Analysis

Social Security’s Perilous Plan for Its Future

The Social Security Administration (SSA) is developing a plan of action for the next ten years. The conventional wisdom is that the next decade for SSA will feature a smaller workforce, fewer field offices, and more Internet-based customer service.

Achieving the latter will require the agency to rely more on contractors. One company that will figure prominently in SSA’s future is Experian, an information services company best known as one of the “Big Three” credit reporting agencies.

The Social Security Administration contracted with Experian in 2012 to provide identity proofing and fraud prevention for My Social Security (My SSA), an online portal through which the public has 24/7 access to their earnings and benefits statements and various customer services. SSA provides Experian with identifying information for social security number holders—last name, first name, date of birth, address, and phone number. When you go to My SSA to open an account, you are redirected to an Experian site to verify your identity. Once you successfully answer a few questions based on information Experian maintains in your credit report, you are directed back to the My SSA site to continue the registration process. According to SSA, more than 14 million people have established a personalized My SSA account.

SSA’s choice of Experian to perform this function is troubling. The company has a history of cybersecurity breaches and consumer law violations. Right now, Experian is dealing with major fallout from an incident in which a subsidiary, Court Ventures, sold the personal information of hundreds of thousands of Americans to an international identity theft ring. Experian purchased Court Ventures after the fraud scheme began, but the illegality continued for several months after the acquisition. The FBI and Secret Service are investigating the incident.

Experian Senior Vice President Tom Hadley admitted at a Senate hearing last year that Experian failed to detect the scam while conducting pre-acquisition due diligence. “During the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident,” Hadley testified at the hearing.

Experian seems to be a particularly enticing target for hackers. The New Hampshire Attorney General’s security breach notifications website shows that Experian has reported 22 breaches since 2010, while the other two major credit reporting agencies—TransUnion and Equifax—reported only 2 and 3, respectively. Experian is faring even worse in Maryland, where it has reported 78 information security breaches since 2008, compared to zero for TransUnion and 5 for Equifax.

Experian and its subsidiaries have also been penalized over the years by the Federal Trade Commission (FTC). In January 2000, Experian paid $1 million to settle FTC charges that it violated the Fair Credit Reporting Act by failing to maintain a toll-free number at which consumers could speak to company representatives during normal business hours. (TransUnion and Equifax were accused of the same violation and also paid settlements.) In August 2005, Experian subsidiary Consumerinfo.com paid $950,000 to settle FTC charges that it deceptively marketed free credit reports. In February 2007, Consumerinfo.com paid $300,000 for allegedly violating the August 2005 settlement agreement.

In June 2014, the State of Mississippi sued Experian alleging that errors in Experian’s credit report database are preventing millions of Americans from obtaining loans and passing job-related and government background checks. The lawsuit alleges Experian makes it extremely difficult for consumers to correct errors in their credit reports.

However, concern over SSA’s haste to move customer service to the Web goes beyond the track records of its contractors. In June 2014, the Senate Special Committee on Aging issued a report warning that SSA’s justification for closing field offices and further automating customer service was “incomplete or insufficient.” It found that SSA often failed to consider whether those affected by office closures had access to the Internet. The report cited a study by the Pew Research Center, which found astonishingly low rates of Internet usage and broadband access among the elderly, rural residents, and those of lower education and income levels.

On top of this, Pew also found more and more Americans are becoming victims of online data theft or online account hacking. Unfortunately, My SSA may be susceptible to these hazards. The Senate Special Committee on Aging found that tens of thousands of Americans have reported potentially fraudulent creation of My SSA accounts, some of which were used to redirect Social Security benefits to unauthorized bank accounts. The government’s vulnerability to online security breaches was further driven home last month when a hacker broke into the HealthCare.gov insurance enrollment site and uploaded malware.

SSA finds itself in a tough spot as it develops a strategic plan for the next ten years, which will soon be revealed to the public. The plan will almost certainly include more Web-based customer service, which will increase the agency’s dependence on contractors like Experian. The Project On Government Oversight will continue to closely watch developments at SSA.