Identification numbers issued by the U.S. government that have long been required for Americans to engage in a broad range of activities, such as setting up telephone service, obtaining a driver's license, or banking. SSNs also have a vital role in establishing an individual's identity. Indeed, the easiest and most common way for someone to steal the identity of another person is by obtaining that person's SSN. With the SSN, a thief can open up and access the bank accounts of that other person. SSNs are attractive to identity thieves because they provide access to a victim's private information and because SSNs are commonly used as a national identifier for everything from car rentals to credit card applications. Often a thief needs only a name and an SSN to open up a credit card account or to gain access to an existing account. Identity thieves are also able to use another person's SSN for employment purposes or to obtain medical care.

Individuals should limit access to their SSN as much as possible. While the potential sources of SSNs are vast and accessible, people can take prudent and reasonable action to prevent thieves from accessing their SSNs.

Social Security numbers (SSNs) were first issued in 1936, pursuant to the Social Security Act, 49 Stat. 620 (1935). At the time, the federal government said that these numbers would be used only for Social Security programs. Over time, however, the SSN became the de facto national identification number and was used for a broad range of non-Social-Security-related purposes. SSNs are widely used to identify individuals and authenticate information. As an identifier, the SSN answers the question, “Who are you?” As an authenticator, the SSN answers the demand, “Prove who you are.”

The SSN is used as an identification number in many computer files, allowing a convenient way of linking databases but also giving access to information that an individual may wish to keep private. The files of utility companies are an example of such usage. In recent years, data breaches in which SSNs are compromised have become increasingly common.

In 2006, the U.S. Government Accountability Office (GAO) described the potential for identity theft posed by SSNs contained in public records. The GAO estimated that 85 percent of the largest, most populated counties surveyed make records that may have SSNs available in bulk sales or online. Frequently SSNs appear in state and local court files and local property ownership records.

Government agencies generally impose no restrictions on the reuse of data included in public records, which means that information may be transferred between individuals multiple times and even be outsourced to foreign service providers. Recently, many states have sought to limit the accessibility of SSNs contained in public records. Nonetheless, millions of SSNs are already available in public records. Some jurisdictions have started redacting SSNs from older public records, a costly and time-consuming process.

The GAO's report found that SSNs were displayed on millions of cards issued by federal agencies, including 42 million Medicare cards, 8 million Department of Defense identification cards and insurance cards, and 7 million Veteran Affairs identification cards.

Because the connection between identity theft and widespread use of SSNs is well established, the federal government has been curtailing its use. In 2007, the Office of Management and Budget (OMB) issued a memorandum that required agencies to review their use of SSNs and identify instances in which collection or use is unnecessary. Thus, federal agencies have been greatly reducing unnecessary SSN use. SSNs have not appeared on military identification cards since 2011. As of 2015, it is required that SSNs be removed from Medicare cards and that they be replaced with randomly generated Medicare beneficiary identifiers. Some government agencies, however, such as tax authorities, welfare offices, and state departments of motor vehicles, still require a person's SSN due to federal law [42 USC 405 (c)(2)(C)(v) and (i)].

The Privacy Act of 1974, as amended at 5 U.S.C. 552a, protects records that can be retrieved from a system of records by personal identifiers such as a name, social security number, or other identifying number or symbol. The Privacy Act of 1974 requires all government agencies (federal, state, and local) that request SSNs to provide a “disclosure” statement that explains whether an individual is required to provide an SSN or, if it is optional, how the SSN will be used and under what statutory or other authority the number is requested (5 USC 552a, note). The Privacy Act states that individuals may not be denied a government benefit or service if they refuse to disclose their SSN unless federal law requires such disclosure or the disclosure is to an agency that had been using SSNs prior to January 1975, when the Privacy Act became effective.

Generally individuals are not legally required to provide their SSNs to private businesses. There is no law, however, that prevents businesses from requesting an individual's SSN, and businesses have few restrictions on what they may do with it once they have it. Even though an individual may not legally be required to disclose his or her SSN, the business is not required to provide the individual with goods or services if the person refuses to release the SSN. In some cases there may be alternate numbers that a person can provide to the company, such as a driver's license number.

Federal law requires private businesses to submit the SSNs of individuals when (1) the individual is involved in a transaction for which the Internal Revenue Service (IRS) requires notification, or (2) the individual is engaged in financial transactions covered by federal Customer Identification Program rules.

Medicaid and Medicare may require that an individual provide an SSN. Commercial insurance companies may request the SSN of an individual client if that individual is covered by group insurance through his or her employer or if he or she purchased an Affordable Care Act (ACA) plan through a state or federal marketplace.

Beginning in the 2015 tax year, health insurance companies are required to provide Form 1095-B to the IRS. The information will be used to verify information on the individual income tax return under the ACA, 124 Stat. 119 through 124 Stat. 1025 (2010). If the information the insured provides on the tax return cannot be verified, the individual may receive a notice from the IRS indicating that he or she is liable for a shared responsibility payment under the ACA.

Credit card applications usually request SSNs. The individual's number is used primarily to verify the identity of a person who has a name similar to or the same as the name of other persons. Most credit grantors will insist that applicants provide their SSN.

Credit-reporting agencies generally require that customers provide their SSN. They claim that the SSN is necessary to retrieve the correct files from among the many records they maintain. These agencies already have customer SSNs. When requesting an annual credit report from any of the established credit bureaus, individuals may request that the SSN be omitted from the document when sent through the mail.

Some websites request an SSN from individuals applying for a credit card or seeking an insurance quote online. Individuals should be cautious about determining that personal data is transmitted securely and that it is stored safely by the online business. Individuals should ensure that the latest antivirus and anti-spyware software is installed on their own computers. Customers should conduct commercial transactions only with well-known, reputable companies. Individuals should read the company's privacy policy, which should indicate how it safeguards personal data. It is not reasonable or prudent to transact business with a company that does not appear to protect customer data.

Customers should not respond to spam (unsolicited email messages) asking for an SSN or other personal information. Individuals may receive many email messages that appear to originate from a government agency such as the Internal Revenue Service or from a bank or company. The message typically says that the company or agency is updating its records or has detected fraudulent activity on an individual's account and needs personal information, such as an SSN, account number, password, or mother's maiden name. It may also direct the customer to an official-looking website through a link in the message. Customers should not respond to such messages because they are phishing scams. Although they appear to be legitimate, these messages and websites are schemes to obtain personal information for fraudulent purposes. No reputable company or government agency sends email messages requesting sensitive personal data.

In many states employers may use an employee's SSN as an employee identification number. Employers should not display SSNs on documents that may be seen by other people—such as badges, parking permits, or lists distributed to employees. Employers do need each employee's SSN, however, to report income and payroll taxes.

In 1961, the Internal Revenue Service began using SSNs as taxpayer identification numbers. Therefore, SSNs are required on transactions in which the IRS has jurisdiction. That includes most banking transactions, the stock market and other investments, real estate purchases, many automobile purchases, many insurance documents, and other financial transactions as well as employment records.

To retain their funding, publicly funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act (FERPA) (1974), codified as 20 USC 1232g. FERPA requires written consent for the release of educational records or personally identifiable information, with some exceptions. The courts have ruled that SSNs are covered in this provision. (See Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992).

FERPA applies to state colleges, universities, and technical schools that receive federal funding. If such a school displays students' SSNs on identification cards or distributes class rosters or grade listings with SSNs, this might violate FERPA. Some schools and universities nevertheless continue to use an SSN as a student identifier.

Public schools, colleges, and universities are also covered by the Privacy Act of 1974, which requires these schools to provide a disclosure statement explaining how SSNs are used. If the school is a private institution, the administration would set the policy and may allow students to use an alternate identification number as a student ID. The U.S. Department of Education and Department of Justice interpret the Privacy Act as prohibiting a public school district from requiring a pupil or parent to provide an SSN or denying admittance because a pupil does not provide an SSN. Many colleges and universities have sought to eliminate the SSN as primary identifiers for students, faculty members, and staff members.

The Intelligence Reform and Terrorism Prevention Act of 2004, 118 Stat. 3638, prohibits states from including SSNs on driver's licenses, state identification cards, or motor vehicle registrations. The law applies to all licenses, registrations, and identification cards issued after 2005. Drivers with licenses that still have the SSN as the ID number may request that this be changed. Although a person's SSN may not be used as the ID number on his or her license, under the Real ID Act of 2005, 119 Stat. 302 (2005), states must require proof of a person's SSN (or verification that the individual is not eligible for an SSN) when issuing a license.

Further Reading

See also: Affordable Care Act; Family Educational Rights and Privacy Act of 1974 (FERPA); Financial information, privacy right to; Privacy Act of 1974; Spam