Apparently there’s a proposed settlement for the Anthem breach. As a refresher, this was one of the largest data breaches on record, with roughly 80 million individuals’ data compromised. The settlement breaks records – $115M. But is it a good settlement?
What victims are going to get is two years of low-value credit monitoring – at a cost of $659/person or about $50M (assuming everyone signs up). There’s also the potential for people to claim actual costs associated with the disclosure. The attorneys are getting about $39M – a nice paycheck. I’ll leave the fairness of the legal fees alone and focus on the first two, because “two years of credit monitoring” seems to be the industry playbook for a data disclosure.
That playbook covers credit card data theft, medical records, and other financial information alike. Unfortunately, the risk and impact vary widely depending on what’s stolen. When Target, Home Depot, or TJ Maxx lost credit cards, it was an annoyance: you have to get a new card, maybe make a couple of phone calls, and you’re done. Debit cards carry much more liability and can be harder to recover from. As an aside, that’s why I recommend against using – or even having – them, as they have a much lower level of legal protection than a credit card. In those cases, two years of credit monitoring might be fine.
Situations where your fundamental data is lost (SSN, birth date, medical history, banking information, and so forth) present life-long risks. These range from ongoing identity theft, criminal fraud, and extortion to loss of employment or other opportunities. In those cases, as with Anthem, two years of monitoring is inadequate given the long-term impact. It’ll take the bad guys more than that long to work through that number of records. This is a business for them, and they’re likely to be patient and wait to use most of the records until after the free period expires.
And let me be clear, I’m right there with Brian Krebs’s opinion of credit monitoring. It’s overpriced, and at best it will let you know that your credit was just stolen, not prevent it from happening. He recommends (and I wholeheartedly echo) that the best option is to get a credit freeze from all four agencies. Rather than recreate his good work, here’s a link to instructions on how to do it. Even if you weren’t part of this breach, it’s worth doing as a preventative measure – as is creating accounts with the IRS and the Social Security Administration. Oh, and if you freeze your accounts, monitoring services are useless, as third-party ones can’t see anything, and the in-house ones can only see in-house data.
Take a few minutes and go do that (if you’re at a secure system). I’ll wait…
OK, all done? Good. If you want to hedge your bets, getting coverage for identity restoration services might be worthwhile. State Farm and Allstate offer an affordable rider for homeowner’s policies.
As for documenting actual costs and getting them recovered, you might be able to get the cost of placing a freeze covered, but that’s about it – and I doubt they’ll cover the costs for the rest of your life. Just as I’ve written about how hard it is to attribute an attack to a particular agent, attributing identity theft to a particular breach is essentially impossible. How aggressive will they be in demanding proof of a linkage? It’ll be interesting to see.
So what would I like to see instead of this canned playbook?
- A cash award option for the retail cost of the identity theft services offered. LifeLock’s top-end plan runs about $650 for two years. That’d cover a big chunk of the freeze/unfreeze costs for many years.
- A formal letter sent to each victim stating that they are at risk of identity theft. In many states, that triggers free freeze/unfreeze options.
- Counselors available to help obtain freezes when inaccurate information on a credit report prevents the automated systems from working (I had that at one agency… extremely painful to resolve).
Tort reform and caps on attorney fees are also on my list, but this is a security blog, not a political one. There is one political solution here, though: we need to reform data ownership laws. If it’s our data, and these companies are merely its custodians, liable under law for abuse, misuse, and disclosure, that will change behavior.
In the end, we should all assume that our personal information either has been, or will be, captured by the bad guys, and take appropriate precautions. That means watching credit card and bank statements for suspicious activity; not answering any inbound phone call about personal information (call the company back at the number on your statement); getting a credit freeze and locking down other accounts; never, ever using a device other than your own for financial transactions; and buying – and using – a shredder.