After the Equifax breach, we need a policy solution for identity theft

While CNN Money has a pretty mainstream article of advice on the Equifax hack here, a supplementary article by David Goldman lays it on the line, “What’s the worst that can happen?”

The absolute worst might be being framed for a crime, like sex trafficking or child pornography.  In most circumstances that a novelist can imagine, it would still be pretty easy to prove that physically the culprit couldn’t have been “you”.  There are a variety of other outcomes, including job loss or denial or a mortage or lease. For millennials, the risk can extend for decades.  For seniors, it’s probably very minimal.

One comment that gets made by social conservatives particularly (and some libertarians) is that you are ultimately responsible for your own reputation, no matter what, because you live in a society that offers you the benefits of civilization.  I can remember an employer warning us about this in the late 1980s when we suddenly had to pass credit checks to keep our jobs.   I can remember that ten years ago there were prosecutors who looked at finding child pornography on a personal computer as an “strict  liability offense”, although since they they have accepted the idea that malware can put it there. This seems to be a very disturbing philosophy that transcends the plain meaning idea of the law normally, and that most of us cannot live with (especially those on the margins).

Maybe maintaining credit freezes would protect everyone, but it sounds pretty impractical in the long run.

So I think that in the identity theft idea, we need a new policy solution.  I had outlined an idea back in 2006 using “National Change of Address” at USPS, which I had worked on in Minneapolis on my own career back in 1998.

Now I would say, the credit reporting companies should develop the idea of a secondary social security number verifier, which a user can add to her file, and which could not have been hacked yet because it does not yet exist.   I would not be so comfortable with letting the Social Security administration run it. Get some security companies (not Kaspersky, in Russia) to help develop it.  It could be put into two-step verification required to pull a credit report, although it so it would need to be tied to sim cards and not just to phone numbers, which can also be stolen.

(Posted: Sunday, September 17, 2017 at 9:15 AM)