“do You Really Need My Social Security Number?” Data Collection Practices in the Digital Age

• Publication year: 2008

Jonathan J. Darrow⁰ & Stephen D. Lichtenstein¹
But he that filches from me my good name Robs me of that which not enriches him And makes me poor indeed.²
I. Introduction

Today, in both the traditional and e-commerce digital environments, an individual's social security number is obtained as a matter of course in order to uniquely identify both the individual and his or her account. Whether one is seeking dental care, obtaining a parking permit, securing an apartment, or simply renting a video, the service-providing entity will frequently obtain a social security number as a prerequisite to doing business. Until recently, there were virtually no laws restricting the ability of entities unrelated to the Social Security Administration to request, use, collect, or handle the number. At times the government even promoted or required its expanded use.³ This haphazard, laissez-faire approach to the social security number has evolved into a data collection practice that spans the gamut of organizations, from government agencies to non-profits, employers to financial services institutions, universities to health service providers, as well as credit card companies, retailers, and many others.⁴ Aptly characterizing the current state of affairs, one legal scholar noted that "[a] person cannot function normally in today's United States without a social security number."⁵ Even the government has conceded that the disclosure of a social security number is a virtual necessity to engage in a wide range of everyday activities in modern society, including obtaining a job.⁶ One commentator summed it up nicely: "If you are at all an active participant in the modern economy, the list of companies that have your [Social Security Number] is depressingly long."⁷

It was not always so. To the contrary, the widespread purposes for which social security numbers are now used vastly exceed the original intent of the number as simply a means for administering the social security system.⁸ Enacted in 1935, the animating purpose of the Social Security Act was:

[t]o provide for the general welfare by establishing a system of Federal old-age benefits, and by enabling the several States to make more adequate provision for aged persons, blind persons, dependent and crippled children, maternal and child welfare, public health, and the administration of their unemployment compensation laws; to establish a Social Security Board; to raise revenue; and for other purposes.⁹ The Social Security Act was never intended to create a national identification system for general usage.¹⁰ It was not until eight years after its passage, in 1943, that president Roosevelt inaugurated an era of expanding use of the social security number by authorizing other federal agencies to use these numbers whenever the agency head deemed it advisable.¹¹ Even so, federal use of the social security number did not substantially accelerate until the 1960s, when the Internal Revenue Service, Veterans Administration, and other federal agencies began using it as the official record-keeping number.¹² Despite increasing use of the number, social security cards continued to warn against use for identification purposes. From 1946 until 1972 social security cards bore the cautionary legend "NOT FOR IDENTIFICATION."¹³ This language did little to alter behavior, however, and eventually the legend was removed.¹⁴

The use of social security numbers by entities other than the Social Security Administration is not inherently objectionable, and social security numbers are in many ways ideally suited as unique identifiers. The numbers themselves are essentially arbitrary¹⁵ and thus essentially impossible to guess or calculate. Because no two people possess the same number,¹⁶ the potential confusion that might occur if names were used in their place can be avoided. Unlike names and addresses, social security numbers generally do not change and thus provide consistency over time.¹⁷ They are intangible and have no intrinsic value, and therefore do not by themselves constitute a target for theft. Almost all citizens have one.¹⁸ Moreover, the existence and use of a common identifier is virtually indispensable in allowing organizations, whether public or private, to differentiate one individual from another. For example, libraries must have a means for identifying who is borrowing a book; banks must be able to match deposits to accounts; and universities must be able to track application materials and academic records. A unique identifier allows these types of transactions and processes to occur efficiently. Not surprisingly, the social security number has been credited with facilitating coordination among government agencies and aiding in statistical research efforts.¹⁹

The problem arises less from the fact that many organizations use the social security number as a means of account identification, and more from its simultaneous use as a password or "key" that allows the holder to access or "unlock" the account. As more and more institutions adopt the social security number, its effectiveness as a password becomes greatly diminished.²⁰ Reflecting the unfortunate reality that a single number can provide access to multiple accounts, commentators have lamented that the social security number has become a "skeleton key" for identity theft criminals.²¹ Even more troubling, the availability of the number increases in direct proportion to its use as a key. Any organization that wishes to use an individual's social security number must make at least one copy of it; this copy is frequently stored in a computer system that may be accessible by a global workforce of employees. Given that thousands of organizations collect the number and share it with affiliates, contractors, government entities and others, the number's vulnerability to loss, employee misuse, or theft by third parties quickly becomes apparent. The advent of the Internet and the proliferation of outsourcing have only magnified the speed and extent of dispersal of the social security number. Just as the weakest link will make a chain give way, the institution with the most lax security procedures or least honest employees may be the only thing standing between a thief and the contents of an individual's bank account and private records.²²

How secure would one feel if she gave the key to her home to every government agency, health care provider, credit card company, and other business organization with whom she had a direct or indirect relationship? What would one do if a copy of this key could be located, inexpensively or even for free on the internet, by anyone with basic information who is willing to look for it? Yet this is exactly the system that has been created via the use of the social security number as a password that can provide the holder with access to an individual's financial resources, retirement accounts, private health information, and more. Worse yet, unlike locks which can be changed if a key is lost or falls into the wrong hands, the social security number is virtually unchangeable.²³

This article begins in Part II by highlighting the problems of identity theft and explaining how widespread use of the social security number creates an elevated risk of loss. The impact of recent trends in electronic data aggregation and outsourcing are emphasized. Part III explores the existing legal framework and recently enacted laws affecting social security number collection, display, and storage, and argues that these laws are generally inadequate. In Part IV, an analytical framework is proposed that would place the risk of loss on the party that is in the best position to avoid the loss. Federal laws consistent with this framework are proposed that would increase security and reduce risk of loss, all while minimizing the costs borne by organizations that collect and use data.

II. A Growing Problem

A. Personal Data and Identity Theft

The alarming magnitude of identity theft has been widely recognized and documented.²⁴ State legislatures began to acknowledge the problem of identity theft in 1996, when Arizona became the first state in the nation to enact a statute criminalizing the theft of one's identity.²⁵ By 2007, all fifty states had some form of identity theft legislation on the books.²⁶ Attesting to the significance of the problem and the fact that identity theft substantially affects interstate commerce, Congress passed the Identity Theft and Assumption Deterrence Act of 1998, which criminalized identity theft at the federal level and authorized the Federal Trade Commission (FTC) to track the incidence of identity theft nationwide.²⁷ Pursuant to this authority, the FTC issued its first identity theft report, covering calendar year 2000, which reflected approximately 28,000 cases of identity theft.²⁸ In seven years, the number of consumer identity theft reports to the FTC increased nearly ten-fold, to over 258,000.²⁹ However, the number of FTC-reported cases grossly understates the pervasiveness of identity theft. Reflecting the fact that not all cases of identity theft are reported, the Federal Bureau of Investigation claims that more than ten million individuals are victimized by identity theft annually.³⁰

Financial losses from identity theft are as staggering as the number of individuals affected. The FTC estimates that the total cost to society exceeds $50 billion per year.³¹ These figures include losses both to consumer victims and to businesses that are defrauded by the identity thief. According to a Department of Justice estimate, losses to households from identity theft over a particular six-month period were $3.2 billion.³² A study cited by the Government Accountability Office (GAO) reported that organizations whose data storage systems were breached sustained an average loss of $1.4 million per breach,³³ and the number and size of breaches have been increasing exponentially.³⁴ As far back as 1997, a single credit...