Cyber Risk of State Auditors Demanding Full SSNs in Assessing Unemployment Insurance Claims
Bloomberg Law
Bloomberg Law
Employers and payroll service providers invest millions of dollars each year in protecting the sensitive personal information they hold, including our Social Security numbers (SSNs). These companies must hold our data in order for most of us to get paid and to help our employers withhold taxes.
However, much of the protection employers design and implement is degraded when employers are required to provide full SSNs to state auditors for them to use in assessing unemployment insurance claims. Rather than applying the concept and, in some cases, rule, of data minimization (and only requesting the information they absolutely need), state auditors routinely demand excessive data, including full SSNs.
This may seem like an insignificant risk, but it is not. Each time employers comply with the requirement to provide unredacted SSNs to state auditors, the risk to each of us is increased. State and local entities are often the victims of cyberattacks, and states simply do not have the same security controls in place as employers.
Just last year, the Colorado Department of Health Care Policy and Financing was in the news for a breach that led to the compromise of millions of SSNs. In 2021, a breach at the Washington State Auditor's Office compromised SSNs of approximately 1.6 million residents. That same year, the Alaska Department of Health and Social Services was breached, exposing a trove of data, including SSNs. And in 2020, Arkansas, Colorado, Illinois, and Ohio each experienced breaches that likewise impacted a large number of individuals’ SSNs. It is not just the online component that makes forcing employers to provide full SSNs to state auditors such a problem. Even without an online element, the electronic storage alone of full SSNs by state auditing entities still exposes our information to additional risk; state entities in Connecticut and Georgia, for instance, have reported data breaches caused by lost laptops.
Even assuming all criminal activity such as hacking or laptop theft could be stopped, the risk that each of us faces because employers are forced to expand the number of entities that have our full SSNs is not eliminated. Simple human error is one of the top causes of data security incidents. Indeed, a recent report identified human error as the root cause of a staggering 74% of data breaches. Take, for example, the situation with the Vermont Department of Labor in 2020 that resulted in the mailing of thousands of unemployment insurance claimants’ SSNs to the wrong employers. Applying data minimization practices, such as the state auditors requiring only the last four digits of our SSNs, would be a good step on the path to reducing risk. And yet, employers are still being forced to share full SSNs with state auditors.
The U.S. Congress enacted the Protecting Americans from Tax Hikes (PATH) Act in 2015 (P.L. 114-113) to address this issue. Section 409 of the PATH Act and related IRS regulations invite employers to truncate employees’ SSNs on Forms W-2 (e.g., XXX-XX-9999), with the express intent of aiding “employers’ efforts to protect employees from identity theft.” TD 9861. Employer submissions of Forms W-2 to state and federal tax authorities, and quarterly wage reports filed with Employment Security agencies continue to report the full SSNs.
It would be counterproductive and counterintuitive, following the PATH Act, if employers were still required to print and maintain copies of employees’ Forms W-2 with the full SSNs displayed in case of an audit. Yet several state Employment Security agencies continue to demand Forms W-2 with the full SSN displayed in accordance with Unemployment Insurance audit regulations which have been largely unchanged since the 1970s, despite U.S. Department of Labor Employment Security guidance to the states which permit partial SSNs in audits. There are abundant horror stories of what happens when an SSN is compromised—whether the breach is due to human error or a malicious actor. Individuals find their bank accounts emptied, fraudulent tax returns filed on their behalf, or loans taken out in their name. Unwinding these problems often takes years.
What is ironic is that employers would not share sensitive information such as SSNs with a vendor without having first done their due diligence on the vendor's data security measures. And yet, no due diligence can happen when information is shared with state auditors. Similarly, many employers apply data minimization principles when they share information with vendors to reduce the likelihood that information could be compromised in transit or once it is received by a third party. The states’ requirement that employers share full SSNs makes this security best practice impossible.
These risks seem even more egregious in light of the fact that state auditors do not need employers to provide full SSNs to perform the audits. States themselves already have the full SSNs, and a state auditor could easily match records provided by employers to a person using only a partial SSN or an alternative identifier altogether. Supporting, or at least permitting, data minimization is an easy solution, and one that the federal government recognizes and encourages. The U.S. Federal Trade Commission encourages businesses to make smart data minimization decisions when providing SSNs to “reduce the risk of a data compromise down the road.” Similarly, to protect against identity theft, the U.S. Internal Revenue Service allows employers to truncate employees’ SSNs on Forms W-2 furnished to employees.
In addition, guidance from the U.S. Department of Labor for Employment and Administration grantees regarding transmitting information recommends using identifiers other than SSNs and, when there is no alternative available, requires that the SSNs be truncated or rendered unattributable to a particular individual. Other guidance issued by the U.S. Office of Personnel Management likewise provides that SSNs of all federal government employees “must be masked” in “record retrieval and access authorization processes.” States should take their cue from these federal entities and take action requiring—or at least permitting—employers to implement these same data minimization strategies and allow them to provide only partial or masked SSNs or alternative identifiers altogether to state auditors.
The principle of data minimization and resulting smart practices, like masking SSNs, have already become the norm in many other areas. Truncated credit card numbers on receipts, for example, have long been required by both the Fair and Accurate Credit Transactions Act and certain state laws. Although that change was an adjustment for many, the industry adapted and helped to reduce the risk of credit card fraud. It is time to update the rules here as well and permit employers to truncate the SSNs they provide to state auditors. While it may likewise require an adjustment, we will all be safer for it.
Copyright 2024 Bloomberg Industry Group, Inc. (800-372-1033) Cyber Risk of State Auditors Demanding Full SSNs in Assessing Unemployment Insurance Claims. Reproduced with permission.
Practices