Footnote 41] For example, they often maintain records on an individual's birth, marriage, and death. They maintain documentation that an individual has been licensed to work in certain professions, such as medical, legal, and public accounting. In addition, they may maintain documentation on certain transactions, such as property ownership and title transfer. This is done, according to recorders we met with, to make ownership known and detect any liens on a parcel of land before making a purchase. SSNs appear in these public records for a number of reasons. They may already be a part of a document that is submitted to a recorder for official preservation. For example, military veterans are encouraged to file their discharge papers with their local recorder's office to establish a readily available record of their military service, and these documents contain the SSN because that number is the individual's military identification number.[Footnote 42] Also, documents that record financial transactions, such as tax liens and property settlements, contain SSNs to help identify the correct individual. In other cases, government officials are required by law to collect SSNs. For example, to aid in locating noncustodial parents who are delinquent in their child support payments, the federal Personal Responsibility and Work Opportunity Reconciliation Act of 1996 requires that states have laws in effect to collect SSNs on applications for marriage, professional, and occupational licenses. Moreover, some state laws allow government entities to collect SSNs on voter registries to help avoid duplicate registrations. Again, although the law requires public entities to collect the SSN as part of these activities, this does not necessarily mean that the SSNs always must be placed on the document that becomes part of the public record. Figure 3 shows the percentage of state and county entities that display SSNs on each of the types of public records listed. Figure 3: Percentage of State and County Entities that Display SSNs on Each of the Types of Public Records Listed: [Refer to PDF for image: vertical bar graph] Record: Death certificates; State (N = 49): 41%; County (N = 92): 54%. Record: Property settlement documents; State (N = 49): 27%; County (N = 92): 42%. Record: Land ownership records; State (N = 49): 16%; County (N = 92): 41%. Record: Birth certificates; State (N = 49): 24%; County (N = 92): 33%. Record: Marriage permits/licenses; State (N = 49): 27%; County (N = 92): 30%. Record: Professional/occupational licenses; State (N = 49): 59%; County (N = 92): 26%. Record: Taxpayer records; State (N = 49): 18%; County (N = 92): 17%. Record: Jury lists; State (N = 49): 18%; County (N = 92): 17%. Record: Voter registries; State (N = 49): 2%; County (N = 92): 9%. Legend: N is the number of respondents upon which the percentage is based. Source: GAO surveys of state and county government agencies, using responses from those that reported maintaining at least one of the above listed public records containing SSNs. [End of figure] Courts at all three levels of government also collect and maintain records that are routinely made available to the public. Court records overall are presumed to be public; however, each court may have its own rules or practices governing the release of information.[Footnote 43] The rationale for making these records public is that keeping court activities open helps ensure that justice is administered fairly. In addition, the legal requirement that bankruptcy court documents remain open for public inspection is to ensure that bankruptcy proceedings take place in a public forum to best serve the rights of both creditors and debtors. As with recorders, SSNs appear in court documents for a variety of reasons. In many cases, SSNs are already a part of documents that are submitted by attorneys or individuals. These documents could be submitted as part of the evidence for a proceeding or could be included as part of a petition for an action, such as a judgment or a divorce. In other cases, courts include SSNs on documents they and other government officials create, such as criminal summonses, arrest warrants, and judgments, to increase the likelihood that the correct individual is affected (i.e., to avoid arresting the wrong John Smith). In some cases federal law requires that SSNs be placed in certain records that courts maintain. For example, the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 requires that SSNs be placed in records that pertain to child support orders, divorce decrees, and paternity determinations. Again, this assists child support enforcement agencies in efforts to help parents collect money that is owed to them. These documents may also be maintained at county clerk or recorders' offices. Figure 4 shows percentage of state and county entities that display SSNs on each of the types of public records listed. Figure 4: Percentage of State and County Entities that Display SSNs on Each of the Types of Public Records Listed: Record: Judgments; State (N = 45): 58%; County (N = 86): 65%. Record: Child support orders; State (N = 45): 60%; County (N = 86): 50%. Record: Divorce petitions/decrees; State (N = 45): 53%; County (N = 86): 45%. Record: Child custody documents; State (N = 45): 47%; County (N = 86): 40%. Record: Paternity determinations; State (N = 45): 44%; County (N = 86): 31%. Legend: N is the number of respondents upon which the percentage is based. Source: GAO survey of state and county government agencies, using responses from state county courts and county recorders that report maintaining at least one of the above listed records containing SSNs. [End of figure] When federal, state, or county entities, including courts, maintain public records, they are generally prohibited from altering the formal documents. Officials told us that their primary responsibility is to preserve the integrity of the record rather than protecting the privacy of the individual named in the record. Officials told us they believe they have no choice but to accept the documents with the SSNs and fulfill the responsibility of their office by making them available to the general public. Traditional Access to Public Records Has Practical Limitations That Would Not Exist on the Internet: Traditionally, the public has been able to gain access to SSNs contained in public records by visiting the recorder's office, state office, or court house; however, the requirement to visit a physical location and request or search for information on a case-by-case basis offers some measure of protection against the widespread collection and use of others' SSNs from public records.[Footnote 44] Depending on the local practice, a member of the public may request specific documents from a clerk or may be able to browse through thousands of hard copies of documents, often dating back many decades or more. In addition, some counties make available documents that have been microfilmed or microfiched. Under these circumstances, it may be somewhat easier to find information on individuals; however, the information available would be limited to the type of record that is microfilmed (e.g., property settlement documents). In other words, the effort involved in obtaining documents by visiting local offices in effect helps insulate individuals from possible harm that could result from SSN misuse because of the time and effort required. A county recorder told us that the individuals willing to expend the time and effort to visit local offices to review public records generally have a business need to do so. However, this limited access to information in public records is not always the case. We found examples where members of the public can obtain easy access to larger volumes of documents containing SSNs. Some offices that maintain public records offer computer terminals set up where individuals can look up electronic files from a site-specific database. In one of the offices we visited, documents containing SSNs that are otherwise accessible to the public are also made available in bulk to certain groups. In one county we visited, title companies have an arrangement to scan court documents to add to their own databases before the documents are filed in the county recorder's office. When comparing the sharing practices of courts, state licensing agencies, and county recorders to program agencies that collect and use SSNs, a higher percentage of county recorders reported sharing information containing SSNs with credit bureaus, researchers, debt collection agencies, private investigators, and marketing companies. When courts, state licensing agencies, or county recorders share public records containing SSNs, they do not restrict receivers' use or disclosure of the data. Government offices may charge fees when providing copies of records in various formats that may contain SSNs and other personal information. More than 20 percent of county agencies and 25 percent of state agencies reported charging fees when providing SSNs to a contractor, researcher, individual, or other entity during the last 12 months. [Footnote 45] In most cases, the fees only covered costs for providing the information. However, 13 percent of the state respondents and 44 percent of the county respondents that charged fees reported making a profit from charging a fee. At the state level, the smallest profit reported from this sale of records over the last 12 months was $5,000, and the largest was $2,068,400. On the county level, the smallest profit reported over the same period was $200, and the largest was more than $2 million. The range in revenue may be partially explained by the fact that officials from these agencies may sell these records to individuals requesting one or a small number of documents, or they may sell these records in bulk. For example, one state sells its unclaimed property database, which often contains SSNs. Finally, few agencies reported that they place SSNs on their Internet sites; however, this practice may be growing. Of those agencies that reported having public records containing SSNs, only 3 percent of the state respondents and 9 percent of the county respondents reported that the public can access these documents on their Web site. In some cases, such as the federal courts, documents containing SSNs are available on the Internet only to paid subscribers. In other cases, large numbers of SSNs may be available to the general public. For example, one state's Office of the Comptroller of Public Accounts displays SSNs of business owners on their public web site embedded in Vendor/Taxpayer Identification Numbers. Moreover, increasing numbers of departments are moving toward placing more information on the Internet. We spoke with several officials that described their goals for having records available electronically within the next few years. Providing this easy access of records potentially could increase the opportunity to obtain records that contain SSNs that otherwise would not have been obtained by visiting the government agency. Some Governments and Agencies Are Taking Innovative Actions to Limit Use and Display of SSNS in Public Records: When SSNs are found in public records, some government entities are trying to strike a new balance between their responsibility to allow the general public access to documents that have traditionally been made available for public review and an increased interest in protecting the privacy of individuals. This is possible primarily for those records the agency or court creates. In these cases, the government entity may still collect SSNs, which may be required by law or important for record-keeping purposes, but the number itself need not be displayed. For those records and documents submitted by others, it is more difficult to exclude the SSN unless the individual or business preparing the document omits it before submission. Alternatives to Displaying SSNs in Public Records Exist: When government agencies create public documents or records, such as marriage licenses, some are trying new innovative approaches that protect SSNs from public display. Some agencies have developed alternative types of forms to keep SSNs and other personal information separate from the portion of a document that is accessible to the general public. In these cases, even if the government agency is required by law to record the SSN, the number does not always need to be displayed on the copy of the document that is made available to the public.[Footnote 46] Changing how the information is captured on the form can help solve the dilemma of many county recorders who, because they are the official record keepers of the county, are usually not allowed to alter an original document after it is officially filed in their office. For example, a county recorder told us that Virginia recently changed its three part marriage application and license form. Currently, only one copy of the form is routinely made available to the general public and that copy does not contain the SSN while the other two copies do contain the SSN. However, a county recorder told us that even this seemingly simple change in the format of a document can be challenging because, in some cases, the forms used for certain transactions are prescribed by the state. In addition to these efforts at recorders offices, courts at all three levels of government have made efforts to protect SSNs in documents that the general public can access through court clerk offices. For example, one state court offers the option of filing a separate form containing the SSN that is then kept separate from the part of the record that is available for public inspection. These solutions, however, are most effective when the recorder's office, state agencies, and courts prepare the documents themselves. In those many instances where others file the documents, such as individuals, attorneys, or financial institutions, the receiving agency has less control over what is contained in the document and, in many cases, must accept it as submitted. Officials told us that, in these cases, educating the individuals who submit the documents for the record may be the most effective way to reduce the appearance of SSNs. Such educational efforts could begin with informing individuals who submit documents to these offices that, once submitted, anything in that document is open to the public for review.[Footnote 47] For example, one individual who submitted his military discharge papers to his county recorder's office expressed concern about having done so after he found out that his document was available for anyone to review. Several officials suggested placing signs in offices where public records are maintained. Others suggested finding additional ways to notify the public of the nature of public records and the consequences of submitting documents with SSNs on them.[Footnote 48] In addition, financial institutions, title companies, and attorneys submit a large portion of the documents that become part of the public record in recorder's offices and the courts. These entities could begin to consider whether SSNs are required on the documents they submit. It may be possible to limit the display of SSNs on some of these documents or, where SSNs are deemed necessary to help identify the subject of the documents, it may be possible to truncate the SSN to the last four digits. While the above options are available for public records created after an office institutes changes, fewer options exist to limit the availability of SSNs in records that have already been officially filed or created. One option is redacting or removing SSNs from documents before they are made available to the general public. In our fieldwork, we found instances where departments redact SSNs from copies of documents that are made available to the general public, but these tended to be situations where the volume of records and number of requests were minimal, such as in a small county. Most other officials told us redaction was not a practical alternative for public records their offices maintain. Although redaction would reduce the likelihood of SSNs being released to the general public, we were told it is time-consuming, labor intensive, difficult, and in some cases would require change in law. In documents filed by others outside of the office, SSNs do not appear in a uniform place and could appear many times throughout a document. In these cases, it is particularly labor-intensive and a lengthy process to find and redact SSNs. In addition, especially in large offices that receive hundreds of requests for general public documents per day, we were told redacting SSNs from each document before giving it to a member of the general public would require significant staff resources. In one large urban county, the district clerk's office sells about 930,000 certified pages a year from family law cases. The district clerk estimates that it would cost his office an additional $1 million per year in staff time and related expenses to redact SSNs from all of those documents before they are made available to the general public. Moreover, redaction would be less effective in those offices where members of the general public can inspect and copy large numbers of documents without supervision from office staff. In these situations, officials told us that they could change their procedures for documents that they collect in the future, but it would be extremely difficult and expensive to redact SSNs on documents that have already been collected and filed. In several of these offices we visited, documents are available in hard copy, on microfilm, on microfiche, or in electronic format. Copies of thousands of documents, often dating back many decades or more, are kept in large rooms where anyone can browse through them. In addition, some counties have computer terminals set up where individuals can look up electronic files on their own. In these cases, the only way to prevent disclosure of SSNs would be to redact them from all of the past records, which officials told us would be extraordinarily costly and in some cases (e.g., on microfiche and electronically scanned documents) would be extremely difficult. Some of the bills currently before the Congress call for redacting SSNs from public records or otherwise ensuring that the public does not have access to the numbers. In some cases, the proposals would apply to all SSN displays originally occurring after 3 years from the date of their enactment. In other cases, the proposal calls for redacting all SSNs that are routinely placed in a consistent and predictable manner on a public record by the government entity, but it would not require redacting SSNs that are found in varying places throughout the record. Agencies Are Considering Limiting Information Placed on the Internet: To protect SSNs that the general public can access on the Internet, some courts and government agencies are examining their policies to decide whether SSNs should be made available on documents on their Web sites. In our fieldwork, we heard many discussions of this issue, which is particularly problematic for courts and recorders, who have a responsibility to make large volumes of documents accessible to the general public. On the one hand, officials told us placing their records on the Internet would simply facilitate the general public's ability to access the information. Furthermore, officials expressed concern that placing documents on the Internet would remove the natural deterrent of having to travel to the courthouse or recorder's office to obtain personal information on individuals. Again, we found examples where government entities are searching for ways to strike a balance. For example, the Judicial Conference of the United States recently released a statement on electronic case file availability and Internet use in federal courts. They recommended that documents in civil cases and bankruptcy cases should be made available electronically, but SSNs contained in the documents should be truncated to the last four digits. Also, we spoke to one county recorder's office that had recently put many of its documents on their web site, but had decided not to include categories of documents that were known to contain SSNs. In addition, some states are taking action to limit the display of SSNs on the Internet. Laws in Arizona and Rhode Island prohibit the display of students' SSNs on the Internet. Even though the incidence of SSNs on government Web sites is minimal right now, some officials told us they were considering or were in the process of making more documents available on the Internet. Without some kind of forethought about the inherent risk posed by making SSNs and other personal information available on the Internet, it is possible that SSNs will become increasingly available to the general public via the Internet. Statewide Efforts Have Had Far-Reaching Effects: The examples of efforts to limit the disclosure of SSNs cited above stem from initiatives taken by certain offices within states or from state laws that restrict specific types of SSN uses. By their nature, these efforts are limited only to the specific offices or types of use. However, efforts to protect individuals' privacy can be more far- reaching when the initiatives are statewide. For example, in April 2000, the governor of Washington signed an executive order intended to strengthen privacy protections for personal information held by state agencies on the citizens, as well as ensure that state agencies comply fully with state public disclosure and open government laws. Under Washington's executive order, state agencies are required to protect personal information to the maximum extent possible by (1) minimizing the collection, retention, and release of personal information by the state,(2) prohibiting the unauthorized sale of citizens' personal information by state government, and (3) making certain that businesses that contract with the state use personal information only for the contract purposes and cannot keep or sell the information for other purposes. A number of actions to limit SSN use and display resulted from this order. In response to the executive order, state agencies across Washington reviewed their forms and documents on which SSNs appeared and identified displays that were deemed unnecessary, that is, displays where the appearance of the SSN on the document was not deemed vital to the business of the agency. In these cases, agency officials removed the SSNs from the forms or documents. For example, the state Department of Natural Resources removed SSNs from employee performance evaluation notices and worklists, individual employee training profiles, and employee exit questionnaire forms. Officials told us that they have also discontinued requiring SSNs on leave requests, travel reimbursements, and training forms. The Washington Office of the Attorney General deleted SSNs from training and attendance forms, personnel questionnaires, employee separation forms, flexiplace work schedule forms, and others. In addition, the Washington Department of Labor and Industries separated information in personnel files that may be reviewed by supervisors from payroll documents. In addition, private information, such as SSNs, is being redacted from employee documents that can be viewed by others, and applicants for jobs in a county we visited are not required to provide their SSN until they are offered a job. Washington agencies also changed the format of certain public records to limit the disclosure of SSNs. For example, the SSN and other personal information are only included on the back of the marriage certificate form, which is not supposed to be copied or given to the general public. In certain Washington courts, SSNs and other personal information required in family law cases must be written on a separate form from the rest of the court document, and this form is then kept in a restricted access file. This means that the public does not have access to the information, and internal access is limited to judges, commissioners, other court personnel, and certain state administrative agencies that administer family law programs. Anyone else requesting access to these case records must petition the court and make a showing of good cause as to why access should be granted. Agencies for Washington state also reviewed and certified all contracts involving data sharing as having appropriate requirements to prevent and detect contractors' unauthorized SSN use. In fact, we were told of one case where the Washington state Department of Licensing monitored a contractor's compliance with maintaining the privacy of personal information by, in part, providing the contractor with certain easily identifiable information that other entities did not have. By tracing the flow if this information, officials discovered that the contractor had improperly disclosed personal information and terminated the contract. Minnesota is another example of a state where action on the state level, in this case in the form of a law, has made a difference in how SSNs are treated in public records. The Minnesota Government Data Practices Act, which predates the federal Privacy Act, regulates the handling of all government data that are created, collected, received, or released by a state entity, political subdivision, or statewide system, no matter what form the data are in, or how they are stored or used. Referred to as the nation's first privacy act, Minnesota's statute regulates what information can be collected, who can see or have copies of the information, and civil penalties for violation of the act. Minnesota uses a detailed approach to classifying data as not public. One statutory provision specifically classifies SSNs collected by state and local government agencies as not public. As a result of this law, individuals must be informed either orally or in writing of their privacy rights whenever the state collects sensitive information about them. In addition, individuals filing a civil court document can either put their personal information on a separate form or submit two copies of the document, only one of which contains SSNs. The information containing SSNs is then filed separately from the rest of the court document and is not open to the general public. Neither state tracked costs for making changes to better protect personal information, such as SSNs. Generally, state officials reported that the costs for implementing the initiative in Washington and carrying out the state statute in Minnesota are absorbed in the cost of the states' overall operations. Conclusions: SSNs are widely used in all levels of government and play a central role in how government entities conduct their business. As unique identifiers, SSNs are used to help make record keeping more efficient and are most useful when government entities share information about individuals with others outside their organization. The various benefits from sharing data help ensure that government agencies fulfill their mission and meet their obligation to the taxpayer by, for example, making sure that the programs serve only those eligible for services. However, as governments enjoy the benefits from using SSNs, they are not consistently safeguarding this personal information. They are not consistently providing individuals with required information about how their numbers will be used, thus depriving SSN holders of the basis to make a fully informed decision about whether to provide their SSN. Nor do governments have in place uniform information systems security measures. This suggests that these numbers and other sensitive information are at risk for improper disclosure and that more can be done to implement practices to help protect them. Further, when government agencies display the SSN on documents, such as employee identification badges and benefit eligibility cards, that are viewed by others who may not have a need for this personal information, the agency displaying the SSN increases the risk that the number may be improperly obtained and misused. In some cases, the risk for misuse may outweigh any benefit of its display. Safeguarding SSNs in public records offers an even greater challenge because of the inherent tension between the nature of public records, that is, the need for transparency in government activities, and the need to protect individuals' privacy. Plans to bring public records on- line and make them available over the Internet add urgency to this issue. Although the on-line access to such records will greatly increase convenience for those members of the public who use them, personal information like SSNs that is contained in some of these records will also be made readily available to the public. Addressing the issues of whether the traditional rules of public access should apply to electronic records, particularly those found on the Internet, is both urgent and vital. Without policies specifying ways to safeguard SSNs on the Internet, the potential for compromising individuals' privacy and the potential for SSN misuse will increase significantly. Further, although improving safeguards for government use of SSNs and other personal information is important, even the most successful efforts by government agencies cannot eliminate the risk to individuals that their SSNs will be misused because SSNs are so widely used in the private sector as well. Any effort to significantly reduce the risk of improper disclosure and misuse of SSNs would require added safeguards and limits on private sector use and display of the SSN as well. Nonetheless, measures to protect privacy by public sector entities could at least help minimize the risk of misuse. Under current law, weaknesses in the safeguards applied to SSNs can be more readily addressed in the federal government than in the state and local governments. Federal laws lay out a framework for information systems security programs to help protect sensitive information overall. More specific to the SSN, the Privacy Act places broad restrictions on federal government use and disclosure of personal information such as the SSN. Improved federal implementation of these requirements can be accomplished within current law. On the state and local level, the Privacy Act does have a provision that applies to state and local governments albeit more limited than the requirements on the federal government. This requirement—that all levels of government provide certain information to SSN holders, such as how their SSNs will be used—is not consistently applied. However, strengthening enforcement of this provision of the act, while important, will not address the more basic protection issues related to information security and public display. Doing so by mandating stronger state and local government safeguards for such personal information as the SSN, however, confronts questions of jurisdiction and policy that are beyond the scope of this report. Nonetheless, such questions should be addressed quickly, before public sector information is compromised and before public records become fully electronic. Accordingly, we are making recommendations to OMB to help strengthen safeguards in federal agencies, and we are presenting a matter for congressional consideration to facilitate intergovernmental collaboration in strengthening safeguards at the state and local levels. Recommendations: The Privacy Act and other federal laws prescribe actions federal departments and agencies must take to assure the security of SSNs and other personal information. Because these requirements may not be uniformly observed, we recommend that the administrator, Office of Information and Regulatory Affairs, OMB, direct federal agencies to review their practices for securing SSNs and providing required information. As part of this effort, agencies should also review their practices for displaying SSNs. To better inform state and local governments of their responsibilities under section 7 of the Privacy Act, we recommend that the administrator, Office of Information and Regulatory Affairs, OMB, direct his staff to augment the Privacy Act guidance by specifically noting that section 7 applies to all federal, state and local government agencies that request SSNs, or take other appropriate steps. To address SSN security and display issues in state and local government and in public records, including those maintained by the judicial branch of government at all levels, the Congress may wish to convene, in consultation with the president, a representative group of federal, state and local officials including, for example, state attorneys general, county recorders, and state and local chief information officers, selected members of the Congress, and state or local elected officials, to develop a unified approach to safeguarding SSNs used in all levels of government and particularly those displayed in public records. This approach could include recommendations for congressional consideration. GAO could assist in identifying representative participants and in convening the group. Agency Comments: We requested comments on a draft of this report from the director of OMB and the commissioner of SSA or their designees. We also requested that other officials review the technical accuracy of their respective agency or entity activities discussed in the draft, and we incorporated their changes where appropriate. SSA officials informed us that they would not provide written comments on the draft because the report does not make recommendations to the agency and comments were not required. However, we were told that the deputy commissioner shares the concerns expressed in the report and agrees with the conclusions. We did not receive written comments from the OMB director; however, other OMB officials provided us oral comments on the draft. They generally agreed with our recommendation that OMB direct federal agencies to review their practices for securing SSNs and providing the required information. In regard to our recommendation that OMB augment Privacy Act guidance or take other appropriate steps to better inform state and local governments of their responsibilities under section 7 of the Act, OMB officials told us that they are unsure of the need for additional OMB guidance in this area. They indicated that guidance on section 7 already exists in a publicly-available format on the Justice Department's Web site. In addition, they believe the section 7 provision is quite short and appears to be fairly self-explanatory. As the guidance in the Justice Web site indicates, some interpretive issues have arisen in litigation; however, OMB officials said the Justice guidance readily explains those issues. In addition, they said, the report does not indicate substantive areas where additional interpretive guidance is needed. However, they noted that the report does suggest that state and local officials may not be aware of section 7 provisions. In that case, they said increasing awareness of these legal requirements may warrant further consideration. Accordingly, OMB plans to consider, in consultation with other federal agencies, options for increasing state and local officials' awareness on this subject. Although OMB correctly points out that the overview of the Privacy Act on the Department of Justice Web site refers to the requirements of section 7, we believe our finding that a significant percentage of state and local agencies reported they do not routinely provide individuals with the information required under section 7 supports the need for additional action. We agree that state and local officials may not be aware of section 7 requirements, and we believe there is a need to increase the awareness both of state and local officials administering the programs and of those monitoring compliance at the state and local levels. Because OMB is the federal agency responsible for assisting with and overseeing the implementation of the Privacy Act, we believe it should take the lead on increasing state and local awareness of section 7. However, we recognize that OMB's role with respect to state and local governments is limited and support the agency's idea to act in consultation with other federal agencies to take other steps it deems appropriate to accomplish this increased awareness. We are sending copies of this report to the Honorable Jo Anne B. Barnhart, commissioner of SSA, Mr. Mitchell E. Daniels Jr., the director of OMB, and others who are interested. Copies will also be made available to others upon request. If you or your staff have any questions concerning this report, please call me on (202) 512-7215. The major contributors to this report are listed in appendix IV. Sincerely yours, Signed by: Barbara D. Bovbjerg: Director, Education, Workforce, and Income Security Issues: [End of section] Appendix I: Scope and Methodology: To complete the objectives for this assignment, we used a combination of in-depth interviews, site visits, and mail surveys. To gain a preliminary understanding of how governments use and protect SSNs and to help design our survey and site-visit questions, we met with a number of government agencies, associations, and privacy experts. At the federal level, we interviewed officials from OMB, the Office of Personnel Management, SSA, and the FTC. At the state level, we interviewed officials from the National Governors Association, the National Association of State Auditors, Comptrollers, and Treasurers, the American Association of Motor Vehicle Administrators, the National Conference of State Legislatures, and the National Association of State Chief Information Officers, which represents state chief information officers, and the state of Maryland. At the county level, we interviewed officials from the National Association of County Election Officials, Clerks, and Recorders, the National Association of Counties, and Fairfax and Fauquier Counties, Virginia. We also met with or contacted officials/organizations regarded as experts in the privacy area, which included a privacy consultant and an official from the Privacy Journal. In addition, we reviewed published reports and studies on SSN use and privacy issues. To gain an understanding of the requirements for both using and protecting SSNs, we reviewed pertinent federal legislation, federal guidance and directives regarding the use and handling of SSNs and other personal information, GAO reports, and various studies of state SSN use and privacy laws. To develop our criteria for assessing the actions government agencies take to protect SSNs, we drew from applicable federal laws, primarily the Government Information Security Reform provisions of the Fiscal Year 2001 Defense Authorization Act, OMB Circular A-130 and other guidance, and the Federal Information System Controls Audit Manual that specifies guidelines for federal agencies to safeguard sensitive information stored in computer systems. We also drew from our work on best practices used by private companies and public sector organizations identified in our Executive Guide: Information Security Management, Learning From Leading Organizations.[Footnote 49] Finally, we held a 1-day seminar on innovative practices used by the private sector to protect sensitive information. Attendees included officials from the Private Sector Council and member firms, including Kaiser Permanente, a health care provider; State Street Bank, a large commercial bank; and Allstate, an insurance company. Our surveys, site visits, and in depth interviews with officials of targeted federal, state, and county programs focused on the following areas: how SSNs are used (for both programmatic and personnel-related purposes), how and why SSNs are shared with other entities (including contractors), what information programs provide individuals when agencies collect and use their SSNs, how agencies maintain and safeguard SSNs and other personal data, and the cost for minimizing use or implementing alternatives to using SSNs. At the federal level, we surveyed all 14 cabinet-level agencies plus the Environmental Protection Agency, the Small Business Administration, SSA, and the federal court system. The latter three agencies and the federal court system were added for breadth of coverage to ensure that we covered regulatory agencies, independent agencies, and courts.[Footnote 50] We asked that each agency identify the five programs that maintain documents containing the SSNs of the largest number of individuals and then asked representatives of those programs to complete a questionnaire. To the extent that an agency had a program whose primary purpose was to conduct research that used records with individuals' SSNs as part of that research, we asked that it be substituted for one of the five programs. Finally, we distributed a different survey to agency personnel offices to determine how agencies used and protected the SSNs of their employees. The federal agency and the federal personnel questionnaires were each pretested at least twice. Because we don't know how many programs within the federal agencies we surveyed maintain records containing individuals' SSNs, we cannot calculate a response rate for the federal agency questionnaire. In total, 58 federal programs, agencies, or courts returned a completed questionnaire. Of the 18 federal agencies to which we sent a questionnaire, 15 returned a completed questionnaire for at least one program. We now know that one of the 18 agencies that received a questionnaire did not have any programs that maintained records containing SSNs. In addition, 18 federal personnel offices received our personnel questionnaire, and of those 15 returned completed questionnaires, for a response rate of 83 percent. At the state level, our work covered all 50 states and the District of Columbia. In each state, we distributed the surveys to seven preselected programs or functions that were identified by others as likely to be ones that maintained documents containing the SSNs of the largest number of individuals. These included the departments of (1) human services, (2) health services and vital statistics, (3) education, (4) labor and licensing, (5) judiciary, (6) public safety and corrections, and (7) law enforcement.[Footnote 51] Finally, we also surveyed each state's personnel office. The state department and personnel questionnaires were each pretested twice. In total, 424 state programs or functions were mailed a questionnaire, and of those 307 returned completed questionnaires, for a response rate of 72 percent. In addition, of the 51 state personnel offices that were mailed our state personnel questionnaire, 42 completed and returned it, for a response rate of 82 percent. At the local level, we selected 90 counties with the largest populations in the nation as our focus. Our goal was to choose areas with large numbers of persons that would be affected by the way local government agencies handled SSNs. We again focused on those preselected programs or functions that county officials reported as ones that maintained documents containing the SSNs of the largest number of individuals. These are, in general, the same programs or functions that we focused on in the states; we also surveyed the county clerk or recorder, which was identified as a place that maintained a large number of records containing individuals' SSNs. Finally, we surveyed each county's personnel office. The county department and personnel questionnaires were each pretested twice. In total, 488 county programs or functions were mailed a questionnaire, and of those 344 returned completed questionnaires, for a response rate of 70 percent. In addition, 90 county personnel offices were mailed our county personnel questionnaire, and of those 64 completed and returned it, for a response rate of 71 percent. In-depth interviews and site visits to federal agencies, states, and counties were used to supplement the survey data by providing more detailed information on the uses of SSNs, reasons for their use, and challenges encountered in protecting them. Interviews and site visits for federal programs were selected based on breadth of coverage, novel or innovative steps to protect SSNs, and special interest by the requestors. We conducted in-depth interviews with officials from the (1) Federal Court System - Administrative Office of the U.S. Courts; (2) Centers for Medicare and Medicaid Services; (3) Department of Education's Student Financial Assistance; (4) Department of Housing and Urban Development's Low Income Housing Programs; (5) DOD Commissaries; and (6) the U.S. Marshals Service. At the state level, we conducted site visits to the states of Texas, Washington, and Minnesota. We selected these states because their legal framework and practices regarding the openness of government records and the privacy of individuals varied. Texas has a strong open records tradition; Washington state has an executive order in place that has serves to limit the availability of certain personal information; and Minnesota has a privacy law that also serves to limit the availability of certain types of information. At the county level, we conducted site visits to Harris County, Texas; King County, Washington; and Aitkin County in Minnesota.[Footnote 52] We visited counties located in states we selected for site visits to help us understand how state policy affects local practices. Also, we selected Aitkin County, Minnesota to gain the perspectives of a smaller rural county. During our site visits, we met with officials from the departments or agencies that were considered heavy users of SSNs. We also met on two occasions with a group of county clerks and recorders from urban and smaller rural counties. To provide information on the role of government use of SSNs in identity theft, we incorporated information provided by GAO's Tax Administration and Justice group, which was obtained as part of a broader effort to describe the prevalence and cost of identity theft.[Footnote 53] The information we used from that effort is based on interviews with and documentation provided by the FTC, SSA's Office of Inspector General, IRS, Federal Bureau of Investigation, U.S. Secret Service, and credit bureaus among others. We performed our work at SSA headquarters in Baltimore, Maryland; at Maryland state offices in Annapolis, Maryland; Washington D.C.; and at selected locations including Austin, Texas; Harris County, Texas; Olympia, Washington; King County, Washington; St. Paul Minnesota; and Aitkin County Minnesota. We conducted our work between February 2001 and March 2002 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Federal Laws That Restrict SSN Disclosure: The following federal laws establish a framework for restricting SSN disclosure: The Freedom of Information Act (FOIA) (5 U.S.C. 552) - This act establishes a presumption that records in the possession of agencies and departments of the executive branch of the federal government are accessible to the people. FOIA, as amended, provides that the public has a right of access to federal agency records, except for those records that are protected from disclosure by nine stated exemptions. One of these exemptions allows the federal government to withhold information about individuals in personnel and medical files and similar files when the disclosure would constitute a clearly unwarranted invasion of personal privacy. According to Department of Justice guidance, agencies should withhold SSNs under this FOIA exemption. This statute does not apply to state and local governments. The Privacy Act of 1974 (5 U.S.C. 552a) - The act regulates federal government agencies' collection, maintenance, use and disclosure of personal information maintained by agencies in a system of records. [Footnote 54] The act prohibits the disclosure of any record contained in a system of records unless the disclosure is made on the basis of a written request or prior written consent of the person to whom the records pertains, or is otherwise authorized by law. The act authorizes 12 exceptions under which an agency may disclose information in its records. However, these provisions do not apply to state and local governments, and state law varies widely regarding disclosure of personal information in state government agencies' control. There is one section of the Privacy Act, section 7, that does apply to state and local governments. Section 7 makes it unlawful for federal, state, and local agencies to deny an individual a right or benefit provided by law because of the individual's refusal to disclose his SSN. This provision does not apply (1) where federal law mandates disclosure of individuals' SSNs or (2) where a law existed prior to January 1, 1975 requiring disclosure of SSNs, for purposes of verifying the identity of individuals, to federal, state or local agencies maintaining a system of records existing and operating before that date. Section 7 also requires federal, state and local agencies, when requesting SSNs, to inform the individual (1) whether disclosure is voluntary or mandatory, (2) by what legal authority the SSN is solicited, and (3) what uses will be made of the SSN. The act contains a number of additional provisions that restrict federal agencies' use of personal information. For example, an agency must maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose required by statute or executive order of the president, and the agency must collect information to the greatest extent practicable directly from the individual when the information may result in an adverse determination about an individual's rights, benefits and privileges under federal programs. The Social Security Act Amendments of 1990 (42 U.S.C. 405(c)(2)(C)(viii)) - A provision of the Social Security Act bars disclosure by federal, state and local governments of SSNs collected pursuant to laws enacted on or after October 1, 1990. This provision of the act also contains criminal penalties for "unauthorized willful disclosures" of SSNs; the Department of Justice would determine whether to prosecute a willful disclosure violation. Because the act specifically cites willful disclosures, careless behavior or inadequate safeguards may not be subject to criminal prosecution. Moreover, applicability of the provision is further limited in many instances because it only applies to disclosure of SSNs collected in accordance with laws enacted on or after October 1, 1990. For SSNs collected by government entities pursuant to laws enacted before October 1, 1990, this provision does not apply and therefore, would not restrict disclosing the SSN. Finally, because the provision applies to disclosure of SSNs collected pursuant to laws requiring SSNs, it is not clear if the provision also applies to disclosure of SSNs collected without a statutory requirement to do so. This provision applies to federal, state and local governmental agencies; however, the applicability to courts is not clearly spelled out in the law. [End of section] Appendix III: Federal, State, and County Departments That Reported Maintaining Public Records With SSNs: The following tables provide additional information on the types of departments or agencies that reported maintaining records that are routinely made available to the public and, of those, the ones that reported that their public records contained SSNs. Table 7: Number of Programs within Federal Agencies That Responded to Our Survey and Maintain Public Records, Identify SSNs on Those Public Records, and Permit Access to Those Records on Their Web Sites: All federal programs: Maintain public records: Yes: 26; Maintain public records: No: 31; Public records identify SSNs: Yes: 7; Public records identify SSNs: No: 18; Public has access to records with SSNs via Web site: Yes: 3; Public has access to records with SSNs via Web site: No: 4. Agriculture: Maintain public records: Yes: 1; Maintain public records: No: 3; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 1; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Commerce: Maintain public records: Yes: 0; Maintain public records: No: 1; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 0; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Defense: Maintain public records: Yes: 1; Maintain public records: No: 2; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 1; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Education: Maintain public records: Yes: 2; Maintain public records: No: 3; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 2; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Health Human Services: Maintain public records: Yes: 0; Maintain public records: No: 2; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 0; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Housing Urban Development: Maintain public records: Yes: 2; Maintain public records: No: 3; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 2; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Interior: Maintain public records: Yes: 2; Maintain public records: No: 2; Public records identify SSNs: Yes: 1; Public records identify SSNs: No: 1; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 1; Justice: Maintain public records: Yes: 0; Maintain public records: No: 5; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 0; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Labor: Maintain public records: Yes: 4; Maintain public records: No: 1; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 4; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Transportation: Maintain public records: Yes: 1; Maintain public records: No: 3; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 1; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 1. Treasury: Maintain public records: Yes: 3; Maintain public records: No: 1; Public records identify SSNs: Yes: 1; Public records identify SSNs: No: 2; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 1. Veterans Administration: Maintain public records: Yes: 2; Maintain public records: No: 1; Public records identify SSNs: Yes: 1; Public records identify SSNs: No: 1; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 1. Small Business Administration: Maintain public records: Yes: 2; Maintain public records: No: 2; Public records identify SSNs: Yes: 0; Public records identify SSNs: No: 2; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 0. Social Security Administration: Maintain public records: Yes: 3; Maintain public records: No: 2; Public records identify SSNs: Yes: 1; Public records identify SSNs: No: 1; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 1. Federal Court System: Maintain public records: Yes: 3; Maintain public records: No: 0; Public records identify SSNs: Yes: 3; Public records identify SSNs: No: 0; Public has access to records with SSNs via Web site: Yes: 3; Public has access to records with SSNs via Web site: No: 0. Source: GAO survey of federal agencies. [End of table] Table 8: Number and Type of State Departments and Agencies That Maintain Public Records, Identify SSNs on Those Public Records, and Permit Access to Those Records on Their Web Sites: All state departments: Maintain public records: Yes: 241; Maintain public records: No: 36; Public records identify SSNs: Yes: 75; Public records identify SSNs: No: 145; Public has access to records with SSNs via Web site: Yes: 2; Public has access to records with SSNs via Web site: No: 70[A]. State Courts: Maintain public records: Yes: 26; Maintain public records: No: 5; Public records identify SSNs: Yes: 19; Public records identify SSNs: No: 5; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 17[A]. State Law Enforcement: Maintain public records: Yes: 26; Maintain public records: No: 3; Public records identify SSNs: Yes: 8; Public records identify SSNs: No: 16; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 8. State Human Services: Maintain public records: Yes: 31; Maintain public records: No: 4; Public records identify SSNs: Yes: 8; Public records identify SSNs: No: 20; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 8. State Health & Vital Statistics: Maintain public records: Yes: 28; Maintain public records: No: 4; Public records identify SSNs: Yes: 7; Public records identify SSNs: No: 17; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 7. State Labor: Maintain public records: Yes: 31; Maintain public records: No: 6; Public records identify SSNs: Yes: 7; Public records identify SSNs: No: 23; Public has access to records with SSNs via Web site: Yes: 1; Public has access to records with SSNs via Web site: No: 6. State Licensing: Maintain public records: Yes: 7; Maintain public records: No: 0; Public records identify SSNs: Yes: 2; Public records identify SSNs: No: 5; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 2. State Education (K-12): Maintain public records: Yes: 38; Maintain public records: No: 4; Public records identify SSNs: Yes: 11; Public records identify SSNs: No: 23; Public has access to records with SSNs via Web site: Yes: 1; Public has access to records with SSNs via Web site: No: 9. State Education (Higher Education): Maintain public records: Yes: 14; Maintain public records: No: 5; Public records identify SSNs: Yes: 1; Public records identify SSNs: No: 12; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 1. State Public Safety: Maintain public records: Yes: 25; Maintain public records: No: 5; Public records identify SSNs: Yes: 7; Public records identify SSNs: No: 15; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 7. State Corrections: Maintain public records: Yes: 34; Maintain public records: No: 4; Public records identify SSNs: Yes: 12; Public records identify SSNs: No: 18; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 12. [A] One state entity indicated a "not applicable" response because it did not have a Web site. Source: GAO survey of state agencies. [End of table] Table 9: Number and Type of County Departments and Agencies that Maintain Public Records, Identify SSNs on Those Records, and Permit Access to Those records on Their Web Sites: All county departments: Maintain public records: Yes: 251; Maintain public records: No: 46; Public records identify SSNs: Yes: 119; Public records identify SSNs: No: 116; Public has access to records with SSNs via Web site: Yes: 11; Public has access to records with SSNs via Web site: No: 105[A]. Social Services: Maintain public records: Yes: 35; Maintain public records: No: 24; Public records identify SSNs: Yes: 13; Public records identify SSNs: No: 19; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 13. Health Department: Maintain public records: Yes: 43; Maintain public records: No: 9; Public records identify SSNs: Yes: 10; Public records identify SSNs: No: 31; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 10. County Sheriff: Maintain public records: Yes: 55; Maintain public records: No: 7; Public records identify SSNs: Yes: 21; Public records identify SSNs: No: 28; Public has access to records with SSNs via Web site: Yes: 0; ; Public has access to records with SSNs via Web site: No: 20[A]. Court Clerks: Maintain public records: Yes: 39; Maintain public records: No: 3; Public records identify SSNs: Yes: 30; Public records identify SSNs: No: 7; Public has access to records with SSNs via Web site: Yes: 2; Public has access to records with SSNs via Web site: No: 28. County Recorders: Maintain public records: Yes: 61; Maintain public records: No: 2; Public records identify SSNs: Yes: 43; Public records identify SSNs: No: 15; Public has access to records with SSNs via Web site: Yes: 9; Public has access to records with SSNs via Web site: No: 32. Superintendent of Schools: Maintain public records: Yes: 18; Maintain public records: No: 1; Public records identify SSNs: Yes: 2; Public records identify SSNs: No: 16; Public has access to records with SSNs via Web site: Yes: 0; Public has access to records with SSNs via Web site: No: 2. [A] Two county departments answered "not applicable" because the departments did not have a Web site. Source: GAO survey of county agencies. [End of table] Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Kay Brown (202) 512-3674: Jacquelyn Stewart (202) 512-7232: Staff Acknowledgments: The following team members contributed to all aspects of this report throughout the review: Lindsay Bach, Jeff Bernstein, Jacqueline Harpp, Daniel Hoy, Raun Lazier, James Rebbe, Vernette Shaw, and Anne Welch. In addition, Richard Burkard, Patrick Dibattista, Joel Grossman, Debra Johnson, Carol Langelier, Minette Richardson, Robert Rivas, Ron Salo, Rich Stana, and William Thompson also made contributions to this report. [End of section] Footnotes: [1] We found no commonly accepted definition of public records. For the purposes of this report, when we use the term public record, we are referring to a record or document that is routinely made available to the public for inspection either by a federal, state, or local government agency or a court, such as those readily available at a public reading room, clerk's office, or on the Internet. [2] U.S. General Accounting Office, Social Security: Government and Commercial Use of the Social Security Number is Widespread, [hyperlink, http://www.gao.gov/products/GAO/HEHS-99-28] (Washington, D.C.: Feb. 16, 1999). [3] We did not survey state Departments of Motor Vehicles or state agencies that administer state tax programs because we have reported on these activities separately. Nor did we focus on the requirements for the use and dissemination of taxpayer information because they are distinct from many of the requirements covered in this report. See U.S. General Accounting Office, Child Support Enforcement: Most States Collect Drivers' SSNs and Use Them to Enforce Child Support, [hyperlink, http://www.gao.gov/products/GAO-02-239] (Washington, D.C.: Feb. 15, 2002) and Taxpayer Confidentiality: Federal, State, and Local Agencies Receiving Taxpayer Information, [hyperlink, http://www.gao.gov/products/GAO-GGD-99-164] (Washington, D.C.: Aug. 30, 1999). [4] In this review, we do not include criminal provisions that might apply to the improper use of SSNs. [5] The Social Security Act of 1935 created the Social Security Board, which was renamed the Social Security Administration in 1946. [6] Biometric identification uses automated methods of recognizing a person based on a physiological or behavioral characteristic including fingerprints, speech, face, retina, iris, handwritten signature, hand geometry, and wrist veins. [7] United States Sentencing Commission, Identity Theft Final Alert (Washington, D.C.: Dec. 15, 1999). [8] This information is based on a review of 39 cases involving SSN theft drawn from the Federal Trade Commission's fiscal year 1998 data files. [9] U.S. General Accounting Office, Identity Theft: Prevalence and Cost Appear to be Growing, [hyperlink, http://www.gao.gov/products/GAO-02-363] (Washington, D.C.: Mar. 1, 2002). [10] A fraud alert is a warning that someone may be using the consumer's personal information to fraudulently obtain credit. When a fraud alert is placed on a consumer's credit card file, it advises credit grantors to conduct additional identity verification before granting credit. The third consumer reporting agency offers fraud alerts that can vary from 2 to 7 years at the discretion of the individual. [11] For example, the Internal Revenue Code, which requires the use of SSNs for certain purposes, declares tax return information, including SSNs, to be confidential, limits access to specific organizations, and prescribes both civil and criminal penalties for unauthorized disclosure. For more information, see [hyperlink, http://www.gao.gov/products/GAO-GGD-99-164]. Also, the Personal Responsibility and Work Opportunity Act of 1996 explicitly restricts the use of SSNs to purposes set out in the Act, such as locating absentee parents to collect child support payments. [12] These provisions supplement information security requirements established in the federal Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and Office of Management and Budget guidance. [13] SSI provides cash assistance to needy individuals who are aged, blind, or disabled. [14] U.S. General Accounting Office, Supplemental Security Income: Incentive Payments Have Reduced Benefit Overpayments to Prisoners, [hyperlink, http://www.gao.gov/products/GAO/HEHS-00-2] (Washington, D.C.: Nov. 22, 1999). [15] TANF was created by the Personal Responsibility and Work Opportunity Reconciliation Act of 1996. The program has been implemented in the form of block grants to states and is designed to help low-income families with children reduce their reliance on welfare and move toward economic independence. [16] U.S. General Accounting Office, Benefit and Loan Programs: Improved Data Sharing Could Enhance Program Integrity, [hyperlink, http://www.gao.gov/products/GAO/HEHS-00-119] (Washington, D.C.: Sept. 13, 2000). [17] The Department of Health and Human Services' National Directory of New Hires is a national database containing new hire and wage data from every state and federal agency and unemployment insurance data from state unemployment security agencies. This directory was mandated by the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 to help enforce child support obligations. At a minimum, the database includes the individual's name, address, and SSN, as well as the employer's name, address, and identification number. This data is also used for various program enforcement purposes by a limited number of state and federal agencies. [18] Census is authorized by statute to collect a variety of information, and the Bureau is also prohibited from making it available, except in certain circumstances. [19] In some cases, records containing SSNs are sometimes matched across multiple agency or program databases. The statistical and research communities refer to the process of matching records containing SSNs for statistical or research purposes as "record linkage." See U.S. General Accounting Office, Record Linkage and Privacy: Issues in Creating New Federal Research and Statistical Information, [hyperlink, http://www.gao.gov/products/GAO-01-126SP] (Washington, D.C.: Apr. 2001). [20] On the federal level, data sharing often involves computerized record matching. The Computer Matching and Privacy Protection Act of 1988, which amended the Privacy Act, specifies procedural safeguards affecting agencies' use of Privacy Act records in performing certain types of computerized matching program, including due process rights for individuals whose records are being matched. These due process rights were further clarified in the Computer Matching and Privacy Protection Amendments of 1990. [21] Section 7 of the Privacy Act is not codified with the rest of the act, but rather is found in the note section to 5 U.S.C. 552a. [22] The Department of Justice has on its Web site an overview of the Privacy Act that references section 7. This information was prepared in coordination with OMB. [23] 5 U.S.C. 552a(e)(3). [24] Of the 58 federal programs that responded to our survey, 39 reported that some portion of their records were covered by the Privacy Act, 3 reported that no portion of their records were covered by the act, and the remaining 16 agencies did not know if their records were covered by the Privacy Act. [25] Under the Paperwork Reduction Act, OMB is, however, responsible for reviewing and approving all collections of information including forms, surveys, telephonic requests, or various other formats used by federal agencies when requesting SSNs and other information from an SSN holder, state or local governments, and others. Thus the agency also has this opportunity to influence the collection of SSNs. [26] According to OMB officials, all federal agencies have an officer responsible for implementing the Privacy Act. [27] When federal agencies provide states with funding for specific programs, they could include requirements that the entities implementing the program comply with section 7 of the Privacy Act. [28] Dittman v. California, 191 F.3d 1020 (9th Cir. 1999) (citing Unt v. Aerospace Corp, 765 F.2d 1440 (9th Cir. 1981)). The Ninth Circuit Court of Appeals covers California, Oregon, Washington, Arizona, Montana, Idaho, Nevada, Alaska, Hawaii, Guam, and the Northern Mariana Islands. [29] McKay v. Altobello, No. 96-3458, 1997 WL 266717 (E.D. La. May 16, 1997). [30] Griedinger v. Davis, 782 F. Supp. 1106 (E.D. Va. 1992), reversed and remanded on other grounds, 988 F.2d 1344 (4th Cir.1993). [31] However, state auditors in one state told us that when programs do not require an SSN, such as the Women, Infants, and Children Program, it is more difficult to audit the program for compliance because they have to rely on matching data on individuals using name, address, and wage records to ensure that the appropriate people are receiving services. They said this process is time consuming and is not 100 percent accurate. They believe that the use of SSNs for the program would speed up and improve the accuracy of data matches. [32] See federal Government Information Security Reform provisions of the fiscal year 2001 Defense Authorization Act, the federal Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger- Cohen Act of 1996, and OMB guidance. [33] U.S. General Accounting Office, Executive Guide: Information Security Management, Learning From Leading Organizations, GAO/AIMD-98- 68 (Washington, D.C.: May 1998) reported on strategies used by private and public organizations—a financial services corporation, a regional utility, a state university, a retailer, a state agency, a nonbank financial institution, a computer vendor, and an equipment manufacturer—that were recognized as having strong information security programs. The information security strategies discussed in the report were only a part of the organizations' broader information management strategies. [34] States may also require any number of the eight practices, but the requirements would vary from state to state. [35] U.S. General Accounting Office, Information Security: Additional Actions Needed to Fully Implement Reform Legislation, [hyperlink, http://www.gao.gov/products/GAO-02-470T] (Washington, D.C.: Mar. 6, 2002). [36] Office of Management and Budget, FY 2001 Report to Congress on Federal Government Information Security Reform (Washington, D.C.: February 2002). [37] OMB Memorandum 01-05 applies to federal data sharing activities covered by the Computer Matching and Privacy Protection Act, as amended. The covered activities are computer-matching for purposes such as verifying program eligibility for federal benefits or recovering delinquent debt. The memorandum states that federal agencies should consider applying the concepts to other data sharing arrangements. [38] In some cases, where federal agencies administer programs that provide federal funds to states and counties, the federal agency has spelled out program-specific requirements for information security that state and county government agencies are expected to follow when they use federal funds to operate these programs. [39] As of March 2002, the Navy Exchange System still requires SSNs on checks. Officials told us they hope to implement a system similar to the DOD Commissary by the end of 2002. [40] SSNs are displayed on all licenses in one state, on all licenses except where the driver has asked that they be omitted in nine states, and only on licenses requested by the driver in 14 states. [41] It varies from state to state as to whether certain records, such as marriage licenses and birth certificates, are maintained in county or state offices. Certain documents, however, such as land and title transfers, are almost always maintained at the local, or county, level. [42] Veterans are advised that these are important documents, which can be registered/recorded in most states or localities for a nominal fee making retrieval easy. In October 2001, DOD added a cautionary statement that recording these documents could subject them to public access in some states or localities. [43] In some states, for example, adoption records, grand jury records, and juvenile court records are not part of the public record. In addition, some court documents pertinent to the cases may or may not be in the public record, depending on local court practice. Finally, the judge can choose to explicitly seal a record to protect the information it contains from public review. [44] Some jurisdictions also permit citizens to request public records through the mail. [45] Our surveys were mailed first in August 2001, and the last surveys analyzed were received in March 2002. [46] In other cases, the law requires that the SSN appear on the document itself, as on death certificates. [47] In these cases when the governmental office is not requesting that the individual disclose his or her SSN, the receiving office is not required to provide the individual with the information required under section 7 of the Privacy Act. [48] There are few appropriate vehicles available to notify large segments of the public of this type of information. SSA has a public education campaign and also sends a statement of earnings and projected benefits to about 123 million people each year. [49] [hyperlink, http://www.gao.gov/products/GAO/AIMD-98-68]. [50] Although the IRS uses and shares SSNs with a number of governmental entities, we did not focus on the requirements for the use and dissemination of taxpayer information because they are distinct from many of the requirements covered in this report. See GGD- 99-164. [51] We did not target state Departments of Motor Vehicles; instead we incorporated information gathered by another GAO team studying SSN use in these state agencies for child support enforcement efforts. See [hyperlink, http://www.gao.gov/products/GAO-02-239]. In addition, we did not focus on state tax agencies because the requirements for sharing taxpayer information are distinct from the other requirements in this report. [52] We also visited court officials at Anoka County, Minnesota. [53] U.S. General Accounting Office, Identity Theft: Prevalence and Cost Appear to be Growing, [hyperlink, http://www.gao.gov/products/GAO-02-363] (Washington D.C.: Mar. 1, 2002). [54] The Privacy Act defines a system of records as a group of records under the control of the agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual, such as an SSN. [End of section] GAO’s Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO’s Web site [hyperlink, http://www.gao.gov] contains abstracts and full text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to [hyperlink, http://www.gao.gov] and select “Subscribe to daily E-mail alert for newly released products” under the GAO Reports heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov: (202) 512-4800: U.S. General Accounting Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: