Saturday, May 19, 2012

What about the Social Security Numbers? (The Utah Data Breach and your SSN)

The Utah Data Breach

This week the saga of the Utah Medicaid Data Breach continued to unfold.

If you haven't been following the story, here's the play-by-play:

That is an amazing story. Remember that Utah only has 2.8 million people according to the US Census. So in this single data breach 28% of the residents of Utah had their personal information stolen from them, and 10% of them had their Social Security Number stolen.

The good news, if there is any, is that Utah is now Very Serious about Identity Theft, launching its new IRIS: Identity Theft Reporting Information System in response. What will it take for the other states to get serious about identity theft?

What About Social Security Numbers?

The Utah story was only intended to be a vehicle for asking this question. What are we doing about Social Security Number theft? If hackers get your password, you can have your password reset. If hackers steal your credit card number, the bank will issue you a new one. If your bank account is breached, it is not uncommon to have the bank CLOSE your account and open a new account for you. But what if the hackers steal your Social Security Number?

The first place that seemed reasonable to check was the Social Security website. They have a page about Identity Theft called Identity Theft and Your Social Security Number (SSA Publication No. 05-10064, ICN 463270, August 2009).

That form asks "What if an identity thief is creating credit problems for you?" and answers the question:

If someone has misused your Social Security number or other personal information to create credit or other problems for you, Social Security cannot resolve these problems.

They have several recommendations:

But read on . . . IT IS POSSIBLE to get a new Social Security Number, and Social Security will work with you to do that IF YOUR NUMBER IS BEING ACTIVELY ABUSED, but they warn that getting a new number may actually be worse than the abuse. For example, in the United States, the key to your credit history is your Social Security Number. If you get a new number, congratulations, you now have Zero Credit History. You won't be able to get a credit card or a loan without a lengthy ordeal or a co-signer.

So what is the answer? Despite all the controversy, it may be time to go back to the discussion of a National Identity Card. I visited Spain last summer and my banking security friends marveled at how the US clung to our antiquated system. They have a National Identity Card (DNI - Documento nacional de identidad) that is carried at all times. The chip in the card contains a digitized version of a photo of the bearer, plus a digital version of their signature and fingerprints! There is no value to having only the Number -- my friend who was explaining it to me said you can write your number on your business cards, because there is NOTHING ANYONE CAN DO by simply having the number. It is the CARD that has value. If you have my number, but not the chip in my card, it is worthless to you.

I'd like to see this discussion move forward. If criminals don't already have your Social Security Number, it is certainly only a matter of time. Even if it is only a theoretical question right now, it is extremely likely that this question will be a personal matter to you or someone you love in the near future.

Especially if you live in Utah.