Social Security kept silent about private data breach

WASHINGTON — The Social Security Administration has failed to inform tens of thousands of Americans it accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups.

The federal agency has kept silent about a potentially harmful security breach of the personal data of about 14,000 people each year, ignoring recommended reporting guidelines for such confidentiality breaches and violating the intent, at least, of the U.S. Privacy Act, which protects personal information of private citizens.

The mistakes Social Security has made — and continues to make — with a database called the “Death Master File” (DMF) underscore how federal consumer-protection laws lag far behind laws in most states.

Legislation in 46 states, including Washington, makes disclosure of such breaches mandatory, although federal agencies generally are exempt from state and local laws.

“I certainly have never been warned about this. I totally object to that,” retired University of Tennessee agriculture professor John Jared, 68, said after a reporter recited his Social Security number and date of birth, gleaned from the database.

Jared was one of 31,931 living Americans discovered in a Scripps Howard News Service review of three copies of the Death Master File (DMF). These files, available for purchase from many sources on the Internet, contained their Social Security numbers and birth dates — critical information needed by identity thieves.

“That’s just not supposed to be public information, especially not my Social Security number,” Jared said. “This needs to be corrected.”

No one warned

Reporters at newspapers and television stations owned by the E.W. Scripps Co. interviewed dozens of people nationwide who have had security breaches because of what Social Security officials call “inadvertent keying errors” by federal workers when entering what was supposed to be information only about dead people. None reported that the agency warned them about the breach of their confidential information.

Most of those erroneously listed as dead who were contacted for this story said they only found out about the agency’s mistakes when they suffered adverse events like frozen bank accounts, canceled cellphones, refused job interviews, declined credit-card applications, denied apartment leases or refused mortgage and student-assistance loans.

“Our government really needs some shaping up,”said Laura Todd, 58, a Nashville woman who twice was falsely listed on the Death Master File. “I spent almost 10 years trying to get this all straightened out. No one ever sent me an apology or anything.”

Social Security officials admit that, each year, they accidentally release the personal information of about 14,000 living Americans by posting their files among the records of 90 million deceased Americans.

If their estimate is accurate, confidential data about more than 400,000 living Americans have been released since 1980 when the DMF became public under a Freedom of Information Act lawsuit.

U.S. business interests asked that the file become public to help protect them from fraud by thieves who assume the identities of dead people.

“When we discover that we have included a living individual on the DMF, we take prompt action to correct our records,” Social Security Commissioner Michael Astrue told Deputy Senate Majority Leader Richard Durbin, D-Ill., in a letter dated Sept. 21.

Astrue also said the breach is reported to the United States Computer Emergency Readiness Team (commonly called CERT), a part of the Homeland Security Department’s Cyber Security Division.

Attack on privacy

Consumer-protection advocates and privacy experts are quick to lambaste Social Security’s actions.

“This is a clear failure to follow the rules meant to warn consumers when their most private information has been exposed,”said Carmen Balber, Washington director of Consumer Watchdog, a national advocacy group.

The federal government’s silence about the breach prevents people from taking action to protect them from the threat of identity theft, privacy advocates said.

“Breach notice is a fundamental aspect of consumer protection,”said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse. “Such notification gives individuals the information they need to take steps to rectify the situation. Without that notice, they are in a kind of Kafkaesque nightmare.”

Failing to notify those affected by the confidential data breach would be illegal throughout most of the nation if Social Security officials had to abide by state law.

It also appears to violate a 2007 directive from the Office of Management and Budget (OMB) ordering every agency to develop a breach-notification policy when the confidentiality of personal data has been compromised.

“Notification of those affected — and the public — allows those individuals the opportunity to take steps to help protect themselves from the consequences of the breach,” the OMB directive said. “Such notification is also consistent with the ‘openness principle’ of the Privacy Act that calls for agencies to inform individuals about how their information is being accessed and used, and may help individuals mitigate the potential harms resulting from a breach.”

Only four states — Alabama, Kentucky, New Mexico and South Dakota — do not have breach laws.