5 Jan 2009

FTC to Congress: enact standards to reduce identity theft


Article

E-Commerce and Privacy Alert

by Heidi Salow and Micah Thorner

A new Federal Trade Commission (FTC) report, Security in Numbers: SSNs and ID Theft (Report), urges Congress to draft legislation establishing streamlined data protection, encryption, data breach notification and authentication standards for all private sector entities that maintain sensitive consumer information, such as social security numbers (SSNs).

The Report, released in December 2008, calls for federal legislative measures that would improve authentication, reduce unnecessary SSN display and transmission, improve data security and require breach notification. The FTC asks Congress to 1) establish national standards that would be delineated further through agency rulemakings and 2) grant it authority to impose civil penalties for violations of the new rules.

Report Makes Five Recommendations

The Report sets forth five recommendations to help prevent SSNs from being used for identity theft:

1. Improve Consumer Authentication. The FTC asks Congress to consider establishing “reasonable” national consumer authentication standards covering all private sector entities that maintain consumer accounts. These standards, which should be consistent with those currently mandated for financial institutions, should require the creation of a written program establishing reasonable, flexible and technology-neutral procedures to authenticate new or existing customers. Such programs should be compatible with the size and nature of the business of, and the specific authentication risks faced by, private sector entities.

2. Restrict the Public Display and the Transmission of SSNs. The Report recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but notes that such restrictions must be approached carefully. The Report acknowledges that, because many functions in the US economy depend on using and accessing SSNs, overly restrictive attempts to limit the availability of SSNs could unintentionally harm the economy. Nevertheless, the Report recommends that Congress consider creating national standards governing the public display and transmission of SSNs, including, for example, prohibitions against:
  • publicly posting or displaying SSNs;
  • placing SSNs on cards or documents required for an individual to access products or services provided by a covered entity, including student ID cards, employee ID cards and insurance cards;
  • transmitting (or requiring an individual to transmit) an SSN over the Internet, unless the connection is secure from unauthorized access or is protected by other technologies that render the data generally unreadable;
  • printing an individual’s SSN in materials mailed to the individual; and
  • printing an individual’s SSN on the outside of an envelope or other mailer, or in a location that is visible without opening the envelope or mailer.

3. Establish National Standards for Data Protection and Breach Notification. Forty-four states and the District of Columbia have now passed breach notification laws, but there is currently no federal breach notification law. The FTC reiterated its prior recommendation that Congress consider establishing national data breach notification standards. Such standards would require private sector entities to provide public notice when they suffer a breach involving consumers’ personal information and the breach creates a significant risk of identity theft or other harm.

4. Conduct Outreach to Businesses and Consumers. The FTC anticipates issuing guidance to businesses on reducing usage of SSNs and safeguarding the SSNs in their possession. In addition, as part of its overall educational outreach efforts, the Commission expects to disseminate explanatory materials on any newly created federal standards for authentication, SSN display and transmission, data protection and breach notification.

5. Promote Coordination and Information Sharing on Use of SSNs. Appropriate governmental entities should explore the possibility of helping private sector entities establish a clearinghouse of best practices, enabling those entities to share approaches and technologies on SSN usage and protection, fraud prevention and consumer authentication.

In Light of FTC Recommendations, Assess Your Current Procedures

Although its Report encourages Congress to enact national authentication, SSN display and transmission, security breach and data security standards, the FTC has not specifically delineated such standards. Instead, the FTC has made broad recommendations, the details of which would be addressed by Congress and in subsequent agency rulemakings.

In light of the Report, we recommend assessing your current data protection, encryption, data breach notification and authentication procedures, and considering how those procedures might need to change if and when Congress takes action. We will continue to monitor these developments. In the meantime, please do not hesitate to contact us with any questions.

This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.

Copyright © 2010 DLA Piper. All rights reserved.