Given how much misinformation we feed consumers about breaches, the zippy headline can put such an artful spin on it:
“Anthem was the Victim of a Sophisticated Cyber Attack
-No evidence health data was compromised
-No evidence credit card data was compromised
-Members will receive free credit repair and ID protection services”
This should be the place you come for the truth about data breaches, though, beyond all of the crying wolf and the bad risk assessments. Even though there are lots of great, critical posts and news pieces about the Anthem breach, they haven’t come close enough to this truth: Anthem may be the worst breach we’ve ever seen, and it is in any event a wake-up call to our health care system, our government and every sector of our economy that has not rethought identity protection, because it will be followed by more and more similarly dangerous breaches that make the credit card breaches of the last few years look like nothing, not to mention the even more serious breaches of the critical infrastructure and the internet of things in our homes.
Let’s imagine you were a very sophisticated national government wanting to do harm to the US through cybercrime against personal information. Would you go after payment cards? No way. Not only are consumers protected by law and card brand policies; all the banks/card brands need to do is issue new card numbers, and it cuts off the potential for fraud, so the only cost can be the cost of reissuing the cards. Of course, payment card breaches have in fact cost a lot, but that’s only because retailers, banks and their respective, conflicted advisors have managed many of the big breaches badly; faced with a bigger threat, even those adversaries could come together to prevent harm. Most importantly, the payments industry can always move — as they are now — toward more secure identity management systems, because the individual is not tied to a number that ties together almost all of the other aspects of his or her life.
You wouldn’t focus on medical information either. Yes, a lot of harm can be done with some of that information, such as bribery or fraud in individual cases, but if you wanted to achieve harm and make money at scale and quickly, you would focus on our truly broken, accidental system of universal identity management, our Social Security numbers (SSNs). Unlike the credit card numbers, these numbers cannot be changed; your number is your number for life. So although the early warning issued by Anthem is as gratefully accepted as the early warning in a credit card breach, it is considerably less valuable and worse news. Instead of “Heads up; you can protect yourself by watching your bank/payment card statement from the breached account, and getting a new card number and automatically getting the fraud written off if there is any problem,” the message is, “Heads up; time to start watching all of your accounts and anything else about you that can be hacked, not to mention all of the above about each of your children, and trying in vain to protect all that for THE REST OF YOUR MISERABLE LIVES.”
OK, it’s not quite that bad, but only because your SSNs are already partly exposed, so the Anthem breach only increases the risk to them.
One implication of this simple truth is that a year or two of credit monitoring, while a more appropriate offer in the context of Social Security number breach than a credit card breach (precisely because you can’t just change the number in the former), is clearly inadequate given the duration of the risk. The only principled offer of protection would be lifetime services, and although lifetime credit monitoring services may be prohibitively expensive, lifetime fraud resolution services are available. Since the SSNs breached include the SSNs of all of our dependent children, most of whom don’t have credit yet, the need for lifetime services is even more apparent (although if you live in one of the 16 states that allow you to put credit freezes on those children, you should probably do it).
The bigger point is that we have a de facto national identity system that sets us up for lots of fraud and ID theft, and we could redesign it either across the board or industry by industry with dynamic or other more sophisticated and resilient identity systems. This issue has been debated for many decades, but what we can do with technology keeps getting better and better. This identity system is the reason that the Anthem breach is such bad news, and why we will see so many like it, and I wrote this post because the noise around these events may prevent us from facing this simple truth. Many plaintiffs’ lawyers, privacy advocates, the FTC and state attorneys general will harp on Anthem’s failure to encrypt the breached data, even though the FTC’s former chief technologist, Steve Bellovin, published a good critique of that argument. The biggest problem, as security experts have known for decades, is a national system of partially secure personal identification numbers that cannot be changed. The Anthem breach might come to nothing — for example if the FBI secretly bought all of the information back from the hackers — but it should be a wake-up call for a new identity system in the interest of real cybersecurity.
Jon Neiditz leads the Big Data, Privacy and Information Security Practice at leading information law firm Kilpatrick Townsend & Stockton LLP, co-chairs the Data Protection Committee of the International Technology Law Association (ITechLaw), and is listed as one of the Best Lawyers in America in Information Management Law. One of the first lawyers to focus on big data, Jon has led such practices at other major law and consulting firms, served as a senior advisor in government, chaired a number of nonprofit organizations, and managed in-house compliance initiatives. He blogs at http://datalaw.net/
