A new report from the Government Accountability Office finds that some federal agencies aren’t following through on a key anti-identity-theft measure. At issue is the removal of Social Security Numbers as the main taxpayer identifier from all manner of federal forms.
It’s not a new problem. As far back as 2007, then-President George Bush appointed a task force to find ways government could help fight identity theft. The task force in tern made recommendations to the Office of Management and Budget (OMB) and the Social Security Administration.
The recommendations included an initiative to reduce the use of a taxpayer’s Social Security Number as the main identifying number on the myriad federal forms used by the government. So the GAO was attempting to determine just how successful that effort has been.
Results, the auditors found, have been “mixed.”
In reporting the study to members of Congress, Gregory Wilshusen, the director of the GAO’s Information Security Issues section, said the initiative has made some headway. But Wilshusen adds that a combination of agency missteps, existing bureaucratic challenges, and lax oversight have led to less-than-desired progress.
For example, in 2008, the federal Office of Personnel Management (OPM) proposed a new regulation covering the collection, use and display of SSNs using the original guidance of the task force. The regulation would have required the use of some sort of alternate identifying number to be used on federal employment forms instead of the taxpayer’s SSN. However, the proposed regulation was withdrawn, because OPM had received negative comments about the plan, and an alternate government-wide identifier had not been determined.
In another instance, the Social Security Administration established a clearinghouse on an electronic bulletin board website to provide “best practices” and agency contacts for specific programs to reduce SSN usage in government. The GAO audit found the clearinghouse is no longer active. SSA didn’t have any records of how much the clearinghouse was used by other agencies, and had nothing to show when or why the site was discontinued.
The GAO surveyed 24 federal agencies in its attempt to gauge progress on the initiative, and found three reasons cited most often by the managers:
- Statutes and regulations still require the collection and use of SSNs. Some agencies are required by law to use SSNs to identify taxpayers or employees.
- Interactions with other federal and external entities still require the use of SSNs. Currently a Social Security Number is typically the only identifier that government agencies and external partners have in common that can be used to match up their records.
- Technological hurdles can slow replacement of the SSN in information systems.
The audit also found that guidance issued by the Office of Management and Budget failed to require clearly defined goals or timetables for compliance. Wilshusen says this and the other factors have led to differing definitions of just what constitutes unnecessary collection and use of SSNs.
“We noted that of the 24 agencies, four reported that they had no definition of “unnecessary collection and use” of SSNs. Of the other 20 agencies, eight reported that their definitions were not documented. Officials from many agencies stated that the process of reviewing and identifying unnecessary uses of SSNs was an informal process that relied on subjective judgments,” he reported.
Wilshusen and the GAO gave the lawmakers five recommendations that attempt to put the effort back on track:
- Specify elements that agency plans for reducing the unnecessary collection, use, and display of SSNs should contain and require all agencies to develop and maintain complete plans;
- Require agencies to modify their inventories of systems containing PII to indicate which systems contain SSNs and use the inventories to monitor their reduction of unnecessary collection and use of SSNs;
- Provide criteria to agencies on how to determine unnecessary use of SSNs to facilitate consistent application across the federal government;
- Take steps to ensure that agencies provide up-to-date status reports on their progress in eliminating unnecessary SSN collection, use, and display in their annual FISMA reports; and
- Establish performance measures to monitor agency progress in consistently and effectively implementing planned reduction efforts.
Wilshusen concluded that decreasing the use of Social Security Numbers on federal documentation will take a dedicated, unified effort within government. “Until OMB and agencies adopt better and more consistent practices for managing their SSN reduction processes, overall government-wide reduction efforts will likely remain limited and difficult to measure; moreover, the risk of SSNs being exposed and used to commit identity theft will remain greater than it need be.”