BreachExchange mailing list archives

Where is American consumers’ outrage over data breaches?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Feb 2015 18:31:51 -0700

http://www.postandcourier.com/article/20150212/PC1002/150219822

It has been almost a week now since health insurer Anthem disclosed that
hackers had gotten hold of data on 80 million of its customers. Which just
means we’re that much closer to the disclosure of the next giant data hack.

This is going to keep happening, obviously. One big reason is that, for
Anthem and lots of other companies that possess our most sensitive data,
protecting it isn’t the core of their business. Cleaning up after this mess
is going to be an expensive pain for Anthem, but the attack is unlikely to
drive away customers. If Anthem got a reputation for being dramatically
worse at protecting customer data than other health insurers, the corporate
human-resources people who choose insurers might start to defect. But as
long as it’s approximately as bad as the rest, that shouldn’t be a worry.

Things would be very different, one presumes, if instead of health
insurers, banks and retailers storing our data for us, we chose
personal-data services to watch over our private information and represent
us as we transacted and interacted. For those companies, protecting
customer data would be the very core of their business. Sure, there would
still be data breaches. But competitive forces would push the best data
protectors (and the best data-protection methods) to the top.

This vision of how the world of personal data ought to work, with
individuals owning their data and hiring companies to manage it, has been
in the air for a few years now. Blogging pioneer Doc Searls, who calls it
vendor-relationship management, has been trying to drum up support for it
with a book and the ongoing ProjectVRM at Harvard Law School. Alex “Sandy”
Pentland of the MIT Media Lab helped get a World Economic Forum project
going on “Rethinking Personal Data,” which has on occasion come close to
embracing the customer-owns-the-data approach. And there has been startup
after startup aiming to address some aspect of this.

What there haven’t been, as far as I can tell, are any big success stories
or signs of a real shift in the direction of putting the customer in
charge. Instead, most of the data-related excitement in business circles
has revolved around finding ways to gather, process and monetize ever more
information on consumers. This isn’t so much about Social Security numbers,
as in the Anthem breach, as it is about data that “is either passively
observed about individuals or computationally inferred about them,” in the
words of one recent WEF report. Anything that stands in the way of such
data gathering is an obstacle to be pushed aside or navigated around — and
while Searls and Pentland argue that their approach might make people
willing to share even more data, in the short term it would interfere with
the business models of Google, Facebook and scores of other companies, so
it’s not happening.

In a Q&A with the Harvard Business Review in November, Pentland said he was
“quite hopeful” that change would come “because people are fed up.” Are
they? In another WEF report, “The Internet Trust Bubble,” pollsters asked
people in 63 countries in 2012 “to what extent do you trust the following
institutions to protect your personal data?” Banks and financial
institutions scored the highest, with 60.5 percent of respondents answering
5, 6 or 7 on a 7-point trust scale. Providers of health and medical
services came in second, at 55.1 percent, and government authorities in
third, at 52.9 percent. No other sector cracked 50 percent. At the bottom
of the list were mobile-phone operators (43.7 percent), shops and
department stores (38.9 percent), companies that provide social-networking
services (37.4 percent) and online marketers and advertisers (29 percent).

Given the recent hacks at JPMorgan Chase and Anthem, one would imagine that
trust in banks and health providers is lower now. Overall, the world’s
consumers appear to be justifiably suspicious, even fed up. So far, though,
it’s still an inchoate, diffuse sort of fed-up-ness. What exactly will it
take to get us so fed up that we actually, en masse, do something about it?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/