Data Security: The Collateral Damage From Locking Down SSN Death Records.

The New York Times is covering how the Social Security Administration’s clampdown on access to its death list, a source of ID theft, is hampering legitimate uses of the record.  One rarely hears how the SSA’s Death Master File (aka, Death Index) is used, so I thought it might be interesting to see what types of legitimate organizations are affected.

(Yeah, it’s a day off from blogging about AlertBoot’s data security solutions.  Sometimes, data security comes in the form of something other than software and hardware, such as applying or having the correct policies).

Medical Research Groups

One example of a legitimate organization is the Scientific Registry of Transplant Recipients, a research group that analyzes organ transplant survival rates.  The report is used by “the federal agency that runs Medicare,” according to the article, “to determine whether some transplant programs have such poor track records that they should be cut off from government financing.”

The article implies that there are many, many more researchers being affected, including those studying cancer and cardiovascular diseases, such as a 60-year heart study out of Boston University.  One researcher looking into the mortality rate of kidney donors says his study is already compromised.

Apparently, a similar death index is compiled by the CDC, the Centers for Disease Control and Prevention.  However, it is less affordable than the one cataloged by the SSA ($995 vs. $30,000 and up), not to mention less complete: the CDC’s records are “14 months to 18 months out of date.”

(Interestingly enough, the article notes that the CDC’s records are more complete, in direct contradiction to what I wrote above.  I guess what the article means is that, given a particular period, say all of 2010, the CDC’s records will be more complete than the SSA’s.  If I know my researchers, though, the most recent records are of high interest to them.  Since the SSA’s list will have more of that data due to the CDC’s 1.5-year lag, the SSA’s list is actually the more complete of the two for functional purposes).

The Social Security Administration has countered the criticism from medical establishments by essentially stating that it’s not their problem.  As a relatively young, mortal being that has more than a passing interest in seeing medical research pay dividends, I hate to agree with the SSA.  But they’re right.

The data coming from the SSA is not better; it’s just cheaper or more convenient (and most probably both).  And no matter how well-intentioned, these studies have taken advantage of what now turns out to be a massive security hole that requires patching up.  It’s not as if there aren’t any alternatives to get the data.

Financial Industry

ID theft is quite the thorn for the financial industry.  Depending on which survey you look at, the number of victims and the estimated costs vary, but an approximate figure of $50 billion is normally brought up when discussing ID theft statistics.  One would imagine, then, that banks and the like would welcome the SSA’s policy of tighter controls on the Death Master File.

Not so.

Apparently, the financial industry also requires access to the file to combat fraud.  Unfortunately, the in-depth coverage only extends to the medical industry.  However, if my past research is of any value, my guess is that financial institutions need the list to attempt an end-run on ID thieves by checking that SSNs are not tied to dead people.  Without access to the death list, it would be difficult to curb abuses where legitimate names and SSNs are used to apply for loans and other forms of credit.

However, one wonders whether this is a legitimate complaint.  After all, the SSA already has a program that does give financial institutions access to this data: the Consent Based Social Security Number Verification:

With the consent of the SSN holder, enrolled users may utilize CBSV to verify whether the SSN holder’s name and Social Security Number (SSN) combination match SSA’s records. CBSV returns a “yes” or “no” verification indicating that the submission either matches or does not match our records. If our records show that the SSN holder is deceased, CBSV returns a death indicator. CBSV verifications do not verify an individual’s identity.

CBSV is typically used by companies who provide banking and mortgage services, process credit checks, provide background checks, satisfy licensing requirements, etc. [my emphasis]

Besides indicating whether one’s time on this earth has expired, the CBSV also checks for name, SSN, date of birth, and gender.  The use of this valuable resource would, according to some opinions that I’ve read, pretty much eliminate ID fraud of any kind in the financial market because satisfying all five requirements is a monumental obstacle.  At minimum, ID theft would be slowed down as people try to obtain fake IDs that are a match.

For example, maybe a person shows up at a bank and submits his name as “Pat Robertson”; has a valid SSN that is not tied to the death file; and “proves” he has the correct date of birth (and looks the part, too) by flashing a fake driver’s license.  But, a search using CBSV shows that Pat Robertson is, in fact, a woman.  Pat, the distinguished-looking gentleman, gets arrested.

The downside to the CBSV?  Money.  There is currently a charge of $1.05 per SSN searched, plus setup fees, which makes it unpopular in financial circles.  Considering that ID theft costs the industry $50 billion, one wonders whether financial institutions are being penny-wise and pound-foolish.

IRS Scammed

Governmental organizations could also be affected.  For example, the IRS is currently battling a problem in the form of fraudulent tax refunds:

According to a report by Scripps Howard News Service, “Crooks are pocketing fraudulent tax refunds after filing returns with personal information about recently deceased people found in the Social Security Administration’s Death Index Master File.

“The Internal Revenue Service…estimates that fraudsters improperly submitted 350,000 returns on dead Americans this tax season, improperly seeking $1.25 billion in refunds.” The parents of deceased children are increasingly at risk.  Once the fraudster has obtained “the deceased child’s Social Security Number and other personal information, the crooks falsely claim them as dependents and have the funds routed to them.”

Granted, the fraud’s success comes from the fact that the Death Index is accessible; however, if things get locked down, I can still imagine a situation where enterprising criminals grease some palms to get access to the data.  Meanwhile, if the IRS is unable to access the list, it still faces the same ID theft-related problem, although I imagine at a lower rate.

The Importance of Data Security Policies

Having the correct data security policies in place is important.  It may be even more important than ensuring you’ve got the correct mobile data security solution.  After all, a data security policy is supposed to be a capstone of sorts, the final product of your organization’s data risk assessments and working schematic to ensure data security breaches are minimized.

Let a problem fester, for a number of decades in this case, and an ecosystem will eventually grow around it.
