Security lapses, ID theft
making SSN obsolete

What purpose does data serve if it proves unreliable?

A map with a faulty road grid is more hindrance than help. A telephone number with one incorrect digit won’t make the intended connection. And a Social Security number that doesn’t correlate to the financial and personal history of its owner does an organization no good when it comes time to check a potential client’s — or employee’s — background.

Unfortunately, this is the dilemma we now face in the digital age, whose vast data storage capabilities and facile information alteration can have devastating outcomes when used for ill purposes. Combine that with a decade’s worth of security breaches and consumer data losses among national corporations and government agencies, and you have the potential for information chaos.

In the past two years alone, there have been numerous reports concerning compromised customer information by the likes of national financial service institutions and data collection companies.

Then, in May, there were reports of the theft of a Veterans Affairs laptop containing personal information — including Social Security numbers — of 26.5 million U.S. military veterans and more than 1 million active-duty personnel.

Because the theft occurred during the burglary of a data analyst’s home, VA officials have said it is likely the thief is not even aware of the potential gold mine (my words, not theirs) he or she had stumbled upon. That is cold comfort to the millions of men and women who are now frantically placing fraud holds on their credit histories.

And it is such organizational lapses in information security combined with the nefarious actions of identity thieves that could very well render the Social Security number’s function as an individual identifier completely useless — or at least much less effective — in the not-too-distant future.

Or maybe even now.

In June, Avivah Litan, vice president and distinguished analyst at high-tech consulting company Gartner Inc., commented on the VA laptop debacle, noting that as many as one-in-seven adult Social Security numbers in the United States may have been compromised already.

“This incident also shows that the Social Security number has become an extremely unreliable piece of information and cannot be trusted to be unique to an individual,” she said in a prepared statement. “Companies should not rely on Social Security numbers alone as proof of individual identity.”

But the Social Security number is the primary identifier used by credit reporting companies to keep tabs on individuals’ credit history, which is then reviewed by banks, credit card companies, insurers and employers.

If the Social Security number is no longer reliable, what purpose does it serve?

For now, it serves as a hard-learned lesson in the need to better protect data that has yet to fall into the wrong hands.

For businesses that see the cost of data encryption as a major deterrent, be assured that dealing with a security breach is much more expensive.

According to Litan, companies with at least 10,000 accounts to protect can spend about $6 per customer account for basic data encryption. That compares to $90 per customer account needed to clean up the mess after data has been compromised.

If that is too costly, she recommends using host-based intrusion prevention systems to prevent security breaches or implementing security audits to ensure that the organization has “satisfactory mitigating controls” in place to reduce the need for encryption or an intrusion prevention system.

I would add another low-tech security measure to go along with Litan’s advice: Businesses should devise a comprehensive data security policy taking into account its network and wireless systems and, here’s the kicker, make sure employees understand and follow it.

— Kimberly Hilden, SCBJ Assistant Editor

Back to the top/July 2006 Main Menu