Fact Sheet 10:
My Social Security Number - How Secure Is It?
Send to Printer
Privacy Rights Clearinghouse
- How do government agencies use my Social Security number?
- Am I required to give my Social Security number to government agencies?
- Must I give my Social Security number to private businesses?
- Can a school or college use my Social Security number as an ID number?
- Can I change my Social Security number?
- What information is contained in the Social Security Death Master File?
When Social Security numbers were first issued in 1936, the federal government assured the public that their use would be limited to Social Security programs. Today, however, the Social Security number (SSN) has become the de facto national identifier.
Government agencies and private businesses use SSNs for a wide range of non-Social Security purposes, such as employee files, medical records, health insurance accounts, credit and banking accounts, and utility accounts.
Identity thieves seek SSNs so they can assume the identity of another person and commit fraud. It’s relatively easy for someone to fraudulently use your SSN to assume your identity and gain access to your personal information. Identity thieves also can establish new credit and bank accounts in your name, or use your SSN for employment purposes or to obtain medical care.
Therefore, it’s wise to limit access to your SSN whenever possible. Unfortunately, your SSN is often saved in numerous databases which may be subject to compromise by hackers or other means. Data breaches involving the compromise of SSNs are a frequent occurrence.
Federal agency use. SSNs have been displayed on millions of cards issued by federal agencies, including Medicare cards and Department of Defense identification cards. Because the connection between identity theft and widespread use of the SSNs is indisputable, the federal government has acted to curtail its use.
- Medicare cards. Legislation signed in April 2015 requires that SSNs be removed from Medicare cards. Medicare will replace SSNs with randomly generated Medicare beneficiary identifiers. The process will take up to 8 years, beginning with Medicare cards for new Medicare beneficiaries during the first 4 years and then for existing beneficiaries within the next four years.
- Military ID cards. SSNs began to disappear from military identification cards in 2011. As cards expire, they are replaced with new cards having a Department of Defense (DOD) identification number. The DOD identification number is a unique 10-digit number. An 11-digit DOD benefits number will appear on cards of dependents eligible for DOD benefits.
State and local government agency records. State and local agencies generally place no restrictions on the reuse of data included in public records, meaning information can change hands many times and even be outsourced to foreign service providers. Many states are working to limit SSNs in public records. Such efforts, however, do nothing to retrieve the millions of SSNs already available in existing public records. Some jurisdictions are beginning the process of redacting SSNs from old public records. This can be a costly and time-consuming process.
The answer depends upon the agency. Some government agencies, including tax authorities, welfare offices, and state Departments of Motor Vehicles, can require your SSN. Others may request the SSN, leading you to believe you must provide it.
Under the Real ID Act of 2005, states must require proof of a person’s SSN (or verification that the
person is not eligible for an SSN) when issuing a driver's license. However, the Intelligence Reform and Terrorism Prevention Act of 2004
prohibits states from displaying your SSN on driver's license, state
ID cards, or motor vehicle registrations.
The Privacy Act of 1974 requires all government agencies — federal, state and local — that request SSNs to provide a disclosure statement on the form. The statement explains whether you are required to provide your SSN or if it’s optional, how the SSN will be used, and under what statutory or other authority the number is requested (5 USC 552a, note). The U.S. Office of Management and Budget, Office of Information and Regulatory Affairs provides guidance and oversight regarding the Privacy Act.
The Privacy Act of 1974 states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well.
If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.
Generally. Except in those few situations where your SSN is required by federal law (see below), you are not legally compelled to provide your SSN to private businesses. There is no law, however, that prevents businesses from requesting your SSN, and there are few restrictions on what businesses can do with it. But even though you are not legally required to disclose your SSN, the business does not have to provide you with service if you refuse to release it. So in a sense, you are strong-armed into giving your SSN.
But don't give up. Be sure to ask if there is an alternate number that you can provide to the company, such as your driver's license number. Also ask if you can provide a deposit rather than giving your SSN to the company.
If a business insists on knowing your SSN when you do not see a reason for it, we encourage you to speak to a manager who may be authorized to make an exception or who may know whether company policy requires it. If the company will not allow you to use an alternate number such as your driver’s license number, you may want to take your business elsewhere.
Your SSN is sometimes required by federal law. Federal law requires private businesses to collect your SSN when (1) you are involved in a transaction in which the Internal Revenue Service requires notification, or (2) you are engaged in a financial transaction subject to federal Customer Identification Program rules.
required on transactions in which the Internal Revenue Service (IRS) may be interested. That
includes most banking, stock market and other investments, real estate
purchases, many insurance documents, and other financial transactions as
well as employment records.
Financial institutions are also required by federal law to participate in Customer Identification Programs (CIPs). Banks must keep records of identifying information and check customer names against terrorist lists. This applies to anyone who opens a new account. The CIP Rule does not require financial institutions to report your dealings to the government. However, sections of the Bank Secrecy Act do require transactions over a certain dollar amount to be either reported to the Financial Crimes Enforcement Network (FinCEN), a branch of the U.S. Department of the Treasury, or documented by the bank. Reporting requirements may vary depending on the type of financial institution.
Health insurance companies. The company providing your medical insurance will ask you to provide your SSN.
- MediCal and Medicare are government health plans and can require an SSN for enrollment.
- Commercial insurance companies can ask for your SSN. Beginning with the 2015 tax year, the Affordable Care Act requires every provider of minimum essential coverage to report that coverage. Your health insurance company will provide Form 1095-B to you and to the IRS. The law requires SSNs to be reported on Form 1095-B. You will use the form to prepare your income tax return. The information will be used to verify information on your individual income tax return under the Affordable Care Act.
- If you are covered by group insurance through your employer, a Mandatory Insurer Reporting Law (Section 111 of Public Law 110-173) requires insurers to report SSNs to the Centers for Medicare and Medicaid Services for both subscribers and covered dependents. This information is used to coordinate Medicare payments with other insurance benefits. However, there is no language in Section 111 itself that mandates collection or reporting of all SSNs to Medicare. Medicare requires only that insurers send the Medicare ID numbers of Medicare beneficiaries, and that they take appropriate steps to ensure that they tell Medicare about all the Medicare beneficiaries they also provide coverage for.
- Individuals who receive ongoing reimbursement for medical care through no-fault insurance or workers’ compensation or who receive a settlement, judgment or award from liability insurance (including self-insurance), no-fault insurance, or workers’ compensation may also be asked to provide their SSN.
Credit applications. Credit card applications usually request SSNs. Your number is used primarily to verify your identity in situations where you have the same or a similar name to others. Most credit grantors will insist on having your SSN. But in rare cases, you may be able to find a credit grantor who will provide you credit without knowing your SSN, especially if you are persistent and can provide other forms of identification.
State laws. In California, state law restricts how certain businesses can display their customers’ Social Security numbers. It does not restrict the collection of SSNs, however, and it doesn’t affect government agencies. California Civil Code §1798.85 prohibits, for example, insurance companies from printing the SSN on identification cards that are carried in the wallet. Similarly, customers of banks and investment companies cannot be required to transmit the SSN over the internet when conducting business online, unless the number is encrypted. SSNs cannot be printed on documents sent through the mail, with some exceptions.
In most states, your employer can use your SSN as an employee ID number. However, the Social Security Administration discourages employers from displaying SSNs on documents that are viewed by other people — such as badges, parking permits, or on lists distributed to employees. Employers do, however, need each employee’s SSN to report earnings and payroll taxes. In California and New York, as explained above, employers cannot display the employee’s SSN in certain situations.
Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act (FERPA) in order to retain their funding. One of FERPA's provisions requires written consent for the release of “educational records” or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision.
FERPA applies to state colleges, universities, and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a violation of FERPA. However, some schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law.
Public schools, colleges, and universities fall within the provisions of the Privacy Act of 1974. This act requires schools to provide a disclosure statement telling students how the SSN is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement.
When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID.
The U.S. Department of Education and Department of Justice interpret the Privacy Act of 1974 as prohibiting a public school district from requiring a pupil or parent to provide an SSN or denying admittance because a pupil does not provide an SSN.
The Social Security Administration (SSA) will issue a new number only in certain very extreme cases. A new SSN may be issued if you can prove that someone has stolen your number and is using it illegally. You must provide evidence that the number is actually being misused, and that the misuse is causing you significant harm on an ongoing basis. If your card has been lost or your number has fallen into the wrong hands, that's not enough. Further, SSA will not give you a new SSN to aid in avoiding legal responsibility, or in hiding bad credit or a criminal record.
SSA may also assign a different number if:
- Sequential numbers assigned to members of the same family are causing problems
- More than one person is assigned or using the same number
- There is a situation of harassment, abuse or life endangerment
To get a new Social Security number, you must visit an SSA office.
SSA maintains a Death Master File (DMF). The DMF contains records of deaths that have been reported to SSA from various sources, including family members, funeral homes, hospitals, and financial institutions.
SSA does not guarantee the accuracy of the DMF. The absence of a particular person from the DMF is not proof that a person is alive. Some individuals listed in the DMF are in fact alive.
The DMF is used to prevent fraud to help prevent stealing the identity of a dead person. It is used by credit reporting agencies, as well as government, financial, investigative, medical research organizations to verify death and to prevent fraud. Conversely, information from the DMF can be used by identity thieves to obtain tax refunds for deceased persons or to apply for credit cards or obtain cell phones.
Erroneous death entries can lead to benefit termination and closing or freezing of bank accounts, causing financial hardship. They also result in the publication of living individuals' personal identifying information in the DMF. While those who are declared dead generally lose their ability to apply for credit, they may be at risk for other types of identity theft now that their personally-identifying information has been made public.
If you find out that your name is on the DMF, your first priority is to find out who reported your death, when, and why. You must take appropriate steps to correct the information at the originating source. You will need to take steps to locate and amend the death certificate and then remove your name from the DMF.
- Congressional Research Service, The Social Security Number: Legal Developments Affecting Its Collection, Disclosure, and Confidentiality
- California Department of Justice’s Privacy Enforcement and Protection Unit, Recommended Practices for Protecting the Confidentiality of Social Security Number
- California College and University Social Security Task Force, The Use of Social Security Numbers in California Colleges and Universities: A Report to the California State Senate and Assembly Judiciary Committees and to the California Office of Privacy Protection
Browse Privacy Topics
Background Checks & Workplace
Banking & Finance
Credit & Credit Reports
Harassment & Stalking
Identity Theft & Data Breaches
Online Privacy & Technology
Privacy When You Shop
Public Records & Info Brokers
Social Security Numbers
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.