[Dataloss] GAO recommends that Congress sets SSN truncating standards for information resellers
security curmudgeon
jericho at attrition.org
Mon Jun 12 17:51:20 EDT 2006
The following article is from GSN: Government Security News (May 1, 2006).
Any typos are my own.
--
GAO recommends that Congress sets SSN truncating standards for information
resellers
If you contact the right information resellers on the Internet, you may be
able to obtain a range of personal information about a specific
individual, including his date of birth, driver's license data, telephone
records and even his social security number, or a truncated version of
that SSN.
The Government Accountability Office (GAO) looked into the availability of
SSNs over the Internet, contacted 21 resellers and reached two interesting
conclusions: SSNs are not that widely available, but when they are, there
is no standardized format in which they present the entire SSN or a
truncated version of the number.
The GAO reported "there are few federal laws and no specific industry
standards on whether to display the first five or last four digits of the
SSN, and [Social Security Administration] officials told us the agency
does not have the authority to regulate how public or private entities use
SSNs, including how they are truncated."
As a result, the GAO has recommended that Congress consider setting
standards for truncating SSNs, or delegating authority to the SSA or
another agency to set such standards. The SSA agreed with this
recommendation, the GAO said.
When it requested SSN information from 21 different resellers, the GAO
said it received one full SSN, four truncated SSNs (which displayed only
the first five digits), and nothing at all from 16 of the resellers.
"In one case, we also received additional unrequested personal information
including truncated SSNs of the search subject's neighbor," said the GAO
document issued earlier this month.