Only two Federal agencies, the departments of Commerce and Education, have created plans that address all four elements outlined by the Office of Management and Budget’s 10 year-old memorandum requiring agencies to reduce exposure of Social Security numbers.
In 2007, the Office of Personnel Management, the Social Security Administration, and OMB were charged with making sure agencies develop SSN reduction plans and maintain related reporting practices.
According to a Government Accountability Office report published May 23, most of the 24 agencies covered by the Chief Financial Officers Act have not established SSN reduction plans or reporting practices. SSN reduction is part of a larger Federal push to protect people’s personal information; identity theft affects more than 12 million people a year.
“Hacks show that OPM and other agencies are fundamentally ill-prepared, and many Americans’ sensitive information is very vulnerable,” said Rep. Loretta Sanchez, D-Calif., in a House Oversight and Government Reform hearing May 23. “It’s troubling to see after 10 years, GAO reports show two of 24 agencies met the requirements for a complete plan to reduce unnecessary usage of SSNs. Even more troubling is that OMB has provided very little guidance. Ten years after the memo, we should be in a better position.”
GAO found that OMB’s enforcement of these reduction plans has been lacking. For example, OMB did not develop time frames or performance metrics for agencies to follow. GAO found that four of the 24 CFO Act agencies didn’t define “unnecessary use” of SSNs.
“SSNs can’t be completely eliminated from Federal systems because no other identifier applies the same level of universal applicability,” said Greg Wilshusen, director of information security services at GAO. “We’re lacking direction from OMB. Many agencies didn’t have time frames or performance indicators. OMB does not require agencies to keep up-to-date records or instances in which display is unnecessary.”
Social Security numbers, created in 1936, have lately become the “key to the kingdom for thieves,” according to Rep. Tom Rice, R-S.C. Rice recalled that he and his law school classmates’ grades were posted on a board for all to see and made anonymous by SSN.
“In recent years, privacy concerns have become more and more critical,” Rice said. “The American people rightly deserve and expect that the Federal government protect their Social Security numbers.”
Many Federal agencies rely on SSNs. Mariana LaCanfora, acting deputy commissioner for SSA’s Office of Retirement and Disability Policy, said that two-thirds of her department’s notices contain SSNs. However, her office is developing a beneficiary identification notice code, which will replace SSNs on mailing notices next year.
Similarly, the Centers for Medicare and Medicaid Services are developing a new identification system for beneficiaries that reduces the exposure of SSNs. In April 2018, all newly enrolled Medicare beneficiaries will receive new cards with a 13-digit Medicare Beneficiary Identifier. At the same time, CMS will distribute new cards to existing beneficiaries. CMS will have a 21-month-long transition period allowing both MBI and the Health Insurance Claim Number.
The reason CMS relies so heavily on SSNs is because SSA used to administer Medicare. SSA still enrolls beneficiaries and coordinates eligibility for certain benefits.
“For the first time, CMS will have the ability to terminate Medicare numbers and issue a new number to a beneficiary in instances where they are victim of identity theft,” said Karen Jackson, deputy chief operating officer of CMS.
Although agencies are creating systems to reduce the use of SSNs, Rep. David Schweikert, R-Ariz., said that too many identifiers could lead to more confusion.
“What I see is absurd, technology-wise. It’s my fear the problem may have gotten worse because I have [Veterans Affairs] with one set of numbers, I have Medicare with a different set, I have OPM with a different set,” Schweikert said. “Have we just made the problem much worse, at least for the customer service aspect? We may be creating a cascade effect that creates another level of complication. Now I have a handful of different numbers.”
To date, SSA has not suffered any major data breaches, unlike OPM and Education’s Free Application for Federal Student Aid tool.
However, Rep. John Larson, D-Conn., said that SSA is overdue for modernization. Since 2010, the number of Social Security beneficiaries has grown by 13 percent, but the budget allotment for the agency has shrunk by 10 percent. He stated that President Donald Trump plans a $70 billion cut for SSA.
“The new budget attacks SSA budget, though Trump promised 13 times not to cut Social Security or Medicare,” Larson said. “Social Security is the nation’s insurance program. It is not an entitlement. Frontline officers are our best line of defense, and they don’t get enough credit.”