Wednesday, November 01, 2006

ID Theft Report Discourages use of SSNs

The front page of the latest issue of Privacy Journal has the headline "Feds Now Discourage Use of SSNs". The article reports on the interim recommendations from an interagency task force on identity theft. Privacy Journal focuses on the report as the first indication that the federal government finally recognizes the danger that SSNs pose, and may start to take steps to remedy the harm they've caused by helping make SSNs ubiquitous in government and many private databases.

This report, by itself, doesn't change government policy, so you can't cite it as authority when trying to get assistance from government agencies without revealing your SSN. But you can refer to it when working to convince administrators that agency policy should change or that training of the people who collect information from the public should be updated. I suspect that it would also serve as useful ammunition when arguing with people in private industry. The report isn't directly addressed to them, and doesn't hold any legal authority, but it is a recommendation from the government, and it does represent a significant change of heart.

  • Recommendation 1: OMB should provide guidance to all federal agencies about giving notice in the event of data breaches.
  • Recommendation 2: OMB and DHS should identify best practices and mistakes to avoid.
  • Recommendation 3: on SSNs
    1. OPM should accelerate its review of the use of SSNs in its collection of human resource data, and take steps to reduce their use (including the assignment of employee identification numbers).
    2. The commentary suggests that agencies assign employee ID numbers to replace SSNs. They also suggest that Executive Order 9397 (which encouraged use of SSNs in Federal databases) might need to be "partially rescinded" in order to reduce use of SSNs.

    3. OPM should develop and issue policy guidance to the federal HR community on the appropriate use of SSNs in employee records, including the proper way to restrict, conceal, or mask SSNs.
    4. OMB should require all federal agencies to review their use of SSNs to determine which uses can be reduced or eliminated.
  • Recommendation 4: All agencies should add disclosure of information in response to a data breach to their published "routine use" list under the Privacy Act.
  • Recommendation 5: The task force should investigate reliable methods of authenticating individuals to reduce openings for identity thieves.
  • Recommendation 6: Congress should add restitution for time spent remediating harm from identity theft to the criminal statutes.
  • Recommendation 7: The FTC will develop standardized forms for reporting identity theft to police.

No comments: