What does a corporation owe you after a data breach?
It’s a question that grows in importance with each new report of a data breach: How much responsibility should companies take for protecting people’s privacy?
The most common response when a corporate database gets hacked is for the business to offer a year of free credit monitoring — a better-than-nothing measure that will alert people to suspicious activity involving their credit files but will do nothing to prevent fraud, identity theft or other mischief.
West Los Angeles resident Jairo Angulo and his wife were among nearly 80 million current and former Anthem health insurance policyholders whose personal information was reported hacked last February.
Names, addresses, birth dates, Social Security numbers, email addresses and employment information, including income data, were accessed by digital thieves in what the company described as a “highly sophisticated cyberattack.”
Anthem responded by offering two years of free credit monitoring by AllClear ID, a Texas company formerly known as Debix that crops up frequently as the go-to cleanup crew after large-scale security breaches. Its service was offered after hacks at Home Depot, Sony and the UPS Store.
Anthem has patted itself on the back for offering two years of monitoring rather than the customary one. To Angulo, 66, that was nowhere near enough.
“If your Social Security number and other information is out in the world, it’s out there forever,” he told me. “Anthem should be paying for my credit monitoring for the rest of my life.”
He said as much to the insurer. He received his answer recently: No.
While I get that Anthem doesn’t want to be on the hook for covering people’s credit monitoring for the rest of their lives, Angulo raises an interesting point — and I completely understand his concern.
About a decade ago, my Social Security number was used by an identity thief to run up bills on credit cards and at Indian casinos. After I managed to track the guy down in Connecticut and handed him over to law enforcement, he was found guilty of Social Security fraud and deported to his native Jamaica.
But here’s the thing: This guy still knows my Social Security number. He’ll know it until the day he dies. I could change my number, but that would create a cascade of hassles and confusion because it’s my de facto ID number, the core component of every important file in my life, from marriage to mortgage.
Paul Stephens said it’s right to be worried. He’s director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego and, like Angulo, his personal information was jeopardized by the Anthem hack.
“There are so many Social Security numbers involved here,” Stephens said, “it would be wise for a criminal to just hold on to them for a few years and wait until people are less vigilant. It absolutely makes sense to maintain credit monitoring beyond a couple of years.”
Darrel Ng, an Anthem spokesman, said that “securing our member, provider and client data is a top priority,” but he declined to comment on the question of offering credit monitoring for life.
He did say, though, that many policyholders now can opt in to maintaining their AllClear credit monitoring for as long as they remain Anthem members. If they change insurers, their credit monitoring ends.
That’s a step in the right direction, so let’s take a closer look at what people are getting. It’s not as comprehensive as Anthem might want them to think.
The AllClear monitoring offered by the company tracks only your TransUnion credit file. It pays no attention to your files at rival credit reporting agencies Experian and Equifax. This is significant because not all creditors report information to all agencies.
If you’re not simultaneously monitoring all three, it’s possible you’ll miss incidents of fraud or ID theft.
“This wasn’t well publicized,” Stephens said. “It was buried in the fine print. When I called AllClear, they told me I didn’t have to have my credit monitored at all three agencies, which is simply untrue.”
Also, a deep dive into AllClear’s terms and conditions reveals that users of the service must agree to give up their right to sue the company and accept arbitration to settle any disputes. Plus, that arbitration must take place in Austin, Texas.
I pointed out to an AllClear spokeswoman, Ellie Fanning, that indefinitely is a long time. She said most people’s data will be deleted after six years “except in the case of an ongoing dispute or investigation.”
The Privacy Rights Clearinghouse estimates that nearly 900 million consumer records could have been accessed by hackers in almost 5,000 known data breaches since 2005. Many other data breaches, of course, may have been undetected or went unreported.
The upshot here is that the business world has shown itself to be an untrustworthy minder of people’s personal info, either due to negligence or to a lackluster approach to database and network security.
My answer to that: Lawmakers should require that all customer data maintained by companies for any reason be encrypted — that is, safeguarded by powerful software that renders the data unintelligible to outsiders.
Moreover, companies should be required to go a step beyond credit monitoring for any customer affected by a data breach. Businesses also should provide free credit freezes through all three credit agencies. This would block access to your credit file by anyone lacking a PIN code and is the most effective way of preventing hackers and fraudsters from receiving credit in your name.
Both these moves — encryption and credit freezes — would be more expensive for companies and thus would immediately prompt them to step up their game in protecting customers’ information. As it stands, they clearly lack sufficient incentive to impose adequate security.
In March, L.A.-based Lamps Plus discovered that a hacker had accessed the unencrypted W-2 forms of every employee at the company, which included their names, addresses, Social Security numbers, earnings and withholding information.
The hacker subsequently submitted bogus tax returns to the Internal Revenue Service, seeking refunds in other people’s names.
Clark Linstone, Lamps Plus’ chief financial officer, said the company “regrets this incident” and is “doing everything possible” to assist workers.
That includes a year of free credit monitoring.
David Lazarus is the consumer issues columnist for the Los Angeles Times