Federal contractors who have access to individual Social Security numbers (SSNs) present a potentially serious security risk, and greater protection of the numbers when they are shared is needed, according to a new report from the Government Accountability Office (GAO).
Although private industry relies on contractual agreements and the use of "best practices" standards to ensure contractors do not have unauthorized access to SSNs or use them for purposes beyond what their task requires, there are "gaps" in the oversight and regulation of SSN sharing in industries such as the finance, telecommunications, maintenance, and tax preparation sectors, the GAO found.
Agencies such as the Federal Communications Commission (FCC), the Internal Revenue Service (IRS), and the Federal Trade Commission (FTC) all have differing regulations and enforcement ability regarding the use of SSNs in their jurisdiction.
"Companies and their contractors must adequately protect SSNs at every step of a business transaction," said Rep. Jim McCrery (R-LA), Chairman of the House Ways and Means Subcommittee on Social Security, which requested the report.
The GAO report examined the circumstances by which private companies share SSNs with third-party contractors.
Banks and financial institutions employed contractors for a wide variety of functions, from verifying new customer identities to outsourced debt collection processes.
Tax preparation companies will maintain databases of customers both past and present, including SSNs, in order to track possible errors their preparers might have made.
As each of the examined industries falls under a different area of federal regulation, the laws governing the use of SSNs are different for each industry.
Tax preparers, for instance, fall under IRS and FTC guidelines for disclosing and sharing taxpayer information with one another or with third parties. Under the Gramm-Leach-Bliley Act (GLBA), the FTC mandates that tax preparers oversee their contractors "by taking reasonable steps" to select and contract with companies that won't present security risks.
The IRS lacks resources for regular review of outsourced tax preparers, according to the GAO report. The agency relies on investigating complaints from taxpayers or local offices.
Another IRS trouble spot involves the lack of regulations for third-party tax preparers who file returns electronically.
One association of professional tax preparers told the GAO that "there were no explicit provisions restricting what various third party providers participating in electronic filing could do with taxpayer information once they possess it."
The IRS claimed that existing regulations covered sharing data from electronic tax filings, and that the agency was introducing new regulations to notify contractors that criminal penalties for unauthorized disclosure of information would apply to them.
The IRS is planning to outsource much of its debt collection enforcement to private companies throughout 2006, a move that is being criticized by longtime Treasury Dept. employees as dangerous.
At least one contracting vendor with the IRS was collecting data on taxpayers' political preferences while building a database on delinquent taxpayers.
Telecommunications companies such as Verizon and Sprint Nextel present an even wider gap in the oversight of contractors.
Although the FCC has restrictions against the sharing or sale of customer proprietary network information (CPNI), the agency told the GAO that it "[knows] of no federal law that restricts the sharing of SSNs by telecommunications firms with their contractors, and that they do not regulate or oversee the privacy of customer information maintained or shared by telecommunications firms unless the information is included in CPNI."
The FCC claimed that its "limited jurisdiction" over CPNI prevents the agency from taking action when SSNs are disclosed or shared by third-party contractors. However, the FTC can take enforcement action against contracting companies if a company is shown to have violated its own privacy policies regarding information disclosure.
The major telecom companies have grown increasingly reliant on third-party companies such as Amdocs for recording and storing customer billing records. Sprint Nextel recently secured a preliminary agreement with Amdocs to handle the customer billing and service for its 45.6 million subscribers.
Amdocs has been the center of investigations by the Federal Bureau of Investigation (FBI) for possible criminal misuse or lax security regarding the CPNI data it collects.
Although the company is not mentioned specifically by name in the GAO report, the report notes that the FBI has requested the FCC consider greater regulation of overseas-based companies that collect and store CPNI data.
The scandal involving private companies selling customer cellphone records to any buyer centers around the unauthorized sharing of CPNI data collected by telecom companies. Speculation runs rampant that rogue employees of major companies may be selling this data on the side, or that third-party overseas companies are dealing the data out to companies such as Locatecell.com and Celltolls.com.
"Taking Every Precaution"
The report also discusses the impact that state laws governing the transmittal and disclosure of SSNs have had on developing industry-wide guidelines.
One company claimed that it was easier to take one state's laws -- such as California's 2004 law mandating disclosure of security breaches -- and apply them on a nationwide basis, rather than create rules for each state.
The GAO analysis concluded that although many of the industries examined in the report do take measures to protect SSNs when dealing with third-party contractors, the volumes of data involved and the differing regulations leave wide loopholes for potential abuse and misuse.
The agency recommended that Congress consider drafting laws to close the gaps between the differing federal regulations, or to consider adding provisions to existing law that deal explicitly with third-party contractors.
In the GAO's words, "it is vital that any entity with access to personal information, especially to SSNs, take every precaution to protect this information from misuse."
"The personal information of millions of Americans has been compromised by data breaches at a wide variety of businesses," Rep. McCrery said in a press statement. "Congress must carefully examine any gaps in the law for safeguarding SSNs."