Social Security Number Usage Law Raises IT Uniformity Issues

Computerworld - A California law that took effect last week limits the disclosure of Social Security numbers, forcing businesses to remove this ubiquitous identifier from forms sent to customers and from correspondence and ID cards.
The law, which applies to any company doing businesses in California, is in the vanguard of legislation targeting identity theft. It could affect business practices nationwide and spur the passage of new federal and state laws.
"We don't have California-only systems," said Kirk Hearth, chief privacy officer at Columbus, Ohio-based Nationwide Financial Services Inc. Hearth said it was much easier to apply the California rule nationally than to segment customer data by state.
The law is meant to make it harder for thieves to get a hold of this crucial identifier. The Federal Trade Commission said in 1999 that it received about 450 complaints per week from possible victims of identity theft; by the end of last year, the number had soared to 3,000. The Social Security Administration last year reported some 65,200 allegations of Social Security number misuse, up from 11,000 in 1998.
Companies had relatively little time to comply with the law, which was adopted in October.
The law prohibits including a person's Social Security number on any correspondence to him unless the law requires it. It also requires using encryption if the number is transmitted over the Internet.
Nationwide spent about $130,000 to comply with the law, Hearth said. Although it removed Social Security numbers from some customer correspondence, Nationwide also used other techniques to hide the numbers. One involved using an algorithm that takes a key to decrypt, while another hides the first five digits of Social Security numbers.
Another technique used by other companies involves including the Social Security number in a bar code, an industry group official said.
Congress has nearly a dozen bills pending that would restrict the use of Social Security numbers. One that would prohibit anyone from selling or displaying a Social Security number without the cardholder's consent is seen as the leading measure, but Congress isn't expected to act on any of the bills this year.
The risk for businesses is that a law could be adopted either in Congress or in another large state that sets different requirements from those in the California law, said John C. Scott, director of retirement policy at the American Benefits Council, an industry group in Washington that represents large financial services firms and other companies.
The question for businesses and industry groups "is whether they want to have a federalstandard or whether they want to have this done state by state," said Scott.