Given the record of government agencies losing tons of data – like when Texas left personnel files including Social Security Numbers on a public server for more than a year and a half – having a federal agency be the storehouse for identity data would not be my first choice of solution.
Last month the Obama administration proposed an approach called the National Strategy for Trusted Identities in Cyberspace (NSTIC).
It must be a well-thought-out plan, because it not only has extensive PDFs explaining the details of NSTIC and the "reasons we need it," it also has a simplistic animation describing how NSTIC would work.
I haven't seen anything quite as patronizing since the last time I was willing to sit through a vendor presentation at a trade show in exchange for an Earth globe squishy ball or flashlight keychain as a bribe to the kids to let me back in the house when I got home.
NSTIC is supposed to rely on a network of private-industry organizations and store bits of your information in different places, so it's not all available in one vulnerable spot.
It's supposed to provide mechanisms to let consumers establish whether a web site is legit before they give it any information, and control who gets access, when and for how long.
Federal agencies would set the data-exchange and security standards, probably set or limit the costs, and require companies participating in it to abide by the Fair Information Practice Principles (another PDF).
Given how well companies that already are supposed to be securing our data – to protect their own assets, if not ours – have done so far, I'm not that confident a new agency trying to enforce a set of information-management practices most companies will fight to avoid is going to be all that successful.
I'm also concerned about the cost. A 2009 survey from Financial Executives International found the average cost of audits and reporting stemming from the 2002 Sarbanes-Oxley Act is $1.7 million. Smaller companies had smaller costs.
There's no telling what the cost, or even the responsibility, of companies having to manage customer identities according to NSTIC guidelines (which have not yet been set) would be.
I'm confident cost estimations from CFOs and CIOs will range from "way too much" to "holy #%@#," however.