April 15, 2011— -- In the 21st century, the data breach apology letter has established itself as a new literary art form.
Countless CEOs from corporations big and small as well as elected officials have had to reach out to the public and offer mea culpas that both communicate how sorry they are that this serious breach happened, and ultimately that there is nothing to worry about because nothing has happened to you … yet.
So how does one communicate that something is both grave and inconsequential? It's not easy, but just take a look at these modern classics from the past few months.
"I deeply regret the exposure of the personal information that occurred and am angry that it happened…. I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location. We take information security very seriously, and this type of exposure will not happen again."
- April 11, 2011, Texas State Comptroller Susan Combs, responding to news that 3.5 million Social Security numbers, addresses, birthdates and (somewhat fewer) driver's license numbers left on a easily accessible, public computer server for an entire year (which means that someone has very likely been messing with Texans).
"We are extremely regretful that this incident has impacted…. clients and their customers. We take consumer privacy very seriously and work diligently to protect customer information…. We apologize for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers' confidence."
- April 6, 2011, Bryan J. Kennedy, president of Epsilon, an email marketing firm, responding to news that likely tens of millions of email addresses on the marketing lists of some of the country's largest banks, retailers and lifestyle companies were compromised because an unauthorized user gained access to Epsilon's systems.
And how could we forget this old chestnut?
"Our experts have advised us there is no indication at this time that any of your personal information has been accessed or misused…. is committed to preventing further incidents of this kind. We have reviewed our data security practices, and are putting additional protections in place to help assure the security of all our clients' personal information…. Keeping your information secure is of the utmost importance to us, and we very much regret that this situation occurred."
- February 14, 2011, David Zitlow, EVP at Cord Blood Registry, responding to news that the names, Social Security numbers and credit card information of 300,000 clients were left unencrypted on several back-up discs stuffed in a backpack that was stolen out of an employee's car.
It is very likely that you or someone in your family has read a press report which included a quote, or received a letter containing one of the above now-hackneyed statements. The reason you have is because data breaches of typhoon magnitude are occurring with frightening frequency. In the last few months there have been several major breaches, like those mentioned above.
Unprotected Sex and Globalization
As I reflect upon all of this, two things come to mind: unprotected sex and globalization.
For years we have been warned that engaging in unprotected sex guaranteed that we were not only having intimate relations with the object of our affections but also every person with whom he or she had ever slept. Example: you think you are dealing with JPMorgan Chase, Citigroup, Target, Disney Destinations, Verizon, or Walgreen's. In actuality, their email is being managed by a third party. You believe the business with whom you're affiliated has employed strict security measures that protect the integrity of your information, yet in so many cases they are relying upon a vendor that may not practice the same stringent protocols, or does, but is sunk by the incompetence or carelessness of employees, or the evil genius of a sophisticated hacker.
Then there's the reality of globalization: the globalization of industry (which is why when you call your favorite institution's helpline you're talking to someone in India, Costa Rica, or the Philippines) and, the globalization of finance (which is why 20 percent of that single-family home mortgage in Kansas was blended with 10 percent of the mortgage on my friend's Park Avenue co-op, and sold to a financial institution in Copenhagen). In fact, the housing crisis was in no small measure caused by the fact that securitization of mortgages utterly removed the maker of the mortgage from the risk of nonpayment. All the institutions that bought that securitized polyglot of mortgages couldn't "know the customer." And, of course, the customer had no real way of knowing to whom he actually owed his monthly payment. This globalization has become ubiquitous, so that no one knows anyone personally anymore. It's also why there are probably parts of 100 different cows in that hamburger you're eating. If any one of those bovines had a problem, it will end up in 1,000 human diners.
[Free Tool: Obtain your Identity Risk Score from Credit.com]
The spate of recent identity breaches is also the result of globalization—of information. You may provide personal data to an institution with which you have done business for years; but what you are coming to realize is that your data is likely being provided by your institution to many other companies, for marketing or e-mail communication purposes, or for who knows what else? According to the 2011 Global Security Report from Trustwave, 88 percent of data compromises originated with a third-party vendor, compared to 12percent for which the primary business was responsible.
The impact of these breaches continues to grow. It has reached the point where not only your Social Security number, but also your health information, address, phone number, high school, college, favorite color, political and/or religious preference, or your "perfect" man or woman can be discovered by almost anyone. The worst part is, naturally, that you can't know who has your information, who stole it, and oftentimes when it was stolen. The murky language with which breach incidents are announced and discussed (see above) tells you exactly nothing. You become an unwitting, innocent victim and statistic, without knowing exactly who your assailant is. Before all this, if you got mugged, you would at least know what was stolen, and you probably could describe the thief. Theft these days is much more sophisticated and much less personal.
The Human Factor
Ultimately this isn't about what a few companies should or shouldn't have done when it comes to securing data. The reality is that even when companies employ stringent security protocols, people aren't perfect and sometimes they make mistakes or are derelict in their responsibilities. But because of the globalization of information, handing over client information to third parties is now just part of doing business. Many organizations employ companies to manage things like email marketing projects (we haven't, but will in the future), because they can't do that kind of thing in-house. Hopefully they do their due diligence and asked the right questions about security, but there's always a risk that a person who they don't employ will make a mistake. It's a scary proposition, because regardless of the third-party affiliation, the buck ultimately stops with the company that manages the relationship. As an owner of a couple companies myself, it's the kind of thing that sometimes keeps me up at night.
So what can you, the consumer, do?
It's clear that you can't prevent identity theft. You can do everything right and still be on the wrong database at the wrong moment and suddenly you are in a world of hurt. What you can do is minimize your risk of exposure, employing many of the techniques I have written about. You can enroll in services and engage in practices that can help you detect as quickly as possible that the integrity of your sensitive information has been compromised. You can set up a damage control program to deal with the problem quickly and efficiently should the need arise. You can demand that the institutions with which you do business become as protective of your personal data as they are covetous of their trade secrets and intellectual property. And finally, you can elect people, who appoint people who respect the sanctity of your identity.
Adam Levin is chairman and cofounder of Credit.com. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.