Fact Sheet 10:
History of Social Security Number use. When Social Security numbers were first issued in 1936, the federal government assured the public that their use would be limited to Social Security programs such as calculating retirement benefits.
Today, however, the Social Security number (SSN) has become the de facto national identifier. SSNs are often used as both an identifier and an authenticator. As an identifier, the SSN is provided by individuals to answer the question, “Who are you?” As an authenticator, the SSN is provided by individuals in response to a challenge: “Prove who you are.”
Government agencies and private businesses continue to use SSNs for a wide range of non-Social Security purposes — such as employee files, medical records, health insurance accounts, credit and banking accounts, university ID cards, utility accounts, and many more.
Threat of data breaches. Your SSN is frequently used as your identification number in many computer files, giving access to information you may want kept private and allowing an easy way of linking databases. The files of utility companies are just one example of such usage. In recent years, news stories of data breaches in which SSNs are compromised are a daily occurrence.
Identity theft. Identity thieves seek SSNs so they can use these numbers to assume the identity of another person and commit fraud. It’s relatively easy for someone to fraudulently use your SSN to assume your identity and gain access to your bank account, credit accounts, utilities records, and other sources of personal information. Identity thieves also can establish new credit and bank accounts in your name, or use your SSN for employment purposes or to obtain medical care.
Therefore, it’s wise to limit access to your SSN whenever possible. While the potential sources of SSNs are vast and accessible, you can take steps to keep your SSN out of the hands of potential thieves.
2. How do government agencies use my Social Security number?
SSNs in state and local government agency records. The U.S. Government Accounting Office (GAO), the investigative arm of Congress, first reported on the potential for identity theft posed by SSNs included in public records in 2006. GAO estimated that 85 percent of the largest, most populated counties surveyed make records that may contain SSNs available in bulk sales or online. Most often SSNs appear in state and local court files and local property ownership records.
Agencies generally place no restrictions on the reuse of data included in public records, meaning information can change hands many times and even be outsourced to foreign service providers. Since the GAO’s report, many states are working to limit SSNs in public records. Such belated efforts, however, do nothing to retrieve the millions of SSNs already available through public records. Some jurisdictions are beginning the process of redacting SSNs from old public records. However, this can be a costly and time-consuming process.
Federal agency use. The GAO’s 2006 report found that SSNs are displayed on millions of cards issued by federal agencies, including 42 million Medicare cards, 8 million Department of Defense identification cards and insurance cards, and 7 million Veteran Affairs identification cards. Because the connection between identity theft and widespread use of the SSNs is now indisputable, the federal government has acted to curtail its use.
The federal Office of Management and Budget (OMB) issued a memorandum to all executive departments and agencies titled “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (OMB Memorandum M-07-6) (May 22, 2007). The OMB memorandum required agencies to review their use of SSNs and, among other things, identify instances in which collection or use is unnecessary. Since issuance of the OMB memorandum, agencies have taken steps to reduce unnecessary SSN use.
Military. SSNs began to disappear from military identification cards in 2011. As cards expire, they are replaced with new cards having a Department of Defense (DoD) identification number. The DoD identification number is a unique 10-digit number. An 11-digit DoD benefits number will appear on cards of dependents eligible for DoD benefits. SSNs embedded in the bar codes on the back of identification cards are currently being phased out.
Internal Revenue Service (IRS). The IRS implemented a Social Security Number Elimination and Reduction (SSN ER) Plan in response to concerns over the protection of personal data. An audit report released by the Treasury Inspector General for Tax Administration (TIGTA) on August 13, 2010, notes that no date has been set by which to eliminate or reduce the use of SSNs on outgoing correspondence, and that the SSN ER plan lacks milestones for progress.
Veterans. Veteran Health Identification Cards (VHIC) are issued for use by veterans at VA Medical Facilities. The VHIC replaces the Veteran Identification Card (VIC) which contained the veteran's SSN in the bar code on the card. VHICs do not contain your SSN.
Government checks. The Social Security Number Protection Act of 2010 (S. 3789) prohibits federal, state, or local agencies from displaying the Social Security account number of any individual, or any derivative of such number, on any check issued for any payment by the agency.
Medicare cards. Legislation signed in April 2015 requires that SSNs be removed from Medicare cards. Medicare will replace SSNs with randomly generated Medicare beneficiary identifiers. The process will take up to 8 years, beginning with Medicare cards for new Medicare beneficiaries.
3. Am I required to give my Social Security number to government agencies?
The answer depends upon the agency. Some government agencies, including tax authorities, welfare offices, and state Departments of Motor Vehicles, can require your SSN number as mandated by federal law (42 USC 405 (c)(2)(C)(v) and (i)). Others may request the SSN, leading you to believe you must provide it.
The Privacy Act of 1974 requires all government agencies — federal, state and local — that request SSNs to provide a "disclosure" statement on the form. The statement explains whether you are required to provide your SSN or if it’s optional, how the SSN will be used, and under what statutory or other authority the number is requested (5 USC 552a, note). The U.S. Office of Management and Budget, Office of Information and Regulatory Affairs (OIRA) provides guidance and oversight regarding the Privacy Act of 1974.
The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well.
If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.
4. Must I give my Social Security number to private businesses?
General. Usually you are not legally compelled to provide your SSN to private businesses. There is no law, however, that prevents businesses from requesting your SSN, and there are few restrictions on what businesses can do with it. But even though you are not legally required to disclose your SSN, the business does not have to provide you with service if you refuse to release it. So in a sense, you are strong-armed into giving your SSN.
But don't give up. Be sure to ask if there is an alternate number that you can provide to the company, such as your driver's license number. Also ask if you can provide a deposit rather than giving your SSN to the company.
If a business insists on knowing your SSN when you do not see a reason for it, we encourage you to speak to a manager who may be authorized to make an exception or who may know whether company policy requires it. If the company will not allow you to use an alternate number such as your driver’s license number, you may want to take your business elsewhere. Read “5 Places Where You Should Never Give Your Social Security Number” for advice on how to avoid giving up your SSN, and “Why you shouldn't give your doctor your Social Security number.”
SSN required by federal law. Federal law requires private businesses to collect your SSN when (1) you are involved in a transaction in which the Internal Revenue Service requires notification, or (2) you are engaged in a financial transaction subject to federal Customer Identification Program rules.
MediCal and Medicare are government health plans and can require an SSN.
Commercial insurance companies can ask for your SSN, if you are covered by group insurance through your employer or if you bought an Affordable Care Act plan through a state or federal marketplace.
A Mandatory Insurer Reporting Law (Section 111 of Public Law 110-173) requires group health plan insurers to report SSNs to the Centers for Medicare and Medicaid Services for both subscribers and covered dependents. This information is used to coordinate Medicare payments with other insurance benefits. However, there is no language in Section 111 itself that mandates collection or reporting of all SSNs to Medicare. Medicare requires only that insurers send the Medicare ID numbers of Medicare beneficiaries, and that they take appropriate steps to ensure that they tell Medicare about all the Medicare beneficiaries they also provide coverage for.
Similarly, individuals who receive ongoing reimbursement for medical care through no-fault insurance or workers’ compensation or who receive a settlement, judgment or award from liability insurance (including self-insurance), no-fault insurance, or workers’ compensation may be asked to furnish information concerning their SSN.
Beginning with the 2015 tax year, your health insurance company will be required to provide Form 1095-B to you and to the Internal Revenue Service (IRS). The law requires SSNs to be reported on Form 1095-B. You will use the form to prepare your income tax return. The information will be used to verify information on your individual income tax return under the Affordable Care Act (ACA). If the information you provide on your tax return cannot be verified, you may receive a notice from the IRS indicating that you are liable for a shared responsibility payment under the ACA.
Credit applications. Credit card applications usually request SSNs. Your number is used primarily to verify your identity in situations where you have the same or a similar name to others. Most credit grantors will insist on having your SSN. But in rare cases, you may be able to find a credit grantor who will provide you credit without knowing your SSN, especially if you are persistent and can provide other forms of identification.
Credit reporting agencies. If you are dealing with a credit reporting agency, such as Experian, Equifax, or TransUnion, you will generally need to give your SSN. They claim that’s how the agency will find your file from among the hundreds of millions of records they maintain. These agencies already have your SSN. When ordering your free annual credit report from the credit bureaus, you can request that the SSN be left off the document when sent to you via postal mail.
Pre-approved credit applications. You need to give out your SSN over the telephone to stop receiving pre-approved credit card offers when calling (888) 5 OPT-OUT or (888) 567-8688. This is the toll-free line shared by the three credit bureaus whose mailing lists are often used to generate credit card solicitations. You can use the agencies’ online form instead. While it doesn’t require the SSN, the credit reporting agencies say that including it will help to ensure your request will be successful.
State laws. In California, state law restricts how certain businesses can display their customers’ Social Security numbers. It does not restrict the collection of SSNs, however, and it doesn’t affect government agencies. California Civil Code §1798.85 prohibits, for example, insurance companies from printing the SSN on identification cards that are carried in the wallet. Similarly, customers of banks and investment companies cannot be required to transmit the SSN over the Internet when conducting business online, unless the number is encrypted. SSNs cannot be printed on documents sent through the mail, with some exceptions.
Other state legislatures and Congress have considered similar laws since passage of California’s landmark law. The New York state legislature passed a similar law in 2007.
New York lawmakers, in amendments to the state's labor law, further restricted private businesses' use of Social Security Numbers as well as employees' "personal identifying information." Personal identifying information includes not only the SSN but, among other things, an employee's home address and phone number, personal e-mail address, Internet access information, and the employee's parents' names. Effective January 2010, New York state government offices along with city and county agencies had to follow the same standards as apply to private businesses.
Another New York law limits the ability of entities to collect individuals’ SSNs. The law's provisions are subject to multiple exceptions, including use of SSNs for government requirements, use for internal verification or fraud investigation, use related to banking and credit-related activities, use in connection with employment, insurance or tax purposes, and other instances.
Visit the Web site of the National Conference of State Legislatures to obtain information on SSN-related legislation in other states. Use the site’s search engine for the term “social security number legislation” to obtain state-by-state results. The Data Quality Campaign has a summary table of state SSN protection laws.
5. Should I disclose my Social Security number over the Internet?
When you use the Internet, you may find Web sites that require your SSN when, for example, you apply for a credit card online or seek an insurance quote. We advise that you take extra precautions to determine that your personal data is transmitted securely and that it’s stored safely by the online business. Make sure you have a firewall and the latest anti-virus and anti-spyware software installed on your computer.
Only conduct business transactions with well-known, reputable companies. Look for the closed padlock symbol on the bottom of the page that indicates it is a secure connection. Click on the padlock to determine if the security certificate is up-to-date.
Beware of spam (unsolicited e-mail messages) that asks for your SSN or other personal information. Many people receive e-mail messages that appear to be from a government agency like the Internal Revenue Service, from a bank, Amazon, eBay, or PayPal. The message typically says that the company or agency is updating its records or has detected fraudulent activity with your account and needs personal information from you, such as your Social Security number, account number, password, mother’s maiden name, and so on. It may direct you to an official-looking Web site through a link contained in the message.
Do not respond to such messages! These are called “phishing” scams. Although they appear to be legitimate, these messages and Web sites are scams to get your personal information. No reputable company or government agency sends e-mail messages asking for sensitive personal data.
6. Can my employer use my Social Security number as an employee identification number?
Yes, in most states. However, the Social Security Administration discourages employers from displaying SSNs on documents that are viewed by other people — such as badges, parking permits, or on lists distributed to employees. Employers do, however, need each employee’s SSN to report earnings and payroll taxes.
In California and New York, as explained above, employers cannot display the employee’s SSN in certain situations.
7. Why do financial transactions require my Social Security number?
In 1961 the Internal Revenue Service began using SSNs as taxpayer ID numbers (TIN). Therefore, SSNs are required on transactions in which the IRS may be interested. That includes most banking, stock market and other investments, real estate purchases, automobile purchases over $10,000, many insurance documents, and other financial transactions as well as employment records.
Financial institutions are required by federal law to participate in Customer Identification Programs (CIPs). Banks must keep records of identifying information and check customer names against terrorist lists. This applies to anyone who opens a new account.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act), Pub.L. 107-56, includes measures to undercut terrorist financing and combat money laundering. Customer identification programs (CIPs) for financial institutions are required by §326 of the PATRIOT Act, with the details spelled out in regulations published by multiple federal agencies. For additional information about CIPs, read PRC Fact Sheet 31.
Because your SSN must be included on all of these sensitive financial documents, it’s important to limit other uses of the number.
8. Can a school or college use my Social Security number as an identification number?
Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act in order to retain their funding. FERPA is also known as the "Buckley Amendment," enacted in 1974, 20 USC 1232g.
One of FERPA's provisions requires written consent for the release of “educational records” or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision. (See Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992).)
FERPA applies to state colleges, universities, and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a violation of FERPA. However, some schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law.
Public schools, colleges, and universities fall within the provisions of another federal law, the Privacy Act of 1974. This act requires such schools to provide a disclosure statement telling students how the SSN is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement.
When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID.
The U.S. Department of Education and Department of Justice interpret the Privacy Act as prohibiting a public school district from requiring a pupil or parent to provide an SSN or denying admittance because a pupil does not provide an SSN.
Many colleges and universities are looking for ways to eliminate the SSN as the primary identifier not only for students but for faculty and staff as well. The California College and University Social Security Task Force published a report on the use of Social Security numbers in California colleges and universities in July 2010.
9. Can a state use my Social Security number as my drivers' license number?
The Intelligence Reform and Terrorism Prevention Act of 2004 prohibits states from displaying your SSN on drivers' licenses, state ID cards, or motor-vehicle registrations. The law went into effect December 17, 2005, and applies to all licenses, registrations, and identification cards issued after that date.
If your license still uses your SSN as the ID number, you can request this be changed. You don’t need to wait until it expires to get one with a different number, though you may be charged a fee for the new issuance.
Although your SSN may not be used as your ID number on your license, under the Real ID Act of 2005 states must require proof of a person’s SSN (or verification that the person is not eligible for an SSN) when issuing a license.
10. How can I obtain my Social Security Statement?
You can obtain your Social Security statement online by creating a My Social Security account. Your Social Security statement provides:
- A list of your lifetime earnings according to Social Security’s records
- The estimated Social Security and Medicare taxes you’ve paid
- Estimates of the benefits you or your family may receive
- General information about Social Security
You can also choose to block electronic access to your Social Security record. When you do this, no one, including you, will be able to see or change your personal information online. You may want to block your information if you:
- have been the victim of domestic violence;
- have been the victim of identity theft; or
- have any reason you do not want your record to be available.
Alternatively, you can opt for extra security to provide your account with an extra level of protection. With this option, you need a cell phone with text messaging each time you sign in.
Periodically checking your Social Security statement online can help you discover whether you might be a victim of a type of identity theft where someone uses your SSN to obtain employment. For example, an undocumented worker might use your SSN to obtain employment.
The Social Security Administration (SSA) mails statements to workers attaining ages 25, 30, 35, 40, 45, 50, 55, and 60 who are not receiving Social Security benefits and do not yet have a my Social Security account. After age 60, SSA mails annual statements. SSA mails the statements three months prior to the workers’ birthday.
11. Can I change my Social Security number?
The Social Security Administration (SSA) will issue a new number only in certain very extreme cases. A new SSN may be issued if you can prove that someone has stolen your number and is using it illegally. You must provide evidence that the number is actually being misused, and that the misuse is causing you significant harm on an ongoing basis. If your card has been lost or your number has fallen into the wrong hands, that's not enough. Further, SSA will not give you a new SSN to aid in avoiding legal responsibility, or in hiding bad credit or a criminal record.
SSA may also assign a different number if:
- Sequential numbers assigned to members of the same family are causing problems
- More than one person is assigned or using the same number
- There is a situation of harassment, abuse or life endangerment
To get a new Social Security number, you must visit your local Social Security field office and provide the required documentation.
12. What information is contained in the Social Security Death Master File?
The Social Security Administration’s (SSA) Death Master File (DMF) contains records of deaths that have been reported to SSA. SSA receives death reports from various sources, including family members, funeral homes, hospitals, and financial institutions. The DMF was created under a 1980 consent judgment from a lawsuit brought by a citizen under the Freedom of Information Act. The consent judgment requires that identifying information of decedents, including their Social Security numbers (SSN), be divulged.
The DMF is used by government, financial, investigative, and credit reporting organizations, medical research, and other industries to verify deaths, to prevent fraud, and to comply with the USA Patriot Act.
The DMF includes the following information on each decedent, if the data are available to the SSA: SSN, name, date of birth, date of death, state or country of residence (February 1988 and prior), ZIP code of last residence, and ZIP code of any lump sum payment. The SSA does not have a death record for all persons. Therefore, SSA does not guarantee the accuracy of the file. The absence of a particular person from the DMF is not proof that a person is alive.
For years, the DMF included death records provided by the states. In 2011, the SSA determined that state death records were exempt from public disclosure. They could, however, be made available to other federal agencies, such as the Internal Revenue Service and the Centers for Medicare and Medicaid Services, in order that they could determine whether to pay or discontinue benefits. In November 2011, four million deaths were deleted from the publicly available DMF. This was motivated in part by the desire to reduce identity theft.
Although the DMF is not available online, the DMF Extract is available for a fee from the United States Department of Commerce’s National Technical Information Service (NTIS).
The DMF is used to prevent fraud, including the theft of a dead person's identity. The DMF is used by credit reporting agencies (CRAs), as well as government, financial, investigative, and medical research organizations, to verify death and to prevent fraud. NTIS and SSA are working together to offer the DMF updates more frequently and in alternative formats. By running credit and other applications against the DMF, CRAs and other organizations are better able to identify and prevent identity fraud.
Conversely, the DMF can be used by identity thieves to obtain tax refunds for deceased persons or to apply for credit cards or obtain cell phones. Approximately 2.4 million deceased Americans have their identities stolen each year.
As of March 27, 2014, access to decedent information during the three-calendar-year period following that individual’s death is limited to certified subscribers with a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty.
A July 2012 SSA Inspector General's report found that SSA did not record death information in its Numident database for approximately 1.2 million deceased beneficiaries. SSA uses the Numident database to update the DMF. A March 2015 SSA Inspector General's report found that at least 6.5 million active Social Security numbers belong to people who are at least 112 years old and likely deceased.
Of the approximately 2.8 million death reports SSA receives annually, about 14,000 are incorrectly entered into its DMF. The DMF contained 36,657 death entries between May 2007 and April 2010 for people who were in fact alive.
Erroneous death entries can lead to benefit termination and closing or freezing of bank accounts, causing financial hardship. They also result in the publication of living individuals' personal identifying information in the DMF. While those who are declared dead generally lose their ability to apply for credit, they may be at risk for other types of identity theft now that their personally-identifying information has been made public.
If you find out that your name is on the DMF, your first priority is to find out who reported your death, when, and why. You must take appropriate steps to correct the information at the originating source. You will need to take steps to locate and amend the death certificate and then remove your name from the DMF.
13. How can I protect my Social Security number?
- Adopt a policy of not giving out your SSN unless you are convinced it’s required or is to your benefit. Ask any requestor to explain why it is needed. Never give out your SSN in response to a phone call that you did not initiate.
A California law places restrictions on the display and transmission of SSNs by companies. For more information, read the California Department of Justice’s Privacy Enforcement and Protection Unit's guide on SSN “recommended practices,” at http://www.oag.ca.gov/sites/all/files/pdfs/privacy/protecting_ssns.pdf?.
- If you feel that you must carry a health insurance card that includes your SSN or a Medicare card with you at all times, photocopy the original card and cut it down to wallet size. Then blacken out or cut out the last four digits of the SSN on the copy. Carry the copy with you rather than the actual card. However, the first time that you visit your healthcare provider, bring the original Medicare card with you. The office is likely to want to photocopy or scan it for its files.
- Place a 90-day fraud alert on your credit reports by calling one of the three credit bureaus: TransUnion (800) 680-7289; Equifax (888) 766-0008; Experian (888) 397-3742. Then renew the fraud alert every 90 days.
- If you have evidence of actual or attempted identity theft, additional steps are needed, such as notifying the police and the Federal Trade Commission and establishing a seven-year fraud alert. See our Fact Sheet 17(a) “Identity Theft: What to Do if It Happens to You”.
- Congressional Research Service. "The Social Security Number: Legal Developments Affecting Its Collection, Disclosure, and Confidentiality" (February 2014). This report provides a comprehensive list of federal developments affecting use of the social security number, from 1935 to the present. This list includes federal statutes regulating the collection and disclosure of SSNs, as well as specific authorizations for the use of SSNs, confidentiality provisions, and criminal provisions relating to SSN misuse.
- California Department of Justice’s Privacy Enforcement and Protection Unit. “Recommended Practices for Protecting the Confidentiality of Social Security Numbers”
- California College and University Social Security Task Force. "The Use of Social Security Numbers in California Colleges and Universities: A Report to the California State Senate and Assembly Judiciary Committees and to the California Office of Privacy Protection" (July 2010)
- Social Security Administration. “Historical Information: Social Security Numbers”
- Federal Trade Commission. "Security in Numbers -- SSNs and ID Theft" (December 2008). An FTC report recommending five measures to help prevent SSNs from being used for identity theft.
- Many universities have established SSN usage policies and have adopted ID numbers other than the SSN.
- U.S. General Accounting Office. "Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain"