Reducing the Use of SSNs is Key to Securing PII
By DON CIO Privacy Team - Published, March 6, 2009
If the Department of the Navy eliminated the use of Social Security numbers (SSN) from email, forms, documents and electronic information technology systems, 80 percent of the personally identifiable information (PII) breaches reported in 2008 would never have occurred. The March Privacy Tip of the Month explores the relationship between SSNs and identity theft. It also provides approaches to reducing the display, collection and/or transmission of SSNs within the DON.
The use of SSNs has become an integral part of our culture. It is especially prevalent in medical, human resources and financial processes. Currently, there are no other identifiers that are as reliable, cost-effective and accurate for data matching as SSNs. While there is significant value in continued use of the SSN, that value must be balanced against the vulnerabilities that its use creates.
In all the research written about identity theft, SSNs linked to a person’s name are the elements needed to perpetrate identity fraud. In a growing trend, thieves are using computer hacking, phishing, malware, spyware and keystroke loggers to gather SSNs. More commonly, however, thieves still resort to low-tech methods like dumpster diving, mail tampering, and purse and wallet theft to obtain privacy sensitive information. SSNs can also be obtained from the Internet and from public records. Identity theft and medical fraud have been linked to the loss or compromise of privacy sensitive data, including SSNs, within the DON.
The Department of Defense has recently taken steps to reduce the use of SSNs. A DoD Tiger Team developed a draft SSN Reduction Plan, which should significantly reduce the use and exposure of SSNs across the Department. For more information regarding the DoD SSN Reduction Plan, visit: www.dmdc.osd.mil/smartcard. Below is a list of action items that will be implemented within the DON during the next several months.
- Remove the SSN from barcodes and display on DoD ID cards. (The removal of dependent SSNs from ID cards is already underway. Sponsor SSNs will be changed to the last four digits to conform to Geneva Convention rules. Removal of SSNs embedded in barcodes will occur by 2012.)
- Remove or reduce use of SSNs and PII from DON forms, where feasible. Collection must be validated against a list of authorized exceptions.
- Reduce the electronic display, storage and transmission of SSNs and PII.
- Collect and report actions taken to reduce/eliminate use of SSNs to DoD.
- Ensure 100 percent of IT systems that collect SSNs and other PII have completed a Privacy Impact Assessment.
Outside DoD and DON control, legislation has been introduced to congressional committees that will strengthen penalties for identity theft and for the sale of SSNs. Removal of SSNs from public records is also a critical measure that must be effected. Additionally, more work is needed to strengthen the authentication procedures used by financial institutions.
For questions regarding privacy and SSN reduction, contact Steve Muck, DON CIO Privacy Team Lead, firstname.lastname@example.org