Of course, as most of us know, for years the United States has been using a defacto national identifier: the Social Security Number ("SSN"). Sure, we don't call it an identifier, but that is essentially what it has become, even though the back of each card reads, "not for purposes of identification." Yet, for the last 30-40 years, that is all we have done. When I was in boot camp in the 90's, I shouted out my SSN or "service number" three times a day in line to get fed at the chow hall. I still have the Army duffle bag upon which my SSN was stenciled for the world to see as I traveled from post to post. (I have since redacted, of course). This past week, after I gave a talk on privacy, a gentleman raised the issue that, if the SSN is only required to be used for a finite number of express purposes such as those required by the IRS or other federal agencies, why do so many businesses and agencies not only use it, but even require it to provide services? The answer is pretty easy. It is the one identifier that can isolate you from everyone else in the United States. It is, indeed, being used "for purposes of identification," and there are relatively few limitations on whether a company can demand a SSN for services to be rendered or not. Furthermore, people choose to give up the number, either because they really want the service, don't care, or think they have no other choice.
The issue that a government-issued number is being used for many other unintended purposes for which it is not required by law is the troublesome aspect of a national identifier. It is one code that can unlock so much sensitive information about you or link to other data sets to expand what the good and bad guys can learn about you. Indeed, the SSN has often been called the "holy grail" for identity thieves. There is a simple reason why there is so much more risk of harm today than 20 years ago when shouting my SSN out in boot camp did not render me penniless as a result of identity theft: The Internet, and more specifically the digitization and linking of information, was not yet reality.
But this is not the case today, and the issue is a global one as data can be linked quickly and with little technical ability. We saw this a couple of weeks back in the ramp up to this year's exciting FIFA World CupĀ®. Every country participating in the World Cup goes through a series of 'friendly' matches in the weeks before the start of the international tournament. These games don't count for anything other than serving as a warm-up. One night England played a friendly against Honduras here in the United States at Sun Life Stadium in Miami. As the team sheets for the clubs were being handed out to the press box and crowd, someone noticed a huge mistake. The passport numbers of each of the England players were printed on them. Within minutes, pictures of the document containing players' names, birth dates, and passport numbers were being tweeted to the world. Their captain, Frank Lampard, even had his signature on the paper. With very little effort, anyone could quickly find this information using a general web browser and potentially do a lot of harm. Now, obviously with respect to the English footballers, the primary problem was data security (disclosing the information inappropriately) and not an improper use of a national identifier (passport for travel). However, with such a national code in existence and being collected regularly (on hard copy sheets no less), the risk of harm is escalated considerably.
So what to do? Well, assuming we can all agree there are national identifiers out there in one form or another, here are some basic approaches for consumers and companies, alike. The following suggestions discuss SSN's. However, the same guidance can be applied to any sensitive information.
1. Companies shouldn't collect SSN's, unless required by law. There is a difference between a legal requirement to collect information and a business decision to do so. If they have not already, companies should move away from the collection, storage, sharing and use SSN's, unless required by law. Many states already have laws in place to limit the use of SSN's by private entities. Furthermore, companies should be mindful that unauthorized disclosure of SSN constitutes a "data breach" under most state and federal law, and the company is inviting the responsibility (and costs) to comply with such laws, to include notification, fines, mediation costs and dealing with regulators.
2. Companies should strictly limit use of SSN's. Just because a company can or must legally require a SSN, it doesn't mean it cannot use a second identification code for day-to-day operations and limit SSN use only to those transactions required by law. Furthermore, companies can redact SSN's in their systems completely, or to smaller data sets (last 4 digits) to accomplish the business purpose without having to compromise security. Of course, when possible, encryption or de-identification should be used for SSN's (and all sensitive data) to protect against data breach.
3. Companies should strictly control access to SSN's. Additionally, a company must implement reasonable safeguards to ensure SSN access is role-based, or on only a business "need-to-know" basis. Not every employee or system in a company needs to view a SSN to complete daily operations. As with access to any such sensitive personal information, companies should have layers of access tied to an employee's role in a company and his or her assigned duties. Likewise, when possible, segments of a network where SSN's are stored should be clearly separate from segments where non-sensitive information is used. Layered security is critical with such highly sensitive information.
4. Consumers can just say no. A wise man once questioned why Radio Shack asks for your phone number when you buy batteries. Consumers shouldn't give their SSN's unless required by law. Just because a company asks for personal information doesn't mean an individual should or even has to provide it. As you have probably experienced already, you can always decline when asked. In most cases, the clerk just moves on. And for those companies that insist, ask if you can use an alternate number instead of a SSN. If they continue to insist, then you have a choice as to whether you give them your business or not. As with all privacy related transactions, there should be choice and consent and this choice includes the opportunity to take your business elsewhere.