May 25, 2017

What Does A BNC Look Like?

     From the testimony of Mariana Lacanfora, Acting Deputy Commissioner for Retirement and Disability Policy, Social Security Administration to a House Ways and Means Committee hearing yesterday on Social Security Number (SSN) usage:
We take seriously public concerns related to mailing documents that include the SSN. Therefore, in 2015, we convened an intra-agency workgroup to analyze options for removing the SSN from all agency notices. Based on our review, we concluded the best option would be to replace the SSN with the BNC — the identifier we now use on the Social Security COLA [Cost Of Living Adjustment] notice. The BNC will allow us to identify the notice and respond to inquiries quickly — just as the SSN has. As part of our IT [Information Technology] modernization efforts, we will begin to modernize communications (notices and mailings) in 2018. As we modify notices, or develop new ones, we will put only the BNC on such notices. 
In concert with CMS’ [Center for Medicare and Medicaid Services'] efforts to remove the SSN from Medicare Cards, next year we plan to replace the SSN with the BNC on benefit verifications [sic] letters, which account for approximately 11 million notices. We also plan to replace the SSN with the BNC on certain notices to appointed representatives and on Social Security post-entitlement notices, which account for approximately 2.6 million and 28 million notices, respectively.
     This may be a problem for attorneys who represent Social Security claimants. My firm often has two clients with the same name. When we receive correspondence we use the SSN to determine which client it pertains to. The client doesn't know their BNC. How can we know which client the correspondence pertains to? What if it's an award certificate for a child of a client? That won't even have the client's name on it. We already have a problem with fee payments in this situation. Is someone going to tell us the BNC?
     By the way, what does BNC stand for?

     Update: I found this in an OIG report: "The BNC is not an alternative identifier. Notices going to the same individual from different notice systems or in different years would display a different BNC." So Social Security is going to use an identifier that will be worthless to anyone other than Social Security. That takes care of the security problem but it increases the calls, that will often go unanswered, from attorney offices trying to figure out who a notice pertains to.
     By the way, are there any reported instances where a notice sent out by Social Security that contained an SSN ever actually caused someone a problem? I don't mean someone's fear that somehow, maybe, theoretically there might be a problem but a real, verified, significant problem? I've never heard of such a case. Why is Social Security doing something that will cause real problems in order to deal with an imaginary problem?

11 comments:

Margaret Kibbee said...

Protecting social security numbers is one thing, but this seems a bit much. Taking them off non-social security matters is one thing, but taking them off all notices and medicare cards is a bit much. I know my work became easier when the numbers started easing back onto notices.

Anonymous said...

Beneficiary Notice Control Number

Anonymous said...

BNC - Beneficiary Notice Control Number per http://oig.ssa.gov/sites/default/files/audit/full/pdf/A-02-13-13040.pdf

Anonymous said...

Identity theft is a problem because financial institutions link your credit record to a unique identifier and they use your SSN. Because the powers that be are incapable of preventing financial institutions of using the SSN, then limiting the ability to steal a person's SSN becomes one of the main ways to prevent identity theft. Anyone who carries their Social Security card, anyone who requires people to present their physical car, anyone who traffics in information flows that are keyed to the SSN (when they do not need to be) is making identity theft easier.

IN the present case, the risk of having the SSN intercepted and used for identity theft is a risk borne by the person whose SSN it is, not the lawyer or law firm, or hospital or school, or whomever it is that likes the convenience of the having an SSN to keep their own records.

So your convenience versus risk to the individual. No wonder the problem of identity theft is a problem that will never be solved.

ps. Mr. hall's contention is that no person has ever had their SSN stolen via communication with the Social Security Administration. HOw would he possibly know. Seems extremely unlikely to be true.

Anonymous said...

It's because Congress is pushing them to. The House just passed HR 624, which would require all agencies to remove SSNs from mailed documents w/in 5 years or state a rationale in regulation why they can't.

Anonymous said...

There has been efforts to remove SSNs from government materials since the VA laptop incident in 2006. In about 2008, SSA convened a task force in response to OMB directives to look at the SSN at SSA and amazingly came to the conclusion that the SSN exists in order to allow the agency to perform its mission, that eliminating it accordingly made little sense and came up with use of the BNC for a small number of items to meet OMB imposed goals. The point was made that the SSN was ours and existed only because we needed it and the fact that it's been misappropriated shouldn't require us to spend money to redo our systems due to that mistake but obviously it was easier to make the government change than to tell the private systems to stop using the SSN and come up with another way. So now in 2017, we end up here.

Anonymous said...

As far as proven identity theft due to someone using the SSN taken by a stolen notice, there has been none. SSA has not yet provided ID theft protection to anyone with a proven ID theft based on stolen correspondence, but has because the SSN was exposed and to not offer such would be a PR suicide action, it does if the agency was at fault in the incident. But the truth is, none of those offered ID theft protection have actually suffered ID theft. Not via the loss of an SSN on correspondence. (That could be proven if one was able to ask the company providing the service how many actual incidents they have had to remediate but that data isn't publicly available.) But public sentiment equates the mere chance of something happening to the equivalent of it happening and demands action. So ID theft protection is offered but 99% of it is never used. That is the reality of it. But the PR fallout requires all this activity take place and money be spent because there is no backbone to tell industry to find a new identifier.

Anonymous said...

10:32

In very few cases of identity theft would the victim ever know how and when their identity was stolen. Most perpetrators are never caught and the possible ways one can steal an identity are too numerous to count, in part because of the widespread use of the SSN as a link to credit and as a convenient way of record keeping by lots of public and private entities who in no way actually need to use the SSN in particular.

The conclusion that SSNs have never been stolen off of material that SSA itself distributed, because no one has requested ID protection is the strangest kind of logic. I get a notice. I throw it in the trash. Someone goes through community trash looking for bank statements, voided checks, SSA notices whatever is useful to their criminal enterprise. You would never ever know.

If a law firm is really worried that they can;t tell who a notice is for because they have two clients with identical names, they could just call up SSA and ask, is this notice for person A with birth date MM-DD-YY? Problem solved. At most you would simply nedthe last 4 digits. Again, problem solved.

Anonymous said...

By the theory that someone could go through the trash and use the data to steal an identity is on par with a meteor could land on my home and kill me kind of thinking. Sure it could. But that kind of thinking ignores the real world and context. In reality, there are much easier ways to do this. Given that the basic ID data of most Americans has been being sold on black market web sites in eastern Europe for years further dilutes the premise. The point is that one could eliminate the SSN on notices completely at whatever expense it takes but as long as the SSN is used as a defacto identifier that opens up bank doors and credit, the "safety" that action provides is negligible. This kind of thinking also ignores the reality that the problem isn't the SSN on notices, but the defacto national ID that it has become. If one wants to stop ID theft, the banks and credit cards and cops and everyone else needs to work out a way to identify people for business purposes that has better security than the SSN. And it's doable, it'll just cost a few billion from the folks making mega-billions on finance. Otherwise, this is just all grandstanding and posturing, spending limited resources for an even more limited result.

Anonymous said...

Prior to the 90's no one ever asked for SSN's. We were told it was illegal to be used as an ID and not give out to anyone. So what changed when everyone got and used the SSN as an ID number, Prior to this insanity, businesses would assign a number of their own and that is what should have been done right along. But another phenomena was the employers stating that employees files were stolen that were in boxes or via computer's and then the employees suffered ID theft. Employers HR has all of those records and to be honest, when losing those employees files opens the doors to ID theft for more than one reason.

Anonymous said...

Just wait till they change every single existing and future Medicare number away from the SSN to the new number. Three wont be ANY problems with that little project!