Social Security Failed To Disclose Breaches

Tens of thousands of people's identities are exposed to identity theft each year due to an unlikely source: the Social Security Administration (SSA). That's owing to the agency's data entry personnel sometimes misclassifying a person, still living, as having died.

The errors appear to affect fewer than 1% of the 2 million deaths that are reported annually and logged in the SSA's Death Master File (DMF). The file is sold to more than 300 clients by the National Technical Information Service--part of the Department of Commerce--and is meant to help block identity theft and fraud.

But in the past three years, 31,931 living people have had their information included in the DMF, reported Columbus, Ind. newspaper The Republic. As a result, those people have faced everything from frozen bank accounts and rescinded job interview offers to cellphone contract cancellations and loan rejections.

[The White House is shoring up to prevent another Cablegate-type security breach. Read about its plans: Feds Tighten Cybersecurity Policies To Stop Insider Threats.]

Publishing living people's names, social security numbers, and birth dates also constitutes a data breach, as defined by the Identity Theft Resource Center. In particular, it says a breach involves "an event in which an individual name plus social security number (SSN), driver's license number, medical record, or a financial record/credit/debit card is potentially put at risk--either in electronic or paper format."

But many of the affected people don't know that their data has been exposed, or that they've even been included in the DMF database. In part, that's because while 47 out of 50 states now have data breach disclosure laws on their books, those requirements don't cover data handling by federal government agencies.

Furthermore, data breach disclosures aren't quite mandatory for federal agencies, although the Presidential Identity Theft Task Force on May 22, 2007, issued--via the Office of Management and Budget (OMB)--the M-07-16 memorandum, instructing all federal agencies "to develop and implement a breach notification policy within 120 days." It also detailed how agencies should respond in the event that they caused people's personally identifiable information to be exposed. "Agencies should use a best judgment standard to develop and implement a breach notification policy," according to the OMB memo. It further directed agencies to ensure that "proper safeguards are in place to protect the information."

The SSA did not immediately respond to a request for comment about whether the agency had a data breach notification program in place, and what that program stipulated. But lawmakers have begun asking questions.

Notably, in August Sen. Richard Durbin (D-Ill.) wrote to the SSA's commissioner, Michael Astrue, inquiring about the agency's approach to handling incorrectly reported death errors, after reports surfaced about the impact that those errors were having on people's lives. "As you know, if a person is mistakenly placed on this list, it can result in problems with credit agencies, applying for a loan, or even getting a job," he wrote. "In addition, individuals who have been in this situation report that the problem can be difficult to resolve." He also questioned why the number of errors involving Illinois residents had seemed to almost quadruple between 2007 and 2008.

Astrue responded to Durbin in a letter, released last month, saying that the agency couldn't verify the error rate that he was referencing. But he promised that the agency was reviewing its error reporting and data gathering practices. "I take the accuracy of our records and the protection of the personal information that the public entrusts to us very seriously," he said, noting that the agency takes "prompt action" to correct records when it spots or receives notice of data entry mistakes.

Despite the error rates, Astrue also said that the DMF file also serves as a valuable resource. "Government, financial, investigative, credit reporting, medical research, and other organizations use the public DMF to verify death and to prevent fraud, including identity fraud," he said. (Interestingly, the file only became public in 1980, following a Freedom of Information Act request.)

To date, the SSA has seen no cases in which the erroneously published personal information in question has been used for identity theft or fraud. "However, if we did, we would immediately notify the affected individual and offer credit monitoring," said Astrue in his letter. But he also promised that the agency was taking new steps to improve its data handling practices, although he didn't specify exactly what those steps entailed.