When it comes to the scourge of data breaches and personal data theft, ignorance is bliss.
That is the unavoidable conclusion of a number of recent studies, which show that U.S. consumers are deeply concerned about the privacy and security of the data they share online, but often assume that massive data leaks and thefts have miraculously spared their personal information from exposure.
Consider the recent poll conducted by Harris of around 2,200 U.S. adults that found that while 94 percent of Americans have heard about the security breaches that have happened in the last year, only 12 percent think their data has been stolen during the same time period. (That poll was sponsored by the security firm Tenable.)
A survey of 450 Massachusetts adults sponsored by that state’s Advanced Cyber Security Center (ACSC), a non profit consortium, found a similar pattern. In that poll, only 22 percent of Massachusetts residents believe that their personal credit information was affected by the Equifax breach. Forty nine percent of those surveyed were sure that their personal credit information had not been affected by the breach.
As we know, this is madness - or at least willful ignorance. The Equifax breach, for example, involved the theft of sensitive data, including credit information, on 145 million people. All but a couple million of those were U.S. consumers. According to data from The Federal Reserve, there are only 235 million consumers in the US and just 167 million with a credit card. That means around 86% of U.S. credit card holders had data that was exposed in that breach - not 12%.
And there was more bad news this week, after the security firm UpGuard disclosed that it had come across leaked files from the data analytics firm Alteryx. Among that data was a “ConsumerView” database of profiles from Equifax’s competitor, Experian, containing information on 123 million US households including addresses, occupants, credit card use, debt information and in some cases shopping preferences. According to the U.S. Census Bureau, there are only around 126 million households in the U.S., which means that if you’re a member of a U.S. household, you had a 97% chance of being in that Experian database.
The sad truth is that if you use the Internet for just about anything or if you frequent brick and mortar establishments like Target or Home Depot, at least some of your data has fallen into the hands of cyber criminals, nation state actors, hacktivists and the like. That’s about as sure a bet as you can make.
So why do U.S. consumers have such a rosy view when asked about the security of their data? For one thing, the U.S. lacks a comprehensive, federal data privacy and data protection law that compels firms to notify consumers when their information has been compromised. Yes, 48 states and U.S. territories have laws that may (or may not) compel notification, but the lack of a uniform standard makes your likelihood of learning of the theft of your information dependent in part on where you live.
Also, humans - or, really, our brains - are really bad at calculating things like risk and probability, especially when the “risk” is something abstract (your data being stolen) rather than concrete (being eaten by a lion).
What could help consumers is more information and education about online risks. Mandatory and explicit notification of cyber incidents that affect consumers would make sure that anyone whose data was exposed or stolen is aware that they are a victim. Regulators could also devise a system for assessing the security of particular service providers who do business online, so consumers would have some way of measuring the relative risk of using a particular site. Vendors like UpGuard and BitSight already do this for businesses. Extending it consumers and providing a Zagat style rating of security and data privacy protections would help level the playing field and give ordinary consumers a better idea of where they stand.