StorageMojo





Robin Harris    


Data Security: A Modest Proposal

April 9th, 2006 by Robin Harris in SOHO/SMB, Security & Public Policy

Data security is a real problem, and a problem with multiple dimensions. The most troubling of these to me is the problem of identity theft, since it is a problem that hundreds of thousands of small and medium-sized businesses should simply not be subjected to.

The basic problem is social security numbers. Many small businesses, especially in healthcare, have a need (in contravention of Federal law, IMHO, but wired into many systems nonetheless) for them, but a surprising range of businesses collect them on customers and employees. When they do, the SSNs are typically accessible to a wide range of employees, including low-wage clerical workers and temps.

With a social security number, an address and internet access, the enterprising identity thief can find birthdays, legal records and former addresses, allowing them to apply for credit and make purchases with only an estimated 1 in 700 chance of getting caught.

So millions of businesses are being told they need to protect social security numbers and other customer data to prevent identity theft and the potential for bad publicity and lawsuits. Vendors are happy to propose band-aid solutions that only cost money and time.

Don’t misunderstand: data security is a real problem. Yet protecting social security numbers from casual access shouldn’t be part of the problem. Why? Because the ways people use SSNs for identity theft have one element in common: credit reporting agencies.

The issue is “identity fraud”, which to my mind is the real problem: we make it far too easy for thieves to open credit lines using stolen information.

Congress should require that all credit reporting services give out credit information only with express permission of the individual.

The credit reporting agencies will whine about this, since they are only interested in selling reports, not protecting consumers against fraud, or helping victims of identity theft. But since they’ve made the system so easy to game, I think they need to take responsibility for fixing it.

So what appears to be a “storage security” problem, in this admittedly limited case, is really a political problem. Congress, a wholly-owned subsidiary of the American Banking Association, is currently considering a Federal law that would pre-empt state laws that allow consumers to require permission before releasing credit reports. This move takes a responsibility that could easily and at no cost to taxpayers be placed on three national firms and would allow consumers to freeze their credit reports only after they’ve been victimized!

I encourage all small businesses that like the freedom to use SSNs for business purposes to contact their congressmen to protest this stupidity. Rather than tax millions of small and medium businesses with the responsibility to protect (or not use) SSNs, let’s give it to the three large and well-financed reporting agencies, where it belongs.

One Response to ' Data Security: A Modest Proposal '



  1. on May 4th, 2006 at 2:03 pm

    [...] As I’ve mentioned before (Data Security: A Modest Proposal) requiring authenticated personal approval for the release of credit reports would bring identity theft to a screeching halt. There are only three credit reporting companies. They all have lots of computers and smart people working for them. Authentication is a solvable problem. One law could choke this off tomorrow. Hiding every piece of personal information for 300 million people in millions of businesses and thousands of governmental units is neither likely nor cost-effective — though the encryption folks might differ. [...]



