White House and Equifax agree: Social Security numbers should go
The Trump administration is exploring ways to replace the use of Social Security numbers as the main method of assuring people’s identities in the wake of consumer credit agency Equifax Inc.’s massive data breach.
The administration has called on federal departments and agencies to look into the vulnerabilities of employing the identifier tied to retirement benefits, as well as how to replace the existing system, according to Rob Joyce, special assistant to the president and White House cybersecurity coordinator.
“I feel very strongly that the Social Security number has outlived its usefulness,” Joyce said Tuesday at a cyber conference in Washington organized by the Washington Post. “Every time we use the Social Security number you put it at risk.”
Joyce’s comments came as former Equifax CEO Richard Smith testified before the House Energy and Commerce Committee, the first of four hearings this week on Capitol Hill. Lawmakers from both parties expressed outrage over the size of the breach as well as the company’s response, and grilled Smith on the timeline of the incident, including when top executives learned about it.
Smith said the rising number of hacks involving Social Security numbers has eroded their security value.
“The concept of a Social Security number in this environment being private and secure — I think it’s time as a country to think beyond that,” Smith said. “What is a better way to identify consumers in our country in a very secure way? I think that way is something different than an SSN, a date of birth and a name.”
Joyce said officials are looking into “what would be a better system” that utilizes the latest technologies, including a “modern cryptographic identifier,” such as public and private keys.
“It’s a flawed system that we can’t roll back that risk after we know we’ve had a compromise,” he said. “I personally know my Social Security number has been compromised at least four times in my lifetime. That’s just untenable.”
The administration is also participating in discussions Congress is having about requirements for companies on protecting personal data and on breach notifications.
“It’s really clear, there needs to be a change, but we’ll have to look at the details of what’s being proposed,” he said. In the response to the Equifax hack, though, he said, “we need to be careful of Balkanizing the regulations. It’s really hard on companies today” facing local, state and federal regulators as well as international rules, he added.
The government’s own record of protecting Social Security numbers has its blemishes. Medicare, the federal health care program for senior citizens, has long used the numbers on identification cards recipients must carry. After years of criticism by the agency’s inspector general for the risks that creates, new cards with different numbers are currently being rolled out.
While lawmakers were unanimous in criticizing Equifax’s response to a breach that compromised info on 145.5 million U.S. consumers, they were divided on how to fix the underlying issue. Democrats on the panel have reintroduced legislation imposing requirements for when companies have to report data breaches, while Oregon Republican Greg Walden noted the company’s human errors, saying “you can’t fix stupid.”
Smith said the Equifax employee responsible for communicating that vulnerable software needed to be patched didn’t do so. That failure was compounded when a scan of the company’s systems didn’t find that the vulnerability still existed, the former CEO said.
Joyce’s comments helped take some of the focus off Equifax’s blunders, analysts at Cowen Inc. said in a note Tuesday.
The “White House may be indirectly coming to Equifax’s rescue,” they wrote. “This reduces the risk of business-model-busting legislation such as a requirement that consumers opt-in to a credit bureau collecting their data.”