CPB Says No To Utility's Use Of SSNs
The New York State Consumer Protection Board (CPB) has filed notice of its serious concerns regarding plans proposed by utilities to provide customers remote access to their utility account numbers utilizing Social Security numbers as the sole or primary authentication mechanism. The plans, created to facilitate customer control and increase choice regarding energy services, particularly for consumers who wish to purchase them from an energy service company (ESCO), pose privacy risks and should be rejected.
"Federal and State laws have been passed to restrict the use of Social Security numbers to protect the identity of consumers," said Mindy A. Bockstein, Chairperson and Executive Director of the CPB. "While access to this information is a win for consumer choice, there is a privacy issue that cannot be ignored. Social Security numbers are the key to our identities and should not be used lightly. With reports of data breaches increasing, we are encouraging consumers to be very careful when giving out Social Security numbers, especially online. Utilities should exercise caution to help consumers avoid the possibility of identity theft."
In its role as Governor Paterson's identity theft watchdog Agency, and consistent with restrictions advanced in New York's Social Security Protection Act (Act), which took effect on January 1, 2008, the CPB reviewed the plans submitted by utilities according to three (3) Agency criteria developed to protect customer privacy. The CPB's concerns center around the failure by the utilities to meet these criteria:
1. Rely solely on the use of a Social Security number for authentication;
2. Use non-public authentication elements, if they don't rely solely on Social Security numbers, for example a PIN, rather than a zip code;
3. Utilize a secure connection or encryption to protect a Social Security number if access is provided through the Internet.

In its filing, the CPB underscored the Act which requires that (1) an encrypted and/or secure connection be utilized when customers are compelled to transmit their Social Security numbers over the Internet, and (2) password protection, personal identification number (PIN), or other type of authentication device is utilized for customers required to use a Social Security number to access an Internet website.
The Act therefore implicitly demands that entities apply a higher level of privacy protections for consumers to help protect them from the possibility of identity theft and fraud. The CPB asserts that this standard should be extended to Interactive Voice Response (IVR) usage in addition to the current online requirements.
Further, the Federal Trade Commission (FTC) argued against the general use of Social Security numbers as the sole mechanism for customer authentication in its December 2008 report entitled "Security in Numbers: SSNs and Identity Theft."
"We strongly assert that the request to use Social Security numbers as the sole or primary authentication number for access to customer accounts compromises the privacy of New Yorkers," continued Chairperson Bockstein. "With identity theft continuing to rank first on the FTC's 2008 Top Complaints listing, and New York State remaining 6th in the nation for identity theft, oversight Agencies should think twice before allowing these types of proposals to be accepted as they stand."
The privacy concerns came to light in March when the PSC posted a Notice of Proposed Rule Making in the New York State Register and invited parties to file comments relating to utilities' compliance plans as well as all other matters related to filings received in December 2006 pursuant to a November 7, 2006 PSC Order. Under the Order, utilities operating in New York State were required to submit plans to provide customers with secure, real-time remote access to their own distribution utility account number, or point of delivery identification number used to sign up customers for an ESCO. Utilities filed their plans by December 22, 2006, but the PSC took no formal action until this year.
In 2008, Governor Paterson created the Identity Theft Prevention and Mitigation Program within the CPB designed to provide resources to help New Yorkers prevent identity theft and aid victims in coping with the consequences of this crime.
Information privacy and the protection of a consumer's personal information in the marketplace are critical issues for the CPB in its ongoing quest to advocate for and empower New York consumers.