A comment on Slashdot made me think: in the same way that FEMA became the subject of late-night show jokes and ultimate mistrust after Katrina, would the Social Security Administration lose control of what it intended to be just a benefits number if something big were to happen to a large number of SSNs?
One of these days some government employee is going to run an errand with a laptop in his car and a lucky car thief will drive off with every single name and Social Security number in the country. You could fit them all on a USB thumb drive. And they could be all over the Internet within hours. It would be game over for Social Security numbers and the rickety infrastructure that has been built on top of them. It’s only a matter of time before this happens. It might not be in a single theft as I described, but smaller thefts will eventually add up to the point where everyone’s SSN has been compromised, and someone is going to compile them and make them widely available.
Can you have both good external security and internal data security policies? According to the folks behind the Payment Card Industry (PCI) Data Security Standard, who are about to release a new version of the standard, it is best to create good external policies, such as broader vulnerability scans, rather than to have strong data protection rules. The new standard, due this summer, will relax the requirement that data be made unreadable whenever it is stored and will only ask companies to replace encryption with other types of security technology, such as additional firewalls and access controls.
Although there are legitimate reasons for avoiding privacy in some situations - such as older payment systems not built to support scrambling technology - the problem lies in the premise that external protection is all it takes to protect sensitive data. No matter how sophisticated firewalls, access controls, and server applications become, new vulnerabilities will inevitably be disclosed, and computer criminals will be able to penetrate external protection that may have been 100% secure the day before the vulnerability became public.
In light of the new guidelines, the PCI standard should be considered a minimum baseline, not a recommended optimal setting for protecting payment data. Far too often we hear about personal or financial information being stolen, often from unencrypted data media, and the new PCI guidelines do not seem to address this problem.