CUNA Regulatory Comment Call

August 2, 2007

EXECUTIVE SUMMARY

• The Federal Trade Commission (FTC) is requesting comments on the use of Social Security numbers (SSNs) in the private sector in order to reduce the incidence of identity theft.
• The President’s Identity Theft Task Force (Task Force) recently issued a strategic plan to address the identity theft problem. In the report, the Task Force recommended that federal agencies develop a comprehensive record on the use of SSNs in the private sector and analyze the necessity for those uses. The goal of such an effort will be to limit the unnecessary uses of SSNs. This request for comments is intended to facilitate this effort.
• Comments are due by September 5, 2007. Please submit your comments to CUNA by August 24, 2007.

Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Senior Vice President and Deputy General Counsel Mary Dunn at mdunn@cuna.com and to Senior Assistant General Counsel Jeff Bloch at jbloch@cuna.com; or mail them to Mary and Jeff in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6032, if you would like more information about the request for comments or you may obtain additional information here.

BRIEF DESCRIPTION OF THE REQUEST FOR COMMENTS

The FTC is requesting comments on the use of SSNs in the private sector in order to reduce the incidence of identity theft. An analysis of the need to collect and use SSNs by the private sector was one of the recommendations outlined in the strategic plan to address identity theft, which was recently issued by the Task Force.

Here are the specific questions for which the FTC has requested comments:

Current Private Sector Collection and Uses of the SSN

• What businesses and organizations collect and use the SSN? For what specific purposes are they used?
• What is the life cycle (collection, use, transfer, storage and disposal) of the SSN within the businesses and organizations that use it?
• Are governmental mandates driving the private sector’s use of the SSN?
• Are there alternatives to these uses of the SSN?
• What has been the impact of state laws restricting the use of the SSN on the private sector’s use of the SSN?

The Role of the SSN as an Authenticator

• The use of the SSN as an authenticator, as proof that consumers are who they say they are, is widely viewed as exacerbating the risk of identity theft. What are the circumstances in which the SSN is used as an authenticator?
• Are SSNs so widely available that they should never be used as an authenticator?
• What are the costs or other challenges associated with eliminating the use of the SSN as an authenticator?

The SSN as an Internal Identifier

• Some members of the private sector use the SSN as an internal identifier (for example, an employee or customer number), but others no longer use the SSN for that purpose. What have been the costs for private sector entities that have moved away from using the SSN as an internal identifier? What challenges have these entities faced in substituting another identifier for the SSN? How long have such transitions taken? Do those entities still use the SSN to communicate with other private sector entities and government about their customers or members?
• For entities that have not moved away from using the SSN as an internal identifier, what are the barriers to doing so?

The Role of the SSN in Fraud Prevention

• Many segments of the private sector use the SSN for fraud prevention, or, in other words, to prevent identity theft. How is the SSN used in fraud prevention?
• Are alternatives to the SSN available for this purpose? Are those alternatives as effective as using the SSN?
• If the use of the SSN by other sectors of the economy were limited or restricted, what would the ramifications be for fraud prevention?

The Role of the SSN in Identity Theft

• How do identity thieves obtain SSNs?
• Which private sector uses of the SSN do thieves exploit to obtain SSNs, (for example, the SSN as an identifier or SSN as an authenticator)? Which of those uses are most vulnerable to identity thieves?
• Once thieves obtain SSNs, how do they use them to commit identity theft? What types of identity theft are thieves able to commit with the SSN? Do thieves need other information in conjunction with the SSN to commit identity theft? If so, what other kinds of information must they have?
• Where alternatives to the SSN are available, what kind of identity theft risks do they present, if any?

Copyright © 2009 - Credit Union National Association, Inc.