Protecting Social Security Numbers in Education: Failure is Not an Option

Alternate Identifiers: Not necessarily a foreign concept

Best and Worst Practices

Resources: Preventing identity theft and effectively responding

In an effort to curtail identity theft, the Social Security Administration (SSA) is initiating a public information program to encourage educational institutions to avoid using a student’s Social Security Number (SSN) as the student identifier. We are seeking your support in helping to ensure the integrity of individual SSNs.

Identity theft is one of the fastest growing crimes in American society. The routine and often indiscriminate use of SSNs as identifiers, creates opportunities for individuals to inappropriately obtain personal information. Repetitive use and disclosure of SSNs in documents including transcripts, unprotected registration forms, admission postcards, and grade postings, multiplies the susceptibility of students to potential identity theft. Through misuse of SSNs, employees, faculty, and staff of educational institutions are subject to the danger of identity theft and its repercussions. Access to an individual’s SSN can enable a thief to obtain information that can result in significant financial difficulties for the victim. While this can be disruptive for students and staff it can also lead to civil liability for an educational institution and its individual employees if someone is harmed by information that has been made available to others.

ALTERNATE IDENTIFIERS: NOT NECESSARILY A FOREIGN CONCEPT

We strongly urge all educational facilities to use an alternate identifier for students and staff. In recent years, a number of nationally known universities have moved from an SSN-based identification system to an alternate student identifier. In fact in our region, which includes Maryland, Pennsylvania, Virginia, West Virginia, Delaware and the District of Columbia, many colleges have found the cost of this conversion to be reasonable. Some have also stated that the increased peace of mind for students and staff have made any costs worthwhile. Some institutions have taken very progressive action by creating a Chief Privacy Officer position and requiring that their employees who handle student records sign a disclosure statement acknowledging their Family Educational Rights and Privacy Act (FERPA) responsibilities and personal liability in the event of misuse.

An added reason for using an alternate identification number relates to foreign students. Foreign students who do not have jobs or valid job offers will no longer be eligible for SSNs under SSA regulation changes published in September 2004. Various institutional record systems must be changed to handle these students under alternate ID numbers.

top of page

BEST AND WORST PRACTICES

Although the SSN is necessary for certain purposes, such as for financial aid and for students working on campus, many other uses are largely discretionary.

In the sections below, “University” is used to indicate all types of Educational Institutions.

If a university has already made the switch to an alternate identification system or has instituted other protection measures that other universities could benefit from, we would like to hear about it. Please email any materials that you think might be considered best practices to us at phi.rpa@ssa.gov.

University collection and use of SSNs can increase the risk of identity theft and fraud. Each time an individual divulges his or her SSN, the potential for a thief to illegitimately gain access to bank accounts, credit cards, driving records, tax and employment histories and other private information increases. Because many universities still use SSNs as the primary student identifier, student exposure to identity theft and fraud remains.

BEST PRACTICES

Assign another primary identifier

Students, faculty and staff use a university assigned number for most university transactions. The student SSN remains in the university database as a secondary identifier. The institution exercises limited use of the student SSN, for example, when it is necessary to verify student identities, process financial aid applications, and report wages of student employees. Using another identifier reduces the risk of unauthorized disclosure of SSNs.

EXAMPLE: One university recently redesigned its student information system with the capability to assign and use non-SSN student identification numbers. With the redesigned system, the university began issuing randomly generated student identification numbers to all new students registering for the fall 2003 semester. Students enrolled before fall 2003 were issued a non-SSN student identifier system starting with the spring 2006 semester.

Inform Students

Universities gave students the option of using another number as a personal identifier and addressed privacy of student records via FERPA or through discussion in university catalogs or on websites.

One university had a statement on the admission application regarding the state’s Public Information Act.

Another university had information on its website explaining the new student identification numbering system.

We also noted articles in student publications outlining concerns and possible solutions to identity theft and an article at one university entitled Old ID Cards hold SSN, new card effective mid – March. This is an example of the university taking action and informing students, faculty and staff about their new student identifier system.

Use Employee Disclosure Statement

Universities took action to decrease the risk of improper SSN disclosure by staff and employees. These universities required that personnel handling documents containing confidential information sign a disclosure statement. Some of the documents we reviewed contained references to the Family Educational Rights and Privacy Act and the fact that the handler of such documents may be subject to criminal prosecution and civil penalties, as well as disciplinary action by their employer, if they improperly disclose confidential information.

Establish Staff Responsibility

Some institutions have taken the very progressive action of creating a Chief Privacy Officer position for oversight of all issues involving record security, including protection of SSNs maintained in institutional files.

Comply with State Regulations

Many states have enacted laws that place certain restrictions on universities’ use of SSNs

• Arkansas has a law that makes it a crime for an individual without consent, to obtain or record identifying information of another person that would assist in accessing the financial resources of that person. The law includes SSNs in its definition of “identifying information.” (A.C.A. § 5-37-227).

• Arizona passed legislation that prohibits those universities under the jurisdiction of the Arizona Board of Regents from assigning an identification number to faculty, staff, or students at a university that is identical to the individual’s SSN. The law also prohibits the display of the SSN (or any four or more consecutive numbers of the SSN) on any Internet site maintained by the university or other publicly accessible document. Arizona also passed legislation that prohibits certain disclosures of SSNs to the public and the printing of SSNs on any card required for the individual to receive products or services. The law also establishes technical protection requirements for the on-line transmission of SSNs. In addition, the law prohibits, in certain circumstances, the printing of SSNs on mailed materials to residents of Arizona unless required by State or Federal law.

• California passed legislation that prohibits (1) publicly posting or displaying an SSN; (2) printing an SSN on any card required to access products or services; (3) requiring that an individual transmit his or her SSN over the Internet unless the connection is secure or the SSN is encrypted; (4) requiring that an individual use his or her SSN to access an Internet website, unless a password or unique personal identification number or other authentication device is also required; and (5) printing an SSN on any item mailed to an individual unless State or Federal law requires that the SSN be on the mailed document.

• Connecticut passed legislation that prohibits an entity that purchases a housing project from disclosing to the public the tenants’ SSNs from the tenants’ lease agreements. Additionally, this legislation prohibits housing authorities from disclosing the SSNs of tenants to anyone except a purchaser of a housing project without the tenant’s permission.

• Illinois passed legislation that directs a task force to “…examine the procedures used by the State to protect an individual against the unauthorized disclosure of his or her social security number when the State requires the individual to provide his or her social security number to an officer or agency of the State.”

• Indiana passed legislation that prohibits State agencies from compelling an individual to provide their SSN to a State agency against the individual’s will, absent Federal requirements to the contrary. Any forms that request the SSN must state the reason the SSN is requested and notification either that the State is required by Federal law to obtain the SSN and the form cannot be processed without it or that the individual has the right to refuse to provide the SSN and will not be penalized for doing so. In addition, an individual may request that his or her SSN be removed from a State agency’s record and the State agency must substitute a new identification number to be used by the individual.

• Kansas passed legislation that prohibits post-secondary educational institutions from printing or encoding a person’s SSN on or into the person’s identification card. In addition, any distinguishing identifier assigned to a person shall be unique to that person and shall not be based on the person’s SSN.

• Louisiana has a law that prohibits the use of SSNs as personal identifiers for school employees. ( La. R.S. 17:440).

• Michigan passed legislation that includes a provision prohibiting the use of “…all or more than 4 sequential digits of the social security number as the primary account number…” for an employee, student or other individual.

• Minnesota passed legislation that requires that an individual asked to provide private or confidential data be informed of the purpose and intended use of the requested data within the State agency, whether the individual may refuse to provide the requested information, any known consequences for not providing the requested information, and the identity of those authorized by State or Federal law to receive the information. State agencies cannot collect, store, use, or disseminate private or confidential data of an individual for any other purpose than those stated to the individual at the time of collection. This act identifies the SSN and educational data as private.

• Missouri passed legislation that prohibits any person or entity from publicly displaying a person’s SSN and from requiring that a person send their SSN over the Internet without appropriate encryption or other security measures.

• New Hampshire passed legislation that increased the penalty for identity fraud.

• New Mexico has legislation pending that increases the penalty for identity theft for “…willfully obtaining, recording or transferring personal identifying information of another person without the authorization or consent of that person and with the intent to defraud that person or another.” (2005 Bill Text NM S.B. 260).

• New York has enacted a law that regulates universities’ SSN use. The New York State Education Law 5 prohibits the display of a student’s SSN on “…public listing[s] of grades, on class rosters or other lists provided to teachers, student identification cards, [and] in student directories or similar listings…unless specifically authorized or required by law....”

• Oklahoma has a law that makes it a crime “…for any person to willfully and with fraudulent intent obtain the name, address, social security number, date of birth…or any other personal identifying information of another person living or dead, with intent to use, sell, or allow any other person to use or sell such personal information to obtain or attempt to obtain money, credit, goods, property, or service in the name of the other person without the consent of that person.” ( 21 Okla. St. § 15331.1).

• Texas has a law that prohibits the printing of “…an individual’s social security number on a card or other device required to access a product or service…unless the individual has requested in writing such printing.” The law does not apply to “...the collection, use, or release of a social security number that is required by state or federal law…or the use of a social security number for internal verification or administrative purposes.” ( Tex. Bus. & Com. Code § 35.58).

• Vermont passed legislation that makes it a crime to obtain, produce, possess, use, sell, give, or transfer personal identifying information (including SSNs) belonging or pertaining to another person with intent to use the information to commit a misdemeanor or a felony. Additionally, this legislation requires that a study be completed related to the use of SSNs by both public and private entities and that proposals be developed to reduce such use wherever possible and protect privacy and security when the numbers must be used.

• Washington requires that institutions of higher education use personal identifiers that are not SSNs.

• Wisconsin passed legislation that prohibits an institution of higher education from assigning any student an “identification number that is identical to or incorporates the student’s Social Security number.” The act defines an institution of higher education as either a State or private educational institution located in Wisconsin that awards a bachelor’s or higher degree or provides programs that are acceptable toward such a degree.

top of page

PRACTICES TO AVOID

Class Registration

At several institutions, students must disclose their SSNs to register for courses (on-line or paper form registration processes). Some universities used the SSN for access control or electronic payment. Others required student SSNs for transcript requests.

The paper registration process unduly discloses the SSN to university registrar employees throughout the process. The on-line registration process generally results in electronic databases that identify students by SSN. Without strict application controls, individual SSNs could be compromised.

Class Rosters

Class rosters at some universities listed the student SSN and name.

Listing SSNs on class rosters with student names exposes the SSN to university employees. At a minimum, the practice makes SSNs available to instructors. If instructors do not adequately safeguard class rosters, student names and SSNs could be vulnerable to unauthorized access.

Computer Login

Students must enter their SSNs to log into computers at several of the universities.

Students’ SSNs are susceptible to unauthorized disclosure during the log-in process. At one university, the SSN was displayed on the computer monitor during the log-in process. Computer users accustomed to the process can visually obtain an SSN while a student logs on.

Grade Reports
Instructors at some of the universities reported final grades to the registrar’s office by student SSNs.

Listing SSNs and student names on class grade reports discloses the SSN to university employees. This weakens institutional control over the SSN.

Overdue Library Notices

At one university, library staff maintained overdue library book records that identified the delinquent student by name and SSN.

The paper record of overdue books containing student names and SSNs increases SSN exposure to library staff and other individuals in the work area. Additionally, the electronic database used to develop the overdue book record contained the student SSNs. Without strict application controls the SSN could be electronically compromised.

ID Cards

SSNs frequently appear on student ID cards. One university official stated that student SSNs were displayed on the back of ID cards. Students use this card for check cashing, registration, transcript requests, and book vouchers. At another university, students were assigned a magnetic stripe card that contained their SSN, to enter designated areas such as laboratories or gymnasiums or to initiate transactions such as making photocopies, checking out books, placing telephone calls, or purchasing meals and snacks.

Registration Postcards

One university requested that prospective students provide their SSNs on reply cards used to schedule campus tours or informational meetings. These cards requested that students provide their name, address, telephone number, and other personal information, including SSN.

Internet Access

SSNs were used to access the Internet and computer systems.

Although the Internet and most computer systems use encryption to prevent identity theft, it is still possible for "hackers" to access some systems. Additionally, forms that were accessible to students in the university computer systems clearly displayed student SSNs when they were printed.

Exams

A university required that students record their SSNs on written examinations that were graded electronically. In such instances, students entered their SSN, which was used as the primary student identifier, onto machine-readable forms. These forms and examinations provide a source for unauthorized persons to obtain student SSNs.

top of page

RESOURCES: PREVENTING IDENTITY THEFT AND EFFECTIVELY RESPONDING

There are a number of resources which provide additional information on dealing with identity theft and how to prevent it, including:

• FTC is the lead federal agency on identity theft. Their website is http://www.consumer.gov/idtheft/ [Disclaimer]
  
  
• SSA offers a great deal of information on SSNs on our internet site at http://www.ssa.gov/ssnumber/.
  
  
• If your institution is a member of the American Association of Collegiate Registrars and Admissions Officers (AACRAO), the Middle States Association of Collegiate Registrars and Admissions Officers (MSACRAO), or a similar organization explore your group’s resources on the topics of FERPA compliance and protection of SSNs.

• Recent SSA OIG Audit reports detailing Educational Institutions' Use of the SSN as a Student Identifier.

Nov. 30, 2005, Region IX (San Francisco)

Aug. 19, 2005, Region VI (Dallas)

Aug. 12, 2005, Region I (Boston)

July 27, 2005, Region II (New York)

June 7, 2005, Region V, Chicago

April 26, 2005, Region III, Philadelphia

March 21, 2005, Region VIII (Denver)

March 8, 2005, Region X, Seattle

Jan. 31, 2005, Region VII (Kansas City)

Dec. 9, 2004, Region IV (Atlanta)

April 26, 2004, “Universities Use of ‘Temporary SSNs’”

To obtain additional information, please visit www.socialsecurity.gov.

If you have questions or would like a presentation on Protecting the Social Security Number or on a variety of other Social Security topics, please contact your local Public Affairs Specialist listed at the Philadelphia Region Public Affairs web page.

Top of Page