Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information (22-JAN-04, GAO-04-11). In 1936, the Social Security Administration (SSA) established the Social Security number (SSN) to track workers' earnings for Social Security benefit purposes. However, the SSN is also used for a myriad of non-Social Security purposes. Today, public and private sector entities view the SSN as a key piece of information that enables them to conduct their business and deliver services. However, given the apparent rise in identity crimes as well as the rapidly increasing availability of information over the Internet, Congress has raised concern over how certain private sector entities obtain, use, and safeguard SSN data. In previous reports, we discussed the benefits of government and commercial entities using SSNs. We also examined how certain private sector entities and the government obtain, use, and safeguard SSNs. This report provides additional information on private sector uses of SSNs. The Chairman, Subcommittee on Social Security, House Committee on Ways and Means, asked that GAO examine the private sector use of SSNs by businesses most likely to obtain and use them including information resellers, consumer reporting agencies (CRAs), and health care organizations. Specifically, our objectives were to (1) describe how information resellers, CRAs, and some health care organizations obtain and use SSNs and (2) discuss the laws and practices relevant to safeguarding SSNs and consumers' privacy. GAO makes no recommendations. 
GAO-04-11
United States General Accounting Office
Report to the Chairman, Subcommittee on Social Security, Committee on Ways and Means, House of Representatives
January 2004

SOCIAL SECURITY NUMBERS
Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information

Highlights of GAO-04-11, a report to the Subcommittee on Social Security, Committee on Ways and Means, House of Representatives. The full product, including the scope and methodology, is available at www.gao.gov/cgi-bin/getrpt?GAO-04-11. For more information, contact Barbara D. Bovbjerg at (202) 512-7215.

Information resellers, consumer reporting agencies, and some health care organizations routinely obtain SSNs from their customers and have come to rely on SSNs as identifiers that help them determine an individual's identity and accumulate information about individuals. Larger information resellers usually obtain SSNs from their customers and use them to determine the identity of an individual for purposes such as employment screening, credit information, and criminal history. Other Internet-based information resellers whose Web sites we accessed also obtain SSNs from their customers and scour public records and other publicly available information to provide the information to persons willing to pay a fee. CRAs, too, are large users of SSNs. They obtain SSNs from businesses that furnish individuals' data to them and use SSNs to determine consumers' identities and match the information they receive from businesses with information stored in consumers' credit files. Finally, health care organizations obtain SSNs from individuals themselves and companies that offer health care plans and use them as identifiers. Some health care organizations use SSNs as member identification numbers.

Certain federal laws help to safeguard consumers' personal information, including SSNs, by restricting the disclosure of and access to such information, and private sector officials we spoke with said that they indeed take steps to safeguard the SSN information they collect. Information resellers, CRAs, and health care organizations told us they take steps to safeguard SSN data in part for business purposes but also because of federal and state laws that require such safeguards.

Finally, some states are taking steps, legislatively, to address consumer concerns regarding SSN use and privacy of their personal information. Of the 18 states we examined, at least 6 had enacted laws specifically restricting private sector use and display of SSNs. California's law, in particular, has had some nationwide effect on business practices in places where some businesses have discontinued the display of SSNs in all of their locations. Also, our review shows that several state laws are similar to California's. In addition, while some state laws and regulations we reviewed did not restrict or prohibit SSN use or display specifically, they did extend beyond federal restrictions regarding the sharing of personal information.
[Figure: Private Sector Users of Social Security Numbers. Source: Social Security Administration and GAO analysis.]

Contents

Letter
  Results in Brief
  Background
  Private Sector Entities Routinely Obtain SSNs from Their Business Clients and Use Them Largely as a Tool to Identify Individuals
  Federal and State Laws Affect the Disclosure of Personal Information, and Businesses Say They Have a Proprietary Interest in Safeguarding SSNs
  Concluding Observations
  Agency Comments
Appendix I: Scope and Methodology
Appendix II: Federal Laws Affecting Information Resellers, CRAs, and Health Care Organizations
  GLBA
  DPPA
  HIPAA
  FCRA
Tables
  Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure of Personal Information
  Table 2: Provisions Included in Enacted Legislation Reviewed

Abbreviations
  CRA    consumer reporting agencies
  DPPA   Drivers Privacy Protection Act
  FCRA   Fair Credit Reporting Act
  FTC    Federal Trade Commission
  GLBA   Gramm-Leach-Bliley Act
  HIPAA  Health Insurance Portability and Accountability Act
  SSA    Social Security Administration
  SSN    Social Security Number

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States General Accounting Office
Washington, DC 20548

January 22, 2004

The Honorable E. Clay Shaw
Chairman
Subcommittee on Social Security
Committee on Ways and Means
House of Representatives

Dear Mr. Chairman:

The Social Security number (SSN) is used for a myriad of non-Social Security purposes. Private and public sector entities frequently ask individuals for SSNs in order to conduct their business and sometimes to comply with federal laws.
Certain private sector entities, such as consumer reporting agencies (CRAs), information brokers or resellers,[1] and health care organizations, use the SSN as a key piece of information that enables them to conduct their business and deliver services to their customers. For example, business clients or individual customers provide SSNs to these entities, and the numbers are used to produce credit reports or verify information about individuals for employment and other purposes. However, given the apparent rise in identity theft crime, as recently reported by the Federal Trade Commission,[2] as well as the rapidly increasing availability of personal information over the Internet, Congress has expressed concern over how certain private sector entities obtain, use, and safeguard SSN data. We previously reported on the benefits to government and commercial entities of using SSNs.[3] To build on that work and to address Congress' ongoing concern about certain commercial entities' use of SSNs, in this report we focus on information brokers or resellers, CRAs (sometimes referred to as credit bureaus), and health care organizations, which are the same industries that we focused on in our previous work.

[1] Information resellers are companies that amass consumer information from various sources for the purpose of reselling such information for fraud prevention and risk management data solution products, retail marketing, and investigative research tools.
[2] Federal Trade Commission, Identity Theft Survey Report (Washington, D.C.: September 2003).
[3] See U.S. General Accounting Office, Social Security: Government and Commercial Use of the Social Security Number Is Widespread, GAO/HEHS-99-28 (Washington, D.C.: Feb. 16, 1999) and Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 31, 2002).
You requested that we (1) describe how information resellers, CRAs, and some health care organizations obtain and use SSNs and (2) discuss the laws and practices relevant to safeguarding SSNs and consumers' privacy.

To determine how information resellers, CRAs, and health care organizations obtain and use SSNs, we conducted on-site structured interviews with six large information resellers, three large and well-known CRAs, two large health care plans, and two health care industry associations. We also had our investigators access the Web sites of six Internet-based information resellers that specialize in searching for people or obtaining information about individuals by the use of SSNs, and our investigators paid them a fee to obtain their information. To determine the laws and practices relevant to safeguarding SSNs, we questioned information resellers, CRAs, health care organizations, and the Federal Trade Commission about the relevant federal laws that limit these entities' ability to obtain and use individuals' personal information that includes SSNs. We also questioned the private sector entities about the safeguards they had in place to protect SSNs and reviewed some of their policies and procedures. However, we did not verify the extent to which these businesses comply with their own policies, procedures, and safeguards. To discuss actions taken by states to safeguard consumers' privacy, we conducted site visits to two states, one that had passed privacy legislation and one that had issued an executive order on personal information; surveyed state audit officials in each of the 50 states; and interviewed select industry and state officials in person or via telephone. We also conducted a legislative review of 18 states that were identified by state officials as having laws or proposed laws governing SSN use. We conducted our work between November 2002 and December 2003 in accordance with generally accepted government auditing standards. (See app. I for more information about our scope and methodology.)

Results in Brief

We found that information resellers, CRAs, and some health care organizations routinely obtain SSNs from their business clients and individual customers and have come to rely on SSNs as identifiers that help them verify an individual's identity and accumulate information about that person. This is particularly true of information resellers, who amass personal information, including SSNs, from public and private sources, and provide their products and services to a variety of customers. Large information resellers generally limit their services to their business clients, including law firms and financial institutions that establish accounts with them. Officials from these entities told us that they usually obtain SSNs from their business clients and use the information as a factor in determining the identity of an individual for purposes such as employment screening, credit information, and criminal history. Other Internet-based information resellers whose Web sites we accessed also obtain SSNs from their individual customers and scour public records and other publicly available information to obtain information about individuals. These resellers provide information about individuals through the Internet to persons willing to pay a fee to obtain the information. CRAs obtain SSNs from businesses that furnish individuals' data, including SSNs, to them, and they also receive information from other information resellers and public records. CRA officials told us that they use SSNs to determine consumers' identities and match the information they receive from businesses with information stored in consumers' credit files. Finally, health care organizations obtain SSNs from individuals themselves and from companies that offer health care plans.
These organizations use SSNs as member identification numbers, which enable them to identify the correct individual, the type of coverage the individual has under the health plan, and other information, such as medical services and prescription drugs provided to that individual.

Certain federal laws help to safeguard consumers' personal information, including SSNs, by restricting the disclosure of and access to such information, and private sector officials we spoke with said that they indeed take steps to safeguard the SSN information they collect. Federal laws, such as the Gramm-Leach-Bliley Act, the Drivers Privacy Protection Act, and the Health Insurance Portability and Accountability Act, have placed restrictions on the ways in which information resellers, CRAs, and health care organizations may use and disclose consumers' personal information, including SSNs. Information resellers, CRAs, and health care organizations said that they take steps to safeguard SSN data, in part for business purposes but also because of federal and state laws that require such safeguards. Officials from these entities said that they employ certain safeguards to protect against the unauthorized use and disclosure of SSNs, such as controlling employees' access to records that contain SSNs. In addition, officials from large information resellers and CRAs said they require their business clients to sign formal agreements saying that their use of SSN data will only be for legally permissible purposes under the law. We found that some Internet-based information resellers whose Web sites we accessed also require customers to affirm the permissible purpose under the law for which they are obtaining the information. However, these Internet-based information resellers did not attempt to verify how we used the information we purchased from them.

Finally, some states are taking steps, legislatively, to address consumer concerns regarding SSN use and the privacy of their personal information. Of the 18 states we examined, at least 6 of them enacted laws specifically restricting private sector use or display of SSNs.[4] California's law has influenced business practices, and some states have adopted laws similar to California's. Also, while some state laws and regulations we reviewed did not restrict or prohibit SSN use or display specifically, they did extend beyond federal restrictions regarding the sharing of personal information.

Background

The Social Security Act of 1935 authorized the Social Security Administration (SSA) to establish a record-keeping system to help manage the Social Security program, and this resulted in the creation of the SSN. Through a process known as enumeration, unique numbers are created for every person as a work and retirement benefit record for the Social Security program. SSA generally issues SSNs to most U.S. citizens, and SSNs are also available to noncitizens lawfully admitted to the United States with permission to work. SSA estimates that approximately 277 million individuals currently have SSNs. Because of the number's uniqueness and broad applicability, the SSN has become the identifier of choice for government agencies and private businesses, and thus it is used for a myriad of non-Social Security purposes.

With the enhancement of computer technologies in recent years, private sector businesses are increasingly computerizing their records; as a result, these enhancements have spawned new business activities involving the aggregation of personal information.[5] Such entities aggregate large numbers of both public and private data, including SSNs, from recordkeeping systems throughout the country into centralized databases and use those databases, in many cases, for the purpose of providing consumer services.
[4] Arizona, California, Georgia, Missouri, Texas, and Utah.
[5] See GAO/HEHS-99-28.

Businesses and others rely on entities such as information resellers and CRAs to use SSNs to build credit reports, extract or retrieve data from consumers' credit histories, verify individuals' identities, market their products, and prevent financial fraud.

Information resellers, sometimes referred to as information brokers, are businesses that specialize in amassing consumer information that includes SSNs for informational services. They may provide their services to a variety of customers, either to specific business clients or through the Internet to anyone willing to pay a fee. Large information resellers limit their services to businesses that establish accounts with them. Law firms, private businesses, law enforcement agencies, and others are usually their clients. For example, lawyers, debt collectors, and private investigators may request information on an individual's bank accounts and real estate holdings for use in civil proceedings such as divorce; automobile insurers may want information on whether insurance applicants have been involved in accidents or have been issued traffic citations; employers may want background checks on new hires; pension plan administrators may want information to locate pension beneficiaries; and individuals may ask for information to help locate birth parents. When requesting information, customers may ask for nationwide database searches or searches of only specific geographical areas. Other information resellers, particularly those that are Internet-based, generally offer their services to the public at large for a fee.

CRAs, also known as credit bureaus, are agencies that collect and sell information about the creditworthiness of individuals. CRAs collect information that is considered relevant to a person's credit history.
These agencies then use this information to assign a credit score to an individual, indicating the person's creditworthiness. Prospective creditors purchase credit reports about specific individuals from CRAs, and then use this information to decide how much credit, if any, to extend to the individual.

Organizations that provide health care services also commonly use consumers' SSNs. These organizations generally deliver their services through a coordinated system that includes health care providers and health plans (insurers).[6] While both providers and insurers are within this coordinated system, they are distinct from each other. For instance, in conducting business, health care providers offer medical or health services to patients and bill either the patient or the health plan for those services. In contrast, health plans offer insurance to individuals or groups of employees, who then make premium payments in exchange for services. Some health care organizations play dual roles of both health care provider and health insurer, which makes the distinction in how they obtain and use SSNs more complex.

[6] Health plans are also referred to as health care insurers.

Because of the myriad of uses of the SSN, Congress has previously asked GAO to review various aspects of SSN use in both the public and the private sectors.[7] In our previous work, our reports have looked at how private businesses and government agencies obtain and use SSNs.[8] In addition, we have reported that the perceived widespread sharing of personal information and instances of identity theft have heightened public concern about the use of Social Security numbers.[9] We have also noted that the SSN is used, in part, as a verification tool for services such as child support collection, law enforcement enhancement, and issuing credit to individuals.[10] Although these uses of SSNs are beneficial to the public, SSNs are also key elements in creating false identities.
We testified before the Subcommittee on Social Security, House Committee on Ways and Means, about SSA's enumeration and verification processes, and reported that the aggregation of personal information, such as SSNs, in large corporate databases, as well as the public display of SSNs in various public records, may provide criminals the opportunity to commit identity crimes.[11]

[7] GAO-02-352, and U.S. General Accounting Office, Identity Theft: Prevalence and Cost Appear to Be Growing, GAO-02-363 (Washington, D.C.: March 2002).
[8] GAO/HEHS-99-28.
[9] U.S. General Accounting Office, Social Security: Government and Other Uses of the Social Security Number Are Widespread, GAO/T-HEHS-00-120 (Washington, D.C.: May 18, 2000).
[10] GAO/HEHS-99-28.
[11] U.S. General Accounting Office, Social Security Numbers: Ensuring the Integrity of the SSN, GAO-03-941T (Washington, D.C.: July 10, 2003).

Private Sector Entities Routinely Obtain SSNs from Their Business Clients and Use Them Largely as a Tool to Identify Individuals

Information resellers, CRAs, and health care organizations routinely obtain SSNs from their business clients and use SSNs for various purposes, such as to build tools that verify an individual's identity or match existing records. In addition to acquiring SSNs from various public sources, officials from these firms said they often obtain SSNs from their business clients wishing to use their services. For example, health care organizations obtain SSNs from the subscriber or policyholder of the employer group during the enrollment process. Given the various types of services these companies offer, we found that all of them have come to rely on the SSN as an identifier, which helps them determine a person's identity for the purpose of providing the services they offer. These officials said that because the SSN is a unique number, it is the most reliable factor in determining an individual's identity.
However, most of the large information resellers said that the SSN is not needed to develop many of their products, such as products that launch e-mail marketing or telemarketing programs, but when the SSN is used, it provides increased accuracy and completeness in terms of trying to determine an individual's identity.

Large and Internet-Based Information Resellers Obtain SSNs from Their Business Clients, as Do CRAs and Health Care Organizations

Information resellers generally obtain SSNs from their business clients, who often provide SSNs to obtain a reseller's services or products. However, most of the large information reseller officials we spoke to said that many of the products they offer do not incorporate SSN data. They said they generally amass demographic information about households in order to provide marketing products such as detailed data lists of e-mails and postal addresses, and telephone numbers, or information for retailers and others to use to obtain new customers. As a result, their business concentrates more on marketing such products. However, these officials said that they obtain SSNs from their business clients because they also offer specific services, such as background checks, employee screening, determining criminal histories, or searching for individuals. For example, business customers of some of the information resellers who specialize in employee screening provide them with SSNs in order to have background checks done on potential employees.

Large information resellers also said they can obtain SSNs from various public and private sources. For example, they obtain SSN data from public records such as bankruptcies, tax liens, civil judgments, criminal histories, deaths, real estate ownership, driving histories, voter registration, and professional licenses. These officials said, however, that the availability of SSN information in public records varied depending on the state and county.
For example, some states and counties included SSNs in their filings of tax liens and court records, but not in other records. Bankruptcy information, which is governed at the federal level, always includes SSNs. All of the resellers that we spoke to said that they obtain SSNs from public records where possible, and to the extent the information is provided on the Internet, they are likely to obtain it from such sources. However, given the varied nature of SSN data found in public records, some reseller officials said they are more likely to rely on receiving SSNs from their business clients than on obtaining them from public records.

Our investigators also used the Web sites of the Internet-based resellers to try to determine the sources they used to obtain information on SSNs. Our investigators reviewed the sources of information the resellers listed on their Web sites and found that these resellers relied mostly on public information and public record data. For example, the resellers listed various kinds of public record information at the state, county, and national levels, as well as other publicly available information, such as newspapers. As with large information resellers, once they obtained an SSN they relied on information in public records to help verify an individual's identity and obtain additional information.

Some large information resellers may also obtain SSN information from private sources. In many cases such information was obtained through review of data where a customer has voluntarily supplied information resellers with information about himself or herself. In addition, large reseller officials said they also use their clients' records in instances where the client has provided them with information. For example, officials from one large reseller said they obtained lists of their retail customers' credit card holders. The list includes the names, addresses, SSNs, and other data of the credit card holders.
The reseller then uses the list to match the names of the retail company's delinquent payment holders with the most recent bankruptcy records. In addition, Federal Trade Commission (FTC) staff said that information resellers also obtain information from CRAs.

We found the Internet-based resellers to be more dependent on SSNs than the large information resellers, primarily because their focus is more related to providing investigative or background-type services to anyone willing to pay a fee. We found these entities to be primarily focused on amassing information around an individual's SSN, which in most cases they obtain from customers trying to use their Web sites. To discover what type of information could be obtained from such sources, our investigators accessed the Web sites of six Internet-based information resellers and paid a fee to gain access to the personal data. We found that when we supplied an SSN, these resellers provided us with information such as the corresponding name, address, and telephone number and, on two occasions, a truncated SSN such as 123-45-xxxx. All but one of the Internet-based resellers required our investigators to provide both the name and SSN of the person who was the subject of our inquiry.

Like information resellers, CRAs also obtain SSNs from their customers or the businesses that furnish data to them, as well as from private and public sources. CRA officials said that they obtain SSNs from businesses that subscribe to their services, such as banks, insurance companies, mortgage companies, debt collection agencies, child support enforcement agencies, credit grantors, and employment screening companies. These businesses voluntarily report consumers' charge and payment transactions, accompanied by SSNs, to CRAs. Individuals provide these businesses with their SSNs for reasons such as applying for credit. CRA officials said that they also obtain SSNs from public sources.
For example, some officials said SSNs can be obtained from bankruptcy records, a fact that is especially important in terms of determining that the correct individual has declared bankruptcy. CRA officials told us that they also obtain SSNs from other information resellers, especially those that specialize in obtaining information from public records.

CRA and information reseller officials we spoke to also said that they would support limiting the public display of SSNs, especially where the general public might be able to retrieve such information. For example, they said they support removing the SSN from identification cards, health care insurance cards, and university student identification numbers. None of these officials, however, support removing the SSN from public records or restricting their access to SSN data in public records. They said such restrictions would slow some business transactions and likely increase costs to consumers because many of the conveniences currently enjoyed by consumers, such as obtaining instant credit, would take much longer and, in some cases, cease to exist.

Finally, health care organization officials said that they obtain SSNs from individuals themselves and companies that offer health care plans. For example, subscribers or policyholders provide health care plans with their SSNs through their company or employer group when they enroll in health care plans. In addition to health care plans, health care organizations include health care providers, such as hospitals. Such entities often collect SSNs as part of the process of obtaining information on insured people. However, health care officials said that, particularly with hospitals, the medical record number rather than the SSN is the primary identifier.
Businesses Use SSNs to Verify Individuals' Identities and to Compile Information about Individuals

We found that the primary use of the SSN by information resellers, CRAs, and health care organizations alike was to help verify the identity of an individual. In addition, the SSN was also used to compile and match data about individuals with information already in company databases. This was particularly true of CRAs, whose officials said they usually match individuals' SSNs with records in their data sets. Most information reseller, CRA, and health care organization officials we spoke to said that the SSN is the single most important identifier available, mainly because it is truly unique to an individual, unlike an individual's name and address, which can often change over an individual's lifetime.

Large and Internet-based Information Resellers Use the SSN as an Identifier

Large information resellers said that they generally use the SSN as an identity verification tool. Some of these entities have incorporated SSNs into their information technology, while others have incorporated SSNs into their clients' databases used for identity verification. For example, one large information reseller that specializes in information technology solutions has developed a customer verification data model that aids financial institutions in their compliance with some federal laws regarding "knowing your customer." According to this company's information, the data model compares information provided by the applicant, such as name, address, and SSN, with the data the company already has in its databases, which are composed of multiple public and private sources. Another information reseller that specializes in mortgage services uses the SSN as the main factor in identifying individuals for its product reports and also for conducting investigations for its clients for resident screening or employment screening.
Yet another large information reseller uses SSNs for internal matching purposes across its databases. For example, this company has various database products that compile information to provide such products as insurance underwriting tools.12 We also found that Internet-based information resellers use the SSN as a factor in determining an individual's identity. Although the Internet Web sites we accessed advertised that they would be able to find a person's SSN or find a person using an SSN, these resellers in all but one case required us as the client to supply the SSN. The information they then provided back to us usually restated what we had given them or verified the person's SSN. Most of the information reseller officials we spoke to said that although they obtain the SSN from their business clients, the information they provide back to their customers rarely contains the SSN. Almost all of the officials said that they provide their clients with a truncated SSN, an example of which would be 123-45-xxxx. In one case, one large information reseller provides business products with three different access levels, which include the general public, subscriber products, and select products for entities such as law enforcement. Company officials said the subscriber level provides subscribers with truncated SSNs, while full SSNs are viewable at the select group product level, giving the user group a tool to authenticate data about specific individuals.13 With regard to the Internet-based information resellers we accessed, only one provided the complete SSN back to us. These resellers usually provided information related to the SSN we had provided them, such as name, address, or date of birth.

12 Officials from this company stated that information in this database comes from a variety of sources, such as government agencies, insurance companies, and CRAs.

CRAs Use SSNs as Identifiers and to Match Incoming Data with Their Existing Databases
CRAs use SSNs as the primary identifier of individuals that enables them to match the information they receive from their business clients with the information stored in their databases on individuals. Because these companies have various commercial, financial, and government agencies furnishing data to them, the SSN is the primary factor that ensures that incoming data is matched correctly with an individual's information on file. For example, CRA officials said they use several factors to match incoming data with existing data, such as name, address, and financial account information. If all of the incoming data, except the SSN, match with existing data, then the SSN will determine the correct person's credit file. Given that people move, get married, and open new financial accounts, these officials said that it is hard to distinguish among individuals. Because the SSN is the one piece of information that remains constant, they said that it is the primary identifier that they use to match data. We found that CRAs and information resellers can sometimes be the same entity, a fact that blurs the distinction between the two types of businesses but does not affect the use of SSNs by these entities. For example, information resellers that assemble or evaluate consumer credit information for the purpose of furnishing consumer reports to third parties would be considered CRAs under federal law, and the law restricts what they can do with the credit report information. Five of the six large information resellers we spoke to said they were also CRAs. CRA officials said that they also build their own databases or purchase databases from other companies, and then resell the information in these databases to their customers. 
However, CRA officials said that information furnished for credit reports can only be used for credit reporting purposes and cannot be resold. Information not covered by federal law that CRAs use to build their databases or buy from other databases can be resold as consulting solutions or direct-marketing products. In our discussions with CRAs, some officials said that information reselling constituted as much as 40 percent of CRAs' business.

13 Officials at this company said that full SSNs are obtainable by entities or individuals who have been approved through authentication and verification methods for access to the specific information. Such individuals or entities would include state, local, and federal government entities; special investigative units and claims departments of public and private insurance companies; collection departments of companies that own their debt; and other public and private entities, on a case-by-case basis, for the purposes of detecting, investigating, or preventing fraud or other criminal activities.

Health Care Organizations Also Use SSNs to Identify Individuals but in Some Cases Such Use Is Being Discontinued

Health care organizations also use the SSN to help verify the identity of individuals. These organizations use SSNs, along with other information such as name, address, and date of birth, as a factor in determining a member's identity. Health care officials said that health care plans, in particular, use the SSN as the primary identifier of an individual, and it often becomes the customer's insurance number. Health care officials said that they use SSNs for identification purposes, such as linking an individual's name to an SSN to determine if premium payments have been made, or they use the SSN as an online services identifier, as an alternative policy identifier, and for phone-in identity verification.
Health care organizations also use SSNs to tie family members together where family coverage is used,14 to coordinate member benefits, and as a cross-check for pharmacy transactions. For example, health care officials said that when people purchase pharmaceuticals, the SSN is used to help identify the person that is authorized to receive the pharmaceuticals and medical benefits. Health care industry association officials also said that SSNs are used for claims processing, especially with regard to Medicare. According to these officials, under some Medicare programs, SSNs are how Medicare identifies benefits to an individual. Given the increased interest in the use and protection of SSNs as well as the recent passage of federal and state laws, health care organization officials said that in some instances health care organizations are limiting their use of SSNs to be in compliance with the laws. For example, one health care organization we spoke to said that certain of its regions no longer use SSNs as a basis for providing member records or for identification purposes. Another region does not use the SSN to verify the identity of members, but instead relies upon the medical record number, date of birth, or address. In yet another region, health care insurers use a unique account number because SSNs cannot be used as the health care insurer's account number.

14 During the enrollment process, subscribers have a number of options, one of which is deciding whether they would like single or family coverage. In cases where family coverage is chosen, the SSN is the key piece of information generally allowing the family members to be linked.

Federal and State Laws Affect the Disclosure of Personal Information, and Businesses Say They Have a Proprietary Interest in Safeguarding SSNs

Information resellers, CRAs, and health care organization officials said that certain federal laws have helped to limit the disclosures they are allowed to make to their customers.
Officials from these companies said that they are either subject to the laws directly, given the nature of their business, or indirectly, through their business clients that are subject to these laws. In addition, we found that information resellers, CRAs, and health care organizations take steps to safeguard SSN data, sometimes by employing safeguards to protect against the unauthorized use and disclosure of SSNs or, in the case of large information resellers and CRAs, by requiring their clients to sign formal agreements saying that their use of SSN data will be only for activities permissible under the law. We also found that Internet-based information resellers require customers to affirm the permissible purpose under the law for which they are obtaining the information. Finally, at least six states have enacted laws to restrict the private sector's use of SSNs, and California's SSN law has had some effect nationwide. In addition, some state regulations and laws regarding the sharing of personal information have extended beyond federal restrictions.

Certain Federal Laws Limit Disclosure of Personal Information That Includes SSNs

According to officials we spoke to, certain federal laws have placed restrictions on their use and disclosure of consumers' personal information that includes SSNs. These laws include the Gramm-Leach-Bliley Act (GLBA), the Drivers Privacy Protection Act (DPPA), and the Health Insurance Portability and Accountability Act (HIPAA). As shown in table 1, the laws either restrict the disclosures that entities such as information resellers, CRAs, and health care organizations are allowed to make to specific purposes or restrict whom they are allowed to give the information to. Moreover, as shown in table 1, these laws focus on limiting or restricting access to certain personal information and are not specifically focused on information resellers.
Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure of Personal Information

Federal laws / Restrictions

Gramm-Leach-Bliley Act: Creates a new definition of personal information that includes the SSN and limits when financial institutions may disclose the information to non-affiliated third parties.

Drivers Privacy Protection Act: Prohibits disclosing personal information from a motor vehicle record that includes SSN except for purposes permissible under the law.

Health Insurance Portability and Accountability Act: Protects the privacy of protected health information that includes SSNs and restricts health care organizations from disclosing such information to others without the patient's consent.

Source: GAO analysis.

GLBA Limits Disclosure of Nonpublic Personal Information That Includes SSNs

Prior to GLBA, financial institutions had few limitations as to where, why, and to whom they could provide customer data. GLBA helps protect consumers' privacy and limits when a financial institution may disclose certain types of a consumer's financial information. GLBA created a new definition of personal information, referred to as nonpublic personal information, which means personally identifiable financial information that is

1. provided by a consumer to a financial institution (for example, name, address, income, SSN, or other information on an application);

2. the result of any transaction with the consumer or any service performed for the consumer (for example, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or

3. otherwise obtained by the financial institution (for example, information from a consumer report).15

Provisions under GLBA limit when a financial institution may disclose a consumer's nonpublic personal information to non-affiliated third parties.

15 Nonpublic personal information does not include information that is "publicly available."
In other words, the information is generally made lawfully available to the public, and an individual can direct that it not be made public.

Financial institutions must notify their customers about their information sharing and tell consumers of their right to opt out if they do not want their information shared with certain non-affiliated third parties.16 GLBA covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions, because they engage in certain "financial activities." In addition, any entity that receives consumer financial information from a financial institution under one of the GLBA exceptions may be restricted in its reuse and redisclosure of that information. We found that some CRAs consider themselves to be financial institutions under GLBA.17 These entities are therefore directly governed by GLBA's restrictions on disclosing nonpublic personal information to non-affiliated third parties. We also found that some of the information resellers we spoke to did not consider their companies to be financial institutions under GLBA. However, because they have financial institutions as their business clients, they complied with GLBA's provisions in order to better serve their clients and ensure that their clients are in compliance with GLBA. For example, if information resellers received information from financial institutions pursuant to notice and opt-outs, they could resell the information only to the extent consistent with the privacy policy of the originating financial institution and any opt-outs. Information resellers and CRAs also said that they protect the use of consumers' nonpublic personal information and do not provide such information to individuals or unauthorized third parties.
In addition to imposing obligations with respect to the disclosures of personal information, GLBA also requires federal agencies responsible for financial institutions to adopt appropriate standards for financial institutions relating to safeguarding customer records and information. Information resellers and CRA officials said that they adhere to GLBA's standards in order to secure financial institutions' information. FTC staff said that although GLBA helps to limit the disclosure of consumers' nonpublic personal information, GLBA also includes certain broad exceptions that are unspecific (see app. II for information on GLBA's exceptions). FTC officials said that they receive many inquiries from CRAs and information resellers concerning the application of GLBA's exceptions, such as whether the exceptions apply to certain circumstances. As a result, they said it is difficult to determine how and whether certain entities are appropriately interpreting the exceptions.

16 An exception to this opt-out requirement is that a financial institution may provide nonpublic personal information to a non-affiliated third party that is performing services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services. The financial institution must, however, fully disclose this to the consumer, and the non-affiliated third party must enter into a contractual agreement to maintain the confidentiality of such information.

17 Under GLBA, the term financial institution is defined as "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956," which goes into more detail about what are "activities that are financial in nature." These generally include banking, insurance, and investment industries.

DPPA Limits Disclosure of Personal Information from a Motor Vehicle Record That Includes SSNs

DPPA was enacted to prohibit the release and use of certain personal information from state motor vehicle records. DPPA prohibits any person from knowingly obtaining or disclosing personal information from a motor vehicle record for any use not permitted under DPPA. DPPA specifies certain exceptions when personal information contained in a state motor vehicle record may be obtained and used, such as use by an employer or its agent or insurer to obtain information relating to the holder of a driver's license (see app. II for a list of permissible uses). As a result of DPPA, information resellers said they were restricted in their ability to obtain SSN and other driver license information from state motor vehicle offices unless they were doing so for a permissible purpose under the law. These officials also said that information obtained from a consumer's motor vehicle record has to be in compliance with DPPA's permissible purposes, thereby restricting their ability to resell motor vehicle information to individuals or entities not allowed to receive such information under the law. Furthermore, because DPPA restricts state motor vehicle offices' ability to disclose driver license information, which includes SSN data, information resellers said they no longer try to obtain SSNs from state motor vehicle offices, except for permissible purposes.

HIPAA Restricts Disclosing Protected Health Information That Includes SSNs

HIPAA requires health care organizations and providers to meet certain privacy standards with respect to personal health information. HIPAA's privacy rule specifically states that "a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."
The privacy rule provides patients access to their medical records, control over how their health information may be used and disclosed, avenues for recourse if their medical privacy is compromised, and a number of other privacy rights (see app. II for more details on covered entities and individuals' obligations and rights). HIPAA gives individuals the right, in most cases, to obtain and inspect copies of health information about themselves. In addition, it generally restricts health care plans and certain health care providers from disclosing such information to others without the patient's consent, except for purposes of treatment, payment, or other health care operations. There are, however, exceptions to facilitate compliance with state reporting requirements and other public health purposes. Health care organizations, including health care providers and health plan insurers, are subject to HIPAA's requirements. In addition to providing individuals with privacy practices and notices, health care organizations are also restricted from disclosing a patient's health information without the patient's consent, except for purposes of treatment, payment, or other health care operations. Information resellers and CRAs do not consider themselves to be "covered entities" under HIPAA, although some information resellers said that their customers are considered to be business associates under HIPAA. As a result, they said they are obligated to operate under HIPAA's standards for privacy protection, and therefore could not resell medical information without having made sure HIPAA's privacy standards were met.

FCRA Limits Access to Information in Credit Data

Under FCRA, Congress has limited the use of consumer reports18 to protect consumers' privacy and limits access to credit data to those who have a legally permissible purpose for using the data, such as the extension of credit, employment purposes, or underwriting insurance (see app.
II for a list of FCRA's permissible purposes). However, these limits are not specific to SSNs. All of the CRAs that we spoke to said that they are considered to be consumer-reporting agencies under FCRA. In addition, some of the information resellers we spoke to who handle or maintain consumer reports are classified as CRAs under FCRA. Both CRAs and information resellers said that as a result of FCRA's restrictions they are limited to providing credit data to their customers that have a permissible purpose under FCRA. Consequently, they are restricted by law from providing such information to the general public.

18 The FTC has determined that certain types of information, including SSNs, do not constitute a consumer report under FCRA because they are not factors in determining credit eligibility.

Large Information Resellers, CRAs, and Health Care Organizations Employ Safeguards to Protect SSN Information

Large information resellers, CRAs, and health care officials said they employ certain safeguards to mitigate the risk of individuals gaining unauthorized access to SSNs or making improper disclosure or use of SSNs. These officials said that potential risks occur from internal sources such as employees' unauthorized access to information and from external sources such as business clients and computer hackers. To address internal risks, these officials said they (1) conduct background checks on employees, (2) train employees on the appropriate way to handle sensitive information, (3) teach employees about the federal and state laws governing certain information, (4) require employees to sign written agreements that specify what they are allowed to do with information that includes an SSN, and (5) terminate employees and take legal actions against employees that improperly use or disclose SSNs.
For example, health care organization officials said they train their employees on how to comply with HIPAA and how to safeguard medical records and other types of personal information. Some information resellers said that they take steps to control and monitor employee access to computerized records that contain SSNs by assigning different levels of access. Employees are, therefore, only given access to information that they need to perform their job. In addition, employees' access to records that contain SSNs is also monitored. For example, some officials said they track employees' browsing of records in certain databases and monitor any unusual transactions. In some cases, CRA and health care officials said they created audit trails for every transaction, and these trails allow them to track employees' activities. Officials from large information resellers and CRAs also told us that they take action to mitigate external risks that could result in the unauthorized use and disclosure of SSNs. Some of these officials said they have "know your customer" policies in place. For example, one information reseller told us that prior to the sale of information, they verify the identity of their customers and make sure they have the necessary credentials to obtain access to their information database. Large information resellers and CRA officials also said they always determine the eligibility of their customers to have access to their information by conducting audits of their customers prior to entering into a contract with them. For example, before entering into a formal contract, a CRA determines that a financial institution is what it says it is and is eligible to receive credit reports, and an information reseller determines that a law enforcement agency is in fact a law enforcement agency and is eligible to receive motor vehicle information.
In conducting their audits, these entities review customers' business licenses, perform background and credit checks, and often visit the entity itself. Some officials did say, however, that they face certain challenges in protecting SSN data, such as ensuring that they provide their information to legitimate businesses or government agencies that have appropriate, legally permissible purposes to have such information. Nonetheless, there have been cases when the unauthorized use and disclosure of SSNs have occurred. For example, CRA officials told us that through their audit process they discovered instances where their clients have violated their written agreement by using personal information for non-permissible purposes. Large information reseller and CRA officials also said they require their clients to sign formal agreements acknowledging that the information provided to them will be used in accordance with permissible activities under federal and state law. For example, if a business client wanted to obtain information from a state motor vehicle agency, the client would have to sign a formal agreement saying that such information would be used only for permissible purposes, such as the verification of personal information for the purpose of preventing fraud or the pursuit of legal remedies against an individual. Representatives of one large reseller that we spoke to said that they not only require their clients to indicate which permissible use applies before they give access to information, but they also have specific access levels, depending on their client's formal agreement with them. For example, if the client was an investigative police unit, then it could be granted full access to the reseller's databases under the formal agreement, which included full SSN disclosure as well as other personally identifiable information. 
Clients granted this level of access were subject to background checks and other verification techniques, such as on-site verifications, by the reseller. Once a formal contract has been entered into with a customer, large information resellers and CRA officials said that they audit their clients to ensure that they are complying with the legal and contractual restrictions, such as obtaining credit reports for legitimate business purposes. In addition, these audits may be conducted either on-site or by mail, requiring the customer to provide documentation regarding the permissible purposes for the information requested by the customer. Officials from one entity told us they conduct an Internet "secret shopper" program whereby they police certain Internet Web sites that sell SSNs to make sure that their customers are not supplying these sites. In addition, health care officials said that health insurance companies are audited by state insurance departments to ensure that, among other things, appropriate computer safeguards are in place. Large information resellers and CRA officials also told us that they are frequently audited by their customers, who need to ensure that they are in turn in compliance with the same laws and restrictions they impose on their clients. For example, CRA officials told us that especially with regard to GLBA requirements, financial institutions frequently audit their computer systems to make sure they meet standards under GLBA. We found that Internet-based information resellers require customers, upon accessing their Web site, to acknowledge that they will abide by their "terms and conditions" and indicate the permissible purpose for which they are obtaining the information. For example, we found that they required our investigators to concur with the site's terms and conditions before any informational service was provided.
In addition, two of the Internet-based resellers provided a list of permissible purposes from which we had to select, such as collection purposes. At these resellers' Web sites, only after we indicated the permissible purpose for which we would like to purchase information were we allowed to purchase personal information by credit card. We did not find that the Internet-based resellers attempted in any way to audit us, determine who we were, or determine that we were indeed using the information for the permissible purpose we had selected.

At Least Six States Have Enacted Laws to Restrict Private Sector Use of SSNs

At least six states have enacted their own legislation to restrict private sector uses of SSNs. Based on our review of select legislative documents within 18 states, California, Missouri, Arizona, Georgia, Utah, and Texas had enacted laws to restrict either the display or the use of SSNs.19 In 2001, California enacted Senate Bill (SB) 168, restricting private sector use of SSNs. Specifically, this law generally prohibits companies and persons from:

o posting or publicly displaying SSNs,
o printing SSNs on cards required to access the company's products or services,
o requiring people to transmit an SSN over the Internet unless the connection is secure or the number is encrypted,
o requiring people to log onto a Web site using an SSN without a password, or
o printing SSNs on anything mailed to a customer unless required by law or the document is a form or application.20

Furthermore, in 2002, shortly after the enactment of SB 168, California's Office of Privacy Protection published recommended practices for protecting the confidentiality of SSNs.

19 In the 18 states we researched, we reviewed more than 40 legislative documents, including relevant laws, proposed laws, legislative summaries, and other related documents, such as state regulations, executive orders, and referendums.
These practices were to serve as guidelines to assist private and public sector organizations in handling SSNs. Similar to California's law, Missouri's law (2003 Mo. SB 61), which is not effective until July 1, 2006, bars companies from requiring individuals to transmit SSNs over the Internet without certain safety measures, such as encryption and passwords. However, while SB 61 prohibits a person or private entity from publicly posting or displaying an individual's SSN "in any manner," unlike California's law, it does not specifically prohibit printing the SSN on cards required to gain access to products or services. In addition, Arizona's law (2003 Ariz. Sess. Laws 137), effective January 1, 2005, restricts the use of SSNs in ways very similar to California's law. However, in addition to the private sector restrictions, it adds certain restrictions for state agencies and political subdivisions.21 For example, state agencies and political subdivisions are prohibited from printing an individual's SSN on cards and certain mailings to the individual. Last, Texas prohibits the display of SSNs on all cards, while the Georgia and Utah laws are directed at health insurers and, therefore, pertain primarily to insurance identification cards.22 None of these three laws contains the provisions mentioned above relating to Internet safety measures and mailing restrictions. Table 2 lists states that have enacted legislation and related provisions.

20 Cal. Civ. Code §1798.85.

21 Political subdivisions would include counties, cities, and towns.

22 Georgia's law (O.C.G.A. §33-24-57.1(f)) and Utah's law (Utah Code Ann. §31-22-634) are both effective July 1, 2004. However, Utah's law provides certain extensions until March 1, 2005. Texas' law (2003 Tex. Gen. Laws 341) is effective March 1, 2005.
Table 2: Provisions Included in Enacted Legislation Reviewed

Provision / States where provision or restriction enacted

Specifically prohibits display on cards: AZ, CA, GA, TX, UT

Requires Internet safety measures: AZ, CA, MO

Restricts mailing of SSNs: AZ, CA

Source: GAO analysis.

California's SSN Law Appears to Have Had Some Nationwide Effect

During the course of our work, we found that California is at the forefront with respect to its consumer privacy protection efforts and that the enactment of its SSN law restricting private sector display of SSNs appears to have had some nationwide effect on business practices. For example, a senior manager for at least one private company with locations in California stated that the company identified 175 areas within its organization where SSNs were being used, and 130 of these (over 74 percent) were in connection with health care organizations providing health care services to its employees. As a result, the company has asked all of its health care providers nationwide, regardless of respective state laws, to discontinue their display of SSNs on health benefit cards. In addition, according to officials representing one health care association, as a result of the California law, by January 2006 all of its health care plans, located in various states, are required to discontinue displaying SSNs on their cards. In addition, our review of state legislation and interviews of state and industry officials show several state laws are very similar to California's law.

Some State Laws and Regulations Extend beyond Similar Federal Restrictions

We found that regulations and laws in 2 of the 18 states we reviewed do not address SSNs specifically but do extend beyond federal restrictions regarding the sharing of "personal information," which may include SSNs.
As previously mentioned, GLBA requires that financial institutions provide consumers the opportunity to opt out of sharing personal information with certain third parties, meaning that unless a consumer notifies the financial institution not to, the institution may share this information. Alternatively, financial institutions may disclose nonpublic information to non-affiliated third parties, including other financial institutions, pursuant to certain exceptions in GLBA, without providing consumers a right to opt out of those disclosures. In addition, FCRA allows those with a legitimate, legally defined purpose or permissible purpose access to consumers' credit information. To better address consumer concerns about privacy and the protection of personal information, however, states such as Vermont and North Dakota have issued regulations or enacted laws that extend beyond the provisions of these two federal laws. For example, an Assistant Attorney General in Vermont stated that while Vermont does not have any specific laws governing the use of SSNs, it has regulations requiring banking, insurance, and securities companies to obtain consumers' permission prior to sharing consumers' personal information (opt-in provisions). The Assistant Attorney General added that Vermont's Fair Credit Reporting Act has a similar opt-in requirement before permitting access to consumer credit reports. Furthermore, until Congress passed the GLBA, North Dakota had a banking privacy law to protect personal information. This banking law also prohibited financial institutions in North Dakota from selling or sharing customer data with other companies unless the individual provided consent. The North Dakota legislature amended the state's opt-in privacy law to make it consistent with GLBA's opt-out requirement. However, in June 2002, following public outcry, North Dakota voters passed a referendum reinstating the former opt-in law, again requiring consumer consent before sharing personal information.

Concluding Observations

Information resellers, CRAs, and health care organizations are likely to continue obtaining and using SSNs primarily to match records, since the SSN is a key factor in determining the identity of an individual and there is no widely accepted alternative. While these entities told us that they typically do not resell SSNs they obtain, there are few restrictions placed on their ability to obtain and use SSNs for their businesses, including information obtained from public records, a primary source of personal data for most information resellers. Certain state laws, however, limit the disclosure of some personal information that includes SSNs. Federal laws that have some restrictions on reselling nonpublic personal information, such as GLBA, have broad exceptions, which entities can broadly interpret. This broad interpretation combined with the uncertainty about the application of the exceptions suggests that reselling personal information, including SSNs, is likely to continue. Private sector officials we spoke to agreed that, given the continued rise in identity crimes, removing SSNs from public display is a step in the right direction. However, these officials stated that they had legitimate uses for the SSN and that restricting business-to-business access or use of such information would hurt consumers and possibly aid identity thieves in their attempts to assume an individual's identity by making it more difficult for businesses to verify an individual's identity. Thus, any restrictions Congress deems necessary regarding SSNs will have to weigh the consequences of restricting the use of SSNs on the one hand with legitimate business needs for the use of SSNs on the other.
Agency Comments

We provided a draft of this report to the Commissioner of the Social Security Administration and the Chairman of the Federal Trade Commission for their review and comment. Neither agency provided a formal comment letter. However, the FTC provided technical comments, which we incorporated as appropriate.

As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after its issue date. At that time, we will send copies of this report to the Commissioner of the Social Security Administration and the Chairman of the Federal Trade Commission. Copies will also be made available to others on request. In addition, the report will be available at no charge on GAO's Web site at http://www.gao.gov.

If you have any questions concerning this report, please contact me on (202) 512-7215 or George Scott at (202) 512-5932. Other major contributors include Gwen Adelekun, Richard Burkard, Tamara Cross, Jason Holsclaw, Raun Lazier, Kevin Murphy, and James Rebbe.

Barbara D. Bovbjerg
Director, Education, Workforce, and Income Security Issues

Appendix I: Scope and Methodology

To describe how information resellers, CRAs, and health care organizations obtain and use SSNs, we expanded on previous GAO work in this area and interviewed officials from large information resellers, CRAs, health care organizations, the Consumer Data Industry Association (an international trade association that represents consumer information companies), and the Social Security Administration. We then selected six large and well-known information resellers and conducted structured interviews about how they obtained and used SSNs. We also had our investigators access six Internet-based information resellers' Web sites. We researched such resellers on the Internet and chose six that specialized in finding people by their SSN or that offered searches by SSN.
To understand how CRAs obtain and use SSNs, we interviewed three large, well-known CRAs. To determine how health care organizations were obtaining and using SSNs, we talked to two large and well-known health care plans. One submitted our questions to its eight regions, and the other also sought the views of its various regions. We also talked to two health care associations: one that represents 1,000 health care plans, and one whose 300 members are primarily insurers. Each association asked some of its members to determine how they obtained and used SSNs. We were unable to determine the extent to which some of their responses were representative of associations with similar memberships.

To determine the laws and practices relevant to safeguarding SSNs, we determined what federal laws were helping to protect SSNs through our discussions with information resellers, CRAs, health care organizations, and the Federal Trade Commission. We then researched the relevant laws and reviewed them to determine what limits were placed on the use and disclosure of an individual's personal information, including the SSN. To report on the safeguards that information resellers, CRAs, and health care organizations have in place to protect SSNs, we conducted site visits and in-depth interviews with certain of these entities. We asked them about the types of safeguards they employ to protect SSNs from both internal and external misuse. We also reviewed their policies and procedures for protecting SSNs. However, we did not assess the safeguards that they used to protect SSNs. Also, the information we obtained from these entities was self-reported and was not independently verified by GAO.

Finally, to gain an understanding of what states are doing legislatively to restrict SSN use, we conducted site visits to two states, California and Washington; conducted interviews with federal, state, and industry officials; and reviewed pertinent state legislation.
More specifically, our interviews at the federal level were with officials from the Federal Trade Commission, the Secret Service, and the Department of the Treasury. At the state level, we interviewed officials from Washington's Office of the Attorney General and California's Office of Privacy Protection. Also at the state level, we surveyed state audit officials in each of the 50 states to determine whether they had conducted reviews relating to our work, whether they were familiar with state laws affecting private sector use of SSNs, and whether they were aware of any notable practices (within the public or private sector) aimed at protecting consumer privacy and personal information. In addition, we interviewed private sector businesses and organizations, contacted some state offices of the attorney general, and identified state laws and legislative initiatives related to the use of SSNs. This resulted in our legislative review of 18 states (including the 2 states we visited) that were identified as having laws or proposed laws governing SSN use.

Appendix II: Federal Laws Affecting Information Resellers, CRAs, and Health Care Organizations

GLBA

GLBA requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some, but not all, sharing of their nonpublic personal information.
Financial institutions are permitted to disclose consumers' nonpublic personal information without offering them an opt-out right in the following circumstances:

o to effect a transaction requested by the consumer in connection with a financial product or service requested by the consumer; maintaining or servicing the consumer's account with the financial institution or another entity as part of a private label credit card program or other extension of credit; or a proposed or actual securitization, secondary market sale, or similar transaction;
o with the consent or at the direction of the consumer;
o to protect the confidentiality or security of the consumer's records; to prevent actual or potential fraud, for required institutional risk control, or for resolving customer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; or to the consumer's fiduciary;
o to provide information to insurance rate advisory organizations, guaranty funds or agencies, rating agencies, industry standards agencies, and the institution's attorneys, accountants, and auditors;
o to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety;
o to a consumer reporting agency in accordance with the Fair Credit Reporting Act, or from a consumer report reported by a consumer reporting agency;
o in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business if the disclosure concerns solely consumers of such business;
o to comply with federal, state, or local laws; an investigation or subpoena; or to respond to judicial process or government regulatory authorities.
Financial institutions are also required by GLBA to disclose to consumers at the initiation of a customer relationship, and annually thereafter, their privacy policies, including their policies with respect to sharing information with affiliates and non-affiliated third parties.

DPPA

The DPPA specifies a list of exceptions under which personal information contained in a state motor vehicle record may be obtained and used (18 U.S.C. § 2721(b)). These permissible uses include:

o for use by any government agency in carrying out its functions;
o for use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; or motor vehicle market research activities, including survey research;
o for use in the normal course of business by a legitimate business, but only to verify the accuracy of personal information submitted by the individual to the business and, if such information is not correct, to obtain the correct information, but only for purposes of preventing fraud by pursuing legal remedies against, or recovering on a debt or security interest against, the individual;
o for use in connection with any civil, criminal, administrative, or arbitral proceeding in any federal, state, or local court or agency;
o for use in research activities;
o for use by any insurer or insurance support organization in connection with claims investigation activities;
o for use in providing notice to the owners of towed or impounded vehicles;
o for use by a private investigative agency for any purpose permitted under the DPPA;
o for use by an employer or its agent or insurer to obtain information relating to the holder of a commercial driver's license;
o for use in connection with the operation of private toll transportation facilities;
o for any other use, if the state has obtained the express consent of the person to whom a request for personal information pertains;
o for bulk distribution of surveys, marketing, or solicitations, if the state has obtained the express consent of the person to whom such personal information pertains;
o for use by any requester, if the requester demonstrates that it has obtained the written consent of the individual to whom the information pertains;
o for any other use specifically authorized under a state law, if such use is related to the operation of a motor vehicle or public safety.

HIPAA

The HIPAA privacy rule also defines some rights and obligations for both covered entities and individual patients and health plan members. Some of the highlights are:

o Individuals must give specific authorization before health care providers can use or disclose protected information in most nonroutine circumstances, such as releasing information to an employer or for use in marketing activities.
o Covered entities will need to provide individuals with written notice of their privacy practices and patients' privacy rights. The notice will contain information that could be useful to individuals choosing a health plan, doctor, or other service provider. Patients will generally be asked to sign or otherwise acknowledge receipt of the privacy notice.
o Covered entities must obtain an individual's specific authorization before sending them marketing materials.

FCRA

Congress has limited the use of consumer reports to protect consumers' privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report (15 U.S.C. § 1681b).
These permissible purposes are:

o as ordered by a court or a federal grand jury subpoena;
o as instructed by the consumer in writing;
o for the extension of credit as a result of an application from a consumer, or the review or collection of a consumer's account;
o for employment purposes, including hiring and promotion decisions, where the consumer has given written permission;
o for the underwriting of insurance as a result of an application from a consumer;
o when there is a legitimate business need, in connection with a business transaction that is initiated by the consumer;
o to review a consumer's account to determine whether the consumer continues to meet the terms of the account;
o to determine a consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status;
o for use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation; and
o for use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof.