The Anthem breach has captured headlines around the nation. For good reason.
With 80 million records involved, it is the largest health-related data breach by a factor of almost 20. And it is also among the five largest breaches ever reported in any sector.
But there are more reasons to pay attention to the Anthem breach than just its size. There are practical lessons for us all.
First, many past mega breaches have included credit card numbers and passwords—data that can be exploited immediately but are also easy to change. The information at stake in the Anthem breach—name, address, Social Security number, birth date, phone number, email address and employer—poses different risks.
Taken together, these data can be used to commit various types of fraud, from opening credit or insurance accounts in someone else's name to filing fraudulent tax returns or crafting targeted phishing emails. Moreover, these data are hard, if not impossible, to change.
But the likelihood of these risks materializing depends largely on the willingness of businesses and government agencies to accept this type of information as verification of identity.
Except for Social Security numbers, all the information involved in the Anthem breach is readily available on the Internet or from public records. Even Social Security numbers are used every day in thousands of settings.
Knowing this, no intelligent company would ever rely on a Social Security number or birth date for online identification. But we do it all the time. Just last month, when I signed up for my new health savings account, I learned that the provider had set the default password as my Social Security number.
Similarly, fraudulently claiming a tax refund owed to someone else is one of the nation's fastest-growing frauds because the IRS allows a return to be filed with only a Social Security number, birth date and name. So if Anthem's breach threatens individuals, it is due in large part to poor security practices by others, not Anthem.
The breach is also a powerful reminder about the importance of law. We would likely never have learned about the Anthem breach were it not for Indiana’s breach notification laws, and Indiana’s credit freeze law provides perhaps the best protection individuals can use to guard themselves from the fallout. Visit http://www.in.gov/attorneygeneral/2411.htm to learn how to place a freeze on your credit report.
However, the Anthem breach is a powerful reminder that we need the federal government to take more seriously its responsibilities for cyber security.
Anthem may have been ill-prepared. It had already paid $1.7 million in fines in 2013 for poor security practices. Moreover, the stolen records were unencrypted, and leaked internal documents suggest that it took the company more than seven weeks to detect the intrusion.
However, Bloomberg reports that there is evidence tying the Anthem attack to “Chinese state-sponsored hackers who are stealing personal information from health-care companies for purposes other than pure profit.”
If this proves true, it raises the legitimate question of how any company can be prepared to fight state-sponsored attacks. Historically, fighting other nations has been the role of government. But in cyber security, the government has not stepped up to the plate, leaving many American companies, as well as consumers, exposed and vulnerable.
Cate is a distinguished professor and C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, and a senior fellow and former director of the IU Center for Applied Cybersecurity Research. Send comments on this column to [email protected].