When U.S. Attorney General Alberto Gonzales held a news conference on Monday to discuss the new identity theft guidelines, he seemed to have two clear goals.
First, to be asked questions that have nothing to do with fired U.S. Attorneys. (He looked as though he was fighting the urge to paraphrase Henny Youngman. “Take my identity….please!”) But the more important goal was to be photographed looking concerned about this terrible identity theft situation. “Just awful. Really bad. Please write down the concerned look on my face.”
Its a shame that the report doesnt accomplish much. It encouraged fewer uses of Social Security Numbers for non-Social Security purposes. Two problems with that. That has already been U.S. government policy for many years. The second problem is that the numbers are very difficult to change once theyre issued, and they are being widely used by banks, businesses, schools and tons of other entities outside the U.S. government.
Unlike a credit card that can be easily reissued when its number get stolen, SS Numbers are more or less permanent. Clamping down on SS usage after the vast majority of Americans have had their numbers used extensively for a huge list of forms wont do much good. Fear not. Theres no indication the government is serious about cracking down.
The report addressed the lack of security that many businesses use when supposedly protecting consumer data. But the guidelines suggest nothing to change that situation.
Helpful moves would be more serious crackdowns on retail security or perhaps making Social Security numbers easier to change.
Theres a bigger problem behind retail security, though. Retail security guidelines today—including PCI—are simply not being taken seriously. Visa has conceded that most (64 percent) of its largest retailers are not compliant (at least when they last revealed such stats, back in December).
There are no retail IT execs who actively oppose PCI, but the lack of compliance usually involves a handful of specific regs that a particular retailer cant meet. To say that PCI is imperfect security is like saying that, at Tiananmen Square, the Chinese government delivered imperfect crowd control.
If the retail industry cannot get compliant with its own security rules, its silly to think that federal rules have much of a chance of having an impact. But for a photo opp, they work quite nicely.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.