Home | About NCTR | Resources | Meetings | News Room | Member Directory

The Honorable E. Clay Shaw, Jr.

Chairman, Social Security Subcommittee
Room B316, Rayburn Building
Washington, DC 20515

August 15, 2000

Dear Chairman Shaw:

Thank you for the opportunity to comment on H.R. 4857, the "Privacy and Identity Protection Act of 2000," which the Subcommittee passed on July 20. We appreciate the public’s concern about the need to protect Social Security account numbers (SSANs) from fraudulent and other misuse and members of the National Council on Teacher Retirement work diligently to protect the identity and privacy of their plan participants.

Perhaps it is overlooked in the discussion of this issue that the use of SSANs, both in the normal course of business correspondence, telephone conversations, and increasingly with email, is the best method of ensuring the proper identity of those to whom we must provide critical and timely services. When coupled with other identifiers, identification by SSAN serves to protect a plan participant’s account.

The bill as currently drafted, however, 1) is unclear about the meaning of "display to the general public," 2) would impose significant cost if retirement systems were required to remove SSANs from checks, 3) needs to provide definitions about the such removal, 4) is unclear about the unauthorized use of personal identification numbers, and 5) needs to clarify that government officers and employees are not liable for the unauthorized activity of third party providers with whom they have contracted for certain services, such as health insurance.

Thus, we strongly recommend that, before further action on the bill is taken, the Subcommittee request the General Accounting Office (GAO) to 1) assess the current usage of SSANs by the federal, state, and local governments for identification and other purposes and 2) determine how current usage may result in fraud and other misuse.

The National Council on Teacher Retirement (NCTR) is an association of 75 state, local, territorial, and university retirement systems that serve teachers and other public employees. The administrators of many of these retirement systems have provided me comments about the bill, which I will outline below.

Display of Social Security Account Number

Section 101(b) would prohibit public access to social security account numbers possessed by governmental agencies. The Section would add a new paragraph to the Social Security Act that reads:

"(V) No agency or instrumentality of the Federal Government or of a State or a political subdivision thereof may display to the general public any individual’s social security account number, or any derivative of such number. Each such agency or instrumentality shall ensure that access to such numbers and any derivative of such numbers, is restricted to persons who may obtain them in accordance with applicable law. for purposes of this subclause, the term ‘display to the general public’ in connection with a social security account number, or a derivative thereof, means the intentional placing of such number or derivative in a viewable manner on an Internet site that is available to the general public or in material made available or sold to the general public."

By way of background, NCTR members use SSANs in a variety of ways. Many use the number to identify members of the retirement system. Others use them on checks and other financial transactions (discussed below), in correspondence with members, on members’ annual statements of accounts, tax reporting (e.g., 1099Rs), and reports to and from employers (e.g., school districts), state entities, and private sector providers such as insurance companies.

In addition, SSANs are needed to match members against the Social Security Administration’s list of deceased persons. If any matches are revealed, the retirement system may be unknowingly paying a benefit to someone who has died. If the payment is being cashed (in the case of a check) or withdrawn (in the case of a direct deposit), some unauthorized individual is using the money by either mistake or fraud. This cross checking stops such payments, thereby helping to ensure the integrity of the retirement system’s funds.

Moreover, some retirement systems sometimes use the SSAN in a scrambled manner, in bar codes, or in some truncated manner (e.g., the last four digits of the number only). In addition, some retirement systems provide their members with personal account information on a web site. Access to this information is by password only. The language of Section 101(b)(1) lacks clarity in a number of respects. First, the definition of "display to the general public" contains the phrase "in material made available. . . to the general public." It is not obvious to us what "made available" comprises. For example, correspondence from the retirement system to a member may contain a SSAN. The SSAN does not appear on the envelope, but only on the letter itself. The correspondence will reach the member without others seeing it, except in rare situations. In that case, the correspondence is lost or intercepted and read by an unauthorized individual who then learns of the member’s SSAN. Similarly, a computer hacker might be able to access the SSAN of members from the retirement system web site.

The section contains no definition of "derivative of such number." Thus, we are not certain whether scrambled and other uses of SSANs would be allowable.

SSANs on Checks Section

101(d) would prohibit the use of SSANs on checks issued for payment by governmental agencies. The section adds the following new paragraph:

"(xi) No agency or instrumentality of the Federal Government or of a State or a political subdivision thereof may include the social security account number of any individual, or any derivative of such number, on any check issued for any payment by the Federal Government, any State or political subdivision thereof, or any agency or instrumentality thereof."

Many retirement systems place the SSAN on benefit checks, refund checks, and other payments. The SSAN is also used to identify electronic funds payments. In instances where the check itself does not contain the SSAN, the number may be on the stub attached to the check.

We have several concerns and questions with this proposed prohibition. First, the expense of removing the SSAN for checks would be very costly for some retirement systems. Second, if the retirement system places the SSAN on the stub of the check, does that use fall within or outside of the proposed prohibited use? Third, the checks are contained in envelopes that are designed so that the contents cannot be viewed from the outside. Thus, the contents are not, as a practical matter, available to the general public.

Personal Identification Number Section

101(g) prohibits the display by governmental agencies of SSAN for purposes of identification. The Section would create a new paragraph that reads: "(xii) No agency or instrumentality of the Federal Government or of a State or political subdivision thereof may display the social security account number, or any derivative of such number, on any card or tag that is commonly provided to employees for purposes of identification and that is to be maintained by the employees. For purposes of this clause, the term ‘display’ in connection with a social security account number, or a derivative thereof, means the intentional placing of such number or derivative in a viewable manner."

Some retirement systems issue employee identification cards to their employees that contain their SSANs. Some are worn around the neck and others are kept in a individual’s pocket or wallet. In addition, some retirement systems provide identification cards for health care that bear the number. Further, some states have deferred compensation and other programs in which a third party administrator uses the SSAN not only to identify the employee, but also on some type of identification card.

We are concerned about whether the definition would cover identification cards intended for storage in a wallet or pocket. Moreover, does the definition cover identification cards for health insurance and other programs?

Liability

We’d like to raise a concern about liability for violation of the proposed legislation. We understand that the governmental officer or employee who allowed an unauthorized use would be personally liable. As we discuss above, SSANs are frequently used by the third party providers. These providers administer health care and other benefits. If a provider engaged by the governmental entity were to allow an authorized use, would the governmental officer or employee be nonetheless liable?

Mr. Chairman, as we stated above, we hope you will have a GAO study conducted before enacting this bill. It that is not possible, we ask for your resolution of the points we raised.

Sincerely,

Cynthia L. Moore