Businesses should share our suffering after hacks

One question grows more important with each report of a data breach: How much responsibility should companies take for protecting people’s privacy?

The common response when a corporate database gets hacked is for the business to offer a year of free credit monitoring — a better-than-nothing measure that will alert people to suspicious activity but will do nothing to prevent fraud or identity theft.

West Los Angeles resident Jairo Angulo and his wife were among nearly 80 million Anthem health insurance policyholders whose personal information was reported hacked in February 2015.

Names, addresses, birth dates, Social Security numbers, email addresses and employment information, including income data, were scooped up by digital thieves in what the company described as a “highly sophisticated cyberattack.”

Anthem responded by offering two years of free credit monitoring by AllClear ID, a Texas company frequently used as the cleanup crew after large-scale security breaches. Its service also was offered after hacks at Home Depot, Sony and the UPS Store.

Anthem has patted itself on the back for offering two years of monitoring rather than the customary one. For Angulo, 66, that wasn’t nearly enough.

“If your Social Security number and other information is out in the world, it’s out there forever,” he told me. “Anthem should be paying for my credit monitoring for the rest of my life.”

He said as much to the insurer and received an answer: No.

Angulo raises an interesting point, and I understand his concern.

A decade ago, my Social Security number was used by an identity thief to run up bills on credit cards and at casinos. After I tracked the guy down in Connecticut and handed him over to law enforcement, he was convicted of Social Security fraud and deported to his native Jamaica.

But here’s the thing: This guy still knows my Social Security number. He’ll know it until the day he dies. I could change my number, but that would bring a cascade of hassles because it’s the core component of every important file in my life, from marriage to mortgage.

The Privacy Rights Clearinghouse estimates nearly 900 million consumer records potentially have been accessed by hackers in almost 5,000 known breaches since 2005. The upshot is that the business world has shown itself to be an untrustworthy minder of people’s personal info.

My answer: Lawmakers should require that all customer data maintained by companies for any reason be encrypted — safeguarded by powerful software that renders the data unintelligible to outsiders.

Moreover, companies should be required to go a step beyond credit monitoring for any customer affected by a data breach. Businesses need to provide free credit freezes through all three major credit agencies.

This would block access to your credit file by anyone lacking a PIN code and is the most effective way of preventing fraudsters from receiving credit in your name.

Both these moves — encryption and credit freezes — would be more expensive for companies and thus would prompt them to step up their game in protecting customers’ information.

As it stands, they clearly lack sufficient incentive to impose adequate security.

— Los Angeles Times
