There’s an expression in Washington about politicians and agencies that find themselves in hot water: It’s not the crime, it’s the cover-up.
In the case of the Social Security Administration’s massive breach of confidentiality, it wasn’t a crime, but incompetence, and not so much a cover-up as inaction by the agency.
The SSA failed to inform tens of thousands of Americans that over the past 20 years their names, addresses, birth dates and Social Security numbers had inadvertently been released to a publicly available database widely used by businesses.
The agency’s failure to inform the at-risk parties ignored government guidelines and recommendations for dealing with security breaches and violates the intent, if not the letter, of the U.S. Privacy Act.
The database is called the Death Master File and contains the records of 90 million dead Americans. It was begun in large part at the urging of business. Administered properly, the death file is a useful tool in preventing con artists from assuming the identities of deceased Americans.
The problem is that each year the names and other personal information of 14,000 living Americans are mistakenly entered into the file. Since the SSA declines to issue warnings, the first inkling many Americans have of the release of their private information is when they become victims of identity theft.
An earlier examination by Scripps Howard News Service found that the names of 31,931 living Americans had become public. A later examination with the aid of television stations and newspapers found that the problem was significantly broader, but still unaddressed by the Social Security Administration.
Most victims of the breach only found out about it when they were suddenly confronted by frozen bank accounts, canceled cellphone service or denied apartment leases, turned down for credit cards or refused mortgages and student loans.
The businesses, landlords and prospective employers were acting on the not-unfounded belief that since the master file showed the applicants were dead they were being set up for some kind of identity-fraud scam.
It took one victim nearly 10 years to untangle the mess and, she complained, “No one ever sent me an apology or anything.” Being the SSA means never having to say you’re sorry — or much of anything else.
The SSA has refused to explain its policy of keeping silent about the breaches or its policy of notifying — or not — the potential victims, which prevents people from taking action to protect themselves from the lapses.
Forty-six states make disclosure of confidentiality breaches mandatory for state and local agencies. The White House Office of Management and Budget has urged a federal policy of public admission and individual notification. Clearly, Congress should make that policy mandatory too.