Widespread collection of SSNs poses data security risk

Despite a reminder from the chairman of the House Oversight and Government Reform Committee, federal agencies haven’t reviewed their data on Social Security numbers in nearly a decade.

Social Security numbers (SSNs) may be convenient for agencies to identify citizens’ records in databases, but their use has become so commonplace that they’re linked to many other pieces of personally identifiable information — a real “honey pot” scenario for would-be hackers.

Rep. Jason Chaffetz (R-Utah) wrote to Government Accountability Office Comptroller Gene Dodaro in April requesting updates on an agencywide review of databases meant to reduce the number of instances where SSNs are collected for citizen services.

The Office of Management and Budget last ordered agencies to review their record-keeping of Social Security numbers in May 2007.

“We have this citizen number, really it’s your Social Security number. But it was never intended to be used for anything other than receiving Social Security benefits, and it was legally barred for using it for anything other than Social Security benefits. But what happened is there have been so many exceptions to the rule that have been put on there … that exception swallows the rule,” Marc-Anthony Signorino, executive director at the Identity Ecosystem Steering Group, told Federal News Radio.

The Office of Personnel Management, under former director John Berry, acknowledged that SSNs had outgrown their original intent. To fight identity theft, it attempted to stop using Social Security numbers as the primary identification for federal systems and instead move toward a new “national identifier system.”

But OPM shuttered the plan in January 2010, citing the time and cost of setting up a new ID system. Signorino said moving to a new national identifier has always been one of those “third-rail” ideas that wind up dead on arrival.

“What happens is you’re just trading one number for another,” he said. “You’re attenuating the problem — it’s one more step, but it doesn’t solve the solution.”

But the Centers for Medicare and Medicaid Services are one step closer to reducing the use of SSNs. A law signed by President Barack Obama in January 2015 gives CMS four years to move beneficiaries to a new Medicare card that doesn’t feature an SSN.

“Every time you go to the doctor, they take a photocopy of it. Well, how insecure is that?” Signorino said. “The Centers for Medicare and Medicaid Services haven’t done it [yet] because it’s expensive, it’s tough. It’s a big nut to crack.”

Rep. Sam Johnson (R-Texas), chairman of the Ways and Means’ Subcommittee on Social Security, advocated for the bill.

“The Social Security number is the key to identity theft, and thieves are having a field day with seniors’ Medicare cards,” Johnson told The New York Times in April 2015.

Signorino said the modernized Medicare cards, or pending legislation for chip-and-PIN cards, could reduce the $60 billion CMS loses annually to fraud.

“Not only do you prevent identity theft and loss by moving to new technological means, such as smartcard or different identity technologies, you could prevent fraud, which would pay for the program itself,” he said. “The federal government already uses the chip-PIN card for logical access to computer systems … that’s something that’s easily duplicated, whether it’s your Social Security card, which could also have your VA card, which could also be your Medicare card. So one card could do all those purposes because the chip on it is so robust and secure.”

But in the balancing act between security and convenience, Signorino said the federal government has been slow to roll out chip cards due to costs.

“There are a lot of other practices and procedures out there that can be examined, too, but I think the question is a cost-risk benefit,” Signorino said. “For some high-risk transactions — at IRS, you really want to protect someone’s identity, or at CMS you really want to protect somebody’s health information — that might be worth it.”

IRS in the meantime has relied on cheaper, lower-tech verification methods like knowledge-based authentication — for example, asking users for the make and model of their first car if they forget their passwords.

However, Signorino said data security could take many different forms for agencies.

“There are different challenges — disaggregating the information, making sure databases that hold the personally identifiable information apart from the identifier is separated somehow, to make sure that only the amount of data collected is required to be collected … technology is a fantastic tool, we just have to make sure we use the right technology.”
