"We have to look at what companies can do to protect against risks from outsiders, and we have to look at what companies can do to police their own workforce," Nahra says. "And then you also have to look at what people can do individually to protect their own information." It all goes back to better controls, he says, "limiting where you have the information, how you use the information and not giving out information unless it is absolutely necessary."
Social Security numbers remain the most critical and common personal identifiers used on a daily basis in the United States. But compromised Social Security numbers are the backbone of identity theft. Nahra says laws and society, generally, are getting better about reporting and responding to incidents of compromised Social Security numbers and, ultimately, identity theft crimes; but much more progress is needed.
During this interview with Information Security Media Group, Nahra discusses:
- Why insider access is the No. 1 concern;
- The risks associated with outdated databases and "accidental" personal profile histories;
- The focus on adequate response to Social Security number thefts.
Nahra is a partner with Wiley Rein in Washington, D.C., where he specializes in privacy and information security litigation and counseling. He chairs the firm's Privacy Practice and is co-chair of its Health Care Practice. He assists companies in a wide range of industries in analyzing and implementing the requirements of privacy and security laws across the country and internationally. He has served on the International Association of Privacy Professionals Board of Directors and is the editor of Privacy Advisor. A certified information privacy professional, he is the co-chair of the Confidentiality, Privacy and Security Workgroup of the American Health Information Community. He is a graduate of Georgetown University and the Harvard Law School, and is a frequent author and speaker on privacy and security issues.
Social Security Numbers and Identity
TRACY KITTEN: Social Security numbers are closely linked to our identities, yet they are surprisingly easy to steal and exploit. Why are these long-held personal identifiers so susceptible to fraud? I'm here today with Kirk Nahra, partner with Wiley Rein, a Washington D.C.-based law firm that specializes in regulatory and public policy counseling. He also serves on the Board of the International Association of Privacy Professionals, a global community of privacy professionals.
Kirk, Social Security numbers remain the primary personal identifier of U.S. citizens. But over the last several months we have seen a number of cases and incidents come to light that revealed the inherent weaknesses and vulnerabilities of Social Security numbers. Are these personal identification numbers outdated, and how do they compare, from an authentication and security-privacy perspective, with personal identifiers being used in other parts of the world?
KIRK NAHRA: We have obviously been struggling longer than the last few months; this is something that goes back a number of years, at this point, with how to balance the benefits of a Social Security number. It is still the single best identifier, despite the risks that go along with it. I think we have done a couple of things that have been positive -- there are a lot of different laws that have restricted how Social Security numbers can and can't be used. There used to be a lot of public use of Social Security numbers; and by "public," I mean things like your health insurance card, and using your Social Security number as your member ID. That is not the case anymore; that has been moved away, both by law and by practice. So, there have been some positives; but I certainly do agree that it is an inherent weak spot, because of how often it is used as the core identifier.
What companies have been struggling with is creating an individual identifier for a particular customer relationship; but customers or individuals often don't know those numbers or don't remember those numbers, so they can't use them when they call in to get their questions answered. And those types of numbers don't carry over from company to company. Our society, in general, is still really struggling with what to replace a Social Security number with, and as of today, there isn't really any good alternative.
Protecting Social Security Numbers and Identities
KITTEN: What steps should we be taking in the U.S. to ensure better security of Social Security numbers (i.e., better protection from theft and misuse)?
NAHRA: Well, the incidents that have come up in recent years fall into three different categories. We have had situations that get most of the press, that have been large-scale hacker or criminal situations, where outsiders break into a computer system, an office or something like that and take high volumes of Social Security numbers. There are ways to deal with that kind of issue. There are also insider problems in a lot of companies, and that has been an increasing issue. This would be a company insider who needs to have access to information for certain purposes but then misuses it; that poses a different set of ways to attack that problem. The third place, which is frankly more related to recent identity-theft problems, relates to our personal situations, where a spouse, an ex-girlfriend, a neighbor, a cousin, a sibling, somebody like that has access to a person's information -- it might be access they can get from being in their house, or it might be through some of their records.
So, we have to look at what companies can do to protect against risks from outsiders, and we have to look at what companies can do to police their own workforce, and then you also have to look at what people can do individually to protect their own information. Primarily, it goes back to better controls -- limiting where you have the information, how you use the information and not giving out information unless it is absolutely necessary, as well as being very vigilant about checking your accounts and checking different credit reports.
The Responsibility of the Credit Bureaus?
KITTEN: Talking about credit reports, specifically, it has been suggested that the credit bureaus should play some role in reporting suspected fraud or abuse of Social Security numbers. Do you agree?
NAHRA: I think that those companies are starting to do more than they used to; and, again, it is a mixture of both legal requirements and actual practices. There have been a number of laws passed in the last few years, at both the state and the federal levels, dealing with the whole issue of identity theft. Identity theft is a problem that goes beyond a Social Security number, but it is also widely understood that the Social Security number is the single easiest entry to identity theft. And so there are a variety of new provisions that require credit bureaus, in particular, to take certain action when red flags or other kinds of problems are easily identifiable or are reported to them.
The flipside is that those credit reports have a lot of information and some of it is clearly going to be wrong. When I looked at my credit report recently, I found various addresses that were wrong, but there was usually some reason for it. It might be my parents' address; it might be an address for my sibling; it might be a roommate that I used to share an address with and then that roommate moved. So there is a variety of problems that don't mean identity theft, but we see issues that could lead to identity theft. We are starting to be more aware. I think we are also getting a little better as a society at fixing some of these problems. We are a little better at stopping identity theft, at catching it and remedying the problems; but we still have a long way to go.
NAHRA: I think the issue with biometrics, similar to a lot of other identifiers, is basically a practicality of use. What happens with Social Security theft is somebody gets a Social Security number -- again it could be a theft, it could be a person that you know or whatever -- and then they apply for a credit card using the identifying information of another person. Now, it is great to talk about biometrics, but there is no feasible way to make that work in a regular setting. People go to Target or Sears or Wal-Mart or whatever and they want to get a credit card that gives them 10 percent off their purchase that day. There just isn't any viable means of using biometrics for that. The other premise of biometrics is that if you were going to take my thumbprint, for example, or retina scan, all of those people around the country and around the globe would have to have access to that information in order to verify it. So, it is a nice idea, and there may be certain kinds of situations where it makes sense; but, again, right now what we are struggling with is trying to come up with any kind of realistic alternative that is actually viable that people could actually use, that companies could use, that individual consumers could remember. So, it is a real ongoing challenge.
NAHRA: We have had a lot of laws passed in the last two, three, four, five years that have tried to address specific practices in connection with identity theft, and we have seen sort of a perfect storm of legislators and regulators at the state and federal levels all trying to address this problem by throwing a lot of new laws into place. What we are seeing in some situations is that the laws don't precisely fit the particular situation. I don't know a lot of the details of this Colorado case; it sounds like it is a slightly different situation than we usually think of with identity theft. It doesn't sound like another consumer was necessarily the subject or the victim of identity theft. My guess in this case is that we didn't have a precise match between the action and the crime that was on the books or the crime that was prosecuted in the case. I do think we are seeing a lot of effective criminal prosecutions related to real identity theft. We are seeing flexibility in the legislators to make sure that they revise laws to make sure they are broad enough. I think we are going to continue to see these laws work their way through the system over the next few years. It is clearly a problem that we are both trying to address and are not yet done addressing. I am not too worried about an individual case. It sounds like a bad situation, and it sounds like somebody who is trying to behave badly got away with something; but, again, in terms of broader precedent, I think that, for the most part, we are finding ways to get at most of these situations.
Again, the real problem with identity theft is not a lack of ability to go after the wrongdoer; it is finding the wrongdoer and, even more importantly, it is fixing the problems of the identity theft victim. So that is where the real challenge remains going forward.
Top 3 Social Security Vulnerabilities
KITTEN: Kirk, what do you deem to be the top three vulnerabilities related to the way Social Security numbers are used and housed?
NAHRA: I will go back to my list before, the ways in which these numbers can get attacked; I think that there are real issues in companies in a wide range of industries that are having problems with insider access. We have situations with customer-service people -- the people that are at the end of the telephone call when you call in with questions; we are having problems with the people that fill out applications and those kinds of things. In order to do their job, they need access to lots of information; but we are seeing more and more cases where that access is being abused. So, one vulnerability is insider access -- people needing access to do their jobs but then misusing that access in a way that can lead to actual harm.
I think that people don't often take good care of their own information; they leave it lying around and they carry their cards with them and then they leave their wallet somewhere, or they throw away trash in a way that doesn't include shredding information. So, I think people don't do a good job, necessarily, of protecting their own information, because we have seen so many cases where the person who commits the identity theft is somebody that is known to the individual. On a broader level, we do continue to see large-scale criminal activity, which involves hacking and things like that into systems, so companies also need to do a better job of just policing their overall network security. Although, again, I think many companies are, in fact, doing a pretty good job of that, certainly much more so than we had four or five years ago.
Better Protection and Verification
KITTEN: What advice can you provide to the financial, government and healthcare industries in the U.S. about better protection and verification of Social Security numbers?
NAHRA: I think the major advice I would give is to recognize that while there may still be certain situations in which the use of a Social Security number is needed, there are not very many situations where you absolutely have to rely on a Social Security number. One of the things that I tell all of the companies that I work with, and I think it is really a very valuable step, is to go into your company and do a real thorough audit or a review. Go in and look at every single place in your company where you collect Social Security numbers, where you store Social Security numbers, where you use Social Security numbers, where you disclose Social Security numbers; I have yet to find a company that couldn't look at 50 percent or more of those places and say, "There is really no reason for this." It is just history. It is things that we haven't changed that we don't need to.
So, go through and reduce access as much as possible. You want to reduce the number of people that see that information. You want to reduce the places where Social Security numbers are available and to whom they are available and for what purpose. Doing that kind of a survey or audit, I think, can really do a very significant job of reducing -- not eliminating, but reducing -- these problems, because it cuts down so many of the places where this information just simply doesn't need to be. And, again, the reason it is there is it is just history or it's been saved by accident or no one has thought about it recently. But doing an audit or review, being proactive, is really a very important part of reducing this overall risk.