The government doesn’t care if a child’s Social Security number is used for fraud—even before they’re born
If the U.S. government became aware that a child’s identity was used in fraud, one would assume they would tell parents and report it to law enforcement. A reasonable person would also think that when issuing new Social Security numbers (SSNs) to children, the Social Security Administration (SSA) would check to make sure that nobody has already used them for fraud. However, a reasonable person would be wrong in all instances. Congress should step in to address this and move decisively to protect children.
History of SSN Use
Until recent history, SSNs were sometimes used as regularly as names. A Virginia Tech class of 1983 brochure advertised that class rings would be engraved with the graduate’s name and city and state or SSN, and, as late as 1991, the brochure still advertised SSN engravings as an option. Military dog tags also included SSNs until 2015, and service members even put their SSNs on their laundry bags in Iraq.
SSNs were only randomized a little over a decade ago. Until then, the first three digits related to the person’s location, the next two related to a narrower geographic area, and the last four were used to identify the individual. This system was far less secure, particularly when people were regularly asked for “the last four digits of your social.”
At their inception in the late 1930s, SSNs were not designed to be secure or used broadly for security reasons. Originally, the purpose of the number was to keep track of Social Security retirement payments. A name wasn’t enough because some people shared the same name. Since then, their use has greatly expanded beyond the original purpose.
Regardless, government and private entities now use SSNs almost in a cavalier manner for a variety of reasons. And this cavalier use of SSNs has created problems for many Americans, especially children, whose SSNs are requested casually without regard to the increased risk of theft or misuse that it inherently creates. It’s long past time for the government to treat this important identifier as a critical element of every American’s identity and take basic actions to keep SSNs secure.
Government Negligence and Abdication of Responsibility to Protect Children
More than half of all possible SSNs have been assigned to people. That means that even if a bad actor generates a random SSN, there is more than a 50-50 chance that it belongs to someone. And bad actors commonly use SSNs with a name that does not correspond to it. Moreover, because the SSA does not check SSNs before assigning them to newborns, it could easily assign a number that already has a history of arrests and financial problems. Two areas that highlight the extent of fraudulent use of children’s SSNs are IRS tax accounts and the foster care system.
Income Tax-Related Identity Fraud
A 2020 report by the Treasury Inspector General for Tax Administration revealed that the IRS failed to identify parents and guardians of 133,864 children and other dependents who were possible victims of identity theft related to tax accounts/employment. Not only is alerting parents a logical step for the IRS to take, but the Taxpayer First Act was signed into law in 2019 and requires that the IRS “notify taxpayers of suspected identity theft.” According to the 2020 report, “[t]he IRS’s unwillingness to take any action in an effort to notify parents or legal guardians is problematic because of the impact and damage that theft of a child’s identity can have on future credit and employment history.” Of course, one would expect that a federal government agency that routinely pursues the prosecution of criminal activity would, at a minimum, report these acts of fraud to the U.S. Department of Justice, state law enforcement, or someone, but the 2020 report suggests otherwise.
The Inspector General recommended that the IRS fix this problem, but the IRS said it would not do so. The IRS explained that it notifies victims of employment-related identity theft only if the victim has an active tax account, and children do not have active tax accounts. The Inspector General replied to the IRS that “[w]ithout notification, parents and legal guardians cannot take the same proactive steps the IRS suggests when an adult’s [taxpayer identification number] is identified as being used to fraudulently obtain employment.” Hope of the IRS doing its job here as required by law is dim. In fact, the IRS also failed to notify 198,213 adult victims without tax accounts of fraudulent use of their SSNs. This task is more difficult because the IRS does not have these individuals’ contact information, but that does not mean that attempts should not be made to try to reach the victims. Finally, the IRS stopped alerting the heirs of deceased individuals whose SSNs were being used fraudulently because it upset the heirs, and the Inspector General recommended that the IRS resume informing heirs in these circumstances.
A 2023 report by the National Taxpayer Advocate noted that even when taxpayers come to the IRS for help when they believe they are victims of identity theft, they face “unconscionable” delays. “During FY 2023, the IRS took an average of about 19 months to resolve self-reported identity theft cases and send refunds to the affected taxpayers,” the report noted. It also revealed that the IRS ended the year with “an inventory of about 484,000 of these cases” and that a majority of these victims tend to have very low incomes—of those whose identity theft cases were resolved, 69 percent “had adjusted gross incomes at or below 250 percent of the Federal Poverty Level.”
Identity Fraud in the Foster Care System
SSN-based identity theft is also prevalent in America’s foster care system. Because so many adults have access to the most sensitive information of youth in foster care, these children tend to have a higher risk of being victims of fraud. A 2013 SSA Office of the Inspector General report found that 4 percent of children “had wage items in SSA’s Earnings Suspense File,” and 5 percent had credit files “that contained evidence that someone may have used their SSNs for credit or other purposes.” Moreover, this now-outdated and very narrowly focused audit likely underreported the issue. After the Equifax data breach in 2017, fully one-half of all U.S. households were believed to have a risk of identity theft. At any given time there are roughly 400,000 children in foster care. Thus, after the Equifax breach, at least half of those children would be potential victims.
Sadly, sometimes the state taps into a child’s account to capture Social Security benefits for which the child may be eligible if they are disabled or orphaned and uses it to offset the foster care costs that the state is obligated to pay or bolster the general government budget. Some minors who age out of the system fall into poverty, which could possibly be avoided if the government did not steal their money.
Recommendations
There are a few obvious next steps that we recommend Congress take to safeguard children’s SSNs.
First, Congress should mandate that the SSA check all SSNs before issuing them to ensure that the number has not been used for fraud. If an SSN is determined to be “hot,” it should not be issued.
Second, Congress should consider requiring the SSA to lock minors’ credit files when SSNs are issued as well as establish policies that allow identity-monitoring services the opportunity to compete, flourish, and improve. The government should not usurp this duty itself and reduce competition. When the SSA sends children’s Social Security cards to parents/caretakers, it should provide instructions for unlocking these credit files in the future as well as a recommendation to regularly monitor the minor’s credit file. Unfortunately, in the case of foster care, foster parents do not have the authority to lock or unlock their foster children’s files. Only the state or county can do so.
Third, Congress should revise law to ensure that the IRS notifies parents and guardians, as well as law enforcement—to the degree possible—when their dependents are victims of tax-account-related identity theft. Importantly, this should not be limited to a single notification; parents should be notified of every instance of known identity theft. If the IRS fails to do this, there should be consequences for the organization. Congress should also establish oversight to ensure that the IRS meets this obligation.
Finally, states’ access to children’s SSNs should be strictly limited, and it should be unlawful for the government to access and misuse the Social Security funds of children in the foster care system. According to AP News, “[m]ore than a dozen states have made at least some sort of revisions to the practice since Maryland became the first to do so in 2018.” This is good news, but every state should explicitly prohibit this practice and conduct oversight to ensure that it does not continue to happen.
There is no excuse for the U.S. government to continue to ignore the severe risk that SSN fraud has on children’s identities and financial futures. Taking these basic actions will help the next generation avoid a future of financial and emotional distress.