State Sold Thousands Over Three Years on the Internet for $6 A Pop
Assemblyman Dave Jones last week revealed that a state-run web site had been selling access to the Social Security numbers of thousands of California consumers, a practice that began in 2004 and only ended this week when Jones raised objections. According to Jones this is “potentially the longest running government Internet breach in California’s history.”
“For the past 3 years, the state has been in the data broker business,” Jones said. “It has sold Social Security numbers for a mere $6 each to any member of the public with an Internet connection and a credit card. This is a gold mine for identity thieves.”
Jones has introduced legislation intended to prevent further occurrences of the problem. His bill, AB 1168, will permit the Secretary of State to reject documents containing Social Security numbers, a power that office does not have under current law. Under the state’s Uniform Commercial Code, if a UCC financing statement follows a prescribed format, the Secretary of State must accept it for public filing – even if it contains a Social Security number. AB 1168 would also require local government offices like county clerk-recorders to black-out the first 5 digits of Social Security numbers before releasing records to the public.
Jones discovered earlier this month that an Internet web site maintained by the Secretary of State’s office was selling public records containing the names, addresses, Social Security numbers, and sometimes the signatures of tens of thousands of Californians who have taken out secured loans. Though legal, selling this information to the general public could have enabled criminals to fraudulently secure credit cards in other individuals’ names, according to Jones.
“We live in an age of identity fraud,” Jones said. “Experts tell consumers to cross-shred their bank statements, actively monitor their credit reports, and shop on only the most secure web sites.
So it’s hard to explain to the average person why their government would sell their Social Security numbers over the World Wide Web.”
Law enforcement officials and privacy advocates cite Social Security numbers as key to committing identity theft because they are needed to apply for new lines of credit and may serve as the password for access to financial accounts or medical files. Jones said that his office logged on to the web site maintained by the Secretary of State and purchased about 20 records over the course of several days. Among those records were 14 individuals’ Social Security numbers.
In response to Jones’ concern over the web site, Secretary of State Debra Bowen this week blocked access to the online files and pledged to black out all but the last four digits of Social Security numbers in the records before releasing them to the public. The records, called “UCC financing statements” are by law open to the public. They are regularly used by banks to track loans to small business owners and other borrowers.
At the same time as Jones’ press conference, Joanne McNabb, chief of the California Department of Consumer Affairs’ California Office of Privacy Protection (COPP), was testifying before the US Senate Judiciary Committee’s Subcommittee on Terrorism, Technology and Homeland Security. She told the Committee that California’s laws have made privacy protection a more important social priority in the state. McNabb said “For example, our Social Security number law has resulted in the removal of Social Security numbers from our health plan cards, student ID cards, and other often-used pieces of identification.”
According to the Identity Theft Data Clearinghouse of the Federal Trade Commission, California reported in 2005 45,175 cases of identity theft, the third highest of any state in the nation. We are the largest state, and even though much has been done in this area to prevent identity theft, much more needs to be done.
Jones’ bill goes beyond the Secretary of State’s office. Its first stop will be the Assembly Judiciary Committee, which he chairs.