Uncle Sam's Security Breach

When it comes to needlessly exposing Social Security numbers, federal agencies are grossly irresponsible -- especially the Pentagon

By Jane Black

There's no doubt in my mind that health-care companies are unintentionally enabling identity theft by printing Social Security numbers (SSN) on ID cards. But BW Online readers say the U.S. government is the worst offender. Since my last column (see BW Online, 8/14/03, "Why your ID is Such Easy Picking"), I've received scores of e-mails from readers who are furious that Medicare, Medicaid, and the U.S. military irresponsibly use their Social Security numbers, putting them at risk for ID theft.

"The government needs to be the role model here. Putting SSNs on Medicare and military IDs makes it easy for companies to skirt responsibility," says Beth Givens, executive director of the San Diego-based Privacy Rights Clearinghouse.

Although the SSN was originally created in 1936 to track workers' earnings and eligibility for Social Security benefits, federal statutes today mandate that it's used for everything from issuing birth certificates, food stamps, and Medicaid, to identifying all military personnel and veterans. (Click here for a complete list of legal uses of the SSN.)


  Even the Feds admit that security hasn't kept pace with the ever-more widespread use of the SSN: "Agencies aren't consistently following federal laws regarding the collection of personal information, implementing safeguards to protect SSNs from improper disclosure, or limiting the display of SSNs on documents not intended for the public," Barbara Bovbjerg, the director of education, workforce, and income security issues for the General Accounting Office, told the House Subcommittee on Social Security in April, 2002.

At the top of readers' worst-offenders list is the U.S. military. Originally, the Defense Dept. issued unique identifiers to its personnel. But since 1967, the military has required every active-duty military member and all their family over the age of 10 to carry a card with their military ID -- their SSN -- printed on it. "We now need someone to infiltrate the DoD and encourage them to revert to the old serial number for our servicemen/women," says Allen Larrabee, a retired U.S. Marines Corps Officer from Mountain Home, Idaho.

Though he's no longer on active duty, Larrabee and his wife are required to carry military ID cards printed with his Social Security number. Until his daughters came of age, they also carried cards with their own SSNs as well as their father's.


  Another pet peeve of readers is schools' use of the SSN. Tina Coleman of Havertown, Pa., wrote: "I have become increasingly concerned with the number and variety of organizations which ask for/require Social Security numbers, particularly those of my children." Case in point: The local school district uses SSNs for student ID numbers. They're printed on student IDs as well as on every report card or progress report. "Kids lose things.... If someone were to steal a child's ID, the theft wouldn't likely be discovered until years later, when the child goes to buy his first car or obtain his first credit card," she says. "By then, that child would be in a horrible mess before they even start out."

There's not much you can do to protect yourself. After all, unlike with a health-insurance company, you can't take your business elsewhere when dealing with the U.S. government. But you can ask smart questions: If a government employee asks for your Social Security number, refuse -- or at least ask why they need it. Under the Privacy Act, government agencies are required to tell individuals whether providing a SSN is mandatory or voluntary, cite the statutory authority under which the request is made, and state how the government plans to use it.

According to the GAO report, however, many do not. Of federal agencies surveyed, 32% did not inform individuals of the statutory authority for requesting the SSN, while 21% provided no information about how it would be used. Of state agencies, only 50% gave individuals the required information.


  It's not always easy to say no to protect your privacy. Patrick Moore, a senior software engineer at San Francisco-based Plumtree Software, says he gets looks of pure astonishment if he refuses to give his SSN. "They're so used to it being treated as a routine question," he says. "They regard it the same as someone saying, 'No, I refuse to give you my name.'"

"I'm glad to hear big companies are taking action on behalf of their employees," wrote San Diego reader Jeannine Ross after learning of IBM's (IBM ) demand that health-care companies no longer use SSNs as an ID. "Maybe it's time for the little people to rise up and band together too."

Ross makes a good point. Standing up for your rights will send the message to big government, corporations -- and maybe set an example for some of your peers. There's definitely strength in numbers. Let's send a strong message to government agencies and private entities that blithely put our Social Security numbers on display a strong message.

Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column

Edited by Patricia O'Connell

Before it's here, it's on the Bloomberg Terminal.