WE ARE COMFORTABLY NUMB, AND THE DATA AGGREGATORS KNOW IT….

Who knew Pink Floyd’s classic rock hit could be the theme song to the current state of data breaches.  Given the lack of any lasting public outrage for data breaches and leaks of personal data, I find myself wondering if the masses really care?  Meaning, do they care enough to take action. Financial action.  

Sure, politicians have seized the moment by quickly passing GDPR and California’s new Consumer Privacy Act, which have punitive financial penalties.  However, I suspect that has more to do with wielding political power than truly protecting the individual, but that’s topic for another discussion. What I am talking about is would consumers actually stop or reduce doing business with companies who have been (ahem) a little careless with their data.  Frankly, I don’t see it happening any time soon.  

The director of our security practice, Ben Thurston, forwarded me a link to this WIRED article on a recent data leak at Exactis. Turns out this little known (to me, at least) Florida based marketing and data aggregation firm just exposed a nearly 2 terabytes personal information database with almost 340 million records.  That’s huge!  It’s bigger than the Equifax breach that garnered a lot more attention. OK, this leaked data didn’t contain any credit card data or social security numbers, so it’s no big deal, right? Not so fast. What was exposed, apparently was a very well curated database of other juicy personal information, such as address, phone, interests, number and age of children, among other tidbits.  All a bad actor must do is marry this information to other stolen financial information (readily available on the dark web) and you have quite a recipe for identity theft.  Now that type of criminal activity can turn your life into a credit and financial nightmare.  

Are you feeling a little ill, yet?    

Eh, probably not.  And therein lies the problem. 

We have been conditioned not to care.  We’ve become apathetic in many ways. Mainly, because we feel no significant immediate impact, financial or otherwise, as a population.  Other than the obligatory email from said breached entity to promptly change your password or receiving a new debit card from your local bank “out of an abundance of caution” (my personal favorite line), we really are not impacted.  At least, that’s what how we have been made to feel.  When the Target breach occurred back in 2013, I thought this might be the turning point.  Since Target executives got fired, perhaps other organizations’ leaders might not want to suffer the same fate, so they would step up their cybersecurity efforts.  Financial companies, tired of shouldering the bulk of the financial costs of stolen credit cards, would finally band together and hold retailers and other holders of PCI data accountable.  Alas, I’m not sure a lot has changed. And, if it has changed, it is clearly not working.  Sure, companies spend billions on security prevention and detection, but that’s table stakes.  Most companies treating it as a cost of doing business, so you don’t get sued for negligence. We, as consumers, are comforted by corporate messaging allaying our fears that everything will be OK and please keep consuming. Which we are apparently happy to do.  So, the show goes on and we go about our merry little lives.  Sure, every day individuals are victimized by identity fraud, but that largely goes unnoticed and under reported. I’m not saying this is some grand conspiracy by corporate world powers to suppress the truth, simply to keep the great consumer economic engine running smoothly (although…).  More likely the behavior is attributed to basic human psychology. 

By large, humans are quite trusting.  In general, we believe people and organizations run by people will do the right things.  If we didn’t, would we ever fly an airline that had a crash due to faulty maintenance check?  If fact, I would bet most people think that after an airline has a crash it would be even more safe to fly it.  Mainly, because we assume the airline would immediately check all the planes in the fleet to ensure this tragic event would not occur again.  At least not for a while.  Probably sound thinking. It seems clear we feel the same way about data breaches and leaks.  I’m sure you have seen the TV commercial for a credit monitoring service offering a free dark web scan to see if your personal information is out there.  Spoiler alert –of course it is!  That’s why they give the service away, because it’s pretty much worthless (to you) other than to scare you into possibly buying their service.  Sadly, I’m fairly sure that every Americans’ personal data is, in some capacity, out on the dark web for sale.  Oh, you don’t use a credit card, so you’re safe, right?  Perhaps, you’ve never connected to the internet or signed up for an online service, so you got to be in the clear, correct? Well, sorry to say even those individuals would not necessarily be immune from having their data hacked, skimmed or otherwise nefariously absconded.  Did you file a tax return? Probably.  Can you definitively say the government hasn’t “lost” your data? Nope, yet we continue to trust.  Why? Because we want to and, arguably, must trust. What is our alternative?  

Good question. 

Shoppers still go to Target. If Amazon suffered a data breach, would you continue use their super convenient service? Probably. Definitely. Why is that? It’s easy, we as consumers feel no pain and we trust. If there is pain, it’s just a little pinprick. Like a slight increase in your credit card interest rate. Nothing big, mind you, say a quarter of a point, but across millions of accounts, that’s a lot money being quietly scooped out of our pockets.  Oh, for certain we, as consumers, pay for cost of credit card breaches, but what about our loss of personal data and privacy?  That’s our intellectual property, so to speak.  Should we not be entitled to some compensation for all the details of our personal lives being peddled around the internet in all form and fashion? The data aggregators will argue we are compensated (you got that free cat of month computer wallpaper, after all) or we voluntarily offered it up by signing up for a loyalty card or Facebook. Until we hit companies in their wallet, we can’t expect things to change all that much.  So, the show goes on. We are blissfully trusting and naïve at best, but mostly likely just comfortably numb.