Social Security Numbers (“SSN”) were originally established by the Social Security Administration to track earnings and eligibility for Social Security benefits. Because an SSN is a unique personal identifier that rarely changes, federal agencies also use it for purposes unrelated to Social Security eligibility (e.g., tax administration and food stamp programs). In 1974, Congress passed legislation requiring federal agencies that collect SSN to notify individuals whether the collection is mandatory and how the agency intends to use the SSN.1 Congress later barred agencies from disclosing SSN to third parties. Federal law does not, however, regulate private-sector use of SSN.

Based upon a growing recognition that SSN can be used to perpetrate identity theft, state legislatures have passed statutes regulating the private sector’s use of SSN. Among other things, these statutes prohibit organizations from printing SSN on consumer cards, sending SSN through the mail, requiring that a consumer transmit SSN unencrypted over the internet, or requiring that individuals use their SSN to access a website unless an additional authentication credential (such as a password or PIN) is also required. Many states also have statutes that require companies to securely destroy SSN when the information is no longer in use.

Year Social Security Numbers were created.2

Cost on the black market to obtain a dossier with a consumer’s SSN.3

$500 / month: civil penalty imposed by one state for failing to adopt a privacy policy when collecting SSN.4

Some states have gone beyond regulating the use, disclosure, and destruction of SSN and require that organizations that collect SSN publicly post a privacy policy that explains the following:

  1. how the organization collects SSN,
  2. how the organization uses SSN,
  3. who within the organization will have access to SSN,
  4. how the organization will protect SSN, and
  5. the organization’s limitations on SSN disclosure.

Other states require organizations to publish privacy policies internally as part of their employee handbook or procedures manual. In addition to the topics listed above, the internal policy must establish penalties for employees who misuse SSN.5