Wells Fargo and Visa released a study on Thursday that reported a significant decline in reports of identity theft last year. Still, the losses to individuals and financial services providers may be as much as $49 billion.
In part, the decline can probably be attributed to improved diligence by financial services companies as well as consumers, along with better software for detecting and stopping fraud. Private insurers are now offering low-cost identity theft insurance as well, suggesting that the risk is a manageable one.
But there is still one important defense that has not been implemented: eliminate the use of Social Security numbers (SSNs) as customer identifiers.
This is common sense--using the same number both to identify a customer and validate her identity is sloppy security practice; it's also lazy software design. And no one really disagrees.
Using a customer identifier that is not the SSN wouldn't be hard in the abstract. The problem--and the reason merchants resist it--is the cost of modifying existing systems and databases, many of the legacy variety.
There was some talk of "encouraging" this reform through legislation (see http://www.epic.org/privacy/ssn/), but nothing recently.
This is an instance where I do think federal legislation would be appropriate--it's a targeted solution to a collective action problem. In this case, without a deadline and the threat of enforcement, merchants would be unlikely to spend the money making the change unless they were confident their competitors would be spending the same money and time.