When U.S. Attorney General Alberto Gonzales held a news conference on Monday to discuss the new identity theft guidelines, he seemed to have two clear goals.
First, to be asked questions that have nothing to do with fired U.S. Attorneys. (He looked as though he was fighting the urge to paraphrase Henny Youngman. "Take my identity....please!") But the more important goal was to be photographed looking concerned about this terrible identity theft situation. "Just awful. Really bad. Please write down the concerned look on my face."
It's a shame that the report doesn't accomplish much. It encouraged fewer uses of Social Security numbers for non-Social Security purposes. Two problems with that. First, that has already been U.S. government policy for many years. The second problem is that the numbers are very difficult to change once they're issued and they are being widely used by banks, businesses, schools and tons of other entities outside the U.S. government. Unlike a credit card that can be easily reissued when its number gets stolen, SS numbers are more or less permanent. Clamping down on SS usage now after the vast majority of Americans have had their numbers used extensively for a huge list of forms won't do much good. Fear not. There's no indication the government is serious about cracking down.
The report addressed the lack of security that many businesses use when supposedly protecting consumer data. But the guidelines suggest nothing to change that situation.
Helpful moves would be more serious crackdowns on retail security or perhaps making Social Security numbers easier to change.
There's a bigger problem behind retail security, though. It's not practical for the federal government to dictate security policies because it can vary so much between different industry segments. But retail security guidelines today, including PCI, are simply not being taken seriously. Visa has conceded that most (64 percent) of its largest retailers are not compliant (at least when they last revealed such stats, back in December).
There are no retail IT execs who actively oppose PCI, but the lack of compliance usually involves a handful of specific regs that a particular retailer can't meet. To say that PCI is imperfect security is like saying that, at Tiananmen Square, the Chinese government delivered imperfect crowd control.
If the retail industry cannot get compliant with its own security rules, it's silly to think that federal rules have much of a chance of having an impact. But for a photo op, they work quite nicely.