<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.0 Transitional//EN'>

<html><head><title>531096-00120.htm</title>

<meta name='vs_defaultClientScript' content='JavaScript'>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<meta name='vs_targetSchema' content='http://schemas.microsoft.com/intellisense/ie3-2nav3-0'>

<meta name='Originator' content='CommentWorks'></head><body><Table>

<tr><td><b>Comment Number: </b></td><td>531096-00120</td></tr>

<tr><td><b>Received: </b></td><td>8/20/2007 5:02:01 PM</td></tr>

<tr><td><b>Organization: </b></td><td>PSCU-Financial Services</td></tr>

<tr><td><b>Commenter: </b></td><td>Ravi Nair</td></tr>

<tr><td><b>State: </b></td><td>FL</td></tr>

<tr><td><b>Agency: </b></td><td>Federal Trade Commission</td></tr>

<tr><td><b>Rule: </b></td><td>Private Sector Use of SSNs</td></tr>

<tr><td>No Attachments</td></tr></Table>

<hr><P><b>Comments:</b></p>PRIVATE SECTOR USE OF SOCIAL SECURITY NUMBERS Topics for Comment: 1. Current Private Sector Collection and Uses of the SSN -What businesses and organizations collect and use the SSN? For what specific purposes are they used? Credit Union and Credit Union Service Organizations (CUSO) collect and use the SSN. SSN are used for verifying consumer Credit through the nationwide Credit reporting Bureaus, Call Center related credit card call authentication using last 4 digits, as customer /card holder verification /research in response to the inbound fraud related calls and effecting employee federal payroll taxes, COBRA, workers Comp, state unemployment and 401(k). -What is the life cycle (collection, use, transfer, storage and disposal) of the SSN within the businesses and organizations that use it? Account opening by Credit Union, periodic authentication/verifier for CUSO Contact Center, Credit Verification by / through Credit Bureaus etc and as long as the customer maintains business relationship and solicit new products or services. -Are governmental mandates driving the private sector’s use of the SSN? Compliance requirements related to Know Your Customer (KYC) associated with the USA Patriot Act, periodically effecting Federal payroll, Social Security Taxes, COBRA, State Unemployment, Workers Compensation, employee insurance/Healthcare set up etc drive the use of the SSN. -Are there alternatives to these uses of the SSN? Yes, the alternatives are government issued documents such as Passport, Drivers License, other forms of Ids, address, cardholder zip code, date of birth, share draft account #, mother’s maiden name, CV V, etc. -What has been the impact of state laws restricting the use of the SSN on the private sector’s use of the SSN? Pursuant to Section 28.222(3) Florida Statutes, recognizes the authority of the clerk of the circuit court to record in the official records certain federal documents. These recorded documents are confidential and the clerk is responsible for preventing the release of such information to the public. 2. The Role of the SSN as an Authenticator -The use of the SSN as an authenticator – as proof that consumers are who they say they are – is widely viewed as exacerbating the risk of identity theft. What are the circumstances in which the SSN is used as an authenticator? Member Credit Union may select one of the options amongst several available parameters as the last 4 digits of the SSN for authentication. There are certain end user applications that would require consumer to use SSN as authenticator. -Are SSNs so widely available that they should never be used as an authenticator? Certainly, private sector is widely aware of this and other parameters are used in conjunctions. -What are the costs or other challenges associated with eliminating the use of the SSN as an authenticator? Consumer awareness, governmental mandates, and associated end user applications effectively to be changed to meet the new requirements if any. Systemic cost will be high as certain legacy applications are managed by data processors. 3. The SSN as an Internal Identifier -Some members of the private sector use the SSN as an internal identifier (e.g. employee or customer number), but others no longer use the SSN for that purpose. What have been the costs for private sector entities that have moved away from using the SSN as an internal identifier? What challenges have these entities faced in substituting another identifier for the SSN? How long have such transitions taken? Do those entities still use the SSN to communicate with other private sector entities and government about their customers or members? We don’t use SSN as an internal identifier. Governmental mandates for effecting Federal Taxes, COBRA, state unemployment, initial set up of deferred plans or 401(k) still require use of SSN. - For entities that have not moved away from using the SSN as an internal identifier, what are the barriers to doing so? Not applicable as we don’t use SSN as an internal identifier. 4. The Role of the SSN in Fraud Prevention - Many segments of the private sector use the SSN for fraud prevention, or, in other words, to prevent identity theft. How is the SSN used in fraud prevention? SSN is used as a cardholder verifier in response to the fraud related calls initiated and asked the cardholder to call back to prevent any potential fraud. - Are alternatives to the SSN available for this purpose? Are those alternatives as effective as using the SSN? None available at present due to data processor systemic constraints. Establishing personal password, e-mail id, etc would help as alternative to SSN. - If the use of the SSN by other sectors of the economy were limited or restricted, what would the ramifications be for fraud prevention? A process has to be established to monitor the effect and conclude. 5. The Role of the SSN in Identity Theft - How do identity thieves obtain SSNs? Identity thieves manage to exploit the internet and public records to obtain these SSNs. - Which private sector uses of the SSN do thieves exploit to obtain SSNs, i.e, SSN as identifier or SSN as an authenticator? Which of those uses are most vulnerable to identity thieves? Most of the private sectors have moved away from using the full SSNs. Other alternatives are available as for identifier and authenticator. As such, any of these alone may not be applicable. - Once thieves obtain SSNs, how do they use them to commit identity theft? What types of identity theft are thieves able to commit with the SSN? Do thieves need other information in conjunction with the SSN to commit identity theft? If so, what other kinds of information must they have? Besides SSN, other details such as address, account number, phone details, etc may be used to take over consumer account or identity and open up fraudulent account. - Where alternatives to the SSN are available, what kind of identity theft risks do they present, if any? Total account or identity take over. </body></html>