FTC Recommendations on Identity Theft and SSNs for Private Sector

In response to a mandate from the President's Identity Theft Task Force, the Federal Trade Commission (FTC) issued its report, “Security in Numbers: SSNs and Identity Theft,” on Dec. 17, 2008. The report examines the role that Social Security numbers (SSNs) play in the problem of identity theft and contains five recommendations for Congress, the FTC, and private sector organizations that collect and use SSNs.

The FTC emphasizes the need for an approach designed to reduce the supply of and demand for SSNs while avoiding unreasonable impediments to the beneficial uses of SSNs. The recommendations in the report call on Congress, the FTC, and private sector organizations to:

1. Improve consumer authentication: All private sector organizations that maintain consumer accounts should establish appropriate, risk-based consumer authentication programs. Congress should adopt the proper incentives for improving authentication through carefully tailored legislation.
   
   
2. Restrict the public display and transmission of SSNs: Congress should require private sector organizations to restrict the display of SSNs on publicly available documents and identification cards and to limit the circumstances and means by which SSNs can be transmitted.
   
   
3. Establish national standards for data protection and breach notification: All private sector organizations that collect and store sensitive consumer information should safeguard such information against unauthorized use. Congress should adopt national standards that require private sector organizations to provide notice when a breach of consumers' personal information occurs that creates a significant risk of identity theft or other harm.
   
   
4. Conduct outreach to business and consumers: The FTC should continue outreach to private sector organizations and consumers in the area of identity theft prevention. The FTC should communicate to private sector organizations the importance of collecting SSNs only when necessary, reducing the use of SSNs as internal identifiers, limiting employee access to SSNs, and properly storing and disposing records that contain SSNs.
   
   
5. Promote coordination and information sharing on use of SSNs: The FTC should help private sector organizations share information about their experiences and approaches to consumer authentication, SSN usage, and identity theft prevention.

The FTC emphasizes that any legislation resulting from its recommendations should both be consistent with existing identity theft prevention laws and “provide flexibility to private sector entities to implement a program that is compatible with their size, the nature of their business, and the specific authentication risks they face.”

The FTC's report, “Security in Numbers SSNs and ID Theft” may be found at: http://www.ftc.gov/os/2008/12/P075414ssnreport.pdf