Fact Sheet 10:
My Social Security Number - How Secure Is It?
Send to Printer
Privacy Rights Clearinghouse
[See also our FAQ on Social Security numbers.]
- Why is my Social Security number used so often as an identification number?
- Am I required to give my Social Security number to government agencies?
- Must I give my Social Security number to private businesses?
- Should I disclose my Social Security number over the Internet?
- Can my employer use my Social Security number as an employee identification number?
- Why do financial transactions require my Social Security number?
- Can a school or college use my Social Security number as an ID number? Do I need to provide my SSN to the school?
- Can a state use my Social Security number as my drivers’ license number?
- How can I protect my Social Security number?
- What information is contained in the Social Security Death Master File ?
History of SSN usage. When Social Security numbers were first issued in 1936, the federal government assured the public that use of their use would be limited to Social Security programs such as calculating retirement benefits.
Today, however, the Social Security number (SSN) has become the de facto national identifier. It is also often used as an authenticator to confirm the identity of individuals. The use of SSNs as both an identifier and an authenticator makes these numbers highly desirable to criminals, such as identity thieves. For more information on this problem, read “Why SSNs Are Not Appropriate for Authentication” at www.privacyrights.org/ar/FTC-SSNworkshop-Speech.htm
Government agencies and private businesses continue to use SSNs for a wide range of non-Social Security purposes — such as employee files, medical records, health insurance accounts, credit and banking accounts, university ID cards, utility accounts, and many more.
You can read interesting historical information about SSNs at www.socialsecurity.gov/history/ssn/ssncards.html.
You can get your Social Security statement online by creating a My Social Security account at https://secure.ssa.gov/RIL/SiView.do. Your Social Security statement provides:
- A list of your lifetime earnings according to Social Security’s records
- The estimated Social Security and Medicare taxes you’ve paid
- Estimates of the benefits you or your family may receive
- General information about Social Security
You can choose to block electronic access to your Social Security record by going to https://secure.ssa.gov/acu/IPS_INTR/blockaccess. When you do this, no one, including you, will be able to see or change your personal information online. You may want to block your information if you:
- have been the victim of domestic violence;
- have been the victim of identify theft; or
- have any reason you do not want your record to be available.
Alternatively, you can opt for extra security to provide your account with an extra level of protection. With this option, you need a cell phone with text messaging each time you sign in.
Periodically checking your Social Security statement online can help you discover whether you might be a victim of a type of identity theft where someone uses your SSN to obtain employment. For example, an undocumented worker might use your SSN to obtain employment.
In February 2012, Social Security resumed mailing paper Statements to workers age 60 and older if they are not already receiving Social Security benefits.
SSNs in state and local government agency records. The U.S. Government Accounting Office (GAO), the investigative arm of Congress, first reported on the potential for identity theft posed by SSNs included in public records in 2006 (www.gao.gov/new.items/d06586t.pdf). GAO estimated that 85 percent of the largest, most populated counties surveyed make records that may contain SSNs available in bulk sales or online. Most often SSNs appear in state and local court files and local property ownership records. (www.gao.gov/new.items/d081009r.pdf)
Agencies generally place no restrictions on the reuse of data included in public records, meaning information can change hands many times and even be outsourced to foreign service providers. Since the GAO’s report, many states are working to limit SSNs in public records. Such belated efforts, however, do nothing to retrieve the millions of SSNs already available through public records. Some jurisdictions are beginning the process of redacting SSNs from old public records. However, this can be a costly and time-consuming process.
Federal agency use. The GAO’s 2006 report found that SSNs are displayed on millions of cards issued by federal agencies, including 42 million Medicare cards, 8 million Department of Defense identification cards and insurance cards, and 7 million Veteran Affairs identification cards. Because the connection between identity theft and widespread use of the SSNs is now indisputable, the federal government has acted to curtail its use.
The President’s Identity Theft Task Force Report (Task Force Report) (September 2008) (www.ftc.gov/os/2008/10/081021taskforcereport.pdf) recognized that the public sector, as a collector and custodian of sensitive consumer information, must play a central role in any coordinated plan to address identity theft. The Task Force’s first recommendation was aimed at reducing the availability of sensitive data by eliminating the unnecessary use of SSN’s in the public sector. The Task Force noted that the SSN is highly valuable for identity thieves because it is often a necessary (if not necessarily sufficient) item of information that a thief needs to open new accounts in the victim’s name.
The Task Force recommended that the federal Office of Management and Budget (OMB) complete its analysis of a government-wide survey it conducted regarding federal agency use of SSNs. OMB finished its analysis and issued a memorandum to all executive departments and agencies titled “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (OMB Memorandum M-07-6) (May 22, 2007) (http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf). The OMB memorandum required agencies to review their use of SSNs and, among other things, identify instances in which collection or use is unnecessary.
A report entitled “The Military’s
Cultural Disregard for Personal Information,” concludes that the
military’s ubiquitous use of SSNs as identifiers, unnecessarily puts service members
at risk of identity theft. The report may be read at http://smallwarsjournal.com/blog/2010/12/the-militarys-cultural-disrega/.
As of June 1, 2011, SSNs began to disappear from military identification cards. As current cards expire, they are being replaced with new cards having a Department of Defense (DoD) identification number. The DoD identification number is a unique 10-digit number. An 11-digit DoD benefits number will appear on cards of dependents eligible for DoD benefits. The first nine digits are common to the service member and the last two digits will identify a specific person within their family. SSNs currently embedded in the bar codes on the back of identification cards are currently being phased out. For additional information see http://www.army.mil/article/54310/dod-to-drop-social-security-numbers-from-id-cards/. You can read more about military identification cards (Uniformed Services ID Cards) at http://www.cac.mil/uniformed-services-id-card/.
The Internal Revenue Service (IRS) has implemented a Social
Security Number Elimination and Reduction (SSN ER) Plan in response to concerns
over the protection of personal data. An audit report released by the Treasury Inspector General for Tax
Administration (TIGTA) on August 13, 2010, notes that no date has been set by which to eliminate or
reduce the use of SSNs on outgoing correspondence, and that the SSN ER plan lacks milestones for
progress. To view the report go to: http://www.treasury.gov/tigta/auditreports/2010reports/201040098fr.pdf.
Both the IRS and Department of Justice now limit the display of the full SSN in property lien actions filed with county courts.
Veterans Identification Cards (VIC) are issued for use at VA Medical Facilities. VICs issued since 2004 no
longer display your Social Security Number on the front
of the card. However, some bar code readers, including those available as applications on cell
phones, can scan the bar code on the front of the card, and reveal the
Veteran’s social security number. This could make the Veteran subject to
identity theft if the card is lost or stolen. https://www.va.gov/healthbenefits/access/veteran_identification_card.asp
The Social Security Number Protection Act of 2010 (S. 3789) was enacted in December 2010, but will be phased in over 3 years. It will prohibit federal, state, or local agencies from: (1) displaying the Social Security account number of any individual, or any derivative of such number, on any check issued for any payment by the agency; or (2) employing, or entering into a contract for the use or employment of prisoners in any capacity that would allow them access to the Social Security account numbers of other individuals.
There have been several unsuccessful legislative attempts that would have required the Secretary of Health and Human Services (HHS) to remove the SSN from Medicare identification cards. A September 2013 U.S. Government Accountability Office (GAO) report recommended that HHS develop and implement a solution that addresses the removal of SSNs from Medicare cards. http://www.gao.gov/assets/660/657709.pdf
Threat of data breaches. Your SSN is frequently used as your identification number in many computer files, giving access to information you may want kept private and allowing an easy way of linking databases. The files of utility companies are just one example of such usage. In recent years, news stories of data breaches in which SSNs are compromised are a daily occurrence. See the PRC’s data breach Web page: http://www.privacyrights.org/data-breach
Commercial sale of SSNs. A major concern is the sale of SSNs over the Internet by data (information) brokers. In recent years, most data brokers have curtailed the practice of selling SSNs. Over the past few years, several bills have been introduced in the U.S. Congress to prohibit the commercial sale of SSNs. To date, none of these bills has been passed into law.
Use by identity thieves. Identity thieves seek SSNs so they can use these numbers to assume the identity of another person and commit fraud. It’s relatively easy for someone to fraudulently use your SSN to assume your identity and gain access to your bank account, credit accounts, utilities records, and other sources of personal information. Identity thieves also can establish new credit and bank accounts in your name, or use your SSN for employment purposes or to obtain medical care. (See PRC Fact Sheets 17 and 17(a) on identity theft, www.privacyrights.org/identity.htm)
Therefore, it’s wise to limit access to your SSN whenever possible. While the potential sources of SSNs are vast and accessible, you can take steps to keep your SSN out of the hands of potential thieves.
Computer records have replaced paper filing systems in businesses and government agencies. Because more than one person may share the same name, accurate retrieval of information works best if each file is assigned a unique number. Many businesses and government agencies believe the SSN is ideal for this purpose.
However, with the rise in the crime of identity theft and other illegitimate uses of the SSN, this assumption is dangerous. Recent security breaches show that databases containing legally collected SSNs are often inadequately protected against accidental or intentional disclosure.
Beginning in 2003, California laws began requiring firms and organizations that maintain personal information in electronic data files, such as SSNs, to notify any California resident whose information may have been exposed through a data breach. www.privacyrights.org/data-breach.
For more information about this California law, see the resource provided by the California Department of Justice’s Privacy Enforcement and Protection Unit at http://www.oag.ca.gov/sites/all/files/pdfs/privacy/recom_breach_prac.pdf? (CA Civil Code section 1798.29 and sections 1798.82-1798.84).
A majority of states have adopted similar laws. For detaiiled information on state laws, visit http://www.perkinscoie.com/statebreachchart/chart.pdf.
The answer depends upon the agency. Some government agencies, including tax authorities, welfare offices, and state Departments of Motor Vehicles, can require your SSN number as mandated by federal law (42 USC 405 (c)(2)(C)(v) and (i)). Others may request the SSN, leading you to believe you must provide it.
The Privacy Act of 1974 requires all government agencies — federal, state and local — that request SSNs to provide a "disclosure" statement on the form. The statement explains whether you are required to provide your SSN or if it’s optional, how the SSN will be used, and under what statutory or other authority the number is requested (5 USC 552a, note). The U.S. Office of Management and Budget, Office of Information and Regulatory Affairs (OIRA) provides guidance and oversight regarding the Privacy Act of 1974. The text of the Privacy Act can be found at the Web site http://www.justice.gov/opcl/privstat.htm.
The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well. Read the Code of Federal Regulations section here: http://edocket.access.gpo.gov/cfr_2008/julqtr/28cfr16.53.htm.
If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. You can also contact your Congressional representative and U.S. Senators with your complaint. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.
A federal program called the Federal Parent Locator Service — and its subset, the National Directory of New Hires — uses computerized databases to provide addresses and SSNs to state and local agencies to help locate parents evading child-support orders or to resolve parental kidnapping and child custody cases. No consent is required. While beneficial, such databases contain the potential for abuse if other purposes are found for such information.
General. Generally, you are not legally required to provide your SSN to most businesses - including most health care providers - unless one of the exceptions below applies. However, some companies might refuse to do business with you if you don’t provide your SSN. But even though you are not legally required to disclose your SSN, the business generally does not have to provide you with service if you refuse to release it. So in a sense, you are strong-armed into giving your SSN.
In most states, there is no law that prevents businesses from requesting your SSN, and there are few restrictions on what businesses can do with it. However, some states have imposed restrictions on a business soliciting your SSN. Read the section below on State laws for information about these laws.
If a business insists on knowing your SSN when you do not see a reason for it, we encourage you to speak to a manager who may be authorized to make an exception or who may know whether company policy requires it. If the company will not allow you to use an alternate number such as your driver’s license number, you may want to take your business elsewhere. Read 5 Places Where You Should Never Give Your Social Security Number for advice on how to avoid giving up your SSN.
SSN required by federal law. Federal law requires private businesses to collect your SSN when (1) you are involved in a transaction in which the Internal Revenue Service requires notification, or (2) you are engaged in a financial transaction subject to federal Customer Identification Program rules (see below Why do financial transactions require my Social Security number?.)
Insurance companies. MediCal and Medicare are government health plans and can require an SSN. Most insurers providing individual insurance policies cannot require your SSN. However, they might refuse to issue a policy if you don’t provide your SSN.
A Mandatory Insurer Reporting Law (Section 111 of Public Law 110-173) requires group health plan insurers to report SSNs in order for Medicare to coordinate payments with other insurance benefits. As a subscriber (or spouse or family member of a subscriber) to a group health plan arrangement, your SSN may be requested in order to meet the requirements of this law if this information is not already on file with your insurer. https://www.cms.gov/Medicare/Coordination-of-Benefits-and-Recovery/Mandatory-Insurer-Reporting-For-Group-Health-Plans/Overview.html
However, there is no language in Section 111 itself that mandates collection or reporting of all SSNs to Medicare. Medicare requires only that insurers send the Medicare ID numbers of Medicare beneficiaries, and that they take appropriate steps to ensure that they tell Medicare about all the Medicare beneficiaries they also provide coverage for.
Similarly, individuals who receive ongoing reimbursement for medical care through no-fault insurance or workers’ compensation or who receive a settlement, judgment or award from liability insurance (including self-insurance), no-fault insurance, or workers’ compensation may be asked to furnish information concerning their SSN.
Credit applications. Credit card applications usually request SSNs. Your number is used primarily to verify your identity in situations where you have the same or a similar name to others. Most credit grantors will insist on having your SSN. But in rare cases, you may be able to find a credit grantor who will provide you credit without knowing your SSN, especially if you are persistent and can provide other forms of identification.
Credit reporting agencies. If you are dealing with a credit reporting agency, such as Experian, Equifax, or TransUnion, you will generally need to give your SSN. They claim that’s how the agency will find your file from among the hundreds of millions of records they maintain. These agencies already have your SSN. When ordering your free annual credit report from the credit bureaus, you can request that the SSN be left off the document when sent to you via postal mail.
Pre-approved credit applications. Unfortunately, you do need to give out your SSN over the telephone to stop receiving pre-approved credit card offers. This becomes an issue when calling (888) 5 OPT-OUT or (888) 567-8688. This is the toll-free line shared by the three credit bureaus whose mailing lists are often used to generate credit card solicitations. You can use the agencies’ online form instead www.optoutprescreen.com. While it doesn’t require the SSN, the credit reporting agencies say that including it will help to ensure your request will be successful.
State laws. In California, state law restricts how certain businesses can display their customers’ Social Security numbers. It does not restrict the collection of SSNs, however, and it doesn’t affect government agencies. California Civil Code §1798.85 prohibits, for example, insurance companies from printing the SSN on identification cards that are carried in the wallet. Similarly, customers of banks and investment companies cannot be required to transmit the SSN over the Internet when conducting business online, unless the number is encrypted. SSNs cannot be printed on documents sent through the mail, with some exceptions.
Other state legislatures and Congress have considered similar laws since passage of California’s landmark law. The New York state legislature passed a similar law in 2007, which was implemented in January 2008 - the New York Social Security Number Protection Law. Read a description at www.jonesday.com/pubs/pubs_detail.aspx?pubID=S3778 .
New York lawmakers, in amendments to the state's labor law, further restricted private businesses' use of Social Security Numbers as well as employees' "personal identifying information." Personal identifying information includes not only the SSN but, among other things, an employee's home address and phone number, personal e-mail address, Internet access information, and the employee's parents' names. Effective January 2010, New York state government offices along with city and county agencies had to follow the same standards as apply to private businesses.
Another New York law limits the ability of entities to collect individuals’ SSNs. The law's provisions are subject to multiple exceptions, including use of SSNs for government requirements, use for internal verification or fraud investigation, use related to banking and credit-related activities, use in connection with employment, insurance or tax purposes, and other instances. Read more about this law at http://www.governor.ny.gov/press/08142012-protect-ny-privacy and http://www.jacksonlewis.com/resources.php?NewsID=4171.
Additional state-specific information on laws restricting the use of Social Security numbers can be found at http://www.mofo.com/State-Statutes-Restricting-or-Prohibiting-the-Use-of-Social-Security-Numbers-11-07-2007/ and http://www.consumersunion.org/news/state-laws-restricting-private-use-of-social-security-numbers/.
Visit the Web site of the National Conference of State Legislatures to obtain information on SSN-related legislation in other states, at www.ncsl.org . Use the site’s search engine for the term “social security number legislation” to obtain state-by-state results.
When you use the Internet, you may find Web sites that require your SSN when, for example, you apply for a credit card online or seek an insurance quote. We advise that you take extra precautions to determine that your personal data is transmitted securely and that it’s stored safely by the online business. Make sure you have a firewall the latest anti-virus and spyware software installed on your computer.
Only conduct business transactions with well-known, reputable companies. Look for the closed padlock symbol on the bottom of the page that indicates it is a secure connection. Click on the padlock to determine if the security certificate is up-to-date.
Beware of spam (unsolicited e-mail messages) that asks for your SSN or other personal information. Many people receive e-mail messages that appear to be from a government agency like the Internal Revenue Service, from a bank, Amazon, eBay, or PayPal. The message typically says that the company or agency is updating its records or has detected fraudulent activity with your account and needs personal information from you, such as your Social Security number, account number, password, mother’s maiden name, and so on. It may direct you to an official-looking Web site through a link contained in the message.
Do not respond to such messages! These are called “phishing” scams. Although they appear to be legitimate, these messages and Web sites are scams to get your personal information. No reputable company or government agency sends e-mail messages asking for sensitive personal data. For more information, visit the following Web site: www.lookstoogoodtobetrue.gov.
Yes, in most states. However, the Social Security Administration discourages employers from displaying SSNs on documents that are viewed by other people — such as badges, parking permits, or on lists distributed to employees. Employers do, however, need each employee’s SSN to report earnings and payroll taxes.
In California and New York, as explained above, employers cannot display the employee’s SSN in certain situations. For further information, visit:
- California SSN law, recommended practices for compliance: http://www.oag.ca.gov/sites/all/files/pdfs/privacy/protecting_ssns.pdf?
- New York: Read a description at www.jonesday.com/pubs/pubs_detail.aspx?pubID=S3778
In 1961 the Internal Revenue Service began using SSNs as taxpayer ID numbers (TIN). Therefore, SSNs are required on transactions in which the IRS may be interested. That includes most banking, stock market and other investments, real estate purchases, automobile purchases over $10,000, many insurance documents, and other financial transactions as well as employment records.
Financial institutions are required by federal law to participate in Customer Identification Programs (CIPs). Banks must keep records of identifying information and check customer names against terrorist lists. This applies to anyone who opens a new account.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, (USA PATRIOT Act), Pub.L. 107-56, includes measures to undercut terrorist financing and combat money laundering. Customer identification programs (CIPs) for financial institutions are required by §326 of the PATRIOT Act, with the details spelled out in regulations published by multiple federal agencies. For additional information about CIPs, read Fact Sheet 31, www.privacyrights.org/fs/fs31-CIP.htm .
Because your SSN must be included on all of these sensitive financial documents, it’s important to limit other uses of the number.
Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act in order to retain their funding. FERPA is also known as the "Buckley Amendment," enacted in 1974, 20 USC 1232g.
One of FERPA's provisions requires written consent for the release of “educational records” or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision. (See Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).
The FERPA text can be found at the Web site http://cpsr.org/prevsite/cpsr/privacy/ssn/ferpa.buckley.html. You can read the Department of Education’s FERPA guide for students at http://www2.ed.gov/policy/gen/guid/fpco/ferpa/students.html .
FERPA applies to state colleges, universities, and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a violation of FERPA. However, some schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law.
Public schools, colleges, and universities fall within the provisions of another federal law, the Privacy Act of 1974. This act requires such schools to provide a disclosure statement telling students how the SSN is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement. If one is not offered, you may want to file a complaint with the school, citing the Privacy Act of 1974.
When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID.
In July 2010, the Social Security Administration’s Inspector General issued an audit report examining schools’ collection and use of Social Security numbers for kindergarten through grade 12. Auditors reviewed various state and federal laws regarding collection and use of SSNs and identified risks associated with widespread use of the number, both as a student identifier and as a matter of convenience for schools.
The Social Security Administration, the report acknowledges, cannot prohibit states or schools from collecting and using SSNs. Auditors, nonetheless, recommended a coordinated effort to inform schools about the risks associated with SSNs, reduce unnecessary collection and use of SSNs, and implement stringent safeguards to protect SSNs when collected. To read the full audit report, go to http://oig.ssa.gov/kindergarten-through-12th-grade-schools-collection-and-use-social-security-numbers.
Many colleges and universities are looking for ways to eliminate the SSN as primary identifiers for not only students but facility and staff as well. For more to such plans, see: http://www.educause.edu/library/resources/planning-elimination-social-security-numbers-primary-identifiers.
The California College and University Social Security Task Force published a report on the use of Social Security numbers in California colleges and universities in July, 2010. To read the report, visit http://www.oag.ca.gov/sites/all/files/pdfs/privacy/ssn_colluniv.pdf?
And some universities have voluntarily begun using numbers other than SSNs on student IDs. For more information on education-related privacy issues, see our Fact Sheet 29, www.privacyrights.org/fs/fs29-education.htm.
Internal Revenue Service (IRS) regulations adopted under the Tax Payer Relief Act of 1997 implement provisions of the Hope Scholarship Credit and the Lifetime Learning Credit. Educational institutions are required to transmit student SSNs to the IRS under these regulations. These requirements apply to any student, regardless of whether the student intends to seek the Hope Scholarship Credit. SSNs may also be obtained by colleges and universities for students who have university jobs and/or receive federal financial aid.
The Intelligence Reform and Terrorism Prevention Act of 2004 prohibits states from displaying your SSN on drivers' licenses, state ID cards, or motor-vehicle registrations. The law went into effect December 17, 2005, and applies to all licenses, registrations, and identification cards issued after that date.
If your license still uses your SSN as the ID number, you can request this be changed. You don’t need to wait until it expires to get one with a different number, though you may be charged a fee for the new issuance.
More information on the Intelligence Reform and Terrorism Prevention Act of 2004 is available as follows:
- Social Security Administration, www.ssa.gov/legislation/legis_bulletin_010705.html
- Congressional Research Service, www.fas.org/irp/crs/RL32722.pdf.
Although your SSN may not be used as your ID number on your license, under the Real ID Act of 2005 states must require proof of a person’s SSN (or verification that the person is not eligible for an SSN) when issuing a license.
- Adopt a policy of not giving out your SSN unless you are convinced it’s required or is to your benefit. Ask any requestor to explain why it is needed.
- Never print or write your Social Security number on your checks, business cards, address labels or other identifying information.
- Do not carry your SSN card in your wallet except for situations when it is required, such as the first day of a new job. If possible, do not carry any items in your wallet that include your SSN, such as insurance cards, except when they are needed to receive healthcare services. Your wallet could be lost or stolen, resulting in your SSN being vulnerable to fraudulent use.
A California law places restrictions on the display and transmission of SSNs by companies. For more information, read the California Department of Justice’s Privacy Enforcement and Protection Unit's guide on SSN “recommended practices,” at http://www.oag.ca.gov/sites/all/files/pdfs/privacy/protecting_ssns.pdf?. If you feel that you must carry a health insurance card that includes your SSN or a Medicare card with you at all times, photocopy the original card and cut it down to wallet size. Then blacken out or cut out the last four digits of the SSN on the copy. Carry the copy with you rather than the actual card.
- Order a copy of your free credit reports each year by calling (877) 322-8228 and using the automated telephone system to process your request. If you are a victim of identity theft, the credit report will likely contain evidence of credit or banking fraud committed using your name and SSN. It will also show other SSNs or names associated with you. For additional information, read PRC Fact Sheet 6 on credit reporting, www.privacyrights.org/fs/fs6-crdt.htm. For more information on free credit reports, visit www.annualcreditreport.com/.
- If a private business requests your SSN:
- Leave the space for the SSN on the form blank or write "refused" or “N/A” in that space.
- Speak to someone in management or write to the business and explain why you do not want your SSN used to identify you. If you don’t receive satisfaction from the first person you contact, go to someone in the organization with more authority.
- Insist that the company document its policy of why they are requiring a SSN. If a written policy cannot be found or too much time is taken looking for one, maybe the business will allow you to use an alternate number.
- Ask why your SSN is requested and suggest alternatives like using your driver’s license number.
- If the company insists on having your SSN, explain that you will take your business elsewhere. If the company persists, follow through on your promise.
- If your employer releases or displays your SSN, explain why you disapprove of this practice. Some employers do not treat SSNs as confidential information. They may be willing to change their policy when they understand the twin dangers of invasion of privacy and potential for fraud. As explained above, laws in California and New York place restrictions on the display and transmission of SSNs by companies.
- If your bank, credit union or other financial service provider uses your Social Security number as a personal identification number (PIN) or as the identifier for banking by phone or the Internet, write a letter of complaint. Demand to have a different PIN and/or identification number assigned. Explain why the SSN is an extremely poor choice for a password or security code. If you voluntarily use the last four digits of your SSN as your PIN for ATM and other banking or credit transactions, change it to something else, but not to a common number such as your birthdate, telephone number, or ZIP code.
- Federal law requires state Motor Vehicles departments to use a number other than the SSN for the driver’s license number. If your license has not been renewed for several years and still shows your SSN as the ID number, you can request this be changed. You don’t need to wait until it expires to get one with a different number, though you may be charged a fee for the new issuance.
- If you fear your SSN has gotten into the wrong hands, take the following steps to reduce the risk of new accounts being opened in your name:
- Place a 90-day fraud alert on your credit reports by calling one of the three credit bureaus: TransUnion (800) 680-7289; Equifax (888) 766-0008; Experian (888) 397-3742. Then renew the fraud alert every 90 days.
- Monitor your credit reports very closely. Placing the fraud alert allows you to order a free credit report within 90 days.
- Consider "freezing" your credit reports with Equifax, Experian, and TransUnion. By freezing your credit reports, you can prevent credit issuers from accessing your credit files except when you give permission. This effectively prevents thieves from opening up new credit card and loan accounts. See http://www.consumer-action.org/english/articles/freeze_your_credit_file#Topic_04 for more information.
- If you have evidence of actual or attempted identity theft, additional steps are needed, such as notifying the police and the Federal Trade Commission and establishing a seven-year fraud alert. See our Fact Sheet 17(a) “Identity Theft: What to Do if It Happens to You,” www.privacyrights.org/fs/fs17a.htm.
- Despite recommendations by the Social Security Administration’s Inspector General, the SSN continues to be displayed on Medicare cards issued to millions of senior citizens. (http://oig.ssa.gov/sites/default/files/audit/full/html/A-08-08-18026.html) To change this practice, you should complain to your Congressional representative and to your U.S. Senators, and demand that they pass laws to prohibit the display of your SSN on Medicare cards.
- Avoid sharing your birthday, age, or place of birth on the Internet. A research study by Carnegie Mellon University found that Social Security numbers can be predicted based on publicly-available information, including your birthday, age and place of birth. The Social Security Administration began assigning randomized number series on June 25, 2011. Unfortunately, the more predictable Social Security numbers will remain in effect for individuals born before June 25, 2011.
11. What information is contained in the Social Security Death Master File?
The Social Security Administration’s (SSA) Death Master File (DMF) contains records of deaths that have been reported to SSA. SSA receives death reports from various sources, including family members, funeral homes, hospitals, and financial institutions. The DMF was created under a 1980 consent judgment from a lawsuit brought by a citizen under the Freedom of Information Act. The consent judgment requires that identifying information of decedents, including their Social Security numbers (SSN) be divulged.
The DMF includes the following information on each decedent, if the data are available to the SSA: SSN, name, date of birth, date of death, state or country of residence (February 1988 and prior), ZIP code of last residence, and ZIP code of any lump sum payment. The SSA does not have a death record for all persons. Therefore, SSA does not guarantee the accuracy of the file. The absence of a particular person from the DMF is not proof that a person is alive.
For years, the DMF included death records provided by the states. In 2011, the SSA determined that state death records were exempt from public disclosure. They could, however, be made available to other federal agencies, such as the Internal Revenue Service and the Centers for Medicare and Medicaid Services, in order that they could determine whether to pay or discontinue benefits. In November 2011, four million deaths were deleted from the publicly available DMF. This was motivated in part by the desire to reduce identity theft. http://www.nytimes.com/2012/10/09/us/social-security-death-record-limits-hinder-researchers.html?_r=0
Although the DMF is not available online, the DMF Extract is available for a fee from the United States Department of Commerce’s National Technical Information Service (NTIS) at http://www.ntis.gov/products/ssa-dmf.aspx.
The DMF is used to prevent fraud to help prevent stealing the identity of a dead person. The DMF is used by credit reporting agencies (CRA), as well as government, financial, investigative, medical research organizations to verify death and to prevent fraud. NTIS and SSA are working together to offer the DMF updates more frequently and in alternative formats. By running credit and other applications against the DMF, CRAs and other organizations are better able to identify and prevent identity fraud.
Conversely, the DMF can be used by identity thieves to obtain tax refunds for deceased persons or to apply for credit cards or obtain cell phones. Approximately 2.4 million deceased Americans have their identities stolen each year. http://money.cnn.com/2012/07/18/pf/identity-theft-deceased/index.htm?iid=Lead.
A July 2012 SSA Inspector General's report found that SSA did not record death information in its Numident database for approximately 1.2 million deceased beneficiaries. SSA uses the Numident database to update the DMF. Read the report at http://oig.ssa.gov/sites/default/files/audit/full/pdf/A-09-11-21171.pdf.
Of the approximately 2.8 million death reports SSA receives annually, about 14,000 are incorrectly entered into its DMF. The DMF contained 36,657 death entries between May 2007 and April 2010 for people who were in fact alive. http://money.cnn.com/2011/08/17/pf/social_security_deaths_mistakes/index.htm?iid=HP_LN. Read the stories of four persons declared dead by SSA in this CNN article: http://money.cnn.com/galleries/2011/pf/1108/gallery.social_security_death_errors/index.html
Erroneous death entries can lead to benefit termination and closing or freezing of bank accounts, causing financial hardship. They also result in the publication of living individuals' personal identifying information in the DMF. While those who are declared dead generally lose their ability to apply for credit, they may be at risk for other types of identity theft now that their personally-identifying information has been made public.
If you find out that your name is on the DMF, your first priority is to find out who reported your death, when, and why. You must take appropriate steps to correct the information at the originating source. You will need to take steps to locate and amend the death certificate and then remove your name from the DMF.
- California Department of Justice’s Privacy Enforcement and Protection Unit, “Recommended Practices for Protecting the Confidentiality of Social Security Numbers,” http://www.oag.ca.gov/sites/all/files/pdfs/privacy/protecting_ssns.pdf?
- California College and University Social Security Task Force, "The Use of Social Security Numbers in California Colleges and Universities: A Report to the California State Senate and Assembly Judiciary Committees and to the California Office of Privacy Protection." (July 2010) http://www.oag.ca.gov/sites/all/files/pdfs/privacy/ssn_colluniv.pdf?
- Social Security Administration, “Historical Information: Social Security Numbers,”
- Federal Trade Commission. "Security in Numbers -- SSNs and ID Theft" (December 2008). An FTC report recommending five measures to help prevent SSNs from being used for identity theft.
- Many universities have established SSN usage policies and have adopted ID numbers other than the SSN. For a list of such universities, and access to their policies, visit the Educause Web site:
- The federal Identity Theft Task Force, established in 2006 by the President’s executive order, recommends and reports on efforts to reduce the unnecessary use of the SSN in the public sector. To read the full reports, visit the Identity Theft Task Force Web site: www.idtheft.gov.
- The U.S. General Accounting Office Report, "Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain" can be read at http://www.gao.gov/new.items/d051016t.pdf.
Browse Privacy Topics
Background Checks & Workplace
Banking & Finance
Credit & Credit Reports
Harassment & Stalking
Identity Theft & Data Breaches
Online Privacy & Technology
Privacy When You Shop
Public Records & Info Brokers
Social Security Numbers
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.