Skip to main content

tv   House Hearing Focuses on ID Protection Efforts  CSPAN  May 26, 2017 1:55pm-3:32pm EDT

1:55 pm
deeply to either the bronx, new york for cities. i moved to chicago and atlanta d.c. and all these things come to think blue mind about ferguson was like viciousness valley 20,000 people. it's totally, it's between northern edge of st. louis and like the suburbs. you just try through it. it looks like anywhere. it's just strip malls and parking lots and houses and the idea that what i express there was like the level of exploitation and the level of racial oppression and friction, the level of the invasiveness of policing, the intensity of the humiliation. all of that in this place that was heretofore anonymous. something about that blew my mind. >> watch sunday night at 9 p.m. eastern on c-span2's booktv.
1:56 pm
>> next, hearing examines race -- ways to prevent identity theft by social security numbers. held by two house subcommittees, this is one hour and a half. >> good afternoon and welcome to today's hearing on the federal governments use of social security numbers. unfortunately, chairman sam johnson was unable to be here with us today to discuss one of his favorite topics, ending the unnecessary use of social security numbers. i know everyone here joins me in wishing chairman johnson a speedy recovery. i would like to welcome chairman heard of the oversight and government reform committees, i.t. subcommittee at all of the i.t. subcommittee members joining us in ways and means committee hearing room today. back in 1936 when social
1:57 pm
security began issuing salsa skidding numbers, they were only used to track earnings and administer the social security program. back then it wasn't much thought about keeping your number a secret, but today social security numbers are the key to the kingdom for identity thieves. social security and identity security experts make a point of telling americans how important it is to protect their numbers. social security numbers are valuable targets for identity theft because of their regular use by both federal government and private sector as a unique identifier, especially by the financial industry. time and again we are reminded to protect our social security cards in order to avoid identity theft and to be careful with what documents we threw away in the trash. our salsa skidding numbers are connected to so many personal aspects of our lives, from our
1:58 pm
social security benefits and finances to our medical histories and art education. but in recent years privacy concern have become more and more critical. when i was in law school back in the dark ages, our grades used to be posted on the wall to keep secret whose grades they were by social security number. of course they were posted alphabetically. [laughing] so wasn't that hard to figure out who's was whose. in fact, one of my very good friends in moscow's last name was ziglar and he was the smartest guy in the class and always made an a and blue the kurds of everybody just gave him a hard time, i do salsa skidding number was always the one at the bottom of the list. and kill not long ago i could probably recite to you his social security number. while colleges and universities have since changed their ways, the federal government has yet to fully catch up.
1:59 pm
just over ten years ago under president bush's leadership, the office of management and budget issued a memorandum for the safeguarding of personally identifiable information, including the social security number. the memo called for federal departments and agencies to reduce or replace the use of social security numbers across the federal government. .. and what it should to make sure when social security numbers are used and collected, they are kept safe . the office of personnel management pack in 2015 is an example of what happens when the federal government collects social security
2:00 pm
numbers butdoes not keep them safe . that negligence comes with a cost to both the affected individuals and the taxpayers. the american people rightly deserve and expect that the federal government protect their social security numbers and only uses them when necessary. i thank all our witnesses for being your, i look forward to hearing from you about how your agencies are working to tackle this challenge and what more needs to be done. i now recognize mister larson for his opening statement thank you mister chairman and we join with you and wishing our dear friend and colleague sam johnson a speedy recovery. and we would like to add how fortunate we are on the ways and means committee to have two iconic american heroes serving on the same committee
2:01 pm
. when you think about sam johnson and his service to this country, and all that he endured, on behalf of this nation, nearly beaten to death by the vietcong, and then you think of john lewis and all he endured in this country, nearly to death in his own country. so we have these two iconic legends and i'm so proud to serve with sand and was happy to that he asked me to introduce with him the social security must of her identity loss and or hr 1513 that requires social security administration to remove beneficiary social security numbers from mailed notices. and mister johnson is i think everybody on the committee knows such an incredible gentleman. we also have taken every
2:02 pm
opportunity in the subcommittee to renew a request a, that i hope the committee will travel to plano texas for that and that we have an opportunity to inasmuch as mister johnson has indicated this is his last term, to have a meeting there in plano texas that would honor mister johnson and the committee on this particular topic area that he so vitally concerned about. i also want to recognize german hurd who is with us and the lead democrat robert kelly for being here. our meeting room as well. since 2000 1400s of millions of americans have lost their personally identifying
2:03 pm
information including their social security numbers to large-scale cyber attack. the number was originally created in 1936 for the purpose of running the nations new social security system. however, its usefulness as a unique governmental identifier has made it near ubiquitous across government and the private sector. today, social security administration has not suffered any large-scale data breach ongoing vigilance is needed including support for updating and modernizing social security administration it structure. altogether social security administration has been able to remove the nine digit ssn from about one third of the mailing it sends out, moving forward they have committed to removing them from the remaining notices wherever they revise the notice. this requires computer upgrades. the severe constraints on social security administration's budget however are preventing the
2:04 pm
agency from removing numbers from all notices right away. as they estimated it would cost 14 million to do so immediately rather than piecemeal. more alarmingly, since 2010 the number of beneficiaries has grown by 13 percent as the baby boomers and to retirement but social security's operating budget has fallen by more than 10 percent in that same period. social security administration simply cannot serve more and more people with less and less money each year. social security administration has already been struggling to serve as beneficiaries at the level they deserve. my constituents are experiencing multi-year wait times on disability appeals and hearings. their phone calls are going unanswered. they faced delays in collecting errors in their benefits and payments. to make matters worse, the
2:05 pm
president's fiscal year 2018 budget released today also attacks social security benefits for those with disabilities as much as $70 billion over 10 years and mister chairman i would like to submit for the record the 13 times that donald trump promisednot to cut social security and medicare and medicaid . president trump has promised repeatedly and explicitly throughout the campaign not to cut social security or medicare . this broken promise should be especially alarming to millions of people who voted for the president who spent their working lives paying premiums into the system believing those benefits would be there for them in retirement and should, or should they become disabled. bottom line is this. social security is the nations insurance program. it is not an entitlement.
2:06 pm
it is the insurance that individuals have paid for throughout a lifetime. the problems with social security at its core, this issue we are taking up today especially as it relates to theft is vitally important to protect people's identity but equally important in the responsibility of this committee is its actuarial soundness. this is the most efficient government operated program in the history of the nation. ask any private-sector insurance company if they could have a 99 percent loss ratio. they would die for that. and there is no product on the open market where you could produce old age and survivors benefits, disability and a pension plan and survivors benefits. that is the uniqueness of social security. that is why it is america's insurance plan that our citizens have paid for. this is not an entitlement.
2:07 pm
and will continue to make that point and i hope later this year, mister chairman and mister johnson has been very gracious about saying that we will get an opportunity to have hearings on our bills that will look at expanding and making solvent well into the next century social security for all of its american citizens. >> it's the nations insurance program. >> thank you, i now recognize mister hurd for his opening statement thank you mister chairman. two years plus i've been in congress i've learned one thing and that americans expect the federal government to protect their personal information. sadly is evidenced by the data breach that's affected more than 20 million people, this is not the case. american people deserve better from their government. stolen, we know social security numbers can use to perpetuate identity theft or worse. we never know what a piece of information the bad actors
2:08 pm
need to achieve their goals that they are looking to steal money or threaten the security of our nation. the oversight committee held a hearing on the irs data breach where bad actors act into the department of education's income information from my financial aid application and use that information to file fraudulent tax returns with the irs. all the agencies that came before us today attain a wealth of information on americans, particularly social security numbers. it's essential that we reduce the use of social security numbers on printed forms and electronically in transition. in fact, tomorrow the house is scheduled to consider representative about details social security fraud prevention act of 2016 which was passed on voice boot and prohibits agencies from sending numbers by mail unless the head of the agency teams it necessary. >> social security administration has over hundred 75 million wage earners and record on pretty
2:09 pm
much everybody living and dead. and a treasure trove of information. the veterans administration has held records on 8 million veterans and their families. i can imagine few of the records as infinite as an individual's record. the va currently uses social security numbers as a patient identifier, protecting these numbers is critically important for all americans given that social security numbers are frequently exchanged with our most at risk members of society such as seniors, veterans. we must take up most caution to prevent the risk of exposure for these populations. on the recommendations that came out of the committee's investigation of the opm breach was that agencies reduce their use of social security numbers in order to mitigate the use of threats. these agencies undertake this transition, it's essential they rethink how they use, collect and store social security numbers. and indeed, all pieces of personal information they collect.
2:10 pm
i'm proud to be here with my colleagues in the oversight committee as well as my colleagues on the ways and means committee in this important joint hearing to examine what's working and what we can do better. i hope we learn more about what efforts the federal government is taking to reduce its correction, use and storage of numbers and thank you for being here today and i look forward to hearing from our witnesses. >> thank you, and i now recognize mister kaylee for her opening statement. >> thank you chairman and ranking member larson holding this hearing. originally created to track the earnings of individuals and to determine eligibility for social security benefits, the social security number has become the principal method used to verify an individual's identity. as a proliferation of their use poses challenges to data security and identity theft protection. in 2007 when the office of management and budget recognized that reducing the use of social security numbers that agencies could reduce the risk of identity theft, 10 years ago this week
2:11 pm
omb issued a memorandum directing agencies to reduce their use of social security numbers by examining where their collection was unnecessary and creating plans to end such collection within 18 months. now on the 10 year anniversary of the guidance, we have the opportunity to examine the challenges that have signed the agency's efforts while learning from those agencies who have success in their initiatives. the social security administration no longer prints social security numbers on statements cost-of-living notices or benefit checks. centers for medicare and medicaid services is in the middle of efforts to remove numbers from all medicare cards by april 2019. likewise the department of veterans affairs has ceased printing social security numbers on prescription bottles, certain forms and correspondence, and is working to find an alternate means of identification that
2:12 pm
will maintain patient safety while reducing the visibility of social security numbers from patient wristbands. these concrete steps represent real progress and i commend agencies on their work so far. but barriers that still exist to fall implementation of omb guidance, one of those barriers is that it lacks strong coordinated approach from omb itself. gao found the 2007 memorandum did not define a necessary use, nor did it outline requirements at this timeline for performance goals. >> as a result, many agencies were vague and subject to varied interpretation over the years. >> additionally omb did not require agencies to update their inventories of social security number collection points, making it difficult to determine whether agencies were actually reducing collection in use. omb must provide clear direction to agencies and strengthen its monitoring compliance. >> in addition to poor coordination by omb, federal efforts to reduce social security numbers used have faced other challenges. agencies of statutorily and
2:13 pm
legally required to collect social security numbers of identity verification. and the numbers program and social security numbers remain the standard for identity verification across government programs. >> opm briefly took steps to address this issue by working to create an alternate identifier in 2008 and again in 2015. however a lack of approved funding prevented these efforts from going forward until congress refunds the requirements mandating social security number collection and alternate governmentwide identifier is created, significant reductions in social security numbers use seem unlikely. outdated legacy it systems also cause agencies struggle to attain their reduction goals. agency did not have the funds to replace these systems and start anew. this subcommittee has spoken at length about the need to update the federal government's it infrastructure and we must put our money where our mouth is. i'm concerned that
2:14 pm
across-the-board budget and personnel cuts proposed by the trumpet administration will take us in the opposite direction and make it harder to accomplish our social security number reduction goals. i hope my colleagues will keep this in the need to protect americans from identity theft in mind as we discussed this fiscal year 2018 budget proposal. >> i look forward to hearing from our witnesses and ideal back the balance of my time. >>. >> thank you. as is customary any members welcome to submit a statement for the hearing record. >> before we move on to our testimony today. i want to remind our witnesses, please limit their oral statements to five minutes. however, without a collection, all of the written testimony will be made part of the hearing record. >> we have five witnesses today.seated at the table are gregory will house in, director of information security issues, government accountability office. marianna locke and for all, acting deputy commissioner
2:15 pm
office of retirement and disability policy, social security administration. david drew brees, chief information officer, office of personnel management. and karen jackson, deputy chief operating officer, centers for medicare and medicaid services. finally, john oswald, executive director for privacy, office of information and technology. department of veterans affairs. welcome to all, welcome to you all and thank you for being here. pursuant to the committee on oversight and government reform rules, all witnesses will be sworn in before they testify. please rise and raise your right hand. >> the do you solemnly swear or affirm that the testimony you are about to give will be the truth, whole truth and nothing but the truth, so help me god. >> please be seated. >> mister will heusen,
2:16 pm
welcome and thanks for being here. please proceed. i butchered your name, i'm sorry. >> you did perfect, thank you. chairman rice and hurd, ranking members larson and kelly and members of the subcommittee, thanks for inviting me to testify on executive branch efforts to reduce the unnecessary use of social security numbers. my statement is based on a draft report on federal efforts to reduce the collection, use and display of these numbers. we are providing a draft report of 25 agency for comments. we anticipate issuing the final report to you later this summer after we receive agency comments. >> before i begin, if i may, i'd like to recognize members of my team were instrumental in developing my statement. or performing the work under any. >> with me is johnny depp or
2:17 pm
ari, i'm marisol cruz to let this work and quite darcy. >> in addition, andrew mays, shoney's wallace, dave kloke, priscilla smith and scott pettis, made significant contributions. >> beginning in 2007, opm, omb and the social security administration under several actions aimed at reducing or eliminating the unnecessary collection use and display of social security numbers on a governmentwide basis. however, these actions had limited success. opm issued guidance to agencies and acted to eliminate or masked social security numbers on personnel forms used through the federal government. >> also promulgated a draft regulation to limit federal collection use and display of social security numbers or with through the proposed
2:18 pm
rule because no alternate federal employee identifier was available. that would provide the same utility. >> in 2007, omb required agencies to establish plans or eliminating the unnecessary collection and use of social security numbers. omb also began a requiring agency recording on reduction efforts as part of its annual reporting 2007, the social security administration developed an online clearinghouse on agencies best practices for minimizing the use and display of social security numbers. however, this clearinghouse is no longer available. >> the individual agency level, each of the 24 cfo act agencies reported taking a variety of steps to reduce the collection use and display of social security numbers. these steps included developing and using alternate identifiers, masking truncating or blocking the display of these numbers on a printed form, correspondence and computer screens.
2:19 pm
and altering email to prevent transmittal of unencrypted numbers. >> however, agency officials noted that social security numbers cannot be completely eliminated from federal it solutions and records in part because no other identifier offers the standard universal awareness and applicability. they identified three other challenges. first, federal statutes and regulations require collection and use of social security numbers, interaction through other federal agencies and external entities require the use of the number. and a third challenge pertained to technological hurdles that can slow, replacement of the numbers of information systems. reduction efforts from the executive branch have often been limited by more readily addressable shortcomings. >> lack of direction from omb, many agencies reduction plans did not include the elements such as time frames
2:20 pm
or performance indicators. calling into question the plans utility. in addition, omb has not required agencies to maintain up-to-date inventories of social security number collections and has not established criteria for determining when the number use or display is unnecessary. leading to inconsistent determinations and definitions across the agencies. omb has also not ensured that all agencies have submitted up-to-date progress reports and has not established performance metrics to measure and monitor agencies efforts. accordingly in our draft report, we are making five recommendations to omb to address these shortcomings. until omb and agencies adopt better and more consistent practices, the reduction efforts will likely remain limited and difficult to measure. moreover, the risk of social security numbers being exposed and used to commit identity theft will remain
2:21 pm
greater than it need be. chairman rice, chairman hearts, ranking members larson and kelly, this concludes my statement. i'd be happy to answer your questions. >> thank you sir.this is lot 10 for, please proceed. >> acting chairman rice, chairman hurd, ranking member kelly and members of the subcommittee, thank you for inviting me to discuss the history of the social security number, how the administration uses it to administer his programs and efforts to reduce the numbers used. i'm mariana locke and for all, commissioner for retirement and disability policy. through the rich history surrounding the social security number. those responsible for implementing the program understood that crediting earnings to the correct
2:22 pm
individual would be critical to the programs success. names alone would not ensure accurate reporting. accordingly in 1936 we decide a nine digit ssn and ssn card to allow employers to report over 80 years since the program's inception we have issued around 500 million unique numbers to eligible individuals. the ssn continues to be essential to how we maintain records. without it we cannot carry out our mission. however, the ssn and the ssn card were not intended nor do they serve as identification. we encourage other agencies and the public to minimize their use. we provide electronic verification of assistance to our federal and state partners to prevent improper payments. in 2016, we performed over 2 billion automated ssn verifications. although we created the ssn, its use is increased dramatically by other entities over time. in 1943 executive order required federal agencies to
2:23 pm
use the ssn. advances in computer technology and data processing in the 1960s further increase the use of the number. congress also enacted legislation requiring the number for a variety of federal programs. use of the ssn brew not in the federal government but through state and local governments to banks, credit bureaus, hospitals, educational institutions and other parts of the private sector. as use of the ssn has become more pervasive so have the opportunity for misuse. we have taken measures to protect the integrity of the ssn. in 2001, we removed the fall ssn from two of our largest mailings, the social security statement and the social security cost-of-living adjustment notice. >> these notices account for about a third of the roughly 352 million notices that we send out each year. >> in 2007, omb issued a memo requiring agencies to review
2:24 pm
their use of the ssn and identify unnecessary use of the number. >> we recognize that although we need the ssn to administer our programs, we could and did refine all our personnel processes to reduce reliance on the number. >> still, we recognize we need to do more. two thirds of our notices have the social security number. >> notice infrastructure is complex. about 60 different applications generate notices and every notice is created to respond to an individual's unique circumstances. nevertheless, we are committed to replacing the ssn with a back beneficiary notice code or bnc as we modify existing notices or create new ones. the bnc is a secure 13 character alphanumeric code that helps our employees identify the notice and the
2:25 pm
beneficiary and respond to inquiries quickly.we initially developed the bnc for use in the social security cost-of-living adjustment notice. >> additionally, next year we will replace the ssn with bnc on benefit verification letters, as well as appointed representative and social security post entitlement notices. >> together, these mailings account for 42 million annual notices. >> we takegreat care to protect the integrity of the ssn and the personal information of thepublic we serve. thank you for the opportunity to describe our efforts , i'd be happy to answer any questions. >> thank you , mister devries, thanks for being here, please proceed. >> chairman hurd, ranking member larson and kelly and members of the subcommittee. thank you for the opportunity to appear before you today to represent the office of personnel management with respect to reducing use of social security numbers as a personal identifier. >> the 1962 the civil service commission adopted the ssn to
2:26 pm
identify federal employees. over time the ssn became universal to almost every piece of paper or digital form. in a federal employee's official personnel file. it became a de facto personal was used for reviewing personal actions record training, request health benefits and for other purposes. 2007 opm issued guidance to federal agencies to develop effective measures for use in safeguarding a federal employee as an ssn. >> the intent of these measures was to minimize the risk of identity and fraud in two ways. >> one by limiting the unnecessary use of ssn as identifier, and by strengthening the protection of personal information including ssn's from loss. >> examples of the measures that we recommended were eliminating the unnecessary printing display of the social security number on
2:27 pm
forms, reports and computer displays and restricting access to the ssn to those individuals who have a need to know and were notified of their additional responsibilities. >> we also included privacy and confidentiality statements to go along with the 11 and we finally came up with how you mask or take the social security numbers out of forms. >> intern, the opm we examined our internal policies with respect to use of ssn and issued an addendum to our privacy policy. the updated policy identifies social uses of the ssn, describes how the authorized use will be documented and presented alternatives. this policy addendum notes that exceptional use of the ssn are only those provided by law, executive order required interrupting ability with organizations outside opm who are required by operation to achieve agency mission. for example, the ssn is a single identifier that is consistent across the security investigation process. and maybe necessary to
2:28 pm
complete an individual's background investigation. but it is not protected in transit and storage. >> opm has taken efforts to reduce the use of it since issuing the 2012 policy. modifying the jobs and tracking systems so that neither collects ssn from applicants. we also have an effort in 2016 to understand which it systems maintain ssn's and how they use those to communicate with other programs . the initial inventory was completed in september 2016 and we are now using it to validate the progress made in identifying other opportunities. >> in addition we are updating the internal 2012 policy this year. >> is difficult to completely eliminate the federal use of ssn without a government wide coordinated effort and dedicated funding. ssn's on the common element making information among agencies . opm shared service providers and benefit providers and in the fall of 2016 obm proposed the program unique identifier or uid.
2:29 pm
the initiative to reduce the use of ssn's in many government systems and programs. it uid issued exchange of information without ssn. this would be accomplished by providing alternative numbers to uniquely identify records across various programs and agencies and initial proof of concepts show potential for continued study. members of the subcommittee thank you for having me to discuss opm's role in reducing the use of ssn's and for your interest and support in this important issue. >> are federal employees and others information we hold is of paramount importance to ssn. i'd be happy to address any questions you may have. >> thank you mister devries. thank you for being here and you can proceed. >> chairman rice and hurd, ranking member larson and kelly and members of the subcommittee, thank you for this opportunity to discuss,
2:30 pm
the centers for medicaid services work to safeguard the personally identifiable information of the beneficiaries whom we serve. including our ongoing work to eliminate use of the social security number on medicare cards. this effort is an important step in protecting beneficiaries from becoming victims of identity theft. one of the fastest growing crimes in the country. identity theft can destroy lives, damaged credit ratings and result in an medical records. >> next to congressional leadership, and in particular chairman johnson will i'm sorry is not here today, and members of the ways and means committee, and based on the recommendations of our colleagues from the government accountability office, cns will eliminate the social security number based identifier on medicare cards by people 2019. as congress directed us, as part of the medicare access and authorization act of 2015. known as macro. we very much appreciate congress providing us with the resources necessary to undertake this important
2:31 pm
project. beginning in april 2018, all newly enrolled medicare beneficiaries will receive a medicare card with a new medicare beneficiary identifier known as the nbi. >> at the same time, cns will begin discrediting the new medicare cards to our current beneficiaries. his new medicare number will have the same number of characters as the current 11 social security number is, health insurance claim number known as hicken but will be visibly different and distinguishable from the. with the introduction of the nbi for the first time, cns will have the ability to terminate a medicare number and issue a new number two instances where they are a victim of identity or their medicare number has been compromised in some way.transitioning to the nbi will help beneficiaries to safeguard their personalinformation by reducing the exposure of
2:32 pm
their social security numbers . cms has already removed the social security number and types of our communications including the medicare summary notices mailed to beneficiaries on a quarterly basis. we prohibited private medicare advantage plans and medicare part d prescription drug plans from using the social security numbers on their enrollees insurance card. many wonder why cns has used an identifier based on the social security number in the first place. >> when medicare program was established in 1965 it was the social security administration will administer the program. >> while cms is now responsible for management of medicare, the social security administration still enrolls beneficiaries and both cms and the social security administration rely on interrelated systems to coordinate eligibility for medicare benefits and social security benefits. currently, healthcare providers use the info when
2:33 pm
they submit claims in order to receive payment for healthcare services. and also for supplies. and cms and its contractors use the hicken to process those claims authorized payments and issue some beneficiary communications. we are in the process of making changes to over 75 of our affected systems to replace those systems indicators with the nbi over the hicken. and we've developed the software that will generate mdis and assign them to beneficiaries. we're working with our key partners such as fsa, railroad retirement board state and territories, indian health service, department of defense, department of veterans affairs, healthcare providers and other key stakeholders. there are a lot of them to ensure beneficiaries continue to receive access to services and our partners will be able to process these nbi's. we're implementing an expensive and outreach
2:34 pm
education program for the estimated 60 million beneficiaries who will be receiving new car as well as providers for private health plans, other insurers, clearinghouses and other stakeholders. this fall we will tell medicare beneficiaries they will be receiving a new card, instruct them on when they will be receiving it and what to do with their old cards. we're working to make sure providers and other physicians and other healthcare providers are prepared to serve patients through the transition by creating information for providers both for them to update their records with the new nbi and also for them to help remind beneficiaries they need to bring their new cards with them when they see their doctors. we know other successful large-scale implementations that it helps to allow time for all stakeholders to adjust to the changes and so beginning in april 2018 when we begin to mail out the cards, cms will have a 21 month long transition period during which our systems will
2:35 pm
accept transactions both containing the nbi and also the head. proper programs we are committed to safeguarding personal information, redesigning the medicare program to remove the social security number based identifier, it's an important step for cms in helping combat identity identity theft and protect our beneficiaries. thank you for your interest in our progress today and i look forward to answeringyour questions. >> thank you ms. jackson, mister oswald, thank you for being here, you can proceed . >> that afternoon chairman rice, german hurd. ranking member larson and kelly, distinguished members of the subcommittee. thank you for the opportunity to participate in your joint hearing on social security numbers across the government mba and the steps the va is taking to find ways to reduce, eliminate social security numbers from va systems. the va's mission is to serve with compassion america's
2:36 pm
veterans and their families, this mission is contingent upon accurate and timely information being available. you are to advocate for veterans and ensure they receive the medical care benefits and social support that lasting memorials they have heard in service to our nation. ba must identify, verify and coordinate this protected information entrusted to us. the department interfaces with many federal agencies including not limited to the department of defense, social security administration, internal revenue service and department of education. the eighth primary use is threefold, one locate veterans and dependents to ensure correct identification associated with delivery of healthcare and services. identify employees for employment record keeping and free, ensure one percent accuracy in patient identification. mistaken identity in the delivery of healthcare can result in catastrophic outcomes. until such time when the
2:37 pm
comprehensive and equally accurate is established and implemented, the use of ssn's remains the best means of ensuring patient identification. in addition, ssn's must be used as required by law and identification for purposes such as background and identification, income verification and matching computer record between government agencies. elimination of the ssn use is not solely a function of information technology. this is process is used by the veterans health administration, veterans benefits administration, bba and va offices require a complete overhaul and how they establish absolute identity verification inside va and equally important, outside va. it solutions to eliminate ssn use can only occur after our integrated and comprehensive review of ssn's use and its intricate interconnectedness is complete. va recognizes the growing threat posed by identity and
2:38 pm
the impact on veterans dependents and employees. 2009, va implemented the enterprisewide social security induction effort. social security number reduction effort. the goal of the ss and r is the catalog use leading to the reduction and elimination of the ssn as the va's primary identifier while maintaining the 100 percent requirement for proper veteran identification. for example, vha has eliminated the fall ssn use on a point letters, routine correspondence and veterans health identification card. the mail out pharmacy has eliminated the ssn from prescription models and mailing labels. va has removed ssn's from several forms where such use was not deemed necessary. dda is modifying an existing contract to replace ssn'swith barcode labels on all outgoing correspondence .
2:39 pm
the completion of that effort is expected in november of this year. as va migrates away, the office of information technology is collaborating with stakeholders to continue expanding the use of the master veterans index. a registry of veterans, their beneficiaries and other eligible persons. nbi serves as the authoritative identity source within the va to generate and assign an integrated control number or icn for each veteran. the use of nbi as a unique identifier continues to expand the ultimate goal being the replacement of the ss and had a primary identifier. or are many challenges facing va regarding the elimination of unnecessary collection and use of the ssn. this includes an enterprisewide system analysis that needs to be conducted to find and identify the large volume of interface systems that va needs for clinical care and administrative functions. undertaking a robust
2:40 pm
education and training program for employees to implement any new identifier. this has already begun but it will take time tointegrate fully into our processes and acceptance by the veteran community , the change of this magnitude across the va system will require substantial outreach and education. va has made considerable progress towards eliminating the unnecessary use of ssn's and continues to reduce the use of ssn's with the goal to replace it with an alternative primary identifier. this concludes my testimony and i am prepared to answer any questions you may have, thank you. >> thank you mister oswald, we turn to questions. as is customary for each round i will limit my time to five minutes and asked my colleagues to also limit their questioning time to five minutes as well. mister oswald, i want to start with you. you were speaking of the hurdles that the va has to cross to eliminate the social security number and of course how critical it is that we make sure we identify each
2:41 pm
patient and their lives are in the balance and make sure they get the right medication and so forth so you are saying that as a replacement for the social security number, you started implementing and icn. what you didn't tell us is how long it's going to take to get that done what would be your best estimate for when you can get that done? >> the nbi which is the registry, of certain types of it has been in place in various incarnations since 1999. >> you don't use social security numbers anymore? >> we do use but it's used as the primary identifier is still in the va process. the itn is generated by all the information the nbi collects.though using that icn as a means to identify a program as their information traverses the system or you know, machines, talking to
2:42 pm
machines, that has happened to a large extent already. it's merely the ssn use is when there's a human to human interface between the commission and patient. >> you still have the numbers on the wristbands? yes, sir, we do. >> there's an effort underway on a pilot level right now. you are seeking to laminate the fall ssn. with the goalof being a clinically complete elevation and there's a barcode . >> do you have a timetable for that? >> i have to take that and provide that for the record. i'm not aware of the projects status. >> mister oswald, ms. jackson, your testimony was interesting and exciting to me. you said my 20 18th you will eliminate the social security number? you're moving at lightning speed for the federal government. you for your efforts. >> mister schweikert, you said something interesting, you have stop collecting social security numbers for applicants for employment at
2:43 pm
the federal government? >> corrects her. >> when an applicant is going to enter into or wants to come into the federal government, they go to the job site, we no longer collects that social security number at that time. >> when you collect their social security? x we collected, the agency once we match up the job applicants against the job postings to what we call usa staffing and the agency takes that referral list and to this applicant and they narrow it down and make the final selection, when they bring that person on to make them an employee offer, that's when the agency that hiring them collects it from them. >> i know they would use their social security number for tax withholdings and such. what else when they use a social security number four when they were looking to hire somebody? >> most of that is status of employment and the benefits that come with it whether it be the pay and back to the
2:44 pm
irs and social security. >> you do criminal background checks and eight any agency of the government? >> your position requires that, then when you submit in for the background, that would also be the primary use. >> and similar to what we do with the va, once it gets into the background investigation system, it's a different number and it becomes a controlling number. >> says this massive hacking that occurred several years ago, i see it implemented a lot more protections to prevent that from happening. >> yesterday. >> this is -four, amazing statistic. did i hear you that you respond, that you verified to billion requests per year, is that right? >> 2 billion verifications, yes. >> so that would be like six for every single citizen, every single person in the country. >> is worth noting more than half of those are federal and state agencies verify numbers
2:45 pm
and i can add multiple times through a yearif their processing for example an application for benefits. >> . >> omb has required agencies to eliminate the unnecessary use of social security numbers but they never defined what necessary use is. how do each of your agencies define necessary use, i'll start with you mister wilshusen. >> microphone? >> i don't know how might agency has defined social security or unnecessary use. what we did in terms of our audit of the other agencies is determined to what extent that they have identified how they use it and what we found is that 24 cfo act agency is that a number of them have not even defined what unnecessary use is. and another eight defined,
2:46 pm
didn't really have a documented or did not have a formal definition but rather compared it to facing on the judgment of the individual were making the particular assessments on social security use. >> thank you sir. mister larson? >> you mister chairman and i want to thank the witnesses again. >> would accredit government service you are. and i thank you for being here today. >> and just a couple of questions, first, it's got to be incredibly hard to operate an agency that is the largest insurer in the nation. and to do so with a 99 percent loss ratio. the envy of any private sector insurance company.
2:47 pm
kudos to you. not without its problems and complexities, one of which we are exploring here today in terms of making sure we get out after fraud and abuse and as we said many times on the committee, anyone who abuses the system , a sacred trust on to get the ultimate penalty. i'm all for strengthening anything you can do to further crackdown on this. but we've heard in your testimony today, is a couple of things that strike me. number one, your, we have a 13 percent increase overall with the baby boomers coming through the system and yet, we've had a 10 percent overall cuts in your budget. when one has to ask, how are you able to manage with these increases and the complexity of the problems that you face including hacking. >> now, listen, i'm one of those people that would also concur that you don't always cut in service if they're replaced by technology that is current.
2:48 pm
it can overcome those things but it seems to me like you're also titled with legacy it. >> that needs to be updated and improved and yet there are the resources that we funnel you to do that. >> is that a fair assessment? >>. >> you have cited some of our challenges, yes. i will mention we are embarking on an ambitious it modernization plan. we know that we cannot continue to operate the way where operating. >> when you say you're embarking on it, you have the money for it and where are we going? like a lot of the problems we are confronted with especially in the area of veterans, etc. and i noticed the wristband concerns that were brought up in terms of identification. that if we had the resources and certainly we have the technological capability, why wouldn't we protect what is
2:49 pm
the government's leading program to protect in the system citizens? >> could you, you need more money? >> i think that our budget folks are coming up to brief yourself on the 18 budget but i will say the eating budget, has the budget and stewardship as well as a of improving efficiency. the modernization plan i mentioned is something that you're looking forward to advancing. and we are considering that be an agency priority so we are going to dedicate the funding to support that, part of that will help us to modernize our communications infrastructure and remove the ssn on the remaining notices. >> is very alarming to us and i know that my colleagues on the other side of the island share this as well is that we know how vital this program is to all our citizens. we know and everyone can attest to the long waits on disability in terms of processing claims.
2:50 pm
it seems in a country as gifted as we are with it, this ought to be something that we ought to be able to solve rather easily. >> so is further frustrating when we continue to see cuts in the budget and quite alarming today when we have the president's budget as revealed with about a $70 billion in social security which to me, is unconscionable especially given the president's previous statements about preserving and saving if not expanding these benefits to keep pace actuarially where they should be from where we were in 1983 when we actually last looked at this from a business actuarial some position. i really believe that we can close a lot of these gaps with appropriate technology and assistance from the rank-and-file who i would also note according to
2:51 pm
testimony in previous hearings that frontline members in social security offices are our best line of defense against fraud and abuse and waste. and they don't get enough credit and continuing to cut the budget instead of looking at investments in both it and where we can be more efficient and successful i think is where we need to go, thank you. >> just to clarify, the present is not talking about cutting benefits, he's talking about cutting administrative costs. mister schweikert. >> thank you mister chairman. who would be the most technical of all of you? all right. i need you to work with me through something and correct me if i'm not hearing something correctly.
2:52 pm
i have a bnc, i have a uid. i have an mb hi, i have an icn. all of these all on a common registry that a derivation table that you tack in technology and you pull back and tag? >> no serve. >> in that case, forgive me and look, i've only been reading the testimony in things here but what i see is absurd. technology wise, without a common central token system, and forgive me but if you use apple pay here, apple pay does not hold your credit card number. what it does is creates a one-time use token. the token, hands-off is and back in the number reflects back .you all have it budgets, you're trying to solve a problem in many ways, i need you to walk me through. it's my fear that the problem
2:53 pm
may have gotten worse because i have a ba with one set of numbers, i have medicare with the difference numbers. i have opm with a different set and i now have social security another blind identifier. have we just made the problem much worse, at least for the customer service aspect? >> if i could, let me address that to, a limited degree here. what you heard was exactly the case, we took the one common field called nine digit social security number that grew up for decades, became ubiquitous in every form that we filled out. we said we can't show that, we've got the use of that. where it's not publicly used. >> i understand. >> we created schemas for each of these things. if i came from several years inside dod so when i became a member became a veteran at the end of that thing. i get a different number. i have a civil servant, i get a different number yet know how do we unite that?
2:54 pm
that's what we need the identification of the top to help drive, the standardization of these things and how you link them back because at the end of the day, i still need time to different benefits that come from the different various employment opportunities. >> does everyone see what i'm observing is we may be actually in our attempt to blind these numbers creating another cascade effect that's going to create a whole new level of complication and that is when my veterans happen to be working on his medicare who also is dealing with a social security dispute that maybe wanting to go back to work for the federal government at the park service and now i have a handful of different numbers. >> just off the top of my head, and i'm on the edge of my technical expertise, i could come to you now and whether it be in a distributive leisure model, but some sort of common tokenization. where i've had this number, i get the hands off and i can get a constant match. >> it wouldn't stop you all
2:55 pm
from doing what you're doing but we would have to actually build a common unifying clearing house, data system that would reflect all the numbers and hand back the one-time use token. >> but that may be a unifying solution to solve actually a number of our problems which i can actually take you all the way to socialsecurity , for an income tax credit fraud and a whole number of other things that could help on. >> and i way out of my league here from your area of expertise, am i seeing a unifying problem here? >> you are correct. >> and my opening remarks, i talked about the program, unique identifier. and the concept there was to keep the social security number as the gold place. you protect that, you surrounded what you don't bring it out and then you have program so each of these could be a unique program and they would have structures to their numbering schemes and
2:56 pm
they own numbering schemes, just like you talk about today. that year gets associated back to it. >> because medicare cards gets targeted or lost, we come a new one. it does not start the whole process. >> it would be easier if every time the use of medicare benefits.they had a card that handed out a new token but you're not going to assign the same thing where i type in to this time, unique number hands-off. >> it may be worth a conversation for those who are interested in this technology, maybe as the committee here, we need to sort of, is going to take resources but there's got to be a unified theory to make this simpler. i yield back mister chairman. >> thank you, ms. kelly. >> thank you mister chair. social security numbers have become used as a principal method of identity verification in and across agencies. however, that very fact makes
2:57 pm
them lucrative targets for identity thieves. mister will, will, susan. >> wilshusen, you testified that ssn's are risky because they can quote, connecting individuals pi and across many agencies information systems and databases, can you explain how the widespread use of social security numbers increases the risk of identity theft? >> certainly and thank you for the question. one of the reasons is that it's available and if it's not properly secured and our work on information security at the federal agencies, when we look at the examination or examine the security controls over the agencies information, we have often found the security control are not effective to the extent where they can adequately take the confidentiality integrity and availability of the information and so at those agencies, so by having a store of social security numbers in a particular
2:58 pm
agency and if it's not adequately protected, that information can be used not only for that agency but can be used as an identifier for the individual at other agencies and indeed in the private sector as well. so just last year in fiscal year 2016, agencies reported about 8300 incidences involving pii to the us search, for fiscal year 16. so it's a present problem. >> how the use of such an alternate identifier reduce the risk of identity theft. >>. >> for one, it may limit the extent to which an alternative id may be used to identify that individual with other databases and other entities. so it's an opportunity to limit the extent that that identifier can be used across various different organizations. >> and you talked about in
2:59 pm
your testimony, no such identifier was available. can you expound on that? >> that one that's not universally as accepted. and applicable, as the social security number. we did report that in certain instances at certain organizations including dod and vha, where they start to use an alternate identifier other than social security numbers to provide for their members and that the required one. >>. >> and despite opm's failure to implement an alternate in 2008, the agency proposed the program unique identifier initiative in 2015 to provide an alternate alternative way to identify records in government systems. mister schweikert, is that correct and can you elaborate? >>: last forever question?
3:00 pm
>> i asked about the proposed program unique identifier initiative in 2015 to provide an alternate way and identify records in government systems and can you elaborate? >> again, going back to from a program perspective can you define the program as being a functional area of interest so let's say a cms, da, dod and other ones, there are benefits and other things that must get reported and attributed back to the individual. when i was born i got a social security number, i worked as a teenager, went to college, started the workforce andalong the way i through these benefits but each one gets recorded in their own way. the light uniting and going what we talked about before with a letter that says your program owner for this car , for this numbering scheme and we standardized the number and then you can reuse those things and just as he pointed
3:01 pm
out, we would not, if you lose your medicaid card, you lose the conductivity of what that represented in the medicare business but not across the whole financial institutions and all the other ones. the challenge is how i work that thing not only at the federal level at the agency but then down to the agencies that report into us and also to the state and local government because everything is coded into these various programs. the social security administration talked about the system she has. they keep on exploding when you go down to the state and local state has to and all those at some point in time. >>
3:02 pm
that did not happen overnight. it became the standard as we talked about and then enforcing it. >> thank you. mr. mitchell? >> thank you mr. chair. let me start, one of the things i have seen referenced here is the use of social security numbers and the hacking goes out in the irs. it would not surprise you that i am one of the people who have had been hacked. the solution could be a pin number. you get a code number mailed to seeking file you know what happened this year on that? >> i understand that the pin numbers were also compromised to some extent. >> they were. so i did not get a pin number. i can only begin to describe the entertainment trying to
3:03 pm
file my taxes as well as other millions of americans. when in fact they do not have pin numbers at work either. and they cannot file with their social security number. the reason i raise this point is that the point of schweikert raise. rather than independent agencies creating their own identifiers, a pin number and all the acronyms, i don't know of anyone is watching this war willb& tape but most americans eyes glaze over with acronyms. the approach would be to have an identifier. i'm stuck at this point there hasn't been substantial conversations as to why we do not set a centralized process system will contribute to and create a token for not only benefits but when they pay their taxes. why is that not a more active effort at this point in time? rather than individual efforts?>> i think it is definitely a possibility but i think you also touch upon the fact that these numbers, regardless of their providence
3:04 pm
if you will, need to be adequately protected by agencies and their information systems. we have found traditionally that there are, the security controls over agency systems needs to be improved. >> i would not disagree with you one bit. you have two issues. one is the user using the number and the agency securing it.those are two separate dilemmas and a problem. but we are seemingly making one harder by issuing all kinds of different identifiers which in the case of the irs, that was compromised as well. so what is to prevent being compromised with what we have done rather than having a token-based system that allows you to do that? deck technology exists for a fair amount of time. i would encourage agencies to begin actively. we should talk about this further how would we encourage you something through a token system that is encrypted. the lease protects the user.
3:05 pm
>> if i can before my time runs out. i was looking for your testimony. and i apologize for being late to the floor. there are notations here that i guess tell me that the va is currently evaluating the elimination of social security numbers from correspondence. i'm trying to find a polite way to word the response on that. it is nice that they are evaluating up. how long does it take the va to do that? >> sarah, since we started the effort and number of correspondence informed generally have been scrubbed. if there is a compelling business need for it, it would remain. we have an ssn number review board that reviews things from the department wide standpoint. i cannot attest right now. i can submit for the record what forms and letters and correspondence dell but as i
3:06 pm
said in my oral testimony - >> let me ask for the record, did you submit the number of forms and correspondence, the purposes and justifications for the record? because i don't understand why there is a correspondence going out with social security number on it. in fact if you put that then you put the whole number? and the social security numbers being on wristbands. my guess is that everyone in the room has been in the hospital for one purpose or another or to a lab. you get a wristband. i have not seen a social security number on a wristband in medical institution and close to a decade. maybe seven years. white in the world would you still put it on when they are hospitalized? >> there is a barcode at ss and that allows the clinician to talk to machines. it is used as a identification tool. i think i mentioned to my oral
3:07 pm
testimony, there were pilots that were using the last four. eventually the world moved away from the full human readable ssn and the integration control number, the icn will replace that. >> thank you, sir. >> thank you mr. mitchell. mr. caswell. >> thank you. ms. jackson. i sat on the ways and means health subcommittee. we had extensive conversations. with the social security agency. about the process for removing social security numbers. from medicare cards. hearing again about this process is enough to make your head spin. at the time, we have these,
3:08 pm
this dialogue. it was quite clear that social security quote - unquote did not have the funding to do this. that is what was said. can you explain how what seems like a pretty simple task of removing the social security numbers from medicare cards could be such a challenge that cms, to the system they use in terms of information technology. tell me what is going on. >> thank you very much for the opportunity to. >> guest: that. we have at cms been looking into the removal of social security numbers from the heart for a number of years. it was not until congress gave
3:09 pm
us the resources to be able to implement the system changes both in our internal systems and also in the data exchanges and the update that we must do with social security administration with the railroad retirement board who also used a - based identification card. updating information in our internal systems as well as informing providers and healthcare providers and medicare beneficiaries about their need to use a new card when they both provide care on the healthcare provider side and for billing purposes. also, when the beneficiary goes to receive care from their dr. or hospital. to move forward with implementation of the medicare beneficiary identifier. we have made system changes over the past couple of years. we had had a major milestone this past weekend and assigning new medicare beneficiary
3:10 pm
identifiers to all medicare beneficiaries. which now will allow us to begin the testing process with all of our systems and data exchange partners. to then be able to mail the card and begin the transition period. we hope to have this by april of 2019 with the beginning of the amount of cards in april 2018. the transition period for us is very important. so all stakeholders are able to receive the new mvi, submit bills and claims using the new mvi and ensure that healthcare is available and provided to medicare beneficiaries. >> will they be the same as the past? >> no, and you identifier is an 11 digit code. but it is an alphanumeric code that is randomly assigned or was randomly assigned when we do this over the weekend it
3:11 pm
does not look anything like the current health insurance number. >> okay, so - we have done this with some resources and you pulled -- the system will be complete in 2019? >> that is correct. >> am i correct in saying that? >> yes. >> that is pretty big. and you are standing by that? >> i am standing by that. we will be ready to receive the mbi unclaimed submissions by april 2018. >> thank you. mr. - and your testimony. mike -- you stated it is difficult to completely nominate the federal use of social security numbers. without a government wide coordinated effort and dedicated you said dedicated
3:12 pm
funding. that is what you said, right? >> yes, sir. >> okay.can you explain how they would use additional funding to try to achieve the goal of limiting the federal government's use of social security numbers? >> in the case we exchange the importing data between a retiree, if federal retiree with a social security and irs for tax purposes there. the underlying thing would still be coded and still be exchanging through the social security number. but again the given occasion echoes that's the federal retiree benefit is a different number.we are doing that for the retirement services. you get a different number when you become a retiree. and that is how it is tracked back to you.
3:13 pm
in terms of the money - it is where operating systems today and as cms, unity infusion of money to do coding and other changes in testing as you prepare this parallel highway if you will of how we are doing it there.>> thank you. mr. chairman, magis data since the record? -- may i just add this into the record? they say the president's budget does not cut social security benefits but it does. in the budget, it cuts social security disability by up to $64 billion. i think the record needs to be corrected. maybe the congressman has said it needs to be corrected. >> thank you, sir. >> you're welcome. >> thank you, chairman. mr. oswald, i was confused by an earlier exchange. do we know how many documents within the va have the social
3:14 pm
security number printed on it? >> we know what we know now. it is an ongoing expanding effort. there is a social security number reduction tool. >> so, correct me if i'm wrong. there are a bunch of forms that the va sends out fear we should know how any of those are - one of the elements is social security. what does it take years to go through each form and delete that data element? were not show it on the underlying form? >> sir, have had to submit for the wreck of the history why it is taking so long. but there are number of instances where it is. >> how many forms does your organization have that prince social security number on it? >> with the implementation of the medicare beneficiary identifier, we will not have any forms that will issue the social security number.
3:15 pm
over the past couple of years - >> so using 2019 is on we will be successful in achieving that? again, we currently right now, there is x number of forms that produce when they are printed out, on that form it includes a social security number. correct? >> sir, i am sorry i should have been clearer. our correspondence of medicare beneficiaries, we have truncated the social security number on all of that correspondence with the exception of one document. which is the medicare premium billing form. it still does include the health insurance claim number. i am not, i'm sorry i cannot remember if it is truncated. that will be the document that will be replaced with the mbi when we implement. >> hemi forms is your -- how
3:16 pm
many forms do you have that go out with social security number on it? -- >> are that many unique or is it five different kinds of correspondence? >> there are over 1000 separate types of notices. >> we have over 1000 documents and one of those elements when it gets printed out his social security number. why can you not just delete that from, when you run a batch of? >> we have deleted the number were removed and replaced it with a beneficiary notice code on over 100 million notices. we have another 42 million that we are doing. the challenge that we have is twofold. one is that there are 60 separate systems that produce notices. those 1000+ notices. the resources needed to make the changes are significant. beyond that, the other significant issue or challenge that we have is that the social security number was created to
3:17 pm
do business with our agents. and so when we mail out a notice to someone and they for example are being told that they have an overpayment, then i pick up the phone and call us. we have to be able to quickly identify who they are and what their issues are. >> mr. devries, estonia has the despair they have moved into a system where as a token. they are 1.3 million people. it is the size of my hometown of san antonio. a little bit different. but they have achieved the ability to have this and are operable number across all of their government agencies. we have talked about tokenization here within opm. what you need - ultimately it is a shared service. how do we implement a shared service when it comes to an identifier across all of the federal government? >> that is a great question. i'm not sure the exact answer. because you're talking about
3:18 pm
through the token and that type of technology and so forth. that is one that we need to look with industry closer on and bring it to the side of the house to because it is not the same as it is on the industry side of the house. i am desperately trying to reach out. i am stumbling with how to bring that technology in. it is really our application is not the hardware system it is the applications that are changing those. >> mr. wilshusen in the last 30 minutes of my time you referenced legacy it being a barrier. what do we need to do to prevent that from being a barrier? >> is one of the problems in terms of legacy systems, they often may not be able to handle your numbers. in order to be able to do that it requires significant system change or modification. >> i yield back mr. chairman. >> thank you, sir. >> thank you, mr. chairman. thank the witnesses for your help with the committee's work.
3:19 pm
mr. devries, back in 2015 i think in july, opm disclose that there was a massive region compromising social security numbers, names, addresses, background information, birth dates and the background investigation records for about 22 million people who had applied for sensitive positions with the fbi, cia, nsa and we had a hearing subsequent to that breach. i actually asked your predecessor if she was even taking the most rudimentary steps to protect social security numbers. we even encrypting them within the system at opm.
3:20 pm
i am very sad to hear her testify that no at that time in 2015 we were not encrypting. and i urge them to do that. then a year later we had a follow-up hearing with ms. colbert i think she had some operational responsibility there. i asked her the same question a year later. if the job was complete. she testified that no, it was not complete. and so we have come full cycle here. now you are here and now ms. colbert said our system did not allow encryption of social security numbers. i just want you to tell me something good. tell me that we have encrypting the social security numbers. you know, it would be laughable if it wasn't so serious. i just read an article last
3:21 pm
sunday in the new york times. a bunch of our sources in china are being killed off. in a killed or imprisoned. us sources. foreign intelligence sources and you know i have got to think that that hat was attributed to the chinese government. i know that the hack actually came after, at least we found out about it after many of these people were executed in china for cooperating with the united states government. they were shot as wise or imprisoned as spies. but you see especially with sensitive information like this for secure positions, we are really exposing our personnel. our intelligence officers and anyone who cooperates with them to grave mortal threat. and so, we really have got to step up our game here. let me go back in my question.
3:22 pm
are we encrypting the social security numbers? >> representative lynch, yes we are. of all of the databases that had these encrypted, with the exception of one database that resides in the mainframe which is behind other security controls and detection systems, that is scheduled for completion which is a little bit more of a challenge because it is on the mainframe. it will be completed this calendar year. >> okay. we had this happened about 10 days ago. his ransom where attack. it was basically not stealing our information by preventing people from utilizing that. most of the impact was overseas. they tell me that it was because many of the, much of the software was bootleg software.
3:23 pm
microsoft, windows - well they thought it bootleg so the fixes and all that were not available for those people. we do feel that we have major vulnerability from that type of tax. as far as our user population goes. >> i would say yes.and i'd say that is the lowest common denominator that we will use to keep educating. both for the families at home and the workforce itself. within opm there was no choice. that was just past. that is a call that the director supports and i make i , and i did that is the right approach to take. >> okay. mr. chairman, thank you for the courtesy. i yield back. >> thank you.
3:24 pm
mr. -- mrs. sanchez. >> identity theft affects over -- people a year and it costs victims over $350 on average. to hear cases taking people years and a lot more money to get it straightened out. and i have been one of those people that have unfortunately been the victim of identity theft. social security numbers and other personal information like dates of birth, that information is very coveted by hackers who still have personal identifiable information from breaches of the office of personnel management. health insurance companies, the united states postal service and even target. while i'm encouraged that the office of management and budget
3:25 pm
initiative issued a memo calling for the agency to reduce collected and retained information and to strengthen the security sensitive information, the recent hack show that opm and other agencies are still fundamentally very ill prepared. many american sensitive information are still very vulnerable. to attack. and that is why you know reducing the collection and retention of social security numbers is so important. it is troubling to see that after 10 years, government accountability reports show that only two of 24 agencies examined met the requirements for unnecessary usage of social security numbers. even more troubling the office of management and budget have provided very little guidance to agencies to help with transition. in addition to exacerbate matters, the president's budget proposal got agency personal and operating budget further
3:26 pm
limiting their capacity to protect information and improve their system. whether it is a lack of funding or lack of guidance, 10 years after the issuance i think we should be in a better position to safeguard america's personal information. i recognize that there are clear barriers that agencies face in reducing the collection of social security numbers. for example, it may take the states mandate that collection of the information. i just wanted to note before i go into questions i think it is interesting that today we are discussing the progress of agencies to reduce the collection of social security numbers when tomorrow the same committee will be working up a bill to add a new requirement on agency to collect and verify social security numbers. on the one hand we are saying do not collect them and do not collect them superfluous sleep. on the other hand we are going to be mandating the collection.
3:27 pm
i think it is hypocritical of us on this day us to be doing both things. but aside from that comment, mr. devries, in the report mentions that opm proposed an alternate federal employee identifier but the identifier was not available. what are the barriers to creating a new identifier for federal employees and for agencies to use in their administration and benefit? >> representative sanchez, thank you for the question. did the barriers to overcome here, it is the size and complexity of the government. the table represents a few of the agencies. every agency really has a collection thing that kind of ties back to individuals. and the benefits get tied to it. whether it either pay or benefits and medical and so forth. how do you then create that
3:28 pm
architecture and again going back to what chairman hurd talked about, you have to have that in hand before you begin to talk about token use or other big chain type stuff. how do you get that down? my colleague into the left talk about the role of the whole medicare new number. it is not done overnight, it is a process based upon the architecture. >> and how is it -- >> in every agency there's probably just net dollars to make that go. what i'm going to try and do something else. i have to have that fusion two halves of that goes along so what i'm currently operating. and we must turn off to just get rid of. >> would you say that right now you're operating with a -- the very best agreement that money can buy? >> no, ma'am. >> and the equipment they have to work with on a scale of 1 to
3:29 pm
10, in terms of modern and efficient, where would it lie on that scale? >> ma'am, i was it from the overall architecture and operating perspective i would say about 8.3 or.4. -- .3 4.4. >> thank you. >> the federal government needs to make sure they are doing everything they can to protect americans identities and social security numbers are not being used unnecessarily. while progress has been made, is that what we have heard today there is still a long way to go. thank you to our witnesses for their testimony. thank you also to members were being here. with that the subcommittee stands adjourned.
3:30 pm
regardless of your background remember where you came from. hold on to the way so many of you reached out to mentor youn persons >> then you also understand now is the time to help others. that's what this is all about. >> saturday night at eastern,
3:31 pm
2017 commencement speeches. this weekend speakers include former cabell california governor arnold schwarzenegger at the university of houston, former vice president joe biden at colby college in maine, rest not choose on at scripps college in california, arizona governor uc at emory riddle aeronautical university and joint base andrews, javier gonzalez at new mexico highlands university. and michigan governor rick snyder at adrian community college in michigan. saturday night at eight eastern on c-span and >> next, remarks from u.s. house members nanette barragan and pramila jayapal on the challenges they encountered running for congress as women and minorities. they were followed by a panel discussion focusing on women in politics. followed by the center for american progress, this is an hour and a half >> . [inaudible conversation]


info Stream Only

Uploaded by TV Archive on