Wednesday, January 07, 2009

FTC Recommends Measures to Prevent Use of SSNs in Identity Theft

This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law, and John W. Arden.

The Federal Trade Commission on December 17 unanimously adopted a report recommending five measures to help prevent Social Security Numbers (SSNs) from being used for identity theft.

The FTC report (“Security in Numbers: SSNs and ID Theft”) states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud.

The first step in minimizing the use of SSNs in identity theft “is to limit the demand for SSNs by making it more difficult for thieves to use them to open new accounts, access existing accounts, or obtain other benefits or services,” according to the report.

The report also suggests that steps be taken to reduce the unnecessary display and transmission of SSNs. Such restrictions should be approached carefully, however, because a number of important functions in the U.S. economy depend on the use of and access to SSNs. Overly restrictive limitations on the availability of SSNs could unintentionally curtail those important functions.

The five recommendations are:

Improve consumer authentication. “Appropriate and reasonable authentication procedures can help prevent identity thieves from consummating their fraud. Although most financial institutions are subject to some authentication requirements promulgated by the bank regulatory agencies, other businesses and organizations may not be subject to any such requirements. Requiring all private sector entities that maintain consumer accounts to establish appropriate, risk-based consumer authentication programs could reduce the misuse of consumer data and the prevalence of identity theft.”

Restrict the public display and transmission of SSNs. “Restricting the display of SSNs on publicly-available documents and identification cards, and limiting the circumstances and means by which they can be transmitted, would make it more difficult for thieves to obtain SSNs, without hindering their use for legitimate identification and data matching purposes.”

Establish national standards for data protection and breach notification. “An important step in limiting the supply of SSNs is for entities that collect and store sensitive consumer information to safeguard it against unauthorized access. Safeguards requirements currently exist with respect to certain industries, certain types of data, and in certain states . . . The Commission has previously expressed support for national data security standards that would cover SSNs in the possession of any private sector entity, and numerous commentators and workshop participants voiced similar support.”

Conduct outreach to businesses and consumers. “The Commission recommends increasing education and guidance efforts as additional steps to help reduce the role of SSNs in facilitating identity thefts.” The guidance should include messages such as the importance of collecting SSNs only when necessary and storing them only when necessary, steps that businesses can take to reduce the use of SSNs as internal identifiers, the proper disposal of SSNs, the importance of securing SSNs during their transmissions, and the limiting of employee access to SSNs.

Promote coordination and information sharing on the use of SSNs. “Coordination and information sharing among private sector entities and between government and the private sector could assist entities in finding ways to reduce their uses of and better protect SSNs and improve their authentication processes.”

The report was based on extensive fact-finding by the FTC and other federal agencies, including public comments and a workshop the Commission conducted in December 2007. It was developed pursuant to a recommendation of the President's Identity Theft Task Force, which was established in May 2006 to develop a coordinated plan to prevent identity theft, prosecute identity thieves, and help victims recover from the crime.

A press release appears here on the FTC website. The 20-page report is available here.
