More modern IT could keep SSA from mailing out Social Security numbers

If you have ever received a notice in the mail from the Social Security Administration, odds are your Social Security number was on it. Of the 352 million notices the agency mailed last year, about 233 million included the recipients' full SSNs, potentially putting people at risk of identity theft, according to an inspector general report released on April 27.

The government has long advocated that agencies stop using the numbers as personal identifiers, and many large agencies have already done so. The IG recommends that SSA follow suit and prioritize removing SSNs from their mailed notices and re-evaluate how much it would cost to do so.

SSA officials agreed with both recommendations but said making the change in fiscal 2016 would mean postponing other critical IT projects. Meanwhile, the agency plans to use existing IT projects to replace SSNs with Beneficiary Notice Control Numbers on a case-by-case basis and as resources permit.

Right now, the agency's operational and systems infrastructure is still designed for SSNs. Employees cannot communicate personal information to callers without the numbers, even if they have their BNCs. And if they don't remember their SSNs, callers have to go to a field office, where an employee searches for their numbers. That could create confusion, longer call times and more field office visits.

Also, SSA employees cannot use BNCs to query the Online Retrieval System where they store electronic copies of mailed notices. Instead, they must must cross-check the BNC with the SSN, adding a step to the process.

An SSA workgroup formed in June 2015 recommended delaying the removal of SSNs from all notices until the agency has enough resources. The workgroup estimated it would cost about $14 million to replace SSNs with BNCs on mailed notices, but the IG said the group did not provide documentation to support that estimate.

Ultimately, the IG stressed the importance of protecting people from the risk of identity theft associated with sending personally identifiable information through the mail.

"Convenience should not come before the security of individuals' private and sensitive information," the report states.