Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs - GAO Report
Date: Jan. 23, 2006
Recent data breaches highlight how identity theft may occur when businesses share individuals' personal information, including Social Security Numbers (SSNs), with contractors. Because private sector entities are more likely to share consumers' personal information via contractors, members of Congress raised concerns about the protection of this information in contractual relationships. In response, GAO examined (1) how entities within certain industries share SSNs with contractors; (2) the safeguards and notable industry standards in place to ensure the protection of SSNs when shared with contractors; and (3) how federal agencies regulate and monitor the sharing and safeguarding of SSNs between private entities and their contractors.
Banks, securities firms, telecommunication companies, and tax preparation companies share SSNs with contractors for limited purposes. Firms GAO interviewed routinely obtain SSNs from their customers for authentication and identification purposes, and contract out various services, such as data processing and customer service functions. Although these companies may share consumer information, such as SSNs, with contractors, company officials said that they only share such information with their contractors when it is necessary or unavoidable.
Companies in the four business sectors GAO studied primarily relied on accepted industry practices and used the terms of their contracts to protect the personal information shared with contractors. Most company officials stated that their contracts had provisions for auditing and monitoring to assure contract compliance. Some noted that their industry associations have also developed general guidance for their members on sharing personal information with third parties.
Federal regulation and oversight of SSN sharing varied across the four industries GAO reviewed, revealing gaps in federal law and agency oversight in these industries, which share SSNs with contractors. Financial services companies must comply with the Gramm-Leach-Bliley Act (GLBA) for safeguarding customers' personal information, and regulators have an examination process in place to determine whether banks and securities firms are safeguarding this information. IRS has regulations and guidance in place to restrict the disclosure of SSNs by tax preparers and their contractors, but does not perform periodic reviews of tax preparers' compliance. Because the Federal Communications Commission (FCC) believes that it lacks statutory authority to do so, it has not issued regulations covering SSNs and also does not periodically review telecommunications companies to determine whether they are safeguarding such information.