Wall Street’s reaction to Anthem data breach: ho-hum
The parent of Anthem Blue Cross disclosed late Wednesday that hackers stole the personal information of as many as 80 million customers and employees in the worst security breach of a U.S. healthcare company.
On Thursday, Anthem Inc. shares fell just 42 cents — less than a third of 1%. Wall Street basically shrugged off this latest example of corporate cyber-weakness as not even being worth as much as a cup of coffee.
“This is a massive mistake,” said Scott Spiro, chief executive of Computer Solutions Group, a Los Angeles tech-security firm. “There’s clearly not enough accountability if the stock market isn’t recognizing the danger of what’s happening here.”
Yet this is where we find ourselves. Computer security breaches have become so frequent and so ubiquitous that they’re recognized by investors as little more than a routine business cost.
For consumers, this is completely unacceptable.
“Companies are getting off relatively unscathed,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego. “They provide some credit monitoring to placate consumers, but they have no real incentive to do better.”
The Anthem hack is particularly troubling because the potential damage runs so deep. Stolen data include people’s names, addresses, Social Security numbers, birth dates, medical history and employment information, including how much they make.
This is like one-stop shopping for identity thieves.
“Imagine what you could do with all that information,” Stephens said. “You could call up almost any bank or financial company and answer any identification question a service representative might have. Then you could close down accounts, transfer money — do anything you want.”
Scott Brown, an L.A. computer-security consultant, said the business world is in “a time of transition,” coming to terms with increasingly sophisticated hackers and seeking out appropriate countermeasures.
“There’s no such thing as airtight security,” he said. “It’s just a myth that a system can be impregnable.”
Security experts say we’ll never be able to stop hackers at the source. All too often, they say, cyberattacks originate overseas, beyond the reach of U.S. law enforcement. There were reports Thursday that China may have played a role in the Anthem hack.
But more can be done to keep the bad guys at bay.
Here are some places to start:
Encrypt all data. Businesses say it’s too costly and too cumbersome to shield data under layers of encryption. It slows things down, they say, and harms productivity.
This is both reckless and foolish. None of the data accessed by hackers in recent incidents was encrypted. If it had been, the danger to consumers would have been minimal or nonexistent.
It’s now painfully obvious that unencrypted info represents easy pickings for cyberthieves. Businesses and government agencies should be required to shield all information with the strongest possible encryption and to regularly ensure that their defenses are intact.
Substantial fines should be levied for businesses that fail to meet these standards.
Limit the info. Do companies really need all the information they seek from customers? And if so, does it all have to be stored in the same place, as Anthem seems to have done?
Moreover, Social Security numbers were never intended to serve as a national identification system. They’re too easily obtained by others and serve as keys to way too many confidential records.
It’s time that a new ID system be created, using state-of-the-art technologies such as bar codes or so-called QR codes.
Increase the pain. When a hack the magnitude of what Anthem experienced causes a company’s stock to dip by a mere 42 cents, the message to other businesses is that security breaches aren’t something you need to worry about.
The stakes need to be much higher. Fine a company $100 for every person affected by a security breach.
In Anthem’s case, this would mean a penalty of up to $8 billion. I guarantee this would get the attention of senior executives.
I also guarantee that computer security instantly would become the foremost consideration for boards of directors and shareholders.
A stronger response. As it stands, breached companies almost always offer a year of free credit monitoring to customers. That isn’t enough.
Along with free credit monitoring, they should offer free credit freezes, which allow consumers to lock their credit files to all inquiries, giving access only through a personal identification number.
A credit freeze basically prevents fraudsters from opening credit card accounts or seeking loans in your name because lenders are blocked from checking your credit files. It typically costs about $10 to put a freeze in place and $10 each time you authorize access.
Hacked companies should bear that cost. In fact, there should be no cost at all.
The big credit reporting firms — Experian, Equifax and TransUnion — use credit freezes as yet another way to profit from consumers’ privacy issues.
None of us gave permission for them to exploit our files in such a way. We’re the ones who should be in control. Credit freezes should be the default setting, and consumers should be the ones who decide who can have access to their records.
If nothing else, the Anthem hack serves as a wake-up call that even the supposedly best-protected databases are insufficiently defended.
“I know you expect us to protect your information,” said Joseph R. Swedish, Anthem’s chief executive. “We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.”
We now know that whatever trust and confidence the company enjoyed, it was undeserved.
We also know that talk is cheap when it comes to keeping hackers out. Actions are what count.
And to date, corporate America has shown itself woefully unwilling to rise to the challenge.
David Lazarus’ column runs Tuesdays and Fridays. he also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to david.lazarus@latimes.com.
