The future of Social Security numbers in the cybercrime era

Are the left and right hands working together? Do they have no clue what the other is doing? Or could it be possible they don’t see the contradictory messages their oppositional actions can be sending? The hands belong to the government. Caught in the middle? Everyone with a Social Security number (SSN), or any business with employees.

Although flying below the radar, there are two distinct and divergent efforts related to SSNs going on in the legislative branch.

On the Senate side, there’s a growing recognition that SSNs can no longer be considered a safe and secure method of verifying identity. The Commerce Committee has begun hearing testimony on what technology can be used or developed to create a new national identification system. Recent hearings that brought top tech execs together to testify were spurred by the Equifax hack that exposed 145 million SSNs.

Equifax was the death knell for SSNs, which have been leaching out of supposedly secure systems for years. Among the biggest losses were those from government systems of several states (including South Carolina three times), the Internal Revenue Service, the Office of Personnel Management (the HR department for the federal government), and the Veterans Administration. Topped off by Equifax, it is nearly impossible that there are any unexposed SSNs left to steal.

Still, until the government can agree, legislate, develop, and effectively implement a new system, SSNs are what we have. And not only do we have them, but we are also tethered to them like a Mafia snitch to a pair of concrete boots.

Regardless of how many times your SSN may have been exposed, you can never get a new number, and you can only change the name on your Social Security card three times in your life, a rule that primarily impacts women.

Into this unsettled mess comes the House, which is considering legislation to require that every business in the country participate in the government’s E-Verify program, the federal data system that uses SSNs to verify eligibility of job applicants to work in the United States. Currently, participation in E-Verify is inconsistent. Few states require it fully for all public, private, and government hiring. South Carolina is one of these few states.

The requirements of the E-Verify program can be onerous, especially for small businesses. A significant one is the protection of every SSN you collect.

Once you enroll in E-Verify, you have to use it to process every employee. Selective use of E-Verify would be a violation of anti-discrimination employment law. You are also required to keep the E-Verify documents, including the SSN, “in a safe and secure location… that only authorized individuals have access,” according to the United States Citizenship and Immigration Services, which administers the program. Small businesses with paper files are possibly not securing these documents effectively. Others that digitize them but don’t have business-level accounts with appropriate role-based permissions may be unintentionally violating the law and risking exposure of sensitive information.

A watchdog organization called the Electronic Frontier Foundation is lobbying against the E-Verify expansion, calling it a “privacy disaster in the making.” Obviously, a data breach is a major concern, but there are others cited in a study by the General Accounting Office. They include a disparate impact on women who may or may not change their names after marriage or divorce, the historical fact that more non-Americans are denied, and the GAO’s opinion that errors will increase dramatically if E-Verify is made mandatory nationally.

Add to that the additional compliance requirements on every business, agency, and nongovernmental organization, regardless of size.

You may argue that if, in fact, SSNs are already widely exposed, then nothing is really at risk. Consider that valid SSNs may now be in the hands of thieves with stolen identities. That means someone masquerading as Laura Haight in Portland, Ore., could get a job and be a verified employee in the national database, while I could be flagged as an imposter and unable to be approved to work.

These two efforts appear to be working at cross purposes: properly exploring technology for a new ID system offering greater security of our identities, while at the same time seeking to force massive expansion of a program that depends nearly completely on an insecure and irreparably broken system.

PRO TIP: Get familiar with the document retention requirements for the I-9 and E-Verify. You may be holding sensitive information longer than is required (three years after employment for the I-9). Not only can small businesses be putting themselves at risk for a more extensive data breach, but I-9 auditors can fine you for every error on every document you have kept, whether you needed to or not. That’s $100 to $200 per error.