The recent thefts of personal data from companies and government agencies make it clear that Social Security numbers can no longer be relied on as proof of identity, according to Gartner, Inc. Gartner analysts said enterprises should use this data as only part of an overall "identity score."

Avivah Litan, vice president and distinguished analyst at Gartner, recently testified at the oversight hearings for the Committee on Veteran's Affairs regarding the theft of sensitive information belonging to 26.5 million veterans and spouses from a Veteran Affairs employee's home. Ms. Litan told the committee that this latest compromise shows just how unprotected some of the nation's most sensitive data is.

"This incident also shows that the Social Security number has become an extremely unreliable piece of information and cannot be trusted to be unique to an individual. Companies should not rely on Social Security numbers alone as proof of individual identity," Litan said. "As many as one-in-seven adult Social Security numbers in the U.S. may already have been compromised."

Litan is providing more detailed analysis regarding identity theft during the Gartner IT Security Summit, which is taking place here through June 7.

While security managers are attempting to implement more-stringent security measures around sensitive information, the price tag for such protection can cause sticker shock for many companies. Security managers are facing challenges in receiving the budget required to better protect customer and business-sensitive information. Gartner analysts point out that data protection is much less costly than data breaches.

"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Litan said. "This compares with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach."

Encrypting stored data can provide the most robust data protection, but if that is unfeasible because of undue cost and complexity, companies should deploy comprehensive host-based intrusion prevention systems (HIPS). However, successfully deploying HIPS requires strong server configuration control and additional administrative cost and complexity. Another option is strong security audits to validate that the organization has deployed satisfactory mitigating controls, reducing the need for data encryption or HIPS.

"None of these options are mutually exclusive, but implementing all three will still be less expensive than having to respond to a large-scale data breach," Ms. Litan said.

Additional information on identity theft prevention is being released at the Gartner IT Security Summit, being held at the Marriot Wardman Park Hotel in Washington, DC. Gartner analysts, industry experts and IT security practitioners are delivering unbiased, realistic analysis on the current state of IT security, as well as an independent overview of the market during the next 12-18 months. For complete event details please visit the Gartner IT Security Summit Web site at

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access