[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2229 Introduced in House (IH)]
113th CONGRESS
1st Session
H. R. 2229
To require the Commissioner of Social Security to issue uniform
standards for the method for truncation of Social Security account
numbers in order to protect such numbers from being used in the
perpetration of fraud or identity theft and to provide for a
prohibition on the display to the general public on the Internet of
Social Security account numbers by State and local governments and
private entities, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 3, 2013
Mr. Ross (for himself and Ms. Castor of Florida) introduced the
following bill; which was referred to the Committee on Ways and Means
_______________________________________________________________________
A BILL
To require the Commissioner of Social Security to issue uniform
standards for the method for truncation of Social Security account
numbers in order to protect such numbers from being used in the
perpetration of fraud or identity theft and to provide for a
prohibition on the display to the general public on the Internet of
Social Security account numbers by State and local governments and
private entities, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safeguarding Social Security Numbers
Act of 2013''.
SEC. 2. FINDINGS.
Congress makes the following findings:
(1) The Federal Government requires virtually every
individual in the United States to obtain and maintain a Social
Security account number in order to pay taxes or to qualify for
old-age, survivors, and disability insurance benefits under
title II of the Social Security Act.
(2) Many Government agencies and private entities also use
Social Security account numbers as identifiers to track
individual records or as information that an individual must
present to verify his or her identity. Thus, Social Security
account numbers are routinely collected, recorded, and
transferred by public and private entities.
(3) As an unintended consequence of these uses, Social
Security account numbers have become one of the tools that can
be used to facilitate crime, fraud, and invasions of the
privacy of the individuals to whom the numbers are assigned.
(4) According to the Social Security Administration's
Inspector General, 16 percent of the 99,000 fraud cases it
investigated in the 1-year period ending September 30, 2006,
involved the misuse of Social Security account numbers.
(5) The Social Security account number is also a key piece
of information used in the perpetration of identity theft. In
calendar year 2006, over 240,000 individuals reported to the
Federal Trade Commission that they had been the victims of an
identity theft. Identity theft is a serious crime that can
cause substantial financial losses and force victims to spend
significant time restoring the accuracy of their credit
records.
(6) Social Security account numbers are publicly displayed
by some Government entities. In most jurisdictions throughout
the United States, State and local law requires that certain
documentary records, such as business filings, property
records, and birth and marriage certificates, be made available
to the general public. Some of these records contain personally
identifiable information of individuals, including Social
Security account numbers. Increasingly, State and local
recordkeepers are displaying public records on the Internet,
where these records are widely accessible at no cost or for a
minimal fee. There are known instances of criminals using
personally identifiable information from online public records
to commit identity theft.
(7) Private information resellers also routinely record and
transfer individuals' Social Security account numbers and other
personally identifiable information. In a 2006 study, the
Government Accountability Office (GAO) was able to purchase
truncated or full Social Security account numbers from 5 of 21
Internet information resellers that were surveyed.
(8) The GAO has concluded, based on available evidence,
that unauthorized access to personal data such as Social
Security account numbers is a frequent occurrence. A survey of
17 Federal agencies by the Committee on Oversight and
Government Reform of the House of Representatives found that
these agencies suffered more than 788 data breaches from
January 2003 through July 2006.
(9) In many instances, public and private entities seek to
protect Social Security account numbers from abuse by
truncating a portion of each number. However, because
truncation methods are not uniform, it is possible to obtain a
full Social Security account number by reconstructing the
number based on partial information obtained from different
sources.
(10) In a report issued in June 2007, the GAO found that
truncated Social Security account numbers in Federal documents
stored as public records remain vulnerable to misuse, in part
because different truncation methods used by the public and
private sectors permit the reconstruction of full Social
Security account numbers. Federal entities such as the
Department of Justice, the Internal Revenue Service, and the
Judicial Conference of the United States truncate by displaying
the last 4 digits of the Social Security account number. In
contrast, the GAO found that information resellers sometimes
sell records containing Social Security account numbers that
are truncated to display the first 5 digits.
(11) The first 5 digits of an individual's Social Security
account number are assigned based on the location in which the
account number was issued and the order in which the account
number was issued. The last 4 digits of an individual's Social
Security account number are randomly generated, creating a
unique account number for each individual. Many public and
private entities ask consumers to supply the last 4 digits of
Social Security account numbers as a way to verify consumers'
identities, providing an additional reason for identity thieves
to seek to acquire these digits.
(12) The GAO reported in 2006 that it had been unable to
identify any industry standards or guidelines for truncating
Social Security account numbers. Moreover, the GAO could not
identify any consensus among Government officials about which
method for truncation better protects Social Security account
numbers from abuse.
(13) The GAO has stated that standardizing the truncation
of Social Security account numbers would better protect these
numbers from misuse. Since 2005, the GAO has on multiple
occasions recommended the establishment of uniform standards
for truncation of Social Security account numbers.
(14) Given the Social Security Administration's role in
assigning Social Security account numbers, the Commissioner of
Social Security may be in the best position to determine
whether and how truncation should be standardized.
(15) The truncation of Social Security account numbers,
even by Federal Government agencies, is not comprehensively
required or regulated. Currently, the Social Security
Administration does not have the legal authority to regulate
the use of Social Security account numbers by other entities.
(16) Because the Federal Government created and maintains
the system of required Social Security account numbers, and
because the Federal Government does not permit individuals to
exempt themselves from those requirements, it is appropriate
for the Federal Government to take steps to curb the abuse of
Social Security account numbers.
SEC. 3. REQUIREMENT TO ISSUE UNIFORM STANDARDS FOR THE METHOD FOR
TRUNCATION OF SOCIAL SECURITY ACCOUNT NUMBERS.
(a) In General.--The Commissioner of Social Security shall issue
uniform standards--
(1) for the method for truncation of Social Security
account numbers in order to facilitate the protection of such
numbers from being used in the perpetration of fraud or
identity theft; and
(2) for the method for encryption (or other method of
securing from disclosure) of Social Security account numbers
transmitted by means of the Internet.
Such uniform standards shall not apply with respect to a Social
Security account number of a deceased individual.
(b) Requirements.--
(1) In general.--In establishing the uniform standards
required under subsection (a), the Commissioner of Social
Security shall consider the matters described in paragraph (2)
and consult with, at a minimum, the heads of the following
Federal agencies:
(A) The Department of Justice.
(B) The Federal Trade Commission.
(C) The Department of the Treasury.
(2) Specific considerations.--For purposes of paragraph
(1), the matters described in this paragraph are the following:
(A) The extent to which various methods for
truncation of Social Security account numbers will
assist in the prevention of fraud and identity theft,
taking into account the following:
(i) The risk that a truncated Social
Security account number can be combined with
other personally identifiable information to
derive or acquire a complete Social Security
account number.
(ii) The risk that the numerical digits not
masked in the truncation process will reveal
personally identifiable information about an
individual.
(iii) The risk that a truncated Social
Security account number can be used to derive
or acquire from other sources a full Social
Security account number.
(B) The methods in use for the truncation of Social
Security account numbers by the Federal Government,
State and local governments, and private entities and
the extent of use of each method by the Federal
Government, State and local governments, and private
entities.
(C) The reasons why Social Security account numbers
are collected and recorded by the Federal Government,
State and local governments, and private entities.
(D) The effect of each proposed method for
truncation on the uses for Social Security account
numbers by the Federal Government, State and local
governments, and private entities.
(E) Any comments regarding proposed methods for
truncation submitted to the Commissioner from--
(i) experts on privacy and data security,
consumer advocacy groups, and identity theft
assistance organizations;
(ii) the Federal Government or State or
local governments, including State Attorneys
General;
(iii) representatives of private entities
that transfer, display, record, or otherwise
utilize Social Security account numbers on a
regular basis;
(iv) the Comptroller General of the United
States; and
(v) any other appropriate entities.
SEC. 4. APPLICATION OF UNIFORM STANDARDS.
(a) Federal Government.--On and after the date that the
Commissioner of Social Security determines in regulations issued
pursuant to section 6, the uniform standards issued under section 3(1)
shall apply to the Federal Government--
(1) whenever the Federal Government displays a Social
Security account number; and
(2) to the extent practicable, whenever the Federal
Government transfers, records, or otherwise utilizes a Social
Security account number.
(b) State and Local Governments; Private Entities.--
(1) Display or transmission by a state or local government
by means of the internet.--
(A) Prohibition.--
(i) In general.--Subject to clause (ii), a
State, a political subdivision of a State, or
any officer, employee, or contractor of a State
or a political subdivision of a State, shall
not display to the general public on the
Internet all or any portion of any Social
Security account number.
(ii) Exceptions.--A State, a political
subdivision of a State, or any officer,
employee, or contractor of a State or a
political subdivision of a State may display to
the general public on the Internet--
(I) a portion of a Social Security
account number if such display complies
with the uniform standards for the
method for truncation and encryption of
such numbers issued by the Commissioner
of Social Security under section 3; and
(II) all or any portion of a Social
Security account number of a deceased
individual.
(B) Penalties.--A State, a political subdivision of
a State, or any officer, employee, or contractor of a
State or a political subdivision of a State that
violates subparagraph (A) shall be subject to a civil
penalty of not more than $5,000 per day for each day
that the State or political subdivision violated such
subsection.
(C) Enforcement.--The Attorney General may bring a
civil action against a State, a political subdivision
of a State, or any officer, employee, or contractor of
a State or a political subdivision of a State, in any
appropriate United States District Court for a
violation of subparagraph (A).
(D) Effective date.--Subparagraphs (A) through (C)
shall take effect on the date that is 1 year after the
date on which regulations are issued under section 6
and shall apply to violations occurring on or after
that date.
(2) Display by other means.--It is the sense of Congress
that if a State, local government, or private entity displays a
Social Security account number in a manner other than that
described in paragraph (1), the State, local government, or
private entity should comply with the uniform standards issued
under section 3 to the same extent that the Federal Government
or a State or local government is required to comply with such
standards under subsection (a) and paragraph (1) of this
subsection.
SEC. 5. GRANTS TO STATE AND LOCAL GOVERNMENTS TO COME INTO COMPLIANCE
WITH THE PROHIBITION ON THE DISPLAY TO THE GENERAL PUBLIC
ON THE INTERNET OF SOCIAL SECURITY ACCOUNT NUMBERS.
(a) In General.--The Attorney General shall award grants to States
and political subdivisions of States to carry out activities to remove,
redact, or truncate, in accordance with the uniform standards for the
method of truncation issued under section 3, all Social Security
account numbers on forms and records of executive, legislative, and
judicial agencies of States and political subdivisions of States that,
as of the date that is 1 year after the date on which regulations are
issued under section 6, would be displayed to the general public on the
Internet in violation of section 4(b)(1).
(b) Application.--A State or political subdivision of a State
desiring a grant under this subsection shall submit an application to
the Attorney General at such time, in such manner, and containing such
information as the Attorney General may reasonably require.
(c) Authorization of Appropriations.--There is authorized to be
appropriated to the Attorney General to carry out this subsection,
$10,000,000 for each of fiscal years 2014 and 2015.
SEC. 6. REGULATIONS.
Not later than the date that is 6 months after the date of the
enactment of this Act, the Commissioner of Social Security shall issue
regulations to carry out this Act.
SEC. 7. GAO REPORT.
Not later than 18 months after the effective date of the
regulations issued by the Commissioner of Social Security under section
6, the Comptroller General of the United States shall report to
Congress on the extent to which the uniform standards required under
section 3 have resulted in the adoption of such standards by private
entities, and whether these standards are likely to provide greater
protection against fraud and identity theft than the practices adhered
to prior to such date. The report shall include--
(1) a recommendation regarding--
(A) whether such standards should be mandatory for
State and local governments and private entities, and
if so, under what circumstances; and
(B) whether making such standards mandatory for
such entities (with respect to each circumstance
identified under subparagraph (A)) would help prevent
fraud, identity theft, and unauthorized access to
consumers' personally identifiable information; and
(2) recommendations for such additional legislation or
administrative action as the Comptroller General determines
appropriate to further reduce the risks of fraud, identity
theft, and unauthorized access resulting from the transfer,
sale, display, recording, or other utilization of Social
Security account numbers.
SEC. 8. PREEMPTION OF STATE LAW.
This Act and the amendments made by this Act shall supersede a
provision of State law only if, and only to the extent that, such
provision conflicts with a requirement of this Act or an amendment made
by this Act.
SEC. 9. DEFINITIONS.
In this Act--
(1) the term ``display to the general public on the
Internet'' means, in connection with all or any portion of a
Social Security account number, to post or to permit the
continued presence of such number, or any portion of such
number in a viewable manner on an Internet site that is
available to the general public, including any Internet site
that requires a fee for access to information accessible on or
through the site;
(2) the term ``Social Security account number'' means the
account number assigned to an individual by the Commissioner of
Social Security in the exercise of the Commissioner's authority
under section 205(c)(2) of the Social Security Act (42 U.S.C.
405(c)(2)) and includes any derivative of such number; and
(3) the term ``State'' means each of the 50 States, the
District of Columbia, the Commonwealth of Puerto Rico, the
United States Virgin Islands, Guam, and the Commonwealth of the
Northern Mariana Islands.