With the Anthem breach at the forefront of everyone's mind, I have been thinking about who really loses the most when user data is stolen. The media headlines call it the Zappos or Target or Home Depot or JP Morgan or Sony or Anthem (wow, this is a long list) breach, but who is the biggest loser? For the breached organizations, the cost of offering identity protection services for twelve months to breach victims and performing some short-term security fixes to mollify shareholders and the public, along with managing a few months of brand notoriety, is often par for the course! Soon earnings go back to where they were; consumers have been shown to have short memories, and with attractive prices and easy-to-use websites they come right back.
The real loser in this breach is you or me, the person whose data was actually lifted during the breach. If identity coupled with credit card information is sold, the data is worth four to five US dollars; but throw in healthcare information, which includes your social security number, primary physician info, medical records, etc., and now you are talking about hundreds of dollars per user record, with no time or location constraints on how the data can be used and/or misused.
Even though you are the victim, this is no time for a pity party. You are ultimately responsible for protecting yourself. Stolen user information can be used to open fraudulent bank accounts, make false health claims, take out loans, and commit crimes, to name just a few possibilities, with no time or geographic boundaries. More than the average Joe, you now need to keep an eagle eye on your bank and credit card accounts, watch for unaccounted withdrawals or purchases, set yourself up to be alerted to credit checks made on you, sign up for identity protection services and, going forward, stay vigilant for the unknown, because someone out there can assume your identity and do something completely unexpected. This is not to say it could not happen to anyone, but just as a smoker has a higher chance of lung cancer, the odds are stacked a bit more heavily against you.
Given the slew of security breaches, I think it’s time consumer protection agencies start ramping up identity protection standards that organizations must sign up to with regard to the storage of user data. Ease of use must be balanced by privacy considerations. While a user may be signed into a website faster if their information is unencrypted, that should not drive organizations to store passwords in the clear. Just putting out terms and conditions that most of us never read does not absolve an organization of its responsibilities to us. Also, in the event of a breach, organizations must be fined, and the fines must be significant enough to be deterrents to continuing callousness.
We as consumers must become more aware of the risks posed and recognize that our personal information is something valuable. We need to make wise choices when sharing information, always keeping our security posture in mind. The next time you read of a sizeable hack, don’t imagine that the organization that has been breached is the victim; the true losers are we, the consumers. Unless we do something about it, this trend is not going to get any better. We need to demand controls and better security, for after all, what is at stake is our identity, and that is what makes us who we are.