I received a letter from an old employer, yesterday. I haven't worked for the company in a decade — it's no longer even in the same business in which I was employed. But the company kept something of me when I quit. My name and Social Security number were kept on a "storage device, which was no longer in use," and that device "was among several pieces of computer hardware taken from our facilities" by a thief. That's a little concerning, considering that Adam Levin at ABC News recently described the Social Security number as "a skeleton key, able to unlock a kingdom of untold riches for identity thieves."
The Electronic Privacy Information Center warns:
The widespread use of the SSN as an identifier and authenticator has led to an increase in identity theft. According to the Privacy Rights Clearinghouse, identity theft now affects between 500,000 and 700,000 people annually. Victims often do not discover the crime until many months after its occurrence. Victims spend hundreds of hours and substantial amounts of money attempting to fix ruined credit or expunge a criminal record that another committed in their name.
Identity theft litigation also shows that the SSN is central to committing fraud. In fact, the SSN plays such a central role in identification that there are numerous cases where impostors were able to obtain credit with their own name but a victim's SSN, and as a result, only the victim's credit was affected. In June 2004, the Salt Lake Tribune reported: "Making purchases on credit using your own name and someone else's Social Security number may sound difficult—even impossible—given the level of sophistication of the nation's financial services industry…But investigators say it is happening with alarming frequency because businesses granting credit do little to ensure names and Social Security numbers match and credit bureaus allow perpetrators to establish credit files using other people's Social Security numbers." The same article reports Ron Ingleby, resident agent in charge of Utah, Montana and Wyoming for the Social Security Administration's Office of Inspector General, as stating that SSN-only fraud makes up the majority of cases of identity theft.
Famously, Social Security numbers were not supposed to be used for exactly the sort of universal ID purposes to which they're put, today. The Social Security Administration says, "in 1946, SSA added a legend to the bottom of the card reading 'FOR SOCIAL SECURITY PURPOSES—NOT FOR IDENTIFICATION.' This legend was removed as part of the design changes for the 18th version of the card, issued beginning in 1972." By that time, of course, the assurance was already a joke.
Among the biggest offenders are Medicare, which prints the SSN directly on the card, the Internal Revenue Service, which is responsible for flurries of W-2 forms issuing forth, adorned with SSNs, and the military where, until recently, "soldiers regularly used their SSNs to check out basketballs from on-base gyms, access firing ranges, fill out health forms and track their laundry."
The requirement of SSNs for every conceivable interaction with the government made their adoption by the private sector inevitable. If your employer has to record your Social Security number for tax purposes, why not stick everything else under there, too?
Like a lot of employers, my old company had decommissioned hardware lying around, containing critical information about forgotten employees. With the horse well and truly out of the barn and down the road, the company promises that it is "increasing the security of our data storage devices, incorporating the use of encryption technology, increasing physical security at our facilities, and updating our data retention policies." That's all nice — good ideas, really. They've also signed up me and the other identity theft candidates for a service that provides credit monitoring and other safeguards at no cost to us. That's appreciated.
But it remains awfully problematic that a single number extracted from the records of a long-ago job could have such potential impact on my life.
No Federal, State, or local agency may employ, or enter into a contract for the use or employment of, prisoners in any capacity that would allow such prisoners access to the Social Security account numbers of other individuals.
Yeah. That seems wise.
But we're still a long, long way from removing "skeleton key" power from the Social Security number. Which means it's time to go check on that credit-monitoring service.