Text: H.R.2229 — 113th Congress (2013-2014)All Information (Except Text)

There is one version of the bill.

Text available as:

Shown Here:
Introduced in House (06/03/2013)


113th CONGRESS
1st Session
H. R. 2229


To require the Commissioner of Social Security to issue uniform standards for the method for truncation of Social Security account numbers in order to protect such numbers from being used in the perpetration of fraud or identity theft and to provide for a prohibition on the display to the general public on the Internet of Social Security account numbers by State and local governments and private entities, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES

June 3, 2013

Mr. Ross (for himself and Ms. Castor of Florida) introduced the following bill; which was referred to the Committee on Ways and Means


A BILL

To require the Commissioner of Social Security to issue uniform standards for the method for truncation of Social Security account numbers in order to protect such numbers from being used in the perpetration of fraud or identity theft and to provide for a prohibition on the display to the general public on the Internet of Social Security account numbers by State and local governments and private entities, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Safeguarding Social Security Numbers Act of 2013”.

SEC. 2. Findings.

Congress makes the following findings:

(1) The Federal Government requires virtually every individual in the United States to obtain and maintain a Social Security account number in order to pay taxes or to qualify for old-age, survivors, and disability insurance benefits under title II of the Social Security Act.

(2) Many Government agencies and private entities also use Social Security account numbers as identifiers to track individual records or as information that an individual must present to verify his or her identity. Thus, Social Security account numbers are routinely collected, recorded, and transferred by public and private entities.

(3) As an unintended consequence of these uses, Social Security account numbers have become one of the tools that can be used to facilitate crime, fraud, and invasions of the privacy of the individuals to whom the numbers are assigned.

(4) According to the Social Security Administration’s Inspector General, 16 percent of the 99,000 fraud cases it investigated in the 1-year period ending September 30, 2006, involved the misuse of Social Security account numbers.

(5) The Social Security account number is also a key piece of information used in the perpetration of identity theft. In calendar year 2006, over 240,000 individuals reported to the Federal Trade Commission that they had been the victims of an identity theft. Identity theft is a serious crime that can cause substantial financial losses and force victims to spend significant time restoring the accuracy of their credit records.

(6) Social Security account numbers are publicly displayed by some Government entities. In most jurisdictions throughout the United States, State and local law requires that certain documentary records, such as business filings, property records, and birth and marriage certificates, be made available to the general public. Some of these records contain personally identifiable information of individuals, including Social Security account numbers. Increasingly, State and local recordkeepers are displaying public records on the Internet, where these records are widely accessible at no cost or for a minimal fee. There are known instances of criminals using personally identifiable information from online public records to commit identity theft.

(7) Private information resellers also routinely record and transfer individuals’ Social Security account numbers and other personally identifiable information. In a 2006 study, the Government Accountability Office (GAO) was able to purchase truncated or full Social Security account numbers from 5 of 21 Internet information resellers that were surveyed.

(8) The GAO has concluded, based on available evidence, that unauthorized access to personal data such as Social Security account numbers is a frequent occurrence. A survey of 17 Federal agencies by the Committee on Oversight and Government Reform of the House of Representatives found that these agencies suffered more than 788 data breaches from January 2003 through July 2006.

(9) In many instances, public and private entities seek to protect Social Security account numbers from abuse by truncating a portion of each number. However, because truncation methods are not uniform, it is possible to obtain a full Social Security account number by reconstructing the number based on partial information obtained from different sources.

(10) In a report issued in June 2007, the GAO found that truncated Social Security account numbers in Federal documents stored as public records remain vulnerable to misuse, in part because different truncation methods used by the public and private sectors permit the reconstruction of full Social Security account numbers. Federal entities such as the Department of Justice, the Internal Revenue Service, and the Judicial Conference of the United States truncate by displaying the last 4 digits of the Social Security account number. In contrast, the GAO found that information resellers sometimes sell records containing Social Security account numbers that are truncated to display the first 5 digits.

(11) The first 5 digits of an individual’s Social Security account number are assigned based on the location in which the account number was issued and the order in which the account number was issued. The last 4 digits of an individual’s Social Security account number are randomly generated, creating a unique account number for each individual. Many public and private entities ask consumers to supply the last 4 digits of Social Security account numbers as a way to verify consumers’ identities, providing an additional reason for identity thieves to seek to acquire these digits.

(12) The GAO reported in 2006 that it had been unable to identify any industry standards or guidelines for truncating Social Security account numbers. Moreover, the GAO could not identify any consensus among Government officials about which method for truncation better protects Social Security account numbers from abuse.

(13) The GAO has stated that standardizing the truncation of Social Security account numbers would better protect these numbers from misuse. Since 2005, the GAO has on multiple occasions recommended the establishment of uniform standards for truncation of Social Security account numbers.

(14) Given the Social Security Administration’s role in assigning Social Security account numbers, the Commissioner of Social Security may be in the best position to determine whether and how truncation should be standardized.

(15) The truncation of Social Security account numbers, even by Federal Government agencies, is not comprehensively required or regulated. Currently, the Social Security Administration does not have the legal authority to regulate the use of Social Security account numbers by other entities.

(16) Because the Federal Government created and maintains the system of required Social Security account numbers, and because the Federal Government does not permit individuals to exempt themselves from those requirements, it is appropriate for the Federal Government to take steps to curb the abuse of Social Security account numbers.

SEC. 3. Requirement to issue uniform standards for the method for truncation of Social Security account numbers.

(a) In general.—The Commissioner of Social Security shall issue uniform standards—

(1) for the method for truncation of Social Security account numbers in order to facilitate the protection of such numbers from being used in the perpetration of fraud or identity theft; and

(2) for the method for encryption (or other method of securing from disclosure) of Social Security account numbers transmitted by means of the Internet.

Such uniform standards shall not apply with respect to a Social Security account number of a deceased individual.

(b) Requirements.—

(1) IN GENERAL.—In establishing the uniform standards required under subsection (a), the Commissioner of Social Security shall consider the matters described in paragraph (2) and consult with, at a minimum, the heads of the following Federal agencies:

(A) The Department of Justice.

(B) The Federal Trade Commission.

(C) The Department of the Treasury.

(2) SPECIFIC CONSIDERATIONS.—For purposes of paragraph (1), the matters described in this paragraph are the following:

(A) The extent to which various methods for truncation of Social Security account numbers will assist in the prevention of fraud and identity theft, taking into account the following:

(i) The risk that a truncated Social Security account number can be combined with other personally identifiable information to derive or acquire a complete Social Security account number.

(ii) The risk that the numerical digits not masked in the truncation process will reveal personally identifiable information about an individual.

(iii) The risk that a truncated Social Security account number can be used to derive or acquire from other sources a full Social Security account number.

(B) The methods in use for the truncation of Social Security account numbers by the Federal Government, State and local governments, and private entities and the extent of use of each method by the Federal Government, State and local governments, and private entities.

(C) The reasons why Social Security account numbers are collected and recorded by the Federal Government, State and local governments, and private entities.

(D) The effect of each proposed method for truncation on the uses for Social Security account numbers by the Federal Government, State and local governments, and private entities.

(E) Any comments regarding proposed methods for truncation submitted to the Commissioner from—

(i) experts on privacy and data security, consumer advocacy groups, and identity theft assistance organizations;

(ii) the Federal Government or State or local governments, including State Attorneys General;

(iii) representatives of private entities that transfer, display, record, or otherwise utilize Social Security account numbers on a regular basis;

(iv) the Comptroller General of the United States; and

(v) any other appropriate entities.

SEC. 4. Application of uniform standards.

(a) Federal Government.—On and after the date that the Commissioner of Social Security determines in regulations issued pursuant to section 6, the uniform standards issued under section 3(1) shall apply to the Federal Government—

(1) whenever the Federal Government displays a Social Security account number; and

(2) to the extent practicable, whenever the Federal Government transfers, records, or otherwise utilizes a Social Security account number.

(b) State and local governments; private entities.—

(1) DISPLAY OR TRANSMISSION BY A STATE OR LOCAL GOVERNMENT BY MEANS OF THE INTERNET.—

(A) PROHIBITION.—

(i) IN GENERAL.—Subject to clause (ii), a State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State, shall not display to the general public on the Internet all or any portion of any Social Security account number.

(ii) EXCEPTIONS.—A State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State may display to the general public on the Internet—

(I) a portion of a Social Security account number if such display complies with the uniform standards for the method for truncation and en­cryption of such numbers issued by the Commissioner of Social Security under section 3; and

(II) all or any portion of a Social Security account number of a deceased individual.

(B) PENALTIES.—A State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State that violates subparagraph (A) shall be subject to a civil penalty of not more than $5,000 per day for each day that the State or political subdivision violated such subsection.

(C) ENFORCEMENT.—The Attorney General may bring a civil action against a State, a political subdivision of a State, or any officer, employee, or contractor of a State or a political subdivision of a State, in any appropriate United States District Court for a violation of subparagraph (A).

(D) EFFECTIVE DATE.—Subparagraphs (A) through (C) shall take effect on the date that is 1 year after the date on which regulations are issued under section 6 and shall apply to violations occurring on or after that date.

(2) DISPLAY BY OTHER MEANS.—It is the sense of Congress that if a State, local government, or private entity displays a Social Security account number in a manner other than that described in paragraph (1), the State, local government, or private entity should comply with the uniform standards issued under section 3 to the same extent that the Federal Government or a State or local government is required to comply with such standards under subsection (a) and paragraph (1) of this subsection.

SEC. 5. Grants to State and local governments to come into compliance with the prohibition on the display to the general public on the Internet of Social Security account numbers.

(a) In general.—The Attorney General shall award grants to States and political subdivisions of States to carry out activities to remove, redact, or truncate, in accordance with the uniform standards for the method of truncation issued under section 3, all Social Security account numbers on forms and records of executive, legislative, and judicial agencies of States and political subdivisions of States that, as of the date that is 1 year after the date on which regulations are issued under section 6, would be displayed to the general public on the Internet in violation of section 4(b)(1).

(b) Application.—A State or political subdivision of a State desiring a grant under this subsection shall submit an application to the Attorney General at such time, in such manner, and containing such information as the Attorney General may reasonably require.

(c) Authorization of appropriations.—There is authorized to be appropriated to the Attorney General to carry out this subsection, $10,000,000 for each of fiscal years 2014 and 2015.

SEC. 6. Regulations.

Not later than the date that is 6 months after the date of the enactment of this Act, the Commissioner of Social Security shall issue regulations to carry out this Act.

SEC. 7. GAO Report.

Not later than 18 months after the effective date of the regulations issued by the Commissioner of Social Security under section 6, the Comptroller General of the United States shall report to Congress on the extent to which the uniform standards required under section 3 have resulted in the adoption of such standards by private entities, and whether these standards are likely to provide greater protection against fraud and identity theft than the practices adhered to prior to such date. The report shall include—

(1) a recommendation regarding—

(A) whether such standards should be mandatory for State and local governments and private entities, and if so, under what circumstances; and

(B) whether making such standards mandatory for such entities (with respect to each circumstance identified under subparagraph (A)) would help prevent fraud, identity theft, and unauthorized access to consumers’ personally identifiable information; and

(2) recommendations for such additional legislation or administrative action as the Comptroller General determines appropriate to further reduce the risks of fraud, identity theft, and unauthorized access resulting from the transfer, sale, display, recording, or other utilization of Social Security account numbers.

SEC. 8. Preemption of State law.

This Act and the amendments made by this Act shall supersede a provision of State law only if, and only to the extent that, such provision conflicts with a requirement of this Act or an amendment made by this Act.

SEC. 9. Definitions.

In this Act—

(1) the term “display to the general public on the Internet” means, in connection with all or any portion of a Social Security account number, to post or to permit the continued presence of such number, or any portion of such number in a viewable manner on an Internet site that is available to the general public, including any Internet site that requires a fee for access to information accessible on or through the site;

(2) the term “Social Security account number” means the account number assigned to an individual by the Commissioner of Social Security in the exercise of the Commissioner's authority under section 205(c)(2) of the Social Security Act (42 U.S.C. 405(c)(2)) and includes any derivative of such number; and

(3) the term “State” means each of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the United States Virgin Islands, Guam, and the Commonwealth of the Northern Mariana Islands.


Share This