Dear Mr. Astrue:
An April 8, 2011 Associated Press article, "Social Security Stopping Mailed Earning Statements," reported that the Social Security Administration (SSA) will no longer mail earning statements to those Americans who pay into the Social Security system. As you know, since October 1995, eligible individuals 60 years of age or older have been receiving annual earning statements by mail, and individuals age 25 or older have been receiving annual earnings statements by mail since October 1999. We understand that there has been a significant increase in the number of Americans who are using the Internet, but we would also like to note that there are still a large number of Americans who do not have Internet access and may have problems getting their earnings statements online.
As Co-Chairmen of the Bi-Partisan Privacy Caucus, we are deeply concerned about the proposed changes in the delivery method of such sensitive private information. Our concerns are heightened by evidence of an inadequate response to a serious security breach at the Social Security Administration: the leaking of personally identifiable information (PII) through the Death Master File (DMF). In a March 2011 follow-up report titled, "Follow-up: Personally Identifiable Information Made Available to the General Public via the Death Master File," the SSA Inspector General reported that a total of 63,587 individuals had their PII inadvertently exposed by SSA from July 2006 through April 2010. The SSA Inspector General also reported that "SSA continued to publish the Death Master File with the knowledge its contents included the personally identifiable information of living number holders."
We are concerned about these past problems and SSA's future plans as described in the article referenced above. Accordingly, we request responses to the questions that follow.
1. The AP article states that some individuals already access Social Security account statements via the Social Security Administration website. What information must an eligible American provide in order to view an online statement?
2. How does the Social Security Administration currently protect information collected and transmitted during this process?
3. Does the Social Security Administration intend to provide additional protections moving forward? If so, what protections will be provided, and on
4. As the Social Security Administration implements its plans to move statements online, will it apply the recommendations made by the Inspector General in its report regarding the DMF breach? If yes, how? If no, why not?
5. The Social Security Administration website is only one potential point of risk. Americans could risk their privacy any number of ways while trying to access a statement (use of a compromised public computer, data capture by previously planted spyware, etc.). How will the Social Security Administration help Americans protect their data?
6. Section 1143 of the Social Security Act mandates that a statement be delivered on an annual basis to each eligible individual. If there are individuals who do not desire to use the new online method, will there be an option to "opt out"?
7. When moving to an online system for earning statements, what are SSA's methods for ensuring a smooth transition? Is SSA planning to move everyone to a new system at once or gradually? How does SSA plan to inform everyone of the change?
8. How does the Social Security Administration plan to inform eligible Americans of any changes it makes as part of this process?
9. What has SSA done to close the security gaps in its management of the DMF that were identified by the Inspector General's report?
10. In SSA's current efforts to prevent any security breaches that could arise due to moving earning statements online, what kind of security measures are being used to prevent a breach in PII during the transition?
Thank you for your attention to this request. We ask that you please provide us with a response to these questions within 15 business days or no later than July 14, 2011. If you have questions, please have a member of your staff contact Mr. Emmanual Guillory on Rep. Barton's staff at 202-225-2002 or Mr. Mark Bayer in Rep. Markey's office at 202-225-2836.
Congressional Bi-Partisan Privacy Caucus