Written by William & Mary Law Student Brittany McGill
In the wake of recent data breaches, legislators and VA officials are asking: Should we keep using the Social Security Number (SSN) as the VA identifier? The Social Security Administration created the SSN solely for employers to report employees’ earnings.[i] However, the SSN since has developed into a “nearly universal identifier” for both government and private sector needs.[ii] SSNs have served as identifiers of active duty service members for all military branches since 1974.[iii] Veterans use their SSNs to obtain their military records and to process benefits claims.[iv]
Last year, a Wisconsin Department of Veterans Affairs employee sent an email containing 637 SSNs to a random veteran.[v] Further investigation revealed emails containing SSNs had been sent from this office to unintended recipients at least three prior times.[vi] Federal law and VA regulations require VA employees to password-protect “personally identifiable information”.[vii]
This is not the first time veterans’ SSNs have been compromised. In 2006, a burglar stole a laptop containing 26 million veterans’ and active duty service members’ personal information.[viii] In March 2016, a North Carolina veteran received another veteran’s SSN and benefits information in the mail.[ix] Following the Wisconsin incident, the VA updated its software to better scan for SSNs.[x] Secretary Robert McDonald stated that the VA is open to using an alternative identifier, but that it would take time.[xi] Senator Tammy Baldwin (D-Wis.) recently drafted legislation intended to force the Department of Veterans Affairs to stop using SSNs as identifiers.[xii]
Veterans are particularly vulnerable to identity theft. Forced to use their SSNs during and after service, many veterans easily give out their SSN when asked compared to non-veterans.[xiii] Veterans dealing with the VA on disability claims often have stacks of paperwork in their homes—all containing their SSN as the reference number.
In April, Medicare began transitioning away from SSN identifiers. A bill signed by President Obama requires the Department of Health and Human Services (HHS) to issue Medicare cards without SSNs to new and existing beneficiaries over the next eight years.[xiv] The VA can use the HHS legislation and Medicare procedures as an example.
Still, switching to a non-SSN identifier within the VA poses legitimate challenges. Per Secretary McDonald, “getting rid of the SSN ID system… would be complicated and costly.”[xv] Medicare’s costs are an estimated $320 million over the next four years.[xvi] Logistically, the VA would have to start new claims without SSNs and convert current claims to a different identifier. With the VA already suffering from immense backlog, a change of this nature certainly could further slow processing time for claims. While veterans are likely to appreciate the additional security of a non-SSN identifier, those already aggravated with the disability claims process likely would not be enthusiastic about any additional delay. Still, for the protection of those who have protected this country, an SSN-less VA system is worth exploring.
[i] Id., supra note 1, at 67.
[ii] Id., supra note 1, at 67-69; William H. Manz. Federal Identity Theft Law: Major Enactments of the 108th Congress: A Legislative History of the Fair and Accurate Credit Transactions Act and Identity Theft Penalty Enhancement Act (Inc 2005).
[iii] National Archives, Service Number (SN) and Social Security Number (SSN), http://www.archives.gov/st-louis/military-personnel/social-security-numbers.html (last visited Mar. 27, 2016).
[iv] Id., supra note 4; Department of Veterans Affairs, Notice to Veteran/Service Member of Evidence Necessary to Substantiate a Claim for Veterans Disability Compensation and Related Compensation Benefits, 7 (2015), http://www.vba.va.gov/pubs/forms/VBA-21-526EZ-ARE.pdf.
[v] Adam Schrager, Veteran Receives Email Listing Hundreds of Social Security Numbers, Channel3000.com (Oct. 29, 2015, 4:48 PM), http://www.channel3000.com/news/veteran-receives-email-listing-hundreds-of-social-security-numbers/36124636. See also, Adam Schrager, Wis. Senators Demand Answers from VA Over Privacy Breach, Channel3000.com, (Oct. 30, 2015, 12:54 PM), http://www.channel3000.com/news/Wis-senators-demand-answers-from-VA-over-privacy-breach/36150298.
[vi] Schrager, supra note 6.
[vii] Id., supra note 6; Government Accountability Office, Information Security—Protecting Personally Identifiable Information (2008). s oject’te s, and file foldersncident, the VA updated ion for persoanl adn ave protected this country. ted ing time for claims.
[viii] Government Accountability Office, supra note 10; Jonathan J. Darrow and Stephen D. Lichtenstein, Do You Really Need My Social Security Number? Data Collection Practices in the Digital Age, 10 N.C. J.L. & Tech. 1, 23 (2008.
[ix] Amanda Weston, Veteran Receives Stranger’s Confidential Information in Extra VA Letter, WECT.COM (Mar. 16, 2016. 8:45 PM), http://www.wect.com/story/31489864/veteran-receives-strangers-confidential-information-in-extra-va-letter.
[x] Channel3000.com, Veterans Administration Updates Software to Better Protect SSN, (Mar. 10, 2016), http://www.channel3000.com/news/veterans-administration-updates-software-to-better-protect-ssn/38453030.
[xi] Channel3000.com, supra note 16.
[xii] Aisha Chowdhry, Senator Wants VA to Stop Using SSNs, Federal Computer Week (Mar. 10, 2016), https://fcw.com/articles/2016/03/10/veterans-affairs-ssn.aspx.
[xiii] This observation comes from the author’s personal experience collecting individuals’ confidential information to process personal injury claims.
[xiv] Social Security Administration, New Medicare Cards Will Not Display Social Security Numbers, Social Security Administration (Apr. 29, 2015), http://oig.ssa.gov/newsroom/ blog/ apr29-medicare-card-SSN.
[xv] Channel3000.com, supra note 16.
[xvi] Channel3000.com, supra note 16.