House panel looks at ditching the SSN

In light of recent data breaches, some on Capitol Hill are looking at accelerating the move away from widespread reliance on social security numbers in government systems.

While the numbers serve as a unique identifier for Americans, they were never intended to serve as a proxy ID, and their use exposes citizens to risks of identity theft.

"We need to break the link between identification and authentication," said chairman Sam Johnson (R-Texas) at a May 17 House Ways and Means Subcommittee hearing. "We need to figure out how to make the numbers less valuable to criminals in the first place."

Acting Social Security Administration Commissioner Nancy Berryhill called limiting the widespread use of social security numbers and related identity theft "a broad public policy issue that must be addressed."

"As long as the SSN remains key to accessing things of value, particularly credit, the SSN itself will have commercial value and will continue to be targeted by fraudsters," she said.

Since the 2015 OPM breach, which exposed some 22 million personnel records, Congress passed a law prohibiting agencies from sending documents with social security numbers on them unless necessary, and now the Department of Health and Human Services has discontinued sending Medicare cards displaying SSNs.

Berryhill called these measures "an important step," but said that "addressing identity theft requires a unified effort that includes this subcommittee and Congress, the administration and public and private experts throughout the country."

The reason social security numbers are so valuable for hackers, making them targets in data breaches, is relatively simple, McAfee Chief Technology Officer Steve Grobman said.

"Cybercrime is a market-driven enterprise," he said. "One of the practical ways to stop the theft is to devalue what they’re going after."

But because of the number's widespread use throughout the public and private sectors, simply limiting its use is easier said than done. For one, "there are many federal requirements to provide an SSN" for a range of purposes, noted Elizabeth Curda, director of education, workforce and income security at the Government Accountability Office.

Additionally, replacing a social security number is generally a "last resort," said Berryhill, because that replacement process "may cause the victim greater problems than the ones they are trying to solve."

Agencies have also pointed to complex technological challenges — such as legacy systems and software applications — as impediments to reducing their reliance on the number.

Jeremy Grant, coordinator of the Better Identity Coalition, said because government "is in the identity business," consumers should be able to ask SSA or other agencies to "vouch for them with parties they seek to do business with."

"Having agencies like SSA accept their role here may be the most impactful thing government could do to help solve our identities challenges," he said.

As far as alternatives, Sam Lester, consumer privacy counsel with the Electronic Privacy Information Center, raised the possibility of creating more identification numbers for different purposes, and called on Congress to codify privacy protections.