Rewriting Laws

“You’d need to change a lot of existing public law,” Rotenberg said. “There would need to be extensive hearings and study about the consequences. It’s a complicated issue.”

The government’s own record of protecting Social Security numbers has its blemishes. Medicare, the federal health-care program for senior citizens, has long used the numbers on identification cards recipients must carry. After years of criticism by the agency’s inspector general for the risks that creates, new cards with different numbers are currently being rolled out.

The failure of the Social Security number is that there’s only one for each person; “once it’s compromised one time, you’re done,” said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the National Security Agency’s Cyber Operations Center.

Public and private keys -- long strings of code -- could help validate identities. For instance, the government could issue each person a public key and private key. To open a bank account, people could provide their public key -- instead of a Social Security number -- and the bank would send a message that could only be decrypted using their private key. If the private key gets compromised, the government could easily issue another one.
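The exchange described above, sketched as an added Go example that is not part of the original article: a bank encrypts a random nonce to the key on file, and only the holder of the matching private key can return it. The `Registry` type, the function names and the person "alice" are hypothetical, and RSA-OAEP with a 2048-bit key is an assumed choice.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Registry is a hypothetical stand-in for the issuer: person -> public key on file.
type Registry map[string]*rsa.PublicKey

// Issue creates a new key pair and replaces whatever public key was on file.
func (r Registry) Issue(person string) *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	r[person] = &key.PublicKey
	return key
}

// Challenge is the bank's side: encrypt a fresh random nonce to the key on file.
func Challenge(r Registry, person string) (nonce, ct []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil || r[person] == nil {
		return nil, nil, fmt.Errorf("no usable key or nonce for %q", person)
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, r[person], nonce, nil)
	return nonce, ct, err
}

// Respond is the applicant's side; it returns nil when the key does not match.
func Respond(key *rsa.PrivateKey, ct []byte) []byte {
	pt, _ := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
	return pt
}

// Verify runs one exchange and compares the returned nonce in constant time.
func Verify(r Registry, person string, key *rsa.PrivateKey) bool {
	nonce, ct, err := Challenge(r, person)
	return err == nil && subtle.ConstantTimeCompare(nonce, Respond(key, ct)) == 1
}

func main() {
	reg := Registry{}
	oldKey := reg.Issue("alice")
	newKey := reg.Issue("alice") // reissued after the old private key leaked
	fmt.Println(Verify(reg, "alice", oldKey), Verify(reg, "alice", newKey))
}
```

Once the key is reissued, a copy of the old private key no longer passes the check, which is the property a fixed Social Security number lacks.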

Saved by Math

Stasio also cited emerging blockchain technology as another potential tool. It could create a kind of digital DNA fingerprint that’s “mathematically impossible” to duplicate. In place of a Social Security number, each person could receive a blockchain hash -- a kind of algorithm unique to an individual -- that is stamped on every digital transaction or action.

That type of technology “could be used as a much more efficient and mathematically sound method of transaction, identification and validation,” Stasio said.

While lawmakers were unanimous in criticizing Equifax’s response to a breach that compromised information on 145.5 million U.S. consumers, they were divided on how to fix the underlying issue. Democrats on the panel have reintroduced legislation imposing requirements for when companies have to report data breaches, while Oregon Republican Greg Walden noted the company’s human errors, saying “you can’t fix stupid.”

Smith said the Equifax employee responsible for communicating that the vulnerable software needed to be patched didn’t do so. That failure was compounded when a scan of the company’s systems didn’t find that the vulnerability still existed, the former CEO said.