|Received:||8/3/2007 4:45:30 PM|
|Agency:||Federal Trade Commission|
|Rule:||Private Sector Use of SSNs|
|Attachments:||531096-00033.pdf|
Comments:

1. Current Private Sector Collection and Uses of the SSN

o What businesses and organizations collect and use the SSN? For what specific purposes are they used?

Physician offices and hospitals request me to provide a SSN. I suspect they want it in case of a collection problem. Even though Blue Cross Blue Shield stopped using the SSN, the physicians’ receptionists claim that Blue Cross and Blue Shield still need the SSN. I make up a number each time and have not had difficulty with Blue Cross payments. Hospitals do the same. Some investment companies, for example Vanguard, still request the SSN on their automated telephone system but not on their online systems. Other investment companies, for example TIAA-CREF, are clueless about protecting identities. Even when I say, “I am on a cell phone and do not want to provide the SSN over an unsecured connection,” they have no alternative procedures in place. Mayo Clinic is an excellent example of a medical facility that does not request SSNs and has not since 1970 or so.

o What is the life cycle (collection, use, transfer, storage and disposal) of the SSN within the businesses and organizations that use it?

Physicians’ offices pass the SSN into their permanent records. They are microfilmed or microfiched and also passed on to the provider that purchases the practice.

o Are governmental mandates driving the private sector’s use of the SSN?

None that I know of. In fact, the government offices are the best examples of the absolute reckless use of the SSNs even though they know that SSNs are a key to identity theft. It could be so easy to say, “This number is for official federal use only. All private entities will have to create their own.”

o Are there alternatives to these uses of the SSN?

Yes! Look at Mayo Clinic. Look at many banks and investment companies. Specifically, ingdirect.com, etrade.com. These companies may need the SSN for IRS reporting, but they have discontinued using it for identification during login or telephone requests.

o What has been the impact of state laws restricting the use of the SSN on the private sector’s use of the SSN?

I live in New Mexico and I do not see any effort to restrict the use of the SSN in the private sector.

2. The Role of the SSN as an Authenticator

o The use of the SSN as an authenticator – as proof that consumers are who they say they are – is widely viewed as exacerbating the risk of identity theft. What are the circumstances in which the SSN is used as an authenticator?

Call in to TIAA-CREF and they ask for your SSN. Call in to Vanguard and the automated system asks for the SSN. Employers such as National City until June 29 required the SSN for retired employees to access the benefits site. Others, such as J.P. Morgan Chase, continue to require retirees’ SSN to access their help via the telephone. J.P. Morgan does not offer online access for many retired employees.

o Are SSNs so widely available that they should never be used as an authenticator?

Yes! For example, until 2006 schools such as New Mexico State University and Dona Ana Community College used the SSN as an identifier and it was widely published to many “users.” There is nothing secret about the SSN or the “last four digits.” Consider Medicare. Completely blind to the issue, Medicare continues to put the SSN on a card that is carried in a wallet or purse and given to so many different people. That would be fine if the SSN was not used by the agencies that I have already mentioned – and that is just a few.

o What are the costs or other challenges associated with eliminating the use of the SSN as an authenticator?

Many businesses have already eliminated the SSN as an authenticator. I believe the data must already exist to determine the cost.