SSNs versus CCNs
There's lots of talk these days about securing credit card numbers. As I've mentioned before, people should have more of an interest in keeping information like their Social Security number protected. If your credit card number is compromised you can always have the old card canceled and a new one issued to take its place. With your Social Security number, however, you can't do that. Once it's compromised, there's no way to get it back.
It turns out that there's another big difference between credit card numbers and Social Security numbers, and that concerns how often they're exposed in data breaches. According to the information in the OSF's database of data breaches, incidents that expose a Social Security number are far more common than data breaches that expose credit card numbers. The last time I looked at the data in this database, for each incident that exposed credit card numbers there were almost seven incidents that exposed Social Security numbers.
Maybe the government should start a program like the PCI DSS to ensure that anyone handling Social Security numbers needs to have some basic security mechanisms in place.
Maybe it's because I live in the UK, but I'm still amazed at the problems with SSNs.
Firstly, why should knowledge of an SSN be any more risky than knowledge of a name? Fixing the systems which depend on secrecy of SSN for security should be a high priority.
Secondly, the program already exists in the US, see http://en.wikipedia.org/wiki/Safe_Harbor_Principles. If it's good enough for the EU, shouldn't US citizens demand as much for themselves?
The recent "Personal Data Guardianship Code" http://www.theisaf.org/documents/pdgc(2).pdf is an easier-to-read statement of obligations.
(And yes, I know the implementations of these are not perfect yet, but are a good start.)
Posted by: Andrew Yeomans | Friday, 19 June 2009 at 03:27 AM