Social Security Numbers Released by the Social Security Administration?
When you are born in the United States you are entitled to a "social security number." I say entitled, because it doesn't seem to be required, at least it wasn't. I didn't get mine until I was applying for my first job. My mother took me down to the Social Security Administration's office and I got myself a shiny new blue card with a number that would follow me my entire life. My children got theirs from the doctor who delivered them (kidding, but it was close in time).
When you die in the United States, apparently the Social Security Administration "re-categorizes" you as deceased in what is called the Death Master File or DMF. I can see the usefulness of that. It seems logical that you'd want to make sure that a decedent's SSN isn't used by anyone else... But what if, just maybe, the SSA listed you erroneously on the DMF? But wait, I'm not dead, in fact, I'm feeling much better now (remember Monty Python's Holy Grail..bring out yer dead scene? Hilarious).
What is the impact when you are erroneously listed on the DMF? Apparently, and according to people who were erroneously listed on the DMF, you can be turned down for loans and apartments, have bank accounts frozen and other negative events when your SSN is a required aspect. I guess the "inquirer" looks up the applicant's SSN on the DMF and if it's there, then the applicant must be dead (at least their SSN is), therefore the applicant can't have whatever it is they're asking for - because they are dead.
The DMF is apparently available for purchase, but if you buy it, you get the SSN's of living breathing humans because mistakes happen.
According to a report in the Seattle Times by Howard Scripps News Service reporter Thomas Hargrove, the news service purchased the list and then started contacting the "erroneously placed names and SSNs" to inform them that they are listed as dead. One woman said that she has been dealing with her number situation for 10 years! What a hassle.
From the article in the Seattle Times:
Social Security officials admit that, each year, they accidentally release the personal information of about 14,000 living Americans by posting their files among the records of 90 million deceased Americans.
WHOOPS, sorry 'bout that. Thanks for telling us though.... Oh, you didn't tell us? You don't tell us? You're not required to tell us?
Apparently the SSA takes the position that they're not required to tell those people erroneously listed that their personal information has been made available to the public, by accident. A data breach by my definition. The article doesn't clearly say that, nor do the quotes from Social Security Officials, but what other conclusion can you draw?
I know, I know, the Social Security Administration didn't KNOW that the mistake happened, otherwise, logically speaking, it wouldn't have happened. And since they didn't KNOW it happened, how could they possibly have informed the people involved?
If you read any of the pending Federal legislation regarding data breach notification requirements, you'll find that constant monitoring is required. If you have the data, it's your job to KNOW if it's been erroneously released.
If the Feds want to place these regulations on businesses across America, they should really clean up their own house first.