On December 17, 2008, the Federal Trade Commission (“FTC” or the “Commission”) issued a report focusing on the private use of Social Security (“SSNs”) numbers and recommending five measures to help prevent SSNs from being used for identity theft. The report was developed in response to a recommendation made by the President’s Identity Theft Task Force. In the report, the FTC concluded that a comprehensive approach would best address the issue of SSNs and identity theft. The Commission indicated that a multi-faceted approach could include comprehensive federal legislation and an extension of safeguards similar to those in place in the financial sector to entities not subject to bank regulatory agencies. Below follows a summary of the Commission’s recommendations.
Recommendation 1: Improve Consumer Authentication
The Commission recommended that Congress consider establishing national consumer authentication standards that would cover all private sector entities that maintain consumer accounts other than financial institutions, which the FTC explained are already under the jurisdiction of bank regulatory agencies that require such standards. In developing the authentication standards, the Commission stated that Congress should consider several factors. First, the FTC said that the cost of implementing new standards should be evaluated by determining what is “reasonable.” Second, the Commission stated that consumer convenience should be included in the reasonableness determination. Third, the Commission observed that the use of authentication procedures that require consumers to provide additional information about themselves may raise privacy concerns.
Recommendation 2: Restrict the Public Display and the Transmission of SSNs
The Commission recommended that Congress consider creating national standards for the public display and transmission of SSNs. The FTC also expressed support for federal legislation to establish a national approach to decrease the unnecessary exposure and transmission of SSNs. The Commission suggested that various federal agencies develop more precise standards through the rulemaking process. Additionally, the FTC stated that such standards should permit the display and transference of SSNs when required by law or when a substantial business need outweighs exposure risks.
Recommendation 3: Establish National Standards for Data Protection and Breach Notification
The Commission expressed support of its prior recommendation that Congress consider establishing national security breach notification standards. The FTC suggested that such standards should require private sector entities to provide public notice when the entity suffers a security breach of consumers’ personal identifying information and that breach creates a significant risk of identity theft or other harms.
Recommendation 4: Conduct Outreach to Businesses and Consumers
The Commission recommended increasing education and providing guidance on additional steps to reduce the use of SSNs in identity theft. The FTC noted that it anticipated disseminating additional guidance to businesses and consumers on what they can do to reduce their use of SSNs and to provide greater protection of such identifiers when they are used.
Recommendation 5: Promote Coordination and Information Sharing on Use of SSNs
The Commission recommended that appropriate governmental entities explore assisting private sector organizations establish a clearinghouse of best practices. The FTC explained that such practices would enable organizations to share approaches to SSN usage and protection, fraud prevention, and consumer authentication.