Eyeing more secure alternatives to Social Security numbers, lawmakers in the U.S. are looking abroad. Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon chief privacy officer Karen Zacharia and both the current and former CEOs of Equifax on how to protect consumers against major data breaches. The consensus was that Social Security numbers have got to go.
Rounding out the panel, Entrust Datacard president and CEO Todd Wilkinson offered some context and insight about why the U.S. should indeed move away from Social Security numbers — a step that the witnesses unanimously agreed was necessary if not wholly sufficient to protect consumers moving forward, in light of the Equifax hack.
“Over 145 million Americans’ insecure identities are now forever at risk, and they have limited ability to protect themselves,” Wilkinson said. “A key question for this committee to consider is: What do we do now given these identities are forever compromised?”
Social Security numbers are a privacy nightmare. While a consumer who gets hacked can replace credit card numbers and other account details, a Social Security number is relatively permanent, linked to a real identity throughout a person’s lifespan. In the hearing, Wilkinson and many of the senators present argued that the U.S. needs to move to a dynamic system of personal identity, one designed with digital security in mind — a stark contrast with an inflexible legacy system that dates back to the 1930s.
“Some combination of digital multi-factor authentication… is the right path,” former Equifax CEO Richard Smith said when asked about such a program.
Multiple times throughout the hearing, Brazil’s Infraestrutura de Chaves Públicas system of citizen IDs through digital certificates came up as a potential model for the U.S. as it moves forward. In this model, a certificate lasts for a maximum of three years and can be used to issue a digital signature, much as written signatures are used now. Unlike their counterpart in the U.S., these identity accounts can be revoked and reissued easily through an established national protocol.
Members of the Senate committee also advocated for “rigorous” data security rules, expanding FTC authority to enforce them and stiffer penalties to motivate companies to protect consumers proactively.
“The parade of high-profile data breaches seems to have no end,” said ranking committee member Bill Nelson. “We can either take action with common sense rules or we can start planning for our next hearing on the issue.”
Last month, White House cybersecurity coordinator Rob Joyce made it clear that the Trump administration is also interested in abandoning Social Security numbers in favor of a more secure, more digital form of identification, stating that the form of ID has “outlived its usefulness.”