We consultants have an easy life. For the most part our techniques are uncomplicated and our advice is, while good, pretty obvious. Even better, most clients don’t want our advice. They either want us to read a script, or they have a dozen reasons our advice is good in theory, but won’t work in the “real world.”

Personally, most of what I do is Undercover Boss except I’m not the boss. In my experience, employees know exactly what’s wrong with the organization, have a pretty good idea how to fix it, and have an accurate bead on why management will never make the repairs.

In the case of information security, it’s usually even easier than that: If companies would just:

> Patch: Now, please.

> Encrypt everything: Too expensive? Net the cost of the time needed to decide what should be encrypted and what doesn’t need to be against the cost of encryption. Encrypting everything costs less.

> Rotate keys: Rotate them at least as often as users are required to change their passwords because the data in your corporate databases is more sensitive than the data in individual laptops. What would you do without me?

> Phish: Subject everyone in the company to white hat phishing attacks. Everyone. Frequently. Model your attacks on real-world ones. Explain to employees who click what they fell for and how to spot the next one. Because the bad guys don’t bother trying to crack passwords any more. They just ask for them.

One more: Add “Don’t store this because we don’t need it and never will” to your company’s master data management practices. I spent much of my spare time over the past week trying to figure out what uses Equifax might have for storing social security numbers in its credit records, and I’ve come up dry. My social security number has no bearing on my creditworthiness.

With this exception: It’s the only form of personal identification that won’t change over time.

The “never will” qualifier deserves a bit of explanation. I worked with a life insurance company once upon a time that routinely deleted a lot of information about applicants once they became policy holders because they didn’t need it anymore.

Until the time, a few decades later when the importance of customer analytics was becoming apparent.

So “never will” is a balancing act.
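A defender-side sketch of the “don’t store this” audit described above, added here as an example and not the column’s own code: it scans a set of constructed records for SSN-shaped values, uses the SSA’s structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to suppress obvious non-SSNs, and reports every field outside an allow-list of demonstrated need. The record layout, field names and allow-list are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
# Field names that suggest a column was designed to hold an SSN/TIN (assumed naming).
SSN_FIELD_HINTS = ("ssn", "social", "tax_id", "tin")

# Constructed sample records for the audit; none of these are real people or numbers.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "A. Example", "ssn": "123-45-6789", "credit_score": "712"},
    {"customer_id": "C-1002", "name": "B. Example", "tax_id": "987654321", "credit_score": "655"},
    {"customer_id": "C-1003", "name": "C. Example", "account_no": "234567890", "credit_score": "690"},
    {"customer_id": "C-1004", "name": "D. Example", "ssn": "", "phone": "612-555-0100"},
]


def is_plausible_ssn(value: str) -> bool:
    """Structural check only: SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000. Anything else that is 3-2-4 digits passes."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def audit_records(records: Iterable[Dict[str, str]],
                  allowed_fields: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (record_id, field, reason) for each stored value that looks like an SSN.
    allowed_fields lists the columns where a demonstrated need to keep the SSN exists."""
    allowed = set(allowed_fields)
    findings: List[Tuple[str, str, str]] = []
    for rec in records:
        rid = rec.get("customer_id", "?")
        for field, value in rec.items():
            if field in allowed or not isinstance(value, str) or not is_plausible_ssn(value):
                continue
            if any(hint in field.lower() for hint in SSN_FIELD_HINTS):
                findings.append((rid, field, "ssn-shaped value in ssn-named field"))
            else:
                # Nine digits in an unexpected column may be an account number; a
                # structural match alone is not proof, so the finding asks for review.
                findings.append((rid, field, "ssn-shaped value in unexpected field (verify manually)"))
    return findings


if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS):
        print(finding)
```

Passing an allow-list such as `allowed_fields=("ssn",)` models the “demonstrable need” exception: only values found outside the approved column remain as findings.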

Which gets us to: In response to last week’s column proposing SSN 2.0, several correspondents and commenters pointed out that when we who till the soil of corporate IT need to determine if someone should be allowed into a system, we establish a key value … the user ID … and one or two authenticators, of which passwords are the most prominent.

Social security numbers play both roles — they’re both identifier and authenticator, on the theory that only the holder of a social security number knows what it is.

It’s a quaint perspective, but seriously folks, haven’t we become just a wee bit more sophisticated in the 81 years since the Social Security administration issued its first batch of cards?

Not to mention since Woolworth became the first and possibly worst identity thief of all time? (You just have to read about this.)

In an interesting way what we’re looking at is really a common IT problem: A system that elegantly solves a problem is expanded to solve additional related problems. Then it’s expanded again. And with every expansion the system’s architecture becomes another notch messier, until it reaches the point where it’s at risk of collapsing under its own weight.

When the subject is business applications this means it’s time for modernization, conversion, or a re-write, to a system designed from the beginning to handle the actual scope of the solution.

Here, the original problem was to uniquely identify citizens registered with the Social Security Administration, to which the IRS added taxpayer identification.

Now, the SSN is used by businesses asking the question, “Can we trust this person to hold up their end of the bargain when we sign a mutually binding contract?” It’s the public connecting point for all of a person’s financial records.

Whether my semi-whimsical SSN 2.0 proposal bears any resemblance to what a real solution would look like is anyone’s guess. What I am pretty sure of is that, if your company stores consumer information and doesn’t follow at least the practices described here and last week (no, not “best practices” — call them “barely adequate practices”), it will end up contributing to the problem.

A quick poll: Which recent disaster was the worst: (A) Hurricane Harvey; (B) Hurricane Irma; (C) the Equifax data breach?

Equifax said its systems were breached from mid-May until it discovered the hack on July 29. It informed the public on September 7.

The United States is home to about 240 million adults. Equifax provided enough personal details to make 143 million of them vulnerable to identity theft. Add all the other big breaches, account for overlap, carry the one, and you end up with, in round numbers, everyone.

The bad guys have something in common with the Social Security Administration: They both know your social security number.

It’s long past time to fix this mess. And since nobody is stepping up to the plate, it’s time for a modest proposal from the Keep the Joint Running Think Tank, otherwise known as yours truly with a bottle of beer in his hand and a keyboard in front of him.

Okay, “fix” might be going too far, but there are some steps we could take that, if not simple, would at least be straightforward. Share them with your senators and congressperson. Starting with the most obvious and working our way down through the list of nearly-as-obvious:

> SSN 2.0: The Social Security Administration should issue each of us a brand-spanking-new social security number that nobody other than it and you know about. Except, that is …

> Business access to SSN 2.0: Some businesses do have a specific need for some individuals’ social security numbers. SSN 2.0 redefines business use of social security numbers. As of now it’s a right. Under SSN 2.0 it becomes a privilege — soliciting and storing an individual’s social security number will be illegal, except for businesses that have a demonstrable need. Any other company caught storing social security numbers in any company database will be immediately liquidated.

> SSN 2.0 certification: In order to be awarded the right to store social security numbers, applicants must prove compliance with the agency’s data protection requirements. Chief among these:

Universal encryption of every bit of stored data. No, not just personally identifiable information (PII). Everything. That eliminates the possibility of the “Oops — we missed that one! Sorry …” factor. Too expensive? Don’t be ridiculous. Compare this expense to the cost of fixing the massive level of identity theft we’re in for.

Oh, by the way … does anyone reading this think the data Equifax lost was encrypted? Me neither. Which leads to this question: What? And this one: Seriously?

AI-based intrusion detection: Companies that encrypt all their data can still be breached, and decryption keys can be stolen — through social engineering techniques if not hacking.

Even with stolen decryption keys a breach isn’t that big a deal. An undetected breach is a big deal. The use of AI techniques to detect intrusions is in play right now. There’s simply no valid reason other than bad budget priorities for failing to detect and address a breach for a month or more.

The fundamentals: Keeping current with patches, rotating encryption keys, role-based identity management applied to all employee transitions, white-hat hacking … you know, not even best practices, as if there was such a thing. Just the minimum standards of basic professionalism.

Keep the PR department out of it: I don’t care if the breach makes the company look bad. The company’s image really isn’t the issue.

> FBMA: For hurricanes, tornadoes, floods, and earthquakes we have FEMA. For massive data breaches we have bupkis. It’s time to create the Federal Breach Management Administration. FEMA in Houston has, I think, demonstrated the validity of federal government intervention in disasters of a certain size and scope. This is just as logical in the virtual world as the physical one.

I know many of KJR’s subscribers have a libertarian bent, and don’t think the Federal government has any business regulating or involving itself in the financial transactions between two parties.

After all, immediately after reporting the breach (which is to say about four months after the breach itself), Equifax offered everyone affected a free identity theft monitoring service.

Because of course I’m going to trust the company that lost my data to let me know my data has been stolen.

And oh, by the way, as reported by The Denver Post’s Tamara Chuang (“Clearing up confusion on the Equifax data breach, no thanks to Equifax,” 9/8/2017), those foolish enough to sign up inadvertently gave up their right to sue.

Just an opinion here: One important role for government is evening out a hopelessly asymmetrical balance of power.

Like, for example, the imbalance between Equifax’s power to collect data about you and your power to avoid doing business with it.