Nine-Digit Dilemma

Reacting to the epidemic of identity theft, some states are curbing the use of the Social Security number for identifying customers and employees. Now IT has to figure out what to do.

Open an online bank account, and you'll need to plug in your Social Security number for identification. Get your insurance information online? Same thing. The nine-digit SSN is the key that unlocks many doors -- which is convenient for the consumer but also a tremendous privacy threat in a world where identity theft is the No. 1 form of consumer fraud.

Hackers or identity thieves who get a person's SSN can gain access to a huge amount of confidential data because the SSN has been used in so many industries as a customer account or employee number.

Identity theft has been rampant, victimizing 3.4% of American adults between July 2002 and June 2003, according to Gartner Inc. in Stamford, Conn. Concerns about identity theft have led to state legislation to restrict the use of the SSN on ID cards or, in the case of California Senate Bill 1386, to prod businesses into beefing up security by making them liable for disclosures of private information.

But Jim Hurley, an analyst at Boston-based Aberdeen Group Inc., says better security still won't solve the problem.

"No amount of electronic security is going to reduce the risk of having these SSNs -- and their owners' identity data -- stolen, fleeced, bartered and otherwise lost to the Internet winds," he wrote in a recent report. "When the breaches become public knowledge -- and they will -- publicity flames will be stoked high by the newly enacted California statute, Senate Bill 1386, and the litigation-for-pay industry."

Hurley says there's only one alternative: "Eliminate [the] use of Social Security numbers as digital identity credentials, before the house goes up in flames."

But it's not that simple. After all, banks must still collect their customers' SSNs in order to comply with Internal Revenue Service reporting regulations. Insurers also must sometimes store SSNs or other identifiers, such as driver's license numbers, for tax or underwriting purposes. And employers need to keep the SSNs of their workers for tax purposes, even if they're not used as official employee identifiers.

"You have to divide the problem into two parts: those companies that must, because of U.S. regulatory requirements, include SSNs in their data, and those that do not," says Doug Lewis, who recently retired as CIO at InterContinental Hotels Group PLC.

The hotel conglomerate's Holiday Inn chain once used SSNs as the prime identifier for its Priority Club members, Lewis says. "Then they recognized the privacy issues and reissued the Priority Club cards without SSNs," he says. "The conversion consisted of morphing the SSN to another number using a mathematical algorithm."

Other organizations are also dumping SSNs. For example, the Georgia Institute of Technology, Northwestern University, Ohio State University and the University of Illinois have all announced moves away from using SSNs on student ID cards. A handful of states, including Arizona, New York, Rhode Island and Wisconsin, have enacted laws to regulate colleges' and universities' use of SSNs.

Here to Stay

Some companies eliminated the use of SSNs as employee identifiers long ago. "When we went global, we had to issue everyone new numbers because foreign employees don't have Social Security numbers," says Suzanne Gordon, CIO at SAS Institute Inc. in Cary, N.C. "We haven't used SSNs around here for system access for 18 years."

But for banks and other financial institutions, SSNs will continue to be found in databases, whether or not they're used as account numbers, so the security problem remains. "I'm more concerned about the risk of someone hacking into a database, because these institutions need to maintain the Social Security numbers of their customers," says Barry Thompson, a banking security consultant in Syracuse, N.Y.

The health care industry, including insurers, faces an even more profound dilemma. "The entire health system, from providers to hospitals to insurers, tracks people by their Social Security numbers," says Kirk M. Herath, associate general counsel and chief privacy officer at Nationwide Insurance Cos. in Columbus, Ohio. "It might be more secure if everyone generated a random number, but then we would have difficulty talking to each other."

The insurer's conundrum is compounded by California's SB 1386. Among other things, the law requires companies to notify consumers if they have reason to believe that nonpublic information has been compromised. It also prohibits the use of SSNs on mailings, whether electronic or postal, a provision that directly hits insurance companies that use SSNs as customer IDs. SB 1386 covers any company with customers or employees in California.

"When we came to grapple with SB 1386, it forced us to look at the issue holistically," says Herath. "We decided it made no sense to protect the Social Security numbers of California residents only, because they were intermingled with other customers in our databases. We decided compliance was to be national in scope."

Nationwide allowed each of its business units to tackle the problem as it saw fit. "Each system is a different animal," Herath explains. "Some removed, redacted or scrambled the Social Security number with an algorithm. Others generated numbers randomly."

Tougher Than Y2k

But a more stringent approach to SSNs is being taken by Blue Cross and Blue Shield of Minnesota. "We are eradicating them," says John Ounjian, CIO at the Egan, Minn.-based health insurance association. "We are not merely doing it with our current membership but also with our historical databases."

This task has proved to be a good deal more complex than the Y2k conversion of a few years ago. "Y2k involved a field expansion. But membership numbers are built into the database design," Ounjian explains.

One option is to encrypt the SSN, but he says he rejects that idea because "if for some reason the key is stolen or compromised, all of those ID numbers can be retraced to the SSN, and we'll never even know it is happening."

Ounjian likewise rebuffs the use of pseudonymization, a process developed by London-based Sapior Ltd. that attempts to overcome some of the difficulties associated with encryption.

"Encryption and password protection provide all-or-nothing access," says Steve Crutchley, chief security officer at 4FrontSecurity Inc., an information security consultancy in Reston, Va., that has partnered with Sapior.

"Pseudonymization replaces identifiers with a computer-generated pseudonym on a one-to-one basis," Crutchley explains. "The true identities are retained on a secure computer system and available for reidentification as needed by those with access permission."

That's not good enough for Ounjian, who says that, "as long as you are using a defined algorithm, there is always a master key. Like the master key to an office building, you are only as secure as the key."

For Nationwide's Herath, encrypting the SSN would be the ideal solution because it would maintain the connection among records throughout the health care process. But he laments that "there are not a lot of affordable and flexible encryption solutions out there. We may end up with a swipe card that has the number embedded in its strip. The problem there is that the family practitioner on Main Street doesn't necessarily have the technology [to read it]."

Meanwhile, Ounjian is spending $6 million to make the conversion at Blue Cross and Blue Shield of Minnesota. "From what I hear, it takes between $4 million and $7 million to do this job," he says. Besides converting the databases, the association is also modifying applications to accommodate the new member numbers and absorbing the costs of printing new ID cards for all of its members.

For all of the effort and expense it takes to rid a company of the SSN scourge, Herath is concerned about the downside of this trend. "Abandoning Social Security numbers means that it will be tougher to identify people," he says. "It's more likely that there will be mistakes in treatment and services."

Buxbaum is a freelance writer in Potomac, Md. He can be contacted at pab001@aol.com.

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
 
Shop Tech Products at Amazon