Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact finding effort summarized in the FTC’s November 2007 staff summary report (which can be found here [.pdf]). For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations.
The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention program:
FTC Recommendation 1 – Businesses should improve their methods of authenticating the identity of consumers
By this, the FTC means that businesses should reduce or eliminate altogether the use of SSNs to authenticate a person’s identity. The FTC explains that SSNs themselves are not useful tools to confirm a person’s identity because SSNs are widely used as “identifiers” — information that, like your name and address, is commonly supplied to a range of merchants, employers, government agencies and financial institutions — rather than as “authenticators” — information, like a password or personal information, which remains secret. In short, because your SSN is generally no secret to your boss, your doctor, your bank, the IRS and a number of other entities, knowledge of your SSN is insufficient to prove that you are who you say you are.
The FTC Report does identify some appropriate ways that SSNs may be used during the authentication process which might safely avoid some of the risks associated with using an SSN as an authenticator:
- using the SSN “to access databases containing information about an individual that can be used to formulate challenge questions that only the true individual should be able to answer (for example, the amount of her mortgage payment each month)”; [Report at 5]
- using the SSN to check an individual’s identity against a fraud database, for example, checking to see that the SSN matches the Social Security Administration’s listing for a living individual or whether the SSN is listed on industry databases of SSNs used to commit fraud; and
- using the SSN “as one element in their quantitative fraud prediction models, which are designed to flag suspect patterns of use of identifying information that might indicate that an application or proposed transaction is fraudulent” [Report at 5] — for example, a check to see whether there have been an unusually large number of credit applications or other suspicious activity using a particular SSN.
While these examples can be found in the FTC Report, the FTC has made clear that it is not taking a stance on whether any specific techniques would ensure compliance with new federal regulations. In calling for rulemaking on this issue, the FTC indicates, as it has with respect to the recent Red Flags regulation, that “the standard should be one of reasonableness and not perfection, acknowledging that there is no fool-proof method of authenticating consumers and no likelihood that one will be developed in the foreseeable future.” [Report at 7] Nevertheless, given the FTC’s conclusion that use of SSNs to authenticate a person’s identity presents a risk of identity theft, it seems clear that businesses that rely on SSNs as an authenticator do so at their peril.
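The third bullet above (flagging an unusually large number of applications that reuse one SSN) can be illustrated with a simple velocity check. The code below is an added example, not from the Report or any FTC guidance: it keys the check on an HMAC pseudonym rather than the raw SSN so the fraud log itself never stores the number, and the applications, threshold, window and key are all constructed, hypothetical values.

```python
"""Velocity check on SSN reuse across credit applications (added example)."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample applications: (ISO timestamp, SSN, applicant name). Not real data.
SAMPLE_APPLICATIONS = [
    ("2008-12-01T09:00:00", "123-45-6789", "A. Applicant"),
    ("2008-12-01T09:05:00", "123-45-6789", "B. Applicant"),
    ("2008-12-01T09:40:00", "123-45-6789", "C. Applicant"),
    ("2008-12-01T10:10:00", "123-45-6789", "D. Applicant"),
    ("2008-12-02T11:00:00", "987-65-4321", "E. Applicant"),
    ("2008-12-05T11:00:00", "987-65-4321", "E. Applicant"),
]

# Hypothetical secret; in practice it lives in a key store, not in source.
PSEUDONYM_KEY = b"hypothetical-pseudonym-key"


def pseudonymize_ssn(ssn: str) -> str:
    """Keyed hash of the SSN so fraud records carry a token, not the number itself."""
    digits = ssn.replace("-", "")
    return hmac.new(PSEUDONYM_KEY, digits.encode(), hashlib.sha256).hexdigest()


def flag_ssn_velocity(applications, window=timedelta(hours=24), threshold=3):
    """Return {token: peak count} for SSNs seen in >= threshold applications
    within any sliding window of the given length."""
    by_token = defaultdict(list)
    for ts, ssn, _name in applications:
        by_token[pseudonymize_ssn(ssn)].append(datetime.fromisoformat(ts))
    flagged = {}
    for token, times in by_token.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[token] = max(flagged.get(token, 0), count)
    return flagged


if __name__ == "__main__":
    for token, peak in flag_ssn_velocity(SAMPLE_APPLICATIONS).items():
        print(f"suspect SSN token {token[:12]}...: {peak} applications in 24h")
```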
FTC Recommendation 2 – Businesses should abolish the public display and transmission of Social Security numbers
Here, the FTC’s guidance is abundantly clear: stop displaying and transmitting SSNs in unnecessary and potentially risky ways. While the FTC calls on regulatory agencies that oversee the use of SSNs to adopt rules on this issue, the FTC makes a series of specific recommendations to businesses in advance of further regulation:
- Stop using SSNs as employee or customer numbers;
- Stop printing SSNs on identification cards that would be compromised every time a wallet is lost or stolen;
- Stop printing SSNs on mailings, such as account statements or paychecks that can be lifted from a person’s mailbox or trashcan;
- Stop displaying SSNs in emails or website pages, which can be observed over a person’s shoulder;
- Encrypt SSNs when they must be transmitted over the Internet.
[Report at 8-9]
In addition, the FTC appears to take the view that displaying only a truncated portion of a person’s SSN provides little protection because the other digits can often be collected from other sources or fabricated based on other personal information. [Report at 8]
Given the level of confusion that plagues many businesses’ efforts to develop identity theft prevention programs, the FTC’s clarity on this issue should not be ignored, especially since many, if not all, of these steps are simple and inexpensive to implement.
Other FTC Recommendations
Perhaps not surprisingly given the confusion generated by new federal and state identity theft regulations, the FTC’s remaining recommendations call on Congress, other regulatory agencies and the FTC itself to develop national standards and provide guidance and leadership to dispel the widespread confusion on what we can do to reduce the threat of identity theft. The FTC outlines some specific guidance to businesses, such as:
- Collect SSNs only when necessary;
- Retain SSNs only as long as necessary;
- Consider how to properly and securely dispose of records containing SSNs;
- Secure and/or encrypt electronic transmissions containing SSNs;
- Limit employee access to SSNs;
- Conduct reasonable employee screening to avoid hiring identity thieves; and
- Conduct reasonable employee training to prevent potential mistakes.
For those businesses working to comply with recent Massachusetts identity theft regulations (201 C.M.R. § 17.03) or similar state regulations, the FTC’s guidance may seem eerily familiar because it parallels many of the state requirements. For example, in Massachusetts, 201 C.M.R. § 17.03(g) requires businesses to limit the amount of “personal information” (which includes SSNs) collected, limit access to that information to those employees that require access, and limit “the time such information is retained to that reasonably necessary to accomplish such purpose.” This is good news for businesses worried that they may face inconsistent federal and state requirements and bad news for those having difficulty meeting these state standards.
- The FTC Report – Security in Numbers – SSNs and ID Theft is available here (.pdf) or from the FTC here (.pdf)
- The FTC’s Staff Summary of Comments and Information Received Regarding the Private Sector’s Use of Social Security Numbers is available here (.pdf) or from the FTC’s website here (.pdf)
- The FTC’s website on the use of SSNs containing transcripts and webcast of public workshops, public comments, and press releases.
- The President’s Identity Theft Task Force website