Fact Sheet 10:
My Social Security Number - How Secure Is It?
Send to Printer
Privacy Rights Clearinghouse
- How do government agencies use my Social Security number?
- Am I required to give my Social Security number to government agencies?
- Must I give my Social Security number to private businesses?
- Should I disclose my Social Security number online?
- Financial transactions require my Social Security number?
- Can a school or college use my Social Security number as an ID number?
- Can a state use my Social Security number as my drivers’ license number?
- How can I obtain my Social Security Statement?
- Can I change my Social Security number?
- What information is contained in the Social Security Death Master File?
- How can I protect my Social Security number?
History of Social Security Number use. When Social Security numbers were first issued in 1936, the federal government assured the public that use of their use would be limited to Social Security programs such as calculating retirement benefits. Today, however, the Social Security number (SSN) has become the de facto national identifier.
Government agencies and private businesses continue to use SSNs for a wide range of non-Social Security purposes — such as employee files, medical records, health insurance accounts, credit and banking accounts, university ID cards, utility accounts, and many more.
In fact today SSNs are often used both an identifier and an authenticator. As an identifier, the SSN is provided by individuals to answer the question, “Who are you?” As an authenticator, the SSN is provided by individuals in response to a challenge: “Prove who you are.”
Risk of identity theft and data breaches. Identity thieves seek SSNs so they can assume the identity of another person and commit fraud. It’s relatively easy for someone to fraudulently use your SSN to assume your identity and gain access to your bank account, credit accounts, utilities records, and other sources of personal information. Identity thieves also can establish new credit and bank accounts in your name, or use your SSN for employment purposes or to obtain medical care.
Therefore, it’s wise to limit access to your SSN whenever possible. While the potential sources of SSNs are vast and accessible, you can take steps to keep your SSN out of the hands of potential thieves.
Unfortunately, your SSN is often saved in numerous databases which may be subject to compromise by hackers or other means. In recent years, news stories of data breaches in which SSNs are compromised are a daily occurrence.
Federal agency use. SSNs have been displayed on millions of cards issued by federal agencies, including Medicare cards, Department of Defense identification cards and insurance cards, and Veteran Affairs identification cards. Because the connection between identity theft and widespread use of the SSNs is now indisputable, the federal government has acted to curtail its use.
- Medicare cards. Legislation signed in April 2015 requires that SSNs be removed from Medicare cards. Medicare will replace SSNs with randomly generated Medicare beneficiary identifiers. The process will take up to 8 years, beginning with Medicare cards for new Medicare beneficiaries during the first 4 years and then for existing beneficiaries within the next four years.
- Military ID cards. SSNs began to disappear from military identification cards in 2011. As cards expire, they are replaced with new cards having a Department of Defense (DoD) identification number. The DoD identification number is a unique 10-digit number. An 11-digit DoD benefits number will appear on cards of dependents eligible for DoD benefits. SSNs embedded in the bar codes on the back of identification cards are being phased out.
- Veterans. Veteran Health Identification Cards (VHIC) are issued for use by veterans at VA Medical Facilities. The VHIC replaces the Veteran Identification Card (VIC) which contained the veteran's SSN in the bar code on the card. VHICs do not contain your SSN.
- Government checks. The Social Security Number Protection Act of 2010 (S. 3789) prohibits federal, state, or local agencies from displaying the Social Security account number of any individual, or any derivative of such number, on any check issued for any payment by the agency.
State and local government agency records. The
U.S. Government Accounting Office (GAO), the investigative arm of
Congress, first reported on the potential for identity theft posed by
SSNs included in public records in 2006.
GAO estimated that 85 percent of the largest, most populated counties
surveyed make records that may contain SSNs available in bulk sales or
online. Most often SSNs appear in state and local court files and local
property ownership records.
Agencies generally place no restrictions on the reuse of data included in public records, meaning information can change hands many times and even be outsourced to foreign service providers. Since the GAO’s report, many states are working to limit SSNs in public records. Such belated efforts, however, do nothing to retrieve the millions of SSNs already available through public records. Some jurisdictions are beginning the process of redacting SSNs from old public records. However, this can be a costly and time-consuming process.
The answer depends upon the agency. Some government agencies, including tax authorities, welfare offices, and state Departments of Motor Vehicles, can require your SSN number as mandated by federal law (42 USC 405 (c)(2)(C)(v) and (i)). Others may request the SSN, leading you to believe you must provide it.
The Privacy Act of 1974 requires all government agencies — federal, state and local — that request SSNs to provide a "disclosure" statement on the form. The statement explains whether you are required to provide your SSN or if it’s optional, how the SSN will be used, and under what statutory or other authority the number is requested (5 USC 552a, note). The U.S. Office of Management and Budget, Office of Information and Regulatory Affairs (OIRA) provides guidance and oversight regarding the Privacy Act of 1974.
The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well.
If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.
Generally. Except in those few situations where your SSN is required by federal law (see below), you are not legally compelled to provide your SSN to private businesses. There is no law, however, that prevents businesses from requesting your SSN, and there are few restrictions on what businesses can do with it. But even though you are not legally required to disclose your SSN, the business does not have to provide you with service if you refuse to release it. So in a sense, you are strong-armed into giving your SSN.
But don't give up. Be sure to ask if there is an alternate number that you can provide to the company, such as your driver's license number. Also ask if you can provide a deposit rather than giving your SSN to the company.
If a business insists on knowing your SSN when you do not see a reason for it, we encourage you to speak to a manager who may be authorized to make an exception or who may know whether company policy requires it. If the company will not allow you to use an alternate number such as your driver’s license number, you may want to take your business elsewhere.
Read 5 Places Where You Should Never Give Your Social Security
Number for advice on how to avoid giving up your SSN and Why you shouldn't give your doctor your Social Security number.
Your SSN is sometimes required by federal law. Federal law requires private businesses to collect your SSN when (1) you are involved in a transaction in which the Internal Revenue Service requires notification, or (2) you are engaged in a financial transaction subject to federal Customer Identification Program rules.
Health insurance companies. The company providing your medical insurance will ask you to provide your SSN.
- MediCal and Medicare are government health plans and can require an SSN for enrollment.
- Commercial insurance companies can ask for your SSN. Beginning with the 2015 tax year, the Affordable Care Act requires every provider of minimum essential coverage to report that coverage. Your health insurance company will provide Form 1095-B to you and to the Internal Revenue Service (IRS). The law requires SSNs to be reported on Form 1095-B. You will use the form to prepare your income tax return. The information will be used to verify information on your individual income tax return under the Affordable Care Act (ACA). If the information you provide on your tax return cannot be verified, you may receive a notice from th IRS indicating that you are liable for a shared responsibility payment under the ACA.
- If you are covered by group insurance through your employer, a Mandatory Insurer Reporting Law (Section 111 of Public Law 110-173) requires insurers to report SSNs to the Centers for Medicare and Medicaid Services for both subscribers and covered dependents. This information is used to coordinate Medicare payments with other insurance benefits. However, there is no language in Section 111 itself that mandates collection or reporting of all SSNs to Medicare. Medicare requires only that insurers send the Medicare ID numbers of Medicare beneficiaries, and that they take appropriate steps to ensure that they tell Medicare about all the Medicare beneficiaries they also provide coverage for.
- Individuals who receive ongoing reimbursement for medical care through no-fault insurance or workers’ compensation or who receive a settlement, judgment or award from liability insurance (including self-insurance), no-fault insurance, or workers’ compensation may also be asked to provide their SSN.
Credit applications. Credit card applications usually request SSNs. Your number is used primarily to verify your identity in situations where you have the same or a similar name to others. Most credit grantors will insist on having your SSN. But in rare cases, you may be able to find a credit grantor who will provide you credit without knowing your SSN, especially if you are persistent and can provide other forms of identification.
Pre-approved credit applications. You need to give out
your SSN over the telephone to stop receiving pre-approved credit card offers
when calling (888) 5 OPT-OUT or (888) 567-8688. This is the toll-free
line shared by the three credit bureaus whose mailing lists are often used to
generate credit card solicitations. You can use the agencies’ online form instead. While it
doesn’t require the SSN, the credit reporting agencies say that including it
will help to ensure your request will be successful.
State laws. In California, state law restricts how certain businesses can display their customers’ Social Security numbers. It does not restrict the collection of SSNs, however, and it doesn’t affect government agencies. California Civil Code §1798.85 prohibits, for example, insurance companies from printing the SSN on identification cards that are carried in the wallet. Similarly, customers of banks and investment companies cannot be required to transmit the SSN over the Internet when conducting business online, unless the number is encrypted. SSNs cannot be printed on documents sent through the mail, with some exceptions.
Other state legislatures and Congress have considered similar laws since passage of California’s landmark law. The New York state legislature passed a similar law in 2007.
New York lawmakers, in amendments to the state's labor law, further restricted private businesses' use of Social Security Numbers as well as employees' "personal identifying information." Personal identifying information includes not only the SSN but, among other things, an employee's home address and phone number, personal e-mail address, Internet access information, and the employee's parents' names. Effective January 2010, New York state government offices along with city and county agencies had to follow the same standards as apply to private businesses.
Another New York law limits the ability of entities to collect individuals’ SSNs. The law's provisions are subject to multiple exceptions, including use of SSNs for government requirements, use for internal verification or fraud investigation, use related to banking and credit-related activities, use in connection with employment, insurance or tax purposes, and other instances.
In most states, your employer can use your SSN as an employee ID number. However, the Social Security Administration discourages employers from displaying SSNs on documents that are viewed by other people — such as badges, parking permits, or on lists distributed to employees. Employers do, however, need each employee’s SSN to report earnings and payroll taxes. In California and New York, as explained above, employers cannot display the employee’s SSN in certain situations.
Consumers Union provides a listing of State laws restricting private use of Social Security numbers. The Data Quality Campaign has has a summary table of state SSN protection laws.
5. Should I disclose my Social Security number online?
You should never provide your SSN when shopping online. Likewise, responsible employers will not ask for your SSN when just applying for a job online. However, you may need to provide your SSN when applying for a credit card, bank account, insurance policy, brokerage account, or a government benefit.
When online, you must take extra precautions to determine that your personal data is transmitted securely and that it’s stored safely by the recipient. Make sure you have a firewall, up-to-date operating systems and software, and current anti-virus and anti-malware software installed on your computer or other device. Only conduct business transactions with well-known, reputable companies. Make sure that you are actually connected to the proper site. Scam sites may have similar names.
Make sure that your data is being transmitted securely. Here's how you can tell when you are dealing with a secure site:
- If you look at the top of your screen where the Web site address is displayed (the "address bar"), you should see https://. The "s" that is displayed after "http" indicates that Web site is secure. Often, you do not see the "s" until you actually move to the order page on the Web site.
- Another way to determine if a Web site is secure is to look for a closed padlock displayed on the address bar of your screen. If that lock is open, you should assume it is not a secure site.
Beware of spam (unsolicited e-mail messages) that asks for your SSN or other personal information. Many people receive e-mail messages that appear to be from a government agency like the Internal Revenue Service, from a bank, Amazon, eBay, or PayPal. The message typically says that the company or agency is updating its records or has detected fraudulent activity with your account and needs personal information from you, such as your Social Security number, account number, password, mother’s maiden name, and so on. It may direct you to an official-looking Web site through a link contained in the message.
Do not respond to such messages! These are called “phishing” scams. Although they appear to be legitimate, these messages and Web sites are scams to get your personal information. No reputable company or government agency sends e-mail messages asking for sensitive personal data.
Federal law requires private businesses to collect your SSN when (1) you are involved in a transaction in which the Internal Revenue Service requires notification, or (2) you are engaged in a financial transaction subject to federal Customer Identification Program rules.
The IRS began using SSNs as taxpayer ID numbers (TIN) in 1966. SSNs are required on transactions in which the IRS may be interested. That includes most banking, stock market and other investments, real estate purchases, many insurance documents, and other financial transactions as well as employment records.
Financial institutions are also required by federal law to participate in Customer Identification Programs (CIPs). Banks must keep records of identifying information and check customer names against terrorist lists. This applies to anyone who opens a new account. The CIP Rule does not require financial institutions to report your dealings to the government. However, sections of the Bank Secrecy Act do require transactions over a certain dollar amount to be either reported to the Financal Crimes Enforcement Network (FinCEN), a branch of the U.S. Department of the Treasury, or documented by the bank. Reporting requirements may vary depending on the type of financial institution.
For additional information about CIPs, read PRC Fact Sheet 31.
Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act in order to retain their funding. FERPA is also known as the "Buckley Amendment," enacted in 1974, 20 USC 1232g. One of FERPA's provisions requires written consent for the release of “educational records” or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision. (See Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).
FERPA applies to state colleges, universities, and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a violation of FERPA. However, some schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law.
Public schools, colleges, and universities fall within the provisions of another federal law, the Privacy Act of 1974. This act requires such schools to provide a disclosure statement telling students how the SSN is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement.
When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID.
The U.S. Department of Education and Department of Justice interpret the Privacy Act as prohibiting a public school district from requiring a pupil or parent to provide an SSN or denying admittance because a pupil does not provide an SSN.
Many colleges and universities are looking for ways to eliminate the SSN as primary identifiers for not only students but facility and staff as well. The California College and University Social Security Task Force published a report on the use of Social Security numbers in California colleges and universities in July, 2010.
The Intelligence Reform and Terrorism Prevention Act of 2004 prohibits states from displaying your SSN on drivers' licenses, state ID cards, or motor-vehicle registrations. The law applies to all licenses, registrations, and identification cards issued after that date. If your license still uses your SSN as the ID number, you can request this be changed. You don’t need to wait until it expires to get one with a different number, though you may be charged a fee for the new issuance.
Although your SSN may not be used as your ID number on your license, under the Real ID Act of 2005 states must require proof of a person’s SSN (or verification that the person is not eligible for an SSN) when issuing a license.
You can obtain your Social Security statement online by creating a My Social Security account. Your Social Security statement provides:
- A list of your lifetime earnings according to Social Security’s records
- The estimated Social Security and Medicare taxes you’ve paid
- Estimates of the benefits you or your family may receive
- General information about Social Security
You can also choose to block electronic access to your Social Security record. When you do this, no one, including you, will be able to see or change your personal information online. You may want to block your information if you:
- have been the victim of domestic violence;
- have been the victim of identify theft; or
- have any reason you do not want your record to be available.
Alternatively, you can opt for extra security to provide your account with an extra level of protection. With this option, you need a cell phone with text messaging each time you sign in.
Periodically checking your Social Security statement online can help you discover whether you might be a victim of a type of identity theft where someone uses your SSN to obtain employment. For example, an undocumented worker might use your SSN to obtain employment.
The Social Security Administration (SSA) mails statements to workers attaining ages 25, 30, 35, 40, 45, 50, 55, and 60 who are not receiving Social Security benefits and do not yet have a my Social Security account. After age 60, SSA mails annual statements. SSA mails the statements three months prior to the workers’ birthday.
The Social Security Administration (SSA) will issue a new number only in certain very extreme cases. A new SSN may be issued if you can prove that someone has stolen your number and is using it illegally. You must provide evidence that the number is actually being misused, and that the misuse is causing you significant harm on an ongoing basis. If your card has been lost or your number has fallen into the wrong hands, that's not enough. Further, SSA will not give you a new SSN to aid in avoiding legal responsibility, or in hiding bad credit or a criminal record.
SSA may also assign a different number if:
- Sequential numbers assigned to members of the same family are causing problems
- More than one person is assigned or using the same number
- There is a situation of harassment, abuse or life endangerment
To get a new Social Security number, you must visit your local Social Security field office and provide the required documentation.
The Social Security Administration’s (SSA) Death Master File (DMF) contains records of deaths that have been reported to SSA. SSA receives death reports from various sources, including family members, funeral homes, hospitals, and financial institutions. The DMF was created under a 1980 consent judgment from a lawsuit brought by a citizen under the Freedom of Information Act. The consent judgment requires that identifying information of decedents, including their Social Security numbers (SSN) be divulged.
The DMF is used to prevent fraud to help
prevent stealing the identity of a dead person. The DMF is used by
credit reporting agencies (CRA), as well as government, financial,
investigative, medical research organizations to verify death and to
The DMF includes the following information on each decedent, if the data are available to the SSA: SSN, name, date of birth, date of death, state or country of residence (February 1988 and prior), ZIP code of last residence, and ZIP code of any lump sum payment. The SSA does not have a death record for all persons. Therefore, SSA does not guarantee the accuracy of the file. The absence of a particular person from the DMF is not proof that a person is alive.
Although the DMF is not available online, the DMF Extract is available for a fee from the United States Department of Commerce’s National Technical Information Service (NTIS).
NTIS and SSA are working together to offer the DMF updates more frequently and in alternative formats. By running credit and other applications against the DMF, CRAs and other organizations are better able to identify and prevent identity fraud.
Conversely, the DMF can be used by identity thieves to obtain tax refunds for deceased persons or to apply for credit cards or obtain cell phones. Approximately 2.4 million deceased Americans have their identities stolen each year.
As of March 27, 2014, access to decedent information during the three-calendar-year period following that individual’s death is limited to certified subscribers with a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty.
A March 2015 SSA Inspector General's report found that at least 6.5 million active Social Security numbers belong to people who are at least 112 years old and likely deceased. Of the approximately 2.8 million death reports SSA receives annually, about 14,000 are incorrectly entered into its DMF. The DMF contained 36,657 death entries between May 2007 and April 2010 for people who were in fact alive.
Erroneous death entries can lead to benefit termination and closing or freezing of bank accounts, causing financial hardship. They also result in the publication of living individuals' personal identifying information in the DMF. While those who are declared dead generally lose their ability to apply for credit, they may be at risk for other types of identity theft now that their personally-identifying information has been made public.
If you find out that your name is on the DMF, your first priority is to find out who reported your death, when, and why. You must take appropriate steps to correct the information at the originating source. You will need to take steps to locate and amend the death certificate and then remove your name from the DMF.
- Adopt a policy of not giving out your SSN unless you are convinced it’s required or is to your benefit. Ask any requestor to explain why it is needed. Never give out your SSN in response to a phone call that you did not initiate.
- Never print or write your Social Security number on your checks, business cards, address labels or other identifying information.
- Do not carry your SSN card in your wallet
except for situations when it is required, such as the first day of a
new job. If possible, do not carry any items in your wallet that include
your SSN, such as your Medicare card, except when needed to
receive healthcare services. Your wallet could be lost or stolen,
resulting in your SSN being vulnerable to fraudulent use.
- Order a copy of your free credit reports
each year. If you are a victim of identity theft, the credit report
will likely contain evidence of credit or banking fraud committed using
your name and SSN. It will also show other SSNs or names associated with
- If a private business requests your SSN:
- Leave the space for the SSN on the form blank or write "refused" or “N/A” in that space.
- Speak to someone in management or write to the business and explain why you do not want your SSN used to identify you. If you don’t receive satisfaction from the first person you contact, go to someone in the organization with more authority.
- Insist that the company document its policy of why they are requiring a SSN. If a written policy cannot be found or too much time is taken looking for one, maybe the business will allow you to use an alternate number.
- Ask why your SSN is requested and suggest alternatives like using your driver’s license number.
- If the company insists on having your SSN, explain that you will take your business elsewhere. If the company persists, follow through on your promise.
- If your employer releases or displays your SSN, explain why you disapprove of this practice. Some employers do not treat SSNs as confidential information. They may be willing to change their policy when they understand the twin dangers of invasion of privacy and potential for fraud. As explained above, laws in California and New York and some other states place restrictions on the display and transmission of SSNs by companies.
- If your bank, credit union or other financial service provider uses your Social Security number as a personal identification number (PIN) or as the identifier for banking by phone or the Internet, write a letter of complaint. Demand to have a different PIN and/or identification number assigned. Explain why the SSN is an extremely poor choice for a password or security code. If you voluntarily use the last four digits of your SSN as your PIN for ATM and other banking or credit transactions, change it to something else, but not to a common number such as your birthdate, telephone number, or ZIP code.
- If you fear your SSN has gotten into the wrong
hands, take the following steps to reduce the risk of new accounts being
opened in your name:
- Place a 90-day fraud alert on your credit reports by calling one of the three credit bureaus: TransUnion (800) 680-7289; Equifax (888) 766-0008; Experian (888) 397-3742. Then renew the fraud alert every 90 days.
- Monitor your credit reports very closely. Placing the fraud alert allows you to order a free credit report within 90 days.
- Consider "freezing" your credit reports with Equifax, Experian, and TransUnion. By freezing your credit reports, you can prevent credit issuers from accessing your credit files except when you give permission. This effectively prevents thieves from opening up new credit card and loan accounts. See http://www.consumer-action.org/english/articles/freeze_your_credit_file#Topic_04 for more information.
- If you have evidence of actual or attempted identity theft, additional steps are needed, such as notifying the police and the Federal Trade Commission and establishing a seven-year fraud alert. See our Fact Sheet 17(a) “Identity Theft: What to Do if It Happens to You”.
- Avoid sharing your birthday, age, or place of birth on the Internet. A research study by Carnegie Mellon University found that Social Security numbers can be predicted based on publicly-available information, including your birthday, age and place of birth. The Social Security Administration began assigning randomized number series on June 25, 2011. Unfortunately, the more predictable Social Security numbers will remain in effect for individuals born before June 25, 2011.
- Congressional Research Service, "The Social Security Number: Legal Developments Affecting Its Collection, Disclosure, and Confidentiality" (February 2014). This report provides a comprehensive list of federal developments affecting use of the social security number, from 1935 to the present. This list includes federal statutes regulating the collection and disclosure of SSNs, as well as specific authorizations for the use of SSNs, confidentiality provisions, and criminal provisions relating to SSN misuse.
- California Department of Justice’s Privacy Enforcement and Protection Unit, “Recommended Practices for Protecting the Confidentiality of Social Security Numbers,
- California College and University Social Security Task Force, "The Use of Social Security Numbers in California Colleges and Universities: A Report to the California State Senate and Assembly Judiciary Committees and to the California Office of Privacy Protection" (July 2010)
- Social Security Administration, “Historical Information: Social Security Numbers”
- Federal Trade Commission. "Security in Numbers -- SSNs and ID Theft" (December 2008). An FTC report recommending five measures to help prevent SSNs from being used for identity theft.
- Many universities have established SSN usage policies and have adopted ID numbers other than the SSN.
- U.S. General Accounting Office, "Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain"
Browse Privacy Topics
Background Checks & Workplace
Banking & Finance
Credit & Credit Reports
Harassment & Stalking
Identity Theft & Data Breaches
Online Privacy & Technology
Privacy When You Shop
Public Records & Info Brokers
Social Security Numbers
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.