Information Security


Companies and other organizations collect and store more and more data about individual consumers. Protecting this information against unauthorized access is vital. Media reports frequently highlight incidents of hackers gaining access to large databases containing sensitive consumer information.

Estimates suggest that in 2017 data breaches compromised more than 2.5 billion records. This highlights the need to enhance the security of payment information systems and develop technological solutions to better protect credit and debit card account information.

There is no general federal law requiring companies to notify consumers of data breaches involving consumers’ personal information. But all states and territories do require notification for security breaches involving certain categories of information.

There are an estimated nearly 500 million active Social Security numbers (SSNs). Because government agencies and private businesses often use SSNs for a wide range of purposes unrelated to Social Security, the SSN has become the de facto national identifier. For this reason, SSNs are particularly valuable to identity thieves, who use them to assume the identity of another individual and commit fraud. SSNs therefore require heightened protective measures. Agencies and businesses have begun replacing SSNs with specialized ID numbers to better protect customers’ identities. For example, starting in 2018, new Medicare cards carry a Medicare-specific number (the Medicare Beneficiary Identifier) in place of an SSN.


Information Security

In this policy: Federal, Local, State

Policymakers and the private sector should adopt a strong and effective information security program. The program should be proportionate to the risks posed to consumers’ personally identifiable information (PII).

They should also:

  • create, test, and operationalize an incident management framework and policies that will allow for swift detection and response to potential and actual security incidents affecting the confidentiality of consumers’ PII; and
  • use PII in internal processes only when absolutely necessary, retain PII for only as long as necessary, and securely dispose of data that is no longer needed.

Consumers whose information is put at risk as a result of a security breach should receive free long-term identity monitoring services and other forms of assistance. Companies that have been breached should provide information about additional free ways people can protect themselves from identity theft, such as placing a credit freeze. Identity monitoring service providers should refrain from marketing add-on services to those who receive free monitoring.

Social Security numbers

In this policy: Federal, Local, State

Companies, government agencies, and individuals should protect against the unauthorized use, display, collection, and sale of Social Security numbers (SSNs). Criminal and civil penalties for SSN misuse should be increased.

Companies should not be allowed to post or publicly display SSNs. They also should not print them on cards, transmit them over the internet or by facsimile, or send them by mail without appropriate safeguards.

In order to prevent fraud, the sale and purchase of SSNs in the private sector should be prohibited.

Policymakers should restrict unnecessary or inappropriate collection of SSNs when consumers purchase goods or services. Alternatives to SSNs should be used where practical.