Skip to content

Hearing on the Role of Social Security Numbers in Identity Theft and Options to Guard Their Privacy

April 13, 2011


HEARING ON THE ROLE OF SOCIAL
SECURITY NUMBERS IN IDENTITY THEFT
AND OPTIONS TO GUARD THEIR PRIVACY



BEFORE THE

SUBCOMMITTEE ON SOCIAL SECURITY

OF THE

COMMITTEE ON WAYS AND MEANS

U.S. HOUSE OF REPRESENTATIVES

ONE HUNDRED TWELFTH CONGRESS

FIRST SESSION


April 13, 2011


SERIAL 112-SS2


Printed for the use of the Committee on Ways and Means

 

COMMITTEE ON WAYS AND MEANS
 
SUBCOMMITTEE ON SOCIAL SECURITY
SAM JOHNSON, Texas, Chairman

 
KEVIN BRADY, Texas
PAT TIBERI, Ohio
AARON SCHOCK, Illinois
ERIK PAULSEN, Minnesota
RICK BERG, North Dakota
ADRIAN SMITH, Nebraska

                             

XAVIER BECERRA, California
LLOYD DOGGETT, Texas
SHELLEY BERKLEY, Nevada
FORTNEY PETE STARK, California

C O N T E N T S



Advisory of April 13, 2011 announcing the hearing


WITNESSES

The Honorable Patrick P. O’Carroll Jr.
Inspector General, Social Security Administration
Testimony

Maneesha Mithal
Associate Director of the Division of Privacy and Identity Protection, Federal Trade Commission
Testimony

Theresa L. Gruber
Assistant Deputy Commissioner, Office of Operations, Social Security Administration
Testimony



HEARING ON THE ROLE OF SOCIAL
SECURITY NUMBERS IN IDENTITY THEFT
AND OPTIONS TO GUARD THEIR PRIVACY

 
April 13, 2011
  U.S. House of Representatives,
Committee on Ways and Means,
Washington, D.C.

The subcommittee met, pursuant to notice, at 2:02 p.m., in Room B‑318, Rayburn House Office Building, Hon. Sam Johnson [chairman of the subcommittee] presiding.

[The advisory of the hearing follows:]




     *Chairman Johnson.  The subcommittee will come to order.  Welcome, everyone.

     Identity theft is a lasting and devastating crime.  Victims spend years having to prove who they are, while monitoring credit reports, fending off collection agencies or the IRS for charges they never made or wages they never earned.  Some are picked up by law enforcement by crimes committed by the ID theft using their name.  Americans have every reason to be concerned.

     According to the Congressional Research Service, in 2009 ID theft claimed over 11 million victims and cost consumers about $50 billion annually.  The Privacy Rights Clearinghouse reports the total number of known records that have been compromised due to security breaches beginning in January 2005 through last week topped 500 million.  Just yesterday, in my own state of Texas, the comptroller’s office announced the largest security breach in state history:  some 3.5 million personal files were mistakenly left on a computer file available to the public, putting current and retired state employees at risk.

     Even though Social Security numbers were created to track earnings for determining eligibility and benefit amounts under Social Security, the numbers are widely used as personal identifiers.  Some of the uses of these numbers in preventing fraud are vital to many commercial and government operations.  Examples include enforcing child support, aiding law enforcement, and compiling information from many sources to help ensure the accuracy of credit reports.

     Unfortunately, as pointed out by GAO in testimony before this subcommittee, Social Security numbers have become the identifier of choice, and are used for everyday business transactions.  In fact, in their April 2007 report, the President’s Identity Theft Task Force identified the Social Security number as the most valuable commodity for an identity thief.

     Even worse, identity theft continues to threaten our national security.  As said in the 9/11 Commission report, fraud and identification documents is no longer just a problem of theft.  At many entry points to vulnerable facilities, including gates for boarding airplanes, sources of identification are the last opportunity to ensure that people are who they say they are, and to check whether or not they are terrorists.

     Congress needs to get to work on identity theft and limiting access to Social Security numbers is an excellent place to start.  For years, Ways and Means Subcommittee on Social Security has been working on this problem in a bipartisan way.  In fact, Mr. Doggett and I have been on a bill year after year to try to do this.  We have approved bills to protect the privacy of Social Security numbers and prevent identity theft since the 106th Congress, when it first approved the Social Security Number, Privacy, and Identity Theft Prevention Act.

     The legislation was first introduced on a bipartisan basis by then‑subcommittee chairman Clay Shaw, and then‑ranking member, the late Bob Matsui.  Despite numerous attempts, Congress has not been able to close the deal.  Sadly, Social Security number use is so widespread across so many industries that the committees of jurisdiction have yet to reach agreement on the right approach to limiting their use.

     Still, I believe this committee can make progress.  To that end, today I am reintroducing, with Mr. Doggett, the Medicare Identity Theft Prevention Act, a bill to remove the Social Security number from the Medicare card.  It makes no sense that people are told, “Don’t carry your Social Security card in order to protect your identity,” but then every senior citizen is told, “Carry your Medicare card,” which displays prominently the Social Security number.

     The risk of ID theft goes far beyond the card being stolen.  Every medical record at nursing homes, hospitals, and doctor offices has a Social Security number written on it.  The wholesale amount of Social Security numbers that are available to identity thieves is staggering and completely unnecessary.

     You know, just last night I was dealing with the TV guys on cable.  Guess what they asked for?– my Social Security number to prove it was me.  Can you believe that?  Well, I didn’t know what to say.

     The Centers for Medicare and Medicaid Services have refused to act.  If they won’t do what is right for America’s seniors, we will.  I thank my colleague from Texas for his work on this issue, and I urge my other colleagues to support this issue, as well.

     The problem of identity theft is not going to be addressed with one single piece of legislation.  But protecting Medicare cards carried by 47 million Americans is a good place to start.  I will say that if the military can remove Social Security numbers, CMS ought to be able to do the same.

     I look forward to hearing from each of our witnesses, and thank them in advance for sharing with us their experiences and their recommendations.  And thank you all for being present today.

     And I now yield to my friend, Xavier Becerra, our ranking member.

     *Mr. Becerra.  Mr. Chairman, thank you very much for calling this hearing.  As you just said, millions of Americans are harmed each year, due to the misappropriation of their identities.  This subcommittee is deeply concerned about this particular problem.  In fact, we have held 17 previous hearings on this subject since 2000, the year 2000.

     Let me urge this subcommittee to show the same diligence and thoroughness in examining some other critical issues that we will be confronting soon surrounding Social Security, such as the impact of cuts to the Social Security Administration’s (SSA) operating budget proposed for this year, and the consequences for people, for example, who are waiting for their disability benefits.  Also, the impact of cuts to the Social Security  Administration’s operating budget on the ability of the SSA to prevent waste, fraud, and abuse, and certainly in regards to the impact on senior’s retirement security from the kinds of Social Security benefit cuts that budget Chairman Paul Ryan has proposed and praised.

     While we may have different views on the importance of Social Security benefits for today’s seniors and future retirees, we are united in our concern about identity theft.  Identity theft ruins individuals’ good names, and destroys their credit ratings.  It has even ruined the future credit ratings of young children.  This subcommittee has heard from many victims of identity theft, and have described the extensive harm that they have suffered, as a result of identity fraud, harm which continues long after the fraud is discovered.  Identity theft crimes carry a total cost to Americans of over $17 billion.

     I welcome the testimony of the Social Security Administration and its inspector general.  I also welcome the testimony of the Federal Trade Commission, which plays a critical role in protecting consumers from identify theft.

     Chairman Johnson, I look forward to joining you and others in reintroducing identity theft legislation for this new congress, and I am hoping that we can make significant progress as we work together in that regard.

     Before I yield back my time, Mr. Chairman, if I could yield one minute to the gentleman from Texas, Mr. Doggett.

     *Mr. Doggett.  Thank you.  While I shared the broader concerns that Mr. Becerra has just outlined, I just want to applaud your leadership on this, Mr. Chairman.  I agree with every word you said about the subject that is up today, identity theft.

     This is at least the third congress in which you and I have been in partnership, trying to solve this problem.  We actually passed it through the House in 2008, despite a lot of bureaucratic obstacles that were thrown up, and then the bureaucracy managed to kill it over in the Senate Finance Committee, or it would already be law.

     I think one of the most effective ways for the bureaucracy to stand in the way of something that they don’t want to move quickly on is to throw up a big cost estimate.  And that is what has happened here.  And we have been trying to get the specifics for months, if not years, from CMS about their claim that it will be too costly for them to protect the Identity of our seniors.  They need to come forward with their study, and it needs to be well‑founded.  And we should not let their objections stand in the way, again, of doing what is right by our seniors and, as you said, at least doing for folks who rely on Medicare what the military has already been able to do for our military men and women and for our veterans.  I thank you, Mr. Chairman.  Thank you, Mr. Becerra.

     *Chairman Johnson.  The gentleman from California, you are recognized.

     *Mr. Stark.  Mr. Chairman, I am pleased that you called this mark‑up, and proud to be a cosponsor of your bill, and I would ask you if you would consider, and if the committee would not object, we introduced legislation that would address the problem of identity theft for foster children.  The foster children’s Social Security numbers often pass through many hands, and we have encountered problems when the children age out of foster care, they have found that their identity has already been stolen, and people have opened credit cards, and so forth.  And we have some language that I hope you would consider adding to your legislation that would protect these very vulnerable children.

     I know that Mr. Delay worked with us years ago on doing this, and I look forward to seeing if we can include this in your ‑‑

     *Chairman Johnson.  Yes, I am sure Mr. Doggett would agree.

     *Mr. Doggett.  Absolutely.

     *Chairman Johnson.  We will certainly look at it.

     *Mr. Stark.  Thank you, Mr. Chairman.

     *Mr. Becerra.  Chairman, we are pleased that you have called this hearing, and I would yield back the balance of my time.

     *Chairman Johnson.  Thank you, Mr. Becerra.  Let me tell you we are getting a vote in about 10 or 15 minutes, maybe 20.  There will be four votes and three of them are five minutes.  So we will break when that occurs and come back after the votes, which will be about a half‑hour.

     Today we are joined by three witnesses.  Our first witness is the honorable Patrick O’Carroll, Jr.  He is the Social Security Administration Inspector General.  Next is Maneesha Mithal, who is the Associate Director of the Division of Privacy and Identity Protection at the Federal Trade Commission.  And lastly we will hear from Theresa Gruber, who is the Assistant Deputy Commissioner, Office of Operations at the Social Security Administration.

     So, all I would ask you is stop dragging your feet and let us get these things done.

     [Laughter.]

     *Chairman Johnson.  Mr. O’Carroll, you are recognized.  I welcome all of you, and thank you for being here.


STATEMENT OF PATRICK P. O’CARROLL, JR., INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION

 

     *Mr. O’Carroll.  Good afternoon, Chairman Johnson, Congressman Becerra, and members of the subcommittee.  Thank you for the invitation to testify today.

     We all understand the serious threat and damaging effects of identity theft.  But to better illustrate the issue, I would like to present one victim’s story.  Dr. Juan Martinez, born and raised in Chicago, was thrilled to accept a teaching position at the University of Chicago in 2005.  Soon after he began working in his hometown, however, Dr. Martinez received a letter from the IRS that stated he failed to pay his taxes on wages earned the previous year in Colorado.  The letter arrived with a substantial bill.

     Someone had stolen his identity, and Dr. Martinez was left to prove his case to the IRS.  Dr. Martinez and his wife struggled for several years, as they disputed charges with the IRS, and attempted to track down the person who was fraudulently using Dr. Martinez’s name, Social Security number, and birth date.

     In 2010, Dr. Martinez learned that a bank account was opened in his name in Missouri.  Authorities in Chicago referred the case to one of our special agents in St. Louis.  Working with the bank where the account was opened, our agent quickly identified and located the man who illegally used Dr. Martinez’s information for five years.  The man admitted to purchasing false identity documents, and using Dr. Martinez’s name to get a job, rent an apartment, and open a bank account.  Last month he was sentenced to seven months in prison and ordered to pay restitution of more than $5,000 to Dr. Martinez.

     Now, Dr. Martinez and his family may finally breath a sigh of relief.  We in OIG are very pleased to have helped Dr. Martinez.  And while he could not be here today, he has prepared a written statement about his ordeal, and we would like to enter that into the record.  

[Dr. Martinez statement for the record follows:]

     As the case illustrates, identity theft places a huge burden on the victims.  Use of the SSN is still widespread throughout government programs and financial transactions.  And with technology constantly evolving, stealing SSNs and entire identities has become even easier.  As we pursue investigations similar to the case of Dr. Martinez, our agents participate in SSN misuse task forces across the country, investigating identity theft, as well as mortgage, bankruptcy, and benefit fraud.

     My office has done work that led to the removal of the SSN from the selective service mailings.  We have also recommended its removal from other government documents and IDs, such as the Medicare card.  The Department of Defense recently announced it will remove the SSN from military IDs, and we agree that this is a step in the right direction to protect valuable personal information.

     SSA, though, still cannot prohibit the collection and use of SSNs.  Our investigative and audit work has taught us that the more SSNs are used, the higher the probability that these numbers can be used to commit crimes.  Our recent recommendations to SSA include:  supporting legislation to limit public and private entities’ use of the SSN; continuing efforts to safeguard and protect personal information; and ensuring the highest level of online security before offering replacement Social Security cards over the internet.

     We have recently completed audits that question the collection of students’ SSNs in kindergarten through 12th grade, as well as state and local governments’ collection and use of SSNs.  We have also completed reviews on assigning SSNs to non‑citizens with fiancee visas and exchange visitor visas.  Although temporary residents may be authorized to work in the United States, we question whether they should receive SSNs which will remain valid for life.

     We are currently reviewing SSA’s controls over how the Agency issues SSN print‑outs, which are often used as a substitute for replacement Social Security cards.  We plan to issue that report this summer.

     In conclusion, we must continue to ensure the integrity of the enumeration process, limit the use and public display of the SSN, encourage SSN protection, and provide meaningful penalties for those who misuse the SSN or fail to protect it.  My office will continue to work with you and SSA to maintain and improve the integrity of the Social Security number.

     Thank you again for this invitation to testify today, and I will be happy to answer any questions.

     [The statement of Mr. O’Carroll follows:]

     *Chairman Johnson.  Thank you.  I am told that most of the stolen numbers are from young people who have not yet begun to work.  Is that your information?

     *Mr. O’Carroll.  I would qualify that by saying that a lot of them belong to children that haven’t begun to work.  And when people are vacuuming up numbers that are out there, often times they are targeting children’s numbers.  But I cannot say it is exclusive.

     *Chairman Johnson.  That is because they have not ever recorded them anywhere.

     *Mr. O’Carroll.  Agreed.

     *Chairman Johnson.  Yes.  Thank you.

     Ms. Mithal, you are recognized for five minutes.

STATEMENT OF MANEESHA MITHAL, ASSOCIATE DIRECTOR OF THE DIVISION OF PRIVACY AND IDENTITY PROTECTION, FEDERAL TRADE COMMISSION

     *Ms. Mithal.  Chairman Johnson, Ranking Member Becerra, and members of the subcommittee, I am Maneesha Mithal from the Federal Trade Commission.  I appreciate the opportunity to present the FTC’s views on the role of Social Security numbers and identity theft.

     Protecting consumers against identity theft is a critical component of our consumer protection mission.  The Commission’s written testimony describes the widespread use of SSNs in our economy, as well as its role in facilitating identity theft.  In my oral statement I would like to focus on the FTC’s activities to implement the recommendations of the President’s 2007 identity theft task force, which the FTC’s chairman co‑chaired, along with the attorney general.  I would like to highlight our implementation of four recommendations, in particular.

     First, we have tried to find ways to reduce the use of SSNs in the public and private sectors.  As to the public sector, federal agencies have taken a lot of steps to eliminate or restrict the use of SSNs.  Most recently, as we have heard, the Department of Defense announced that it would stop using SSNs on military ID cards as of June 2011.

     As to the private sector use of SSNs, we hosted a workshop and issued a report recommending federal legislation in a variety of areas.  Among other things, we recommended legislation to reduce the public display of SSNs, and to improve consumer authentication.

     Second, a key component of our efforts to combat identity theft is to make sure that consumers’ sensitive data, including SSNs, don’t fall into the hands of identity thieves.  To that end, we enforce laws requiring companies to maintain reasonable security of consumers’ information.  Since 2001, the Commission has brought over 30 law enforcement actions challenging businesses that failed to reasonably protect sensitive consumer information.

     Several of these cases have involved breaches of SSNs.  One example is Choice Point.  We sued Choice Point and alleged that it sold sensitive information about more than 160,000 consumers to identity thieves.  We obtained $15 million in monetary relief against the company.

     More recently, we settled actions against three sellers of credit reports.  These sellers allowed hackers to access sensitive credit report information, including SSNs.  The settlements require each company to have comprehensive information security programs in place.

     We also brought a case against a company called LifeLock, which deceptively advertised its identity theft protection services.  Now, you may recall LifeLock’s ads, in which the CEO displayed his own real Social Security number, stating that he guaranteed protection against identity theft.  Of course, he later became a victim of identity theft.  We worked with 36 state attorneys general to bring a case against the company for deceptive practices, and we obtained $12 million in monetary relief.

     Third, in addition to bringing cases, we provide consumer assistance and education.  We manage a toll‑free Identity theft hotline, along with a dedicated website through which we receive 15,000 to 20,000 contacts each week.  Callers to the hotline receive counseling from trained personnel on steps they can take to prevent or recover from identity theft.

     We also make available a wide variety of consumer education materials, including many in Spanish, to help consumers deter, detect, and defend against identity theft.  I am now holding some examples of our consumer education materials, and I would be happy to provide additional copies to your staff after the hearing.

     One successful strategy in disseminating our materials has been to provide them to first responders.  For example, because victims often report identity theft to local law enforcement agencies, we inform these agencies on how to talk to victims.  The FTC and its partners have provided identity theft training to over 5,400 law enforcement officers from over 1,700 agencies.  Similarly, we have created a comprehensive guide to pro bono attorneys and legal services clinics who assist low‑income identity theft victims.

     Finally, we serve as a clearinghouse for information about identity theft.  We make information in our complaint database available to over 2,000 law enforcement partners.  To assist law enforcement and policy makers, we also routinely issue reports on the number and nature of identity theft complaints we receive.  Most recently we announced that in 2010 we received 250,000 identity theft complaints, which represents 19 percent of the total number of complaints we received.  Identity theft has remained a top complaint category for more than a decade.

     Fighting identity theft continues to be a top priority for the FTC, and we look forward to working with the subcommittee on this important issue.

     [The statement of Ms. Mithal follows:]

     *Chairman Johnson.  Ms. Gruber, you are recognized for five minutes.

STATEMENT OF THERESA L. GRUBER, ASSISTANT DEPUTY COMMISSIONER, OFFICE OF OPERATIONS, SOCIAL SECURITY ADMINISTRATION

     *Ms. Gruber.  Thank you.  Chairman Johnson, Ranking Member Becerra, and members of the subcommittee, my name is Theresa Gruber, and I am the Assistant Deputy Commissioner for Operations at the Social Security Administration.  I have worked for the Agency for nearly 20 years, starting in one of our field offices in Minnesota.  In my current role I oversee the operation of more than 1,200 Social Security offices, 8 card centers, 33 1‑800‑number teleservice centers, and 8 processing centers.

     Thank you for the opportunity to discuss how we assign Social Security numbers, and the role that the Social Security number, or SSN, can play in identity theft.  My written statement provides details on the history of the SSN, and I will focus today on what we have done to improve and strengthen our enumeration and card issuance processes.

     Originally, the only purpose of the Social Security number was to keep an accurate record of earnings under Social Security, and to pay benefits based on those earnings.  We provided the SSN card to show what SSN we assigned to a particular individual, with the idea that, when shown to an employer, that employer would be able to properly report that individual’s earnings.  The card was never intended, and does not serve, as a personal identification document.

     Assigning SSNs has been one of our most important and significant workloads.  Since the inception of the program, we have assigned about 465 million Social Security numbers.  Last fiscal year we assigned 5.5 million original Social Security numbers, completed 11.5 million requests for replacement cards, and processed over 1 billion verifications of SSNs.

     Although the card is not an identification document, unscrupulous individuals use the SSN to steal identities and obtain false identification documents.

     I would like to thank you for helping us to strengthen our SSN assignment process, for example, through the enactment of the Intelligence Reform and Terrorism Prevention Act of 2004.  As a result of this legislation, we have implemented numerous changes to our assignment process.  We added new security features to the card to help prevent counterfeiting.  We also limited the number of replacement cards we issue to any one individual, and established new, rigorous standards for evidence.

     As an agency, we are always looking for ways to improve the security and efficiency of our records.  For example, we know that we have to expand the pool of nine‑digit numbers available for assignment.  To that end, we plan to implement this summer a new assignment methodology called “SSN randomization.”  Randomization will help protect the Social Security number by eliminating any geographic significance in the number, and making it more difficult to reconstruct an SSN using public information.  As a result, the new process will also extend the pool of SSNs available for assignment nationwide.

     We have also taken a number of steps to improve the way we assign Social Security numbers.  First, we opened two new Social Security card centers, bringing our total now to eight.  These specialized centers process all applications for original SSNs and replacement cards in specific metropolitan areas.

     In coordination with the Department of State and the Department of Homeland Security, we expanded the Enumeration at Entry program, permitting all individuals applying for an immigrant visa to elect to receive an SSN at the time of initial admission.  This program allows us to use information collected and verified by both agencies to assign an SSN automatically.

     We have implemented and are continuing to enhance our new Social Security Number Application Process, which our field offices use to process SSN applications.  This automated system ensures uniform compliance with our enumeration policies and evidence requirements.

     In conclusion, we must remember that with all the improvements in the way we assign SSNs, the Social Security card is still just a record of an SSN assigned to an individual, and not an identity document.  We understand the use of the SSN for other purposes has grown exponentially over the years.  The challenge we face is to balance our commitment to assigning SSN numbers quickly and accurately, with the equally important need to maintain the integrity of the enumeration system, and to prevent SSN fraud.

     I want to thank the Chairman and the members of the subcommittee for inviting me here today, and look forward to your continued support for our Agency and our mission.  I will be happy to answer any questions.

     [The statement of Ms. Gruber follows:]

     *Chairman Johnson.  Thank you for your testimony.  And we will proceed to questions.

     Let me ask you a question, first.  How much does it cost to issue a Social Security card?

     *Ms. Gruber.  It depends on the manner in which you get the card.  If you come into one of our ‑‑

     *Chairman Johnson.  You mean all the offices aren’t the same?

     *Ms. Gruber.  Well, actually, if you come into our field office, it costs about $32.  If you go through one of our automated processes, a process called “Enumeration at Birth,” where we assign a Social Security number for a child who is born, that is about $8.  And ‑‑

     *Chairman Johnson.  Eighty?

     *Ms. Gruber.  Eight dollars.

     *Chairman Johnson.  Oh.

     *Ms. Gruber.  And if you do it through the Enumeration at Entry program that I talked about, it is about $5.

     *Chairman Johnson.  How about if we charged for that?

     *Ms. Gruber.  We would be happy to work with the subcommittee on exploring that option.

     *Chairman Johnson.  You all think about that.  Let me ask you a couple of questions.

     Mr. O’Carroll, do you have all the tools you need to protect the Social Security number?

     *Mr. O’Carroll.  Chairman Johnson, as we have heard during the testimony here, the number is out of the box, and it is pretty widely displayed, and it is out there.  So it is pretty hard to keep the SSN as private and secure as we would have preferred and liked.

     But, with that, I think the tools that we could use are any ways to limit the collection of Social Security numbers, much like you were saying, when a vendor is asking for it but doesn’t need it.  The display of Social Security numbers is a problem. We have been trying to get SSNs off of government checks.  It is being removed from some government IDs ‑‑ as you are proposing now, off of the Medicare card – and that is another good tool.  And the last one is just the collection of SSNs, in terms of limiting financial institutions’ collection of Social Security numbers, which can end up in a PII breach, as you discussed in Texas.  That is another concern of ours.

     So, what we are looking for is more of any tool that will at least prevent it being displayed more than it is now, and being compromised.

     *Chairman Johnson.  I understand that while we have restricted the number of Social Security number replacement cards, people can visit a local office and get a print‑out with their number on it.  And that they can easily be used by ID thieves.  Why is it we are doing that?  I mean isn’t it just as easy to print them a new card?

     *Mr. O’Carroll.  Well, we are almost a victim of a success on that one.  And under the Identity Theft Act that was passed by Congress we have limited the number of cards that are being issued.  So, remember, in the past it was unlimited numbers of cards going to people.  That has been restricted now, and so ‑‑

     *Chairman Johnson.  Well, it is still free, isn’t it?

     *Mr. O’Carroll.  It is still free, but we are limiting the number that can be received each year, and the number in a lifetime.  And what that caused is anybody who needs a Social Security number, hasn’t been safeguarding it, doesn’t keep it carefully, is coming into the offices now, asking for the print‑outs instead of a replacement card.

     And I think a secondary problem that has come with the print‑out is a lot of employers, rather than get a Xerox copy of a Social Security card, are asking for what they think is more recently updated information, and asking for the print‑outs, which is causing another group of people to come in requesting the print‑outs.

     And that leads to two of our concerns.  One is the identification requirements for an original card are much more strict than it is to get a print‑out.  So what is happening now is there is this secondary market for the print‑outs, and often times they are not as good a means of identification as Social Security cards.

     *Chairman Johnson.  Well, why do we have to do print‑outs at all?  Why can’t they get a replacement card, if they can?

     *Mr. O’Carroll.  Well, they can, but only a limited number of times.  And there is also a concern due to the Freedom of Information Act ‑‑

     *Chairman Johnson. Three times ought to be enough.  I mean how many times have you lost your card?

     *Mr. O’Carroll.  I haven’t.  I still have the one that my parents got when I was a little child.

     *Chairman Johnson.  Okay.

     *Mr. O’Carroll.  It was with my father’s stuff that I inherited from him.

     But I agree with you.  I think that is why there is a limit to the number of times an individual can get a replacement card.  But a lot of people believe that under Freedom of Information Act they are entitled to this print‑out.

     So, I am more concerned with just making sure that the proper identification is used when they get the print‑out so that we know it is the right person, that they are not using secondary, less reliable types of identification to get that print‑out, that it has the same level of integrity as the card.

     And then, as you had brought up earlier, maybe if there was a charge for getting the print‑outs, it would diminish the number of times that it was asked for.  As it stands now, employers are charged if they purchase a print‑out from SSA; individuals are not.

     *Chairman Johnson.  Okay.  Well, I am not hot about that idea.  Mr. Becerra, you are recognized for five minutes.

     *Mr. Becerra.  Thank you, Mr. Chairman.  Ms. Mithal, let me ask you a question.  In the private sector right now we have a patchwork of regulations to deal with the use of the Social Security number.  Can you give us some examples of industries that are doing a good job of trying to protect the number, and perhaps an industry that is not doing such a good job of protecting the privacy of an individual’s Social Security number?

     *Ms. Mithal.  I think it would be difficult to provide an industry example.  We can provide examples of best practices.  So, for example, if you do not need the Social Security number, do not ask for it.  It is something that we have implemented as an agency, at the FTC.  I remember when I started over 10 years ago, I used to have to put my Social Security number on a leave slip.  And we do not have to do that any more.  And I think that is a practice that we would encourage the private sector ‑‑ if you do not need the Social Security number, do not collect it.

     *Mr. Becerra.  Okay.  And I have heard that some of these information resellers have some of the worst practices around, that some of these Internet information resellers actually advertise that with a little more than your name, your city, and state, they can sell you a Social Security number for a few dollars.  Is that still the case?  Is there any regulation of those resellers?

     *Ms. Mithal.  There is.  In fact, a couple of years ago we brought a number of cases against those who were posing as consumers, and getting information about them.  And so we have a law that prohibits unfair or deceptive practices.  And we alleged that that was an unfair practice.  And so there are laws covering that practice.

     *Mr. Becerra.  And finally, give us a sense.  If you were addressing people who are concerned about their identity and it being stolen, as each and every one of us here is, what would be the best advice you give to any American to try to safeguard his or her Social Security number?

     *Ms. Mithal.  There are several things I would say.  I would say treat it like you would cash.  Secure it.  Do not carry it around.  Any documents that you dispose of, get a shredder.  Make sure that if you are providing your number online, that you practice safe computing, that you update your anti‑spyware and anti‑malware software, that you check your accounts frequently, and that you order your free credit report, which you are entitled to once a year, from the three major credit reporting agencies.

     *Mr. Becerra.  Good advice.  Ms. Gruber, a quick question.  What does SSA say to individuals as they come in contact with your offices about the integrity of their number and protecting it?

     What ‑‑ is there anything you tell them, other than respond to the questions they may have about the reason they are there?

     They may be coming for benefits, or to apply for something.  But does anyone take the time to say, “By the way, you know, you should be securing your Social Security number,” et cetera, et cetera?

     *Ms. Gruber.  Thank you, Ranking Member Becerra, that is a very good question.  We do. Our efforts are multi‑faceted.  When folks come in to apply for a replacement card, we do absolutely remind them, as both my colleagues have mentioned, to not carry it with them.  In fact, it says that on the card.

On our website, we have a number of publications, and frequently asked questions ‑‑ in fact, I think we have 11 of them ‑‑ that deal with identity theft, that deal with how to safeguard the card.  And we know that they are very widely used.  We get thousands of hits every month on those types of things.

     And when a person does suspect that their SSN has been misused or stolen, we do talk to them about ‑‑ and encourage them to take a number of steps, including working with the FTC, including working with IRS, and frequently monitoring their financial accounts, their credit reports.  Even if they are not a victim of identity theft, we encourage folks to do that, which is what all of our literature, that is pretty widely available, says.

     *Mr. Becerra.  Well, I hope, with your good assistance, the three of you, that this perhaps will be the last time we have to hold a hearing on identity theft, because perhaps this time Congress could get together, working with our chairman, to finally pass a bill out of the House and hopefully out of the Senate, so we can deal with this, Mr. Chairman, as I think most of us believe we should have done a long time ago, and get this taken care of.  Because it is a shame that tens of billions of dollars are lost by Americans and, as well, much of their sanity in life because somebody stole their identity.

     So, I thank you for your testimony, again.  And, Mr. Chairman, I am pleased that you were able to bring them together to have this hearing.

     *Chairman Johnson.  Thank you.  We have a good panel.  We are having a vote right now.  I am going to recess the committee, and it will be about 30, 45 minutes before we get back.  Thank you.

     *Mr. Brady.  Hey, Mr. Chairman?

     *Chairman Johnson.  Yes?

     *Mr. Brady.  Can I go on the record saying I really appreciate Ms. Mithal’s recommendation that we carry cash?  If you could talk to my wife about giving me some, I would be very appreciative.

     [Laughter.]

     *Mr. Brady.  I am with you on that.

     [Recess.]

     *Chairman Johnson.  The meeting will come back to order.  Mr. Paulsen is recognized for questions.

     *Mr. Paulsen.  Thank you very much, Mr. Chairman.  And thank you.  This has been an interesting hearing.  Maybe I can start with Mr. O’Carroll.

     You know, in your testimony you mentioned, or you highlighted at least, the fact that temporary residents may have authorization to work in the United States for a limited time, and you questioned sort of the propriety of assigning an SSN to those folks, which is valid for life.  Since an SSN number may be a key to their ability to overstay his or her visa, would you briefly overview for us your work in this area, how you reached this conclusion, and how Social Security has responded to some of those concerns you raised?

     *Mr. O’Carroll.  Yes, Mr. Paulsen.  We have done a number of reports on this issue. We looked at both the fiancée visas, where you come into the country, you say that you are going to be here to get married, and in that time period you are allowed months in the United States prior to your marriage. At that point, the fiancée will come in, get a Social Security number, and let us say, for example, the marriage does not happen, that person leaves the country.  That SSN that the person was given is now out there forever.

     And then, we also looked at the visas that are issued to foreign students that come to the United States to work for summer ‑‑

     *Chairman Johnson.  Wait a minute.  Can I stop you ‑‑

     *Mr. O’Carroll.  Yes, sir.

     *Chairman Johnson.  If they are going out of the country, why can’t we stop them at immigration on the way out?

     *Mr. O’Carroll.  No, meaning what happens with the SSN, then, is that that number for that individual now exists for perpetuity.

     *Chairman Johnson.  But you don’t make them give the card up?

     *Mr. O’Carroll.  No.

     *Chairman Johnson.  Can we?

     *Mr. O’Carroll.  That is something we will have to look at.  Let me look into that and see if that is a possible solution.

     *Mr. Paulsen.  If you could give a follow‑up to it, Ms. Gruber, just to kind of get some feedback, too.  But please continue on.

     *Mr. O’Carroll.  And then, the other one that we were finding is with the students that are coming in for summer work.  That is a very similar one to what Chairman Johnson was saying.  At the end of their work, at which point they have been issued an SSN, they work for a summer, they go back to their country of residence, in many cases never to come back into the United States again, we have a concern.  Why issue a Social Security number for that?

     One of the solutions would be to instruct the IRS to give them a tax identification number, as opposed to having to give them an SSN would be a possible solution.

     *Mr. Paulsen.  Ms. Gruber, maybe you can follow up regarding the Agency’s view on this, and how you and Mr. O’Carroll work together, perhaps, on some of these issues?

     *Ms. Gruber.  Sure.  Thank you, Mr. Paulsen.  A couple of things.  You know, one of the reasons we actually assign an SSN to someone who might be here temporarily is that we, under law, are required to do so‑‑ if they have DHS or Department of Homeland Security authorization to work, under the law we have to assign them an SSN.

     There are valid reasons why somebody who has a temporary status here ‑‑ as long as they have work authorization ‑‑  might actually want to work.  And eventually, if they gain permanent status, they could use those credited earnings while they were here lawfully, but temporarily for their benefits in the future.  In order to make a change, it would require a change to the Social Security Act, actually, to not issue an SSN to folks who are here lawfully, who do have authorization to work.

     And one other final thing, Mr. Paulsen.  The Social Security card itself does not really give them the ticket to work.  They have to have the card plus the DHS documentation.

     *Mr. Paulsen.  Okay.  Mr. O’Carroll, any other follow‑up on that, or ‑‑

     *Mr. O’Carroll.  I think that pretty well covers it.

     *Mr. Paulsen.  Okay.  Ms. Mithal, maybe I can ask you.  The President’s task force, you know, a few years back did a lot of work on public display of SSNs, and all the problems surrounding identity theft that I think were a part of that effort. The 2007 strategic plan referred to identity theft as a problem with no single cause and no single solution.

     However, they did develop a whole list of recommendations, like 30, 31.  You know, the very first recommendation was decreasing the unnecessary use of SSNs in the public sector.  Why was that the number one recommendation?

     *Ms. Mithal.  Well, I think it is fairly obviously that one of the sources of identity theft is the ubiquity of Social Security numbers that are out there.  And one of the things that we need to do to address the practice is to make sure they don’t get into the hands of identity thieves in the first place.  And it seems that reducing the public display of Social Security numbers, reducing the use of them, would be a natural first step.  And we decided, well, let us clean our own house, start with the public sector, before we get to the private sector.

     *Mr. Paulsen.  Well, Mr. Chairman, I think that makes sense, in terms of a number one recommendation.  So, thank you, I yield back.

     *Chairman Johnson.  Mr. Becerra, do you have another question you would like to ask?

     *Mr. Becerra.  Mr. Chairman, I think we probably asked and had them answer these questions 17 different times.  So I think we know what we have to do, and we just hope that they can continue to offer us some good advice as we try to move forward.

     *Chairman Johnson.  Yes.  Well, let me ask one, then.  You know there is close to 50 million Medicare cards floating around with Social Security numbers on them.  How can people protect themselves from medical ID theft?

     *Mr. O’Carroll.  Well, that was one of our recommendations from one of our audits, was the susceptibility of the public to having their number compromised, because it is on the Medicare card.  And at the time, we recommended to SSA to explore ways of working with HHS, which has jurisdiction over the Medicare card, to look into having the number taken off.

     And what we found at the time was a couple of things.  And I will ask Terry to elaborate, but about $30 million would be the cost to SSA of just retooling to take the number off of the card.  And HHS said it would cost about $300 million take and 8 to 12 years to do it.  So with that, I will yield to SSA.

     *Chairman Johnson.  Okay.  Mr. Brady, do you care to question?

     *Mr. Brady.  Yes, sir.  One, I appreciate, Chairman, you holding this hearing today in the bipartisan nature.  Two, I think the bill that has been or being introduced puts a heavy emphasis on prevention of the theft in the first place.  And I want to drive the point or the need for that because on the back end, my understanding is that it is rare that we catch and prosecute those who are good at identity theft.

     And my question is, out of the 11 million victims in 2009, not all of them were directly victims of the theft created through the Social Security number.  But the average person, senior, anyone, who is an identity theft victim through Social Security number, what are the chances that the criminal who does that gets caught and prosecuted?  Any idea?

     *Mr. O’Carroll. In the inspector general’s office at SSA, we get about a half‑a‑million public contacts a year, most related to allegations of waste, fraud, and abuse at SSA.  And we figure about half of those allegations relate to misuse of the Social Security number.  A large portion of them are either referred to SSA, HHS, or the FTC. From that group, we generally look into anything related to misuse of Social Security benefits or related to Social Security in some other way.

     So we investigate about 500 SSN misuse cases a year. That is about five percent of our investigations. Almost every one of them will end up with a conviction because by the time we open a case, we know that it is sufficient enough of a violation that we will have a positive result.

     But again, that is a very small percentage, as you are seeing.  From 500,000 contacts down to about 500 investigations is what we are looking at from our agency.  And I will yield to the FTC on the more global ‑‑

     *Ms. Mithal.  Yes, but we are not a criminal enforcement agency, so I would have to defer to DoJ on that.  But I can say that the crime really ranges from a pick‑pocket, taking your credit card for a joy ride, to a terrorist that is stealing people’s identity to commit bad acts against the country.

     And so, I think the ‑‑ there is really no hope of catching all the identity thieves.  And I think you are absolutely right, that we need to focus on prevention, victim assistance, and making sure that Social Security numbers do not fall into the wrong hands.

     *Mr. Brady.  And actually, just to clarify, I am frustrated by the lack of prosecution.  I am not looking to your agencies, but overall, I think it is just very rare.  My pet peeve is I see a lot of resources being used, when I turn on the TV and see time and money being used to pursue Marion Jones or Bobby [sic] Bonds or Roger Clemens, or issues like that. I look at those teams and think, “How many victims of Social Security identity theft could be helped, you know, if we applied the same type of rigor and ambition toward catching those?”  One, we should be preventing in the first place, and two, really prosecuting them harshly if they are caught. I think it is right to put an emphasis on prevention.  I do think we need to have a much higher prosecution rate on the back end, as well.

     So, Chairman, thank you very much.  And, Ms. Gruber, I did not mean to ignore you.  Any comments?

     *Ms. Gruber.  I think that both of my colleagues summed it up pretty well, and we certainly  know how tough it is when we have an interview with somebody who is a victim of identity theft.  Their life is turned upside down.  And so we understand.

     *Mr. Brady.  Thank you, Chairman.

     *Chairman Johnson.  Thank you.  Mr. O’Carroll, you got any ideas how we can, you know, stem the tide of identity theft or stolen cards or something like happened in Texas, for instance?  Can you talk to that issue?  And how can we fix it?

     *Mr. O’Carroll.  We have several concerns.  One, of course, is identity theft for financial purposes.  The other one that we are running into is identity theft where people are illegally using other people’s numbers to live and work in the United States.  And we all know the problems that follow.  Either you are going to be much like the doctor I talked about, where you are going to have someone else’s wages posted against your record that the IRS is expecting to pay taxes on, and it takes years to get that straightened out.

     So as we said before, any way that we can prevent the use of the Social Security number out there is going to shrink the problem down in size from where it is right now, where everybody has that concern of losing your identity.

     If we are not getting very good results from the prosecution side, let us focus on the prevention side.  And prevention is a lot of the different tools that we have talked about. And everybody has got to be very careful with their information. For instance, sometimes phone calls are made, where there is the phishing scam to get your information out there, so don’t volunteer it yourself.

     Also, I think we are all concerned that the material that is in your mailbox can be stolen that has all of your personal information.  Often times there is an application for a credit card in the same stack of mail with your personal information on it.

     So, I think if this committee could consider ways of preventing the publication of Social Security numbers, it would be a step in the right direction.

     *Chairman Johnson.  Well, we can look at that.  You know, I do not know exactly how we would do that, though.  You know, you can make laws until you are blue in the face, and people do not follow them.

     *Mr. O’Carroll.  I encourage the enforcement side, too, as a deterrent, I must say.

     *Chairman Johnson.  Yes.  Well, thank you all.  I appreciate you waiting for us.

     Do you have any further questions, Mr. Becerra?

     I appreciate you all being here today.  I look forward to working with all of you to stem the tide of theft by better protecting our Social Security numbers.  And I thank you for being here.  The hearing is adjourned.

     [Whereupon, at 3:34 p.m., the subcommittee was adjourned]

 

SUBMISSIONS FOR THE RECORD
Juan J. Martinez, Ph.D.
Helene Perry
LifeLock

QUESTIONS FOR THE RECORD
Patrick P. O’Carroll Jr.
Maneesha Mithal
Theresa L. Gruber