The Congressional furor over identity theft continues. This time the target is databases that, in the eyes of Sen. Charles Schumer (D-NY), make identity theft way too easy. Schumer showed up yesterday with the addresses and social security numbers of former Attorney General John Ashcroft, former Secretary of Homeland Security Tom Ridge and several executives at Westlaw, the company whose database Schumer used to obtain the information. The Washington Post has a nice write-up. Check out this quote from the article:
“Westlaw’s service could be entitled ’Identity Theft for Dummies,’” Schumer said. “To my mind, what bank robbery was to the Depression era, identity theft is to the information age. Everyone’s susceptible.”
I’m not trying to single out Westlaw, and I don’t think that Schumer was either. There are plenty of information companies out there—Lexis Nexis, for example—and Schumer’s main criticism (that it is too easy for people who don’t have or shouldn’t have a need for this information to get it) and concerns apply to them, too. In fact, the article ends with a more general quote on the overreliance on Social Security numbers and wonders whether these identifiers are part of the problem.
Instead of in-depth analysis I’m going to leave you with some quick hit thoughts. Companies have databases that track employees’ Social Security numbers, in HR if nowhere else. Are Schumer’s concerns applicable to these databases as well? Obviously there is a difference between a company that sells the records in its database and one that maintains them solely for internal use, but where exactly is the line between the two, particularly in some future legislated environment?
Reading between the lines here, I think that the concerns over database-based identity theft eventually lead to two issues that no one—at least among the majorities of both congress and the business community—really wants to see legislated. One is data security; effective legislation would essentially have to be Sarbanes-Oxley for security, the very thought of which should be enough to make most CIOs think about switching professions. The second is the issue of a federal ID that would in essence replace Social Security as our primary identifier. There’s talk about doing this for government employees now. I looked into this about a year ago and concluded that it would be an enormously complicated endeavor, full of wide-reaching implications that I’m not convinced outweigh the benefits. I’ll post something on it if anyone ever starts talking about a national ID system.