The Social Security Administration sent 352 million notices by snail mail in 2015. With volume like that—much of it containing valuable fraud-enabled information—you’d think the SSA would have a great system for protecting sensitive personally identifiable information from the constant threat of identity-related crime.
Recently, the Office of the Inspector General of the SSA published a report entitled “Social Security Administration Correspondence Containing Full Social Security Numbers.” While it is akin to the Gobi desert on paper, there is one bit of terrible news in there that should, and really must, excite an apoplectically strong reaction. Of those 352 million notices sent out by the SSA in 2015, 223 million—a full 66%—included individuals’ Social Security Numbers. Not partials, not the last four digits but the Full Monty.
The reason the SSA had decided to include complete SSNs in correspondence was the most perplexing part. The logic is worthy of a Lewis Carroll story: “including the SSNs on notices is central to [the SSA’s] business processes because it supports the Agency’s current operational and systems infrastructure.”
Translation: the SSA is not going to lift a figural finger to avert a known threat—the use of SSNs in identity-related crime—because doing so would disrupt the way they do things, which, incidentally, is exposing individuals needlessly to the threat of identity-related crime.
Back in 2007, “The SSA considered removing SSNs from additional notices,” the report said. “It concluded that displaying the SSN on notices permitted instantaneous identification of a beneficiary and the location of his/her records in SSA’s computer systems. Additionally, removing the SSN would impede tele-service representatives’ ability to authenticate a caller.”
Got that? It’s easier.
The report also pointed to the fallibility of the U.S. Postal service, saying that they could not know how many of those notices actually arrived safely to their intended recipients.
One thing was abundantly clear from the Inspector General’s audit and investigation: More SSNs are included in the SSA workflow and paperwork than is necessary, a practice that creates a larger attackable surface for identity crime to take place. “However,” the report added, “we are not aware of any SSN misuse attributable to the SSN displayed on SSA notices.”
If only SSNs could have trackers that showed where they were stolen. In this era of constant threats, privacy and data security should not be a bolt on; it must be built into all processes. To not be actively working to protect people seriously ups the odds of a future crime—or, more to the point, a host of future crimes.
Identity theft is no fallacy, and we know exactly where it comes from. There is an army of sophisticated, creative and extremely persistent criminals out there working every imaginable angle to get enough information to commit crimes using other peoples’ identities, and the Social Security number included in literally hundreds of millions of notices sent out by the SSA is the skeleton key to all their endeavors. Once your name can be tied to a particular SSN, your life, quite literally, is in the hands of a thief.
The rise of identity theft is undeniable at this point, and something I document at great length in my new book, Swiped. The SSA report goes into some detail regarding the way other federal agencies have handled the use of SSN in correspondence in light of the identity theft epidemic—the prime example being Medicare cards including the card bearer’s SSN—and the takeaway is that many of them are doing a better job than the SSA.
Identity theft is a disruption. One disruption breeds another until stability is reestablished. We are nowhere near that point yet.
The Inspector General has pointed out the error. There should be no more discussion. This is not a matter of how fast it can be done or how inconvenient it might be. There is no amount of human capital issues that can excuse the situation at the SSA with regard to correspondence containing SSNs. It doesn’t matter how much it will cost to fix the issue.
The government is supposed to serve us. It is not supposed to serve us on a platter for the nearest fraudster, lurking next to a mailbox so he or she can fleece this or that hapless individual who, because of institutional lassitude, has zero control over a life-changer (and not for the better) delivered by a letter carrier.
Adam Levin is chairmman and founder of CyberScout.com. This story originally appeared on Credit.com. It is an Op/Ed contribution and does not necessarily represent the views of the company or its partners.