Increasingly, in the aftermath of a big data security news item—whether it takes the form of a high-profile mega breach (think: Office of Personnel Management, Anthem, Sony Pictures, Home Depot, Target) or a low-tech data grab—an odd phenomenon happens. First, there is what you might call the “water cooler” phase—news of the breach comes up in casual conversation. As the news coverage quickly moves on to whatever else is happening in the world, those conversations move on as well. The next thing that happens, unfortunately, is a widespread case of collective amnesia.
At least part of the reason this amnesia sets in is that we don’t talk enough about what these breaches and compromises mean on the consumer level. If you have ever found yourself in the sights of an identity thief, you know all too well how horrible life can be after you press send on an e-filed tax return and you’re blocked because you already filed, open that letter from a collection agency for a debt you’ve never heard of, are refused coverage by an insurer, or are denied a loan for a new home, car or investment because your credit has been compromised. But for many consumers, the attack takes the form of a credit card account takeover, which is more a nuisance than anything else. And this low-fallout scenario may be why a significant number of people move on to the next news item after a breach. We’re used to thinking the bank will make everything all right.
But it’s not always so simple.
Meanwhile, the increasing number of high-profile compromises reveals a generalized apathy in the face of data insecurity—or worse still, resignation. The fact that more than a billion records containing personally identifiable information are already out there and for sale on the information black markets is no longer headline news. The notion that identity theft is now the third certainty in life, right behind death and taxes, is increasingly a truism among informed consumers. So, in the face of that, what does one do? As I outline in my forthcoming book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, I urge readers to start thinking in terms of the three M’s: Minimizing risk, Monitoring your identity and Managing the damage.
The threat to email and the practice of stashing work documents on non-secure email accounts definitely falls under the heading of the first M: Minimizing risk.
Here are a few points to bear in mind:
- Email is not a safe environment to store data. It is a delivery system.
- Email is not a safe delivery system for sensitive information. There are secure systems—Zixmail, Hushmail, PGP Desktop Email, JumbleMe, Djigzo and others you can check out in Entrepreneur’s roundup—and to varying degrees, they are safer since they encrypt messages and require authentication before access is granted, but nothing is failsafe, and there is always the issue of human error.
- Passwords are not supposed to be convenient or permanent. The best passwords are impossible to remember and temporary, e.g., Ou45x11!per.iSfG4EeW might work for a week or so. But don’t cut and paste it, since that means the password resides somewhere on your hard drive.
As we bounce from one breaking news story to the next, there is very little talk about what consumers can do to better protect themselves from what we should call “the new data insecurity.” If the head of the CIA can be hacked, it doesn’t only mean that you can be hacked, too. That should go without saying. What it means is far more alarming: We aren’t learning anything.
Adam Levin is chairman and founder of CyberScout and Credit.com, where this story originally appeared as an Op/Ed contribution. It does not necessarily represent the views of the company or its partners.