Silent Epidemic: Data Theft has become a Public Health Crisis
One in four Americans was the victim of data theft, but policy makers can’t find the spirit to act.
What if I said that there was a disease that affected one in four adults in the U.S.? This disease caused pain and hardship and the costs of curing it were considerable – ranging to thousands of dollars per patient? And, again: one in four people contacted this disease – 25% of the adult population?
Most epidemiologists would consider a disease that widely spread to be an “epidemic.” After all, the CDC considers an influenza outbreak to be an “epidemic” when around 7% of morbidity (deaths) in a given observation period are due to the flu.
Here in the U.S., however, there’s a long-standing affliction bearing down on a quarter of the population, but nary a mention of the words “epidemic.” In fact, officials who monitor this disease are loath to even see it for what it is: a public health crisis. That’s because the disease isn’t biological, it is social and technological. That disease is data theft.
While there is no comprehensive, federal accounting of this “disease,” a survey of 2,000 U.S. consumers released by the firm Accenture gives some dimensions to the problem. Accenture found that 26 percent of U.S. consumers have had their personal medical information stolen from technology systems. Of those, around half (50 percent) were victims of medical identity theft. Anecdotally, evidence of this epidemic can be found in your local paper, where the police logs will document a steady stream of complaints to local authorities about online fraud, credit card fraud, malware attacks and the like.
Hospitals and other healthcare facilities were the most common sites of identity theft. More than one-third (36 percent) of respondents who experienced a breach said it occurred in a hospital. Other common sources of leaked data: urgent-care clinics (22 percent), pharmacies (22 percent), physicians’ offices (21 percent) and health insurers (21 percent).
Of course, the healthcare sector isn’t the only source of data theft. The Department of the Treasury said it identified more than 800,000 tax filings that were fraudulent in 2015, totaling $4.3 billion in refunds. Numbers aren’t available for 2016 yet, but expect both the number of fraudulent filings and the cost to the Treasury to go up.
Today, consumers in the U.S. face risks of online crime, identity theft and fraud in almost every arena: from healthcare and their interactions with government to banking and shopping. The consequences of being a victim are felt directly. Accenture’s survey found that stolen identity information was used to purchase items or for other fraudulent ends – for example: receiving medical care or prescriptions that are billed to the victim.
Still, there is precious little help for them. The Accenture survey found that half (50 percent) of consumers who experienced a breach found out about it themselves, through noting an error on their credit card statement or benefits explanation, whereas only one-third (33 percent) were alerted to the breach by the organization where it occurred, and only about one in seven (15 percent) were alerted by a government agency.
As for legal remedies: while victims of credit card theft are absolved of financial responsibility for fraudulent charges amounting to more than $50, that isn’t the case in other forms of theft. Victims of medical identity theft often have no automatic right to recover their losses, Accenture noted. In the case of medical identity theft, victims incurred $2,500 in out-of-pocket costs per incident, on average.
What’s to be done about this? Faced with previous epidemics and public health crises (think: smoking, AIDS or, more recently, Ebola), the U.S. government has mounted large scale, multi-front campaigns to turn back the tide. These efforts typically involved the work of multiple agencies of the federal government and extensive coordination with communities of experts and state and local authorities. Research and development was funded through U.S. universities to address core health problems (the spread of AIDS, smoking-related illnesses, treatment and a vaccine for Ebola). Those programs had the effect of changing behavior and addressing core problems – whether that was the availability of a dangerous product or the risk of certain behaviors.
Alas, no such effort has taken place to address the scourge of data and identity theft, so both threats and bad behavior persist. Despite the rash of tax identity fraud, for example, a report by the firm CyberScout found that most Americans (58%) were not worried about tax fraud and will continue to engage in practices that make such fraud more likely. A recent survey by the Pew Center found that 8 in 10 Americans simply memorize or write down their passwords, while a substantial minority (39%) “solve” the password complexity problem by reusing the same (or a very similar) password across accounts.
At the policy level, while the EU has codified still protections for consumer data and stiff penalties for companies that lose control of personal information (the EU GDPR), no similar federal law has found any traction in the U.S. Capitol in recent years. That has left it to states like California and, more recently, New York, to take the lead in protecting citizens – a patchwork approach that is confusing, costly for businesses to comply with and less efficient than harmonized federal laws.
The U.S. needs to fight another war – this one in the realm of public health and safety. The target should be cyber criminals and identity thieves who prey on our citizens and the goal: greatly reducing the incidence of data and identity theft.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business