Dan Solove argues that if the FTC would just conclude that the use of Social Security numbers as a password or authenticator is unreasonable data security, a lot of identity theft could be prevented.
I think he’s right, but there has always been and would be tremendous pushback against the proposal. I’m not confident that Congress would back the FTC under intense pressure/lobbying on the issue, and they might wind up scaling back some of the FTC’s authority or calling for rules and regulations and all the things the agency has been firmly avoiding.
But it’s a good idea, and it’s worth asking why Congress just doesn’t enact a law that gives entities X years to cease and desist using SNN for authenticators or passwords.