Avoiding data breaches is nearly impossible for most consumers. Have you stayed at a Marriott? Worked for the federal government? Shopped at a Target or Home Depot? Applied for an account with Capital One? You are most likely a victim. Indeed, at this point it might be harder to find an American who has not been affected by a data breach than one who has.
The script is now painfully familiar: A company reports a major data breach affecting millions of consumers, apologizes profusely, and promises to do better.
Unfortunately, the most common response to these announcements is a few days of mild public outrage followed by a collective shrug.
But this needs to change.
The risk is rising because the amount of data collected and stored about consumers is steadily growing — it has doubled in the last five years. Unfortunately, the methods used to protect this information are changing at a much slower pace.
Even worse, most companies reporting a data breach are offering consumers the same tired remedy: free credit monitoring.
For most Americans, free credit monitoring is about as useful as two buggies in a one-horse town. Everyone who wants it already has it because they’ve already been a victim of a data breach. Yahoo is offering two years of free credit monitoring to 194 million people, Equifax is offering ten years of free credit monitoring to 143 million people, and now Capital One, which just announced a data breach affecting 100 million Americans, is set to do the same. And all active military personnel qualify for free credit monitoring thanks to a new rule set to go into effect this fall.
A cynic might think companies are only offering free credit monitoring because they know most consumers won’t bother to take them up on the offer.
Not only do most of those who want it already have it, but credit monitoring does little to protect against other types of identity theft, such as when people steal medical benefits or use stolen personal data to engage in employment fraud. Plus, these services can overwhelm consumers with false alerts, leading them to ignore the warnings.
Credit monitoring is like putting a security alarm on the house with a broken lock — it does nothing to keep criminals out, it only signals when they are in. Without remedying the underlying cause of poor security, these types of data breaches will keep occurring.
A better option is to start requiring companies that are responsible for data breaches to offer consumers their choice of a menu of security-enhancing products and services. Not only will this spur consumer adoption of better security, but it will create a market for these services.
For example, Social Security numbers are terribly insecure, yet widely used to identify people because there is no better alternative. Secure electronic IDs — physical smart cards or digital certificates installed on mobile apps — would be a viable replacement. Unfortunately, new technologies like these present a chicken-or-egg problem: consumers have no reason to adopt them until businesses accept them, and businesses have no reason to accept them until consumers adopt them. But consumers having the option to get free electronic IDs after the next data breach would jump-start the market for these products. And by making Social Security numbers less valuable, they would diminish the value of data breaches for attackers.
Or consider that only about 12 percent of Americans use password managers, while the vast majority, 86 percent, just choose to memorize them. That is why “123456” is still the most common password. A free subscription for a year or two to a password manager could help consumers secure all their online accounts. And free security tokens — hardware-based keys to securely log in to an online service — could get more consumers to start using multi-factor authentication.
There is nothing stopping the companies responding to data breaches from offering these alternatives now, or regulators from demanding them on behalf of consumers in settlements, but they may not do this unless Congress intervenes. But it is important to do this right. Ideally, the Federal Trade Commission or another government body would be tasked with regularly updating a list of eligible security-enhancing consumer products and services that consumers could choose from, to ensure security continues to improve.
This change certainly will not fix everything. Businesses still need to invest in better enterprise security, replace outdated systems and keep current on software patches. But by raising the bar on how companies respond after data breaches, policymakers can break the status quo and start to fix some of the underlying causes of data breaches.