Okay, I just finished the 3rd conversation in just the past two weeks alone with an organization that is using Social Security Numbers (SSNs) as their primary form of customer and/or employee identification. I’ve written about this topic numerous times over the past 15 years. Seriously; all businesses out there doing this, please make a plan to stop doing this! Why? Here are three good reasons.
Good Reason #1: Using SSNs as identifiers is often illegal
Over the years I’ve been occasionally revisiting the topic of laws and regulations prohibiting the use of SSNs, most recently in 2008 when I identified over 45 U.S. federal and state laws and regulations regulating, and often prohibiting, the use of SSNs as identifiers in some locations. I provide pointers at the end of this post to some other reports and resources that contain many other lists of legal prohibitions for the use of SSNs.
Good Reason #2: SSNs facilitate identity theft
Within organizations there are multiple ways in which those IDs that are the same as SSNs are put at risk, and can subsequently be used for identity theft. First of all, think about all the people who have access to the customer and employee IDs you are using at your organization. The insider threat is growing, and if some of the folks within your organization (or whom you have contracted) with access to the IDs thinks he or she can get away with it without being caught, they may very well take the IDs and commit all sorts of fraud and crime with them. Desperate folks often take despicable actions. I’ve listed a few recent examples at the end of this post.
Second, think about how those folks, your employees and customers, who have those IDs (that are the same as their SSNs) are putting them at risk, often because they don’t realize what they are doing. The SSNs are often embedded within IDs, so folks don’t realize that by leaving an ID card out on a reception desk, or giving it to others, they are basically handing their SSNs to someone who may take it and do bad things.
Most organizations I’ve helped over the years have said, “We trust our employees! We don’t have to worry about them doing bad things!” Under perfect circumstances that may be close to true. However, there will always be situations that will push otherwise trustworthy employees into exploiting their positions of authority and access to such valuable information as SSNs. See some links to stories of such situations at the end of this post.
Good Reason #3: Using portions of SSNs as identifiers can lead to the full SSN
Many organizations are choosing to use portions of SSNs, often the last 6 digits and sometimes first 5 digits, as identifiers. They believe that since the full SSN is not being used that there is no risk involved. Au contraire, mon frère! Multiple studies throughout the years have demonstrated how SSNs can be determined through knowing only portions of them. Carnegie Mellon published a nice research paper on this topic back in July of 2009.
How widespread is this bad practice?
So, I’ve provided you with three compelling reasons that should convince most reasonable business leaders not to use SSNs as IDs. Do you really need more reasons? Well, perhaps you think, “Hey, everyone else is using SSNs as IDs, so why not us?” Does that make the practice okay? As your mother may have asked/scolded you as a child, “If everyone else was jumping off cliff, would you too? No, don’t!”
Organizations started using SSNs as customer, employee, systems and applications identifiers from almost the moment that SSNs came into existence in 1936. As the Social Security Administration (SSA) states, SSNs were, “created merely to keep track of the earnings history of U.S. workers for Social Security entitlement and benefit computation purposes,” but now they have “come to be used as a nearly universal identifier.” The SSA stresses that the SSN was not, and should not, be used for other purposes because of the significant fraud and abuse risks that doing so creates. However, the use of SSNs is pervasive. I provide some links below to articles discussing how ubiquitous this use is.
Bottom line for all organizations, from the largest to the smallest: Using SSNs as customer, patient, employee, systems or applications IDs is a *very bad* idea, and an even worse business practice. Organizations of all sizes (and perhaps new, along with small and medium sized businesses more than others) continue to use SSNs because the SSNs just seem to be just so darn easy and available to use.
Really; use a different type of identifier! Use something else that will not lead to bad things happening…to the individuals involved, or to your organization.
Good additional information about the use of SSNs as IDs
Here are some other thought-provoking and information-rich articles and news reports about using SSNs as identifiers, along with a few recent examples of breaches involving SSNs:
- From Consumer Reports: Social Security Number Protection Legislation for States
- Identity crisis: how Social Security numbers became our insecure national ID – The SSN-as-ID thing has got to stop. How did we get here, and can we get out?
- From Privacy Rights Clearinghouse: Social Security Numbers FAQ
- From AHIMA: Using the SSN as a Patient Identifier
- No, You Can’t Have My Social Security Number: Why using SSNs for identification is risky and stupid
- From the FTC: Security in Numbers – SSNs and ID Theft
- Your Social Security number may not be unique to you
- From a 2004 GAO report, “Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information”
- Legal Alert: New York Strengthens Law Protecting Social Security Numbers
- A school lesson about identity theft
- ID theft can hit kids, too
- Keep Your Identity: Children’s SSNs often more at risk than adults
- University of Chicago Staffers’ SSNs Published in Mass Mailing
This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Cross-posted from Privacy Professor