Business Columns & Blogs

What does a corporation owe you after a data breach?

Columnist David Lazarus has firsthand knowledge of dealing with an identity thief: He tracked one down and handed him over to authorities. The thief was found guilty of Social Security fraud and deported to his native Jamaica. And yet, Lazarus says, he’s left with this chilling conclusion: The thief still knows his Social Security number. Sure, we can change our number, but that’s everyone’s de facto ID number.
Columnist David Lazarus has firsthand knowledge of dealing with an identity thief: He tracked one down and handed him over to authorities. The thief was found guilty of Social Security fraud and deported to his native Jamaica. And yet, Lazarus says, he’s left with this chilling conclusion: The thief still knows his Social Security number. Sure, we can change our number, but that’s everyone’s de facto ID number. Detroit Free Press file illustration

It’s a question that grows in importance with each new report of a data breach: How much responsibility should companies take for protecting people’s privacy?

The most common response when a corporate database gets hacked is for the business to offer a year of free credit monitoring – a better-than-nothing measure that will alert people to suspicious activity involving their credit files but will do nothing to prevent fraud, identity theft or other mischief.

West Los Angeles resident Jairo Angulo and his wife were among nearly 80 million current and former Anthem health insurance policyholders whose personal information was reported hacked in February 2015.

Names, addresses, birthdates, Social Security numbers, email addresses and employment information, including income data, were accessed by digital thieves in what the company described as a “highly sophisticated cyberattack.”

Anthem responded by offering two years of free credit monitoring by AllClear ID, a Texas company formerly known as Debix that crops up frequently as the go-to cleanup crew after large-scale security breaches. Its service was offered after hacks at Home Depot, Sony and the UPS Store.

Anthem has patted itself on the back for offering two years of monitoring rather than the customary one. To Angulo, 66, that was nowhere near enough.

“If your Social Security number and other information is out in the world, it’s out there forever,” he told me. “Anthem should be paying for my credit monitoring for the rest of my life.”

He said as much to the insurer. He received his answer recently: No.

While I get that Anthem doesn’t want to be on the hook for covering people’s credit monitoring for the rest of their lives, Angulo raises an interesting point – and I completely understand his concern.

About a decade ago, my Social Security number was used by an identity thief to run up bills on credit cards and at Indian casinos. After I managed to track the guy down in Connecticut and handed him over to law enforcement, he was found guilty of Social Security fraud and deported to his native Jamaica.

But here’s the thing: This guy still knows my Social Security number. He will know it until the day he dies. I could change my number, but that would create a cascade of hassles and confusion because it’s my de facto ID number, the core component of every important file in my life, from marriage to mortgage.

Cause for concern

Paul Stephens said it’s right to be worried. He is director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego and, like Angulo, had his personal information jeopardized by the Anthem hack.

“There are so many Social Security numbers involved here,” Stephens said, “it would be wise for a criminal to just hold on to them for a few years and wait until people are less vigilant. It absolutely makes sense to maintain credit monitoring beyond a couple of years.”

Darrel Ng, an Anthem spokesman, said that “securing our member, provider and client data is a top priority,” but he declined to comment on the question of offering credit monitoring for life.

He did say, though, that many policyholders now can opt in to maintaining their AllClear credit monitoring for as long as they remain Anthem members. If they change insurers, their credit monitoring goes bye-bye.

That’s a step in the right direction, so let’s take a closer look at what people are getting. It’s not as comprehensive as Anthem might want them to think.

The AllClear monitoring offered by the company only tracks your TransUnion credit file. It pays no attention to your files at rival credit reporting agencies Experian and Equifax. This is significant because not all creditors report information to all agencies.

If you’re not simultaneously monitoring all three, it’s possible you’ll miss incidents of fraud or ID theft.

“This wasn’t well-publicized,” Stephens said. “It was buried in the fine print. When I called AllClear, they told me I didn’t have to have my credit monitored at all three agencies, which is simply untrue.”

Fine print

Also, a deep dive into AllClear’s terms and conditions reveals that users of the service must agree to give up their right to sue the company and accept arbitration to settle any disputes. Plus, that arbitration must take place in Austin, Texas.

On top of that, the company’s privacy policy says that even after your credit monitoring ends, “AllClear ID may retain your personal information indefinitely … to resolve disputes, to comply with official investigations or proceedings, and/or to enforce AllClear ID’s agreements.”

I pointed out to an AllClear spokeswoman, Ellie Fanning, that indefinitely is a long time. She said most people’s data will be deleted after six years “except in the case of an ongoing dispute or investigation.”

The Privacy Rights Clearinghouse estimates that nearly 900 million consumer records potentially have been accessed by hackers in almost 5,000 known data breaches since 2005. Many other data breaches, of course, may have been undetected or went unreported.

The upshot here is that the business world has shown itself to be an untrustworthy minder of people’s personal info, either due to negligence or to a lackluster approach to database and network security.

My answer to that: Lawmakers should require that all customer data maintained by companies for any reason be encrypted – that is, safeguarded by powerful software that renders the data unintelligible to outsiders.

Moreover, companies should be required to go a step beyond credit monitoring for any customer affected by a data breach. Businesses also should provide free credit freezes through all three credit agencies. This would block access to your credit file by anyone lacking a PIN code and is the most effective way of preventing hackers and fraudsters from receiving credit in your name.

Both these moves – encryption and credit freezes – would be more expensive for companies and thus would immediately prompt them to step up their game in protecting customers’ information. As it stands, they clearly lack sufficient incentive to impose adequate security.

David Lazarus is a Los Angeles Times columnist. He answers consumer questions. Contact him: david.lazarus@latimes.com or @Davidlaz. Read more by Lazarus at fblinks.com/laz.

  Comments