Agencies face SSN scrubdown
OMB says agencies must stop the practice of using SSNs as unique personal identifiers.
Agencies face a daunting task to find and eliminate unnecessary Social Security numbers from their information systems, a chore that the Office of Management and Budget has asked agencies to complete by April 2009. Agencies frequently expose SSNs when they experience losses or unauthorized disclosures of personal information. OMB has directed agencies to safeguard against further breaches by collecting and storing the least amount of personal information necessary.

As part of a new policy, issued May 22, agencies must develop a plan during the next four months for eliminating the unnecessary use of SSNs within 18 months after they establish a plan. Complying with that policy to enhance data security will be difficult, said Dave Combs, chief information officer at the Agriculture Department. SSNs are embedded in countless government records as unique identifiers. In its most recent Federal Information Security Management Act report, OMB said federal agencies have identified 10,595 systems that need to be searched, and possibly scrubbed, of personal information, including SSNs, to minimize the risk of exposure.

“Every personnel folder in the federal government is chock full of SSNs,” Combs said. Time and attendance reports have SSNs, often unnecessarily. “There are lots of systems, and you can’t just snap your fingers and change it overnight,” he said.

Some agencies, including USDA and the Interior Department, have initiated plans to reduce SSN use, partly in response to publicized data breaches. “This is a combination of discover and fix, an iterative process of looking at every piece of paper, every report, every system and every file and discovering all [the places] where we use Social Security numbers, in particular, and other private information,” Combs said. The next step is to question whether agencies must keep certain information. Combs said people must ask, “Do we have to have information for a legal or procedural reason, and if not, how do we get rid of it?”

USDA may have a leg up on other agencies as a result of a recent data breach. Earlier this year, it discovered that it had inadvertently made public the SSNs of thousands of grant and loan recipients. SSNs were part of larger, 15-digit federal award identifier numbers, which were publicly accessible, by law, through the Federal Assistance Awards Data System. USDA designed the identifier decades ago.

USDA Secretary Mike Johanns directed his staff to fix the problem, Combs said. Deputy Secretary Chuck Conner led a team of department executives, including the assistant secretary of administration, the chief financial officer, representatives of the secretary’s office and the chief information officer, in developing a comprehensive approach to safeguarding personally identifiable information. Now USDA has begun its review of policies and procedures for handling personal information. It plans to offer employee education and awareness training, evaluate programs that use SSNs and hold employees accountable for SSN use, Combs said. USDA also has established a policy that states the department’s agencies will collect, maintain, use and disseminate identifiable personal information only as authorized by law and as necessary to carry out agency responsibilities.

Agencies report on their use of SSNs when they write privacy impact assessments, which they are required to do when they create new information systems or alter existing ones. They also report their SSN use once a year when they document their compliance with FISMA. In December 2006, OMB communicated a new emphasis on reducing SSN use, Combs said. The memo that OMB issued May 22 emphasized the point.

Like USDA, Interior has a head start on scrubbing its databases of unnecessary SSNs. Interior’s National Business Center, which handles many of the department’s major applications containing sensitive information, is able to mask or block the display of SSNs on reports and computer screens, said Interior CIO Mike Howell. NBC also is working with the Office of Personnel Management to create a unique employee identifier to replace the SSN. Agencies can eliminate some SSN uses by asking employees not to write their SSNs on leave application forms, Howell said. NBC also is modifying its time and attendance system to eliminate the use of SSNs.

“If we have to recode business systems, it’s going to take time and money,” Howell said. “We’ll have to work ourselves out of it over potentially several years.”

Howell said agencies can avoid exposing SSNs or limit their exposure to employees or business processes that need to see them. “It’s kind of like layers of an onion,” Howell said. “There are different layers depending on what the usage is.”

Combs said there are many ways to minimize risk, even when external reporting requirements, such as those of the Internal Revenue Service, stipulate the use of SSNs. Systems and reports used internally may not need an SSN, he said. “You can map [information] over to the person’s SSN once a year whenever you have to do reporting to IRS. The rest of the year, the SSN stays locked up in a vault, so to speak,” Combs said.

In the May 22 memo, OMB directed agencies to create alternative personal identifiers and participate in governmentwide efforts to create unique identifiers for federal employees and federal programs. The memo asked agencies to formulate a breach notification policy, which must include OMB’s requirements for incident reporting and external breach notification. OMB also asked agencies to develop policies that define the responsibilities of individuals authorized to access personally identifiable information.

OMB’s leadership in protecting personal information is welcome, said David Marin, a spokesman for Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee. Davis said he was pleased that administration officials recognize that information security must be a governmentwide priority, Marin said. OMB’s policy memo also recognizes the important role FISMA policies play in federal information security, Marin said. The OMB memo addresses aspects of the Federal Data Breach Protection Act, which Davis introduced and the House passed last year. Marin said Davis will ask committee chairman Rep. Henry Waxman (D-Calif.) to hold a hearing on OMB’s policy and Davis’ legislation as soon as possible.
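The approach Howell and Combs describe, as an added illustration that is not code from USDA, Interior or OMB: records are scanned for SSN-shaped fields (the "discover" step), a surrogate employee identifier replaces the SSN in internal records, the SSN is masked for display, and the stored SSN is released only for an allowed, logged external-reporting purpose such as the IRS filing. The field names, the surrogate format and the purpose label are assumptions.

```python
# Added example (not agency code): an SSN vault with surrogate identifiers,
# display masking, and a scanner for SSN-shaped fields in internal records.
import re
import secrets

# Matches a formatted SSN (123-45-6789) or nine bare digits at word boundaries.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")

def find_ssn_fields(record: dict) -> list:
    """Discovery step: return the names of fields whose values look like an SSN."""
    return [k for k, v in record.items() if isinstance(v, str) and SSN_RE.search(v)]

def mask(ssn: str) -> str:
    """Display masking for screens and reports: show only the last four digits."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:]

class SsnVault:
    """Holds SSNs apart from business systems and hands out surrogate IDs."""
    ALLOWED_PURPOSES = {"irs-annual-reporting"}   # assumed purpose label

    def __init__(self):
        self._by_surrogate = {}   # surrogate -> SSN digits
        self._by_ssn = {}         # SSN digits -> surrogate (one per person)
        self.access_log = []      # (surrogate, purpose) entries for audit

    def enroll(self, ssn: str) -> str:
        """Return the person's surrogate identifier, creating one if new."""
        digits = re.sub(r"\D", "", ssn)
        if digits not in self._by_ssn:
            surrogate = "EMP-" + secrets.token_hex(4).upper()   # assumed format
            self._by_ssn[digits] = surrogate
            self._by_surrogate[surrogate] = digits
        return self._by_ssn[digits]

    def resolve(self, surrogate: str, purpose: str) -> str:
        """Map a surrogate back to the SSN only for an allowed, logged purpose."""
        if purpose not in self.ALLOWED_PURPOSES:
            raise PermissionError(f"SSN release not allowed for purpose {purpose!r}")
        self.access_log.append((surrogate, purpose))
        return self._by_surrogate[surrogate]

def scrub_record(record: dict, vault: SsnVault) -> dict:
    """Replace SSN fields with a surrogate so the internal record carries no SSN."""
    out = dict(record)
    for field in find_ssn_fields(record):
        out[field] = vault.enroll(record[field])
    return out
```

Internal systems such as time and attendance then carry only the surrogate, and the annual IRS run is the one caller that resolves it, leaving an audit entry each time.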