One curious effect of the commonness of data breaches is that we’ve become inured to shock. It used to be that a sizeable data breach was big news, certainly if the data lost or accessed was of a sensitive nature. Remember the Target data breach in 2013? It dominated news cycles for weeks, largely because it was one of the first times that consumers recognized how data security could affect them. But these days? Ho-hum.
We’ll give you an example. Earlier this week, LabCorp — one of the largest medical testing and lab results companies — announced in its latest 8-K filing with the SEC that a data breach had exposed the records of up to 7.7 million of its customers. The breach occurred at a third-party provider — American Medical Collection Agency — sometime between August 2018 and May 2019, and the records exposed include names, dates of birth, dates that testing occurred, information about the testing itself, as well as addresses, phone numbers, and balances due. In short, a full range of information about millions of patients’ medical testing.
If American Medical Collection Agency sounds familiar, it’s because it is the exact same company that Quest Diagnostics revealed on Monday was behind a similar breach, this time for nearly 12 million of its customers. So, in one 24-hour period, AMCA is outed as the source of a data breach affecting nearly six percent of the entire US population.
The “Meh” Culture
Despite the seriousness of the breach and its implications — New Jersey’s senators have already demanded answers from Quest Diagnostics about the situation — nothing much seems to be happening about the AMCA breach. There is no public outcry, and certainly no calls for changes in legislation or enforcement. It’s just another breach, and not even a comparatively big one. Our collectively blasé response to the insecurity of data reflects a process of deepening desensitization. It isn’t just that the breaches are so frequent, it’s that they’re so frequent and so huge. Remember that Yahoo’s breach exposed the records of more than three billion users, and that even a medium-sized breach these days runs into the hundreds of millions.
Studies show that, over time, consumers have become less concerned about data breaches and data insecurity. The relentless number of data breaches and hacks reported in the news certainly doesn’t help, as it creates an impression among consumers that “my data is probably already stolen anyway, so what difference does another one make?” In fact, it is the very commonness of breach announcements that reversed a years-long trend of greater awareness and greater concern about data security and privacy in the US. Perhaps most strikingly, polling shows that Americans are less concerned about the security of their health data than about the security of their financial data.
But even when it comes to financial data, Americans generally have not been able to sustain public outcry or attention long enough to effect meaningful change. The Equifax breach in 2017, for instance, went from public obsession to public oblivion in just a few months. Despite the loss of hundreds of millions of records about a third of the US population, Equifax’s response was to announce that it would provide free credit monitoring (which turned out to be a disaster) and, frankly, that’s about it. The GAO reported a year and a half later that there had been virtually no major changes at the company and no high-level punishments. In fact, the only criminal charges levied were against two insiders who shorted Equifax stock prior to the public announcement of the breach. But, because seemingly everyone has forgotten about or stopped caring about the breach, it seems that the controversy is over.
And now consider the data breach at First American Corporation, one of the largest repositories of financial data in the country. Brian Krebs reported that more than 885 million records were exposed, that virtually all of them contained highly sensitive financial information, that some contained Social Security numbers tied to financial accounts, and that the breach was so comprehensive it exposed the internal corporate documents of small businesses. This information wasn’t even hacked; it was simply available, via the internet, to anyone who could find it. The result? Within a week, public interest in the story had evaporated, and searches for First American were back to historical levels.
This all seems fairly depressing. Why is the public response to the theft of sensitive personal information so subdued, and why are people not more focused on mandating changes? I think there are a number of reasons, but they all basically distill into two themes: awareness and agency.
The public may be aware that these breaches are happening, but they likely don’t have as strong a grasp of the consequences as they should. For instance, stolen health information can lead to rejections from insurance companies, while leaked financial data can undermine the chances of getting a loan. Employers routinely search the web (both the regular one and the Deep/Dark ones) to conduct research on potential hires and their backgrounds. The more data about you that is available, the less private you can keep your life, your opinions, and your complaints about your boss and how much he interferes in your personal life.
The other issue is a feeling that, regardless of what we may want to do, there’s very little that the average consumer can do to change security practices, privacy regulations, and the general data consumption of large companies. To an extent, that’s right: individual consumers don’t have leverage in these situations outside of the very rare class action that makes a difference.
One solution to the hopeless/helpless conundrum is a combination of public response and private choice. Congress is especially keen to appear as if it’s doing something about privacy and data security these days, especially after its . . . performance . . . during the Zuckerberg Facebook hearings. If ever pressure on elected officials to require better, stronger data protection practices were going to have an effect, it’s now. Along those same lines, some in Congress actually seem to be developing expertise in these issues, including by hiring staff members who will advise exclusively on data protection. That’s good, and that’s right.
But there isn’t a single legislative solution to infosec or privacy problems. Although the need for clarity in legislation has never been stronger in the United States, the lesson of the GDPR’s first year is that rumors of the death of surveillance capitalism and bad data security practices have been greatly exaggerated. Yes, GDPR represents a step in the right direction, and yes, it’s still only the first year, but given the relatively muted impact GDPR has had on the conduct of European-based companies (many of which have yet to implement a GDPR compliance program), it’ll take much more than sweeping legislative change to shift attitudes to data security. (Oh, and just to reiterate our very non-mainstream opinion: there won’t be sweeping legislation in the US in 2019, and maybe not even in 2020.)
That’s where private action comes in. Consumers can create, and grow, a market for secure products and services by demanding them. There is no shortage of companies that will make privacy a part of their value propositions, and they aren’t all web browsers and privacy screens. To the extent that the public wants more privacy, it has to act on it. For now, that can be as simple as investigating Apple’s secure sign-on platform or changing “do not track” and cookie settings. But in the long term, identifying businesses that will provide services with privacy and security at their core has to be a component of consumer strategy. If not, our collective numbness to data breaches and bad privacy practices will only spread.