As companies and other organizations collect and store more and more data about individual consumers, protecting this information against unauthorized access is vital. Media reports frequently highlight incidents of hackers gaining access to large databases containing sensitive consumer information.
Estimates suggest that in 2015 data breaches compromised over 707 million records. This highlights the need to enhance the security of payment information systems and develop technological solutions to better protect credit and debit card account information. Although no comprehensive federal data breach law has been enacted, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving certain categories of personal information.
To protect against data breach incidents, organizations collecting consumer data need to take steps to protect the information gathered. Further, it is important these organizations have plans in place to quickly respond to security breaches should they occur and work to minimize damages to consumers whose information is put at risk.
The widespread use of Social Security numbers (SSNs) in both the public and private sectors gives identity thieves ample opportunity to gain access to the estimated 227 million active SSNs. Because government agencies and private businesses often use SSNs for a wide range of purposes unrelated to Social Security, the SSN has become the de facto national identifier. For this reason, SSNs are particularly valuable to identity thieves, who use them to assume another individual's identity and commit fraud, and they therefore require heightened protective measures.
Information Security: Policy
Policymakers and the private sector should:
- adopt a strong and effective information security program that is proportionate to the risks posed to consumers’ personally identifiable information (PII);
- create, test, and operationalize an incident management framework and policies that will allow for swift detection and response to potential and actual security incidents affecting the confidentiality of consumers’ PII; and
- limit the use of PII in internal processes unless absolutely necessary, retain PII for only as long as necessary, and securely dispose of data no longer needed.
Protection of Social Security numbers (SSNs)
- Companies, government agencies, and individuals should not be allowed to post or publicly display SSNs, print them on cards, transmit them over the Internet or by facsimile, or send them by mail without safety measures.
- The sale and purchase of SSNs in the private sector should be limited by requiring an individual’s affirmative consent before his or her SSN can be sold.
- Unnecessary or inappropriate collection of SSNs when consumers purchase goods or services should be restricted.
- Federal and state governments should enhance criminal and civil penalties for SSN misuse.