Democracy Tree: Michigan gets it right on identity theft law

by Amy Kerr Hardin

Typically legislative resolutions earn little more than a passing chuckle — they’re either complete partisan hogwash or inane attempts by lawmakers to pad their legislative record with silly things like declaring January the Official Dish Soap Appreciation Month.Amy Kerr Hardin

But Michigan’s House managed to patch together a strong bipartisan showing for a resolution of actual substance last week. They are calling upon the U.S. Congress to enact legislation to prevent federal agencies from printing Social Security numbers in their entirety on correspondence. Seems simple enough. Michigan already enacted such a law — way back in 2004 — which prohibits the use of any more than four consecutive digits of a Social Security number. The resolution makes note of that fact:

Under the Michigan Social Security Privacy Act (2004 PA 454), various prohibitions on the use of an employee, student, or other individual’s Social Security numbers are in place. These include certain prohibitions on mailings that contain a Social Security number. Except for certain exceptions, it is prohibited to include all or more than four sequential digits of a Social Security number in a document or information mailed to a person.

Know the law — when to just say no

What many citizens are unaware of though is that they do not have to provide their Social Security number in a variety of circumstances. Of course, the number is absolutely necessary to file taxes, secure credit, and to seek employment. Those who haven’t recently been in the job market may be surprised to learn that many employers demand to physically view Social Security cards.

Who can we safely say “no” to then? For starters: Doctors and Schools.

Say no to the doctor

With the exception of Medicare and health insurance companies, health care professionals and hospitals are not entitled to Social Security numbers, although they all too often ask for them with possible debt collection in mind.

Medical records are a prime target for hackers because they provide a treasure trove of personal information that is not available elsewhere. Stolen medical data is a hot commodity, yet few consumers are aware of how sensitive this information truly can be. Beta News reports this week that in a survey of 1,000 American adults, only 11 percent cited medical records among their top security concerns.

Clearly, coupling this highly personal information with a Social Security number is always a bad idea.

If a health care provider requests your Social Security number, Consumer Reports advises:

  • Leave the area on the form blank. Often, the provider won’t even ask or notice.
  • If they do, explain that you’re “concerned about identity theft and prefer not to reveal my Social, except in those situations where it’s mandated by law.” If you feel pressured, consider choosing another facility or doctor, if you can. Some folks offer just the last four digits of their number.

Unfortunately, Medicare and health insurance companies are still permitted by law to obtain Social Security numbers.

medicare card

In the case of Medicare, it’s printed right on the card as the claim number. Consumer Reports advises patients to present their card at the first office call, then make a copy to carry in their wallet with all but the last four digits of the number blacked-out .

Legislation was introduced last January to remove this information from Medicare cards, but it is currently languishing in committee with giving it a 1 percent chance of being enacted. Another example of elected officials unwilling to serve the best interests of the American people.

It’s even worse for those purchasing insurance under the Affordable Care Act in state and federal marketplaces. Insurers are required by law to obtain an enrollee’s Social Security number, including the numbers of all household members covered under the policy.

As for those enrolled in an employer group plan, once again, the feds insist your Social Security number be attached to your insurance records under provisions of the Mandatory Insurer Reporting law.

So, pretty much every man, woman, and child is at risk of identity theft via health insurance records.

This is no hypothetical problem. Just last February, Blue Cross Blue Shield customers in Michigan were exposed through a large-scale hack at Anthem. The fallout is yet to be known.

This is beyond bad public policy — it’s pure lunacy.

Say no to the school

Many lower-education places of learning ask for student, and sometimes parental, Social Security numbers for their records. The Department of Justice, Civil Rights Division, makes it abundantly clear that families have the right of refusal:

  • Some school districts request a student’s social security number during enrollment to use as a student identification number. If a school district requests a student’s social security number, it must: (1) inform you and your child that providing it is voluntary and that refusing to provide it will not bar your child from enrolling in or attending school, and (2) explain for what purpose the number will be used.
  • A school district may not prevent your child from enrolling in or attending school if you choose not to provide your child’s social security number.
  • A school district may not require you to provide your own social security number in order for your child to enroll in or attend school.

Security trouble in higher education

Students of higher education however, face the daunting spectre of both the Common App and the Federal Application for Student Aid — aka, the dreaded FAFSA. The Common App does not require a Social Security number if an applicant does not have one, i.e. foreign students. But, they continue to press for the information from American applicants.

FAFSA, on the other hand, requires everything but a DNA sample. Expect to report Social Security numbers, along with a mind-boggling minutiae of personal financial and employment details — you have no secrets in the world of higher-ed. Although the U.S. Department of Education has been making efforts to increase security for FAFSA accounts, recent changes may have actually made it easier for hackers to access online information. They now offer nine Challenge Questions to choose from — one being “What color was your first car?” to retrieve the new personalized ID, which replaces the old-school PINs.  To hackers, this question must look like a magical portal to vast sums of data. Edvisors offers advice on how to protect accounts:

  • When providing an answer to a Challenge Question, ignore the question. Instead, create a second password consisting of a random collection of numbers and letters, including uppercase and lowercase letters, and use that as the answer. That will prevent a hacker from guessing the answer based on the question. Be sure to record this second password for later reference.
  • Treat the answer to the significant date question as though it were an 8-digit PIN and do not use a date or other easy-to-guess numeric sequence.
  • Close the web browser after using it, to clear the cache.

Like FAFSA, other federal and state programs by necessity have access to Social Security numbers and financial information – particularly those that require income verification through the IRS — food assistance, like SNAP, comes to mind. Without substantive reform, the potential exposure to hackers is endless.

Michigan lawmakers have it right — the federal government must up their game to protect citizens from identity theft. They should stop using Social Security numbers where not absolutely necessary, and further lock-down databases that contain them. Additionally, regulatory law to protect individuals from careless creditors must be strictly enforced — both in their lending practices and the protection of sensitive data.

Leave a Comment