Anthem Data Breach a 'Wake-Up Call'
The hacking of health insurance giant Anthem last week, which exposed personal information of 80 million current and former customers and employees (see 1502050028), was a subject of an Online Trust Alliance (OTA) panel on privacy Thursday, at which speakers were divided about the breach's significance. Anthem said Wednesday that personal information was stolen, but Anthem CEO Joseph Swedish said in a statement, “There is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” A Democratic FTC commissioner and the head of the group that organized Thursday's event both called the breach a wake-up call.
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Just because a company suffers a data breach doesn’t mean that the FTC will file a complaint, Commissioner Julie Brill said at the event: “Stuff happens. It’s impossible to have perfect security.” She said the FTC has taken 55 data security actions to date.
Companies need to have reasonable security, Brill said. Companies need to have a process in place, set up a good security system, examine the security system, fix vulnerabilities and respond when hacked, she said. “Not everyone who suffers a breach will be in trouble because reasonable security doesn’t violate the law,” Brill said. “Just because you don’t suffer a breach doesn’t mean you didn’t violate the law” and the FTC may take action, she said.
House Homeland Security Committee Chairman Michael McCaul, R-Texas, said in a written statement that the Anthem "attack" is a "reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information. ... As Chairman I will lead this effort with other committees in the House and Senate to ensure we move forward with greatly needed cybersecurity legislation as soon as possible."
The Anthem data breach is a “wake-up call,” said OTA Executive Director Craig Spiezle. Brill agreed, adding there are “lots and lots of breaches” that the public is largely unaware of because notification laws vary from state to state. Talking about President Barack Obama’s call for federal data breach and data security legislation, Brill said she would like to see a requirement that companies must notify consumers of a data breach unless there is no risk of harm. For instance, if a tape were recovered soon after it was lost and it was determined no information had been taken, or a database were highly encrypted, notification wouldn’t necessarily be needed, Brill said. “Nuisance notification is removed,” while allowing consumers to take action given that the risk of identity theft lasts for years following a data breach, she said. Brill advocated for a strong federal law when it comes to data breaches and for the FTC to have authority. State law enforcement and attorneys general would still be able to enforce the law as well, Brill said.
More than 60 state bills related to privacy passed last year, Brill said. Most of those bills were “nips and tucks” related to issues such as data privacy and employers asking employees for social media passwords, she said. The legislation was important since privacy doesn’t exist without data security, Brill said, but Congress needs to act. Congress should at least introduce the Consumer Privacy Bill of Rights that Obama urged a few years ago, Brill said. Doing so shows other countries that "the U.S. is being serious about privacy,” and lets the public have a discussion, she said. Though Brill said she recognized the “good regime” of U.S. privacy laws, “the problem I have is the laws were created in the 1990s and early 2000s,” she said: There are gaps where information is not protected.
As noted in the FTC Internet of Things privacy report (see 1501270034), there are products and services that don’t have a user interface where consumers can exercise their choices, Brill said. Seventy percent of the information on the 25 billion devices currently in use is shared over an unencrypted network, Brill said. “This is a huge security issue,” as it can affect a device’s functionality, Brill said. For example, a hacker could disable a driverless car or a pacemaker, she said. “Unless security is done right, this will become more common.” Third-party data brokers and advertisers also should offer consumers a chance to opt out of the collection of information used for marketing purposes, Brill said. Entities creating consumer profiles need more accountability for collecting sensitive information such as whether an individual has AIDS, diabetes or is a single parent, she said. “Aggregators must be more responsible where they sell information.”
Companies need to think about “building security from the start” and keep self-regulatory codes up to date, Brill said. “We are seeing companies competing on privacy” after recognizing consumers are concerned, Brill said. Spiezle said he had just purchased a smart home system whose default administrator username and password were simply "admin" and "password," respectively. “The company said don’t change them because it’s easier on us,” Spiezle said, adding that leaving these defaults in place is also “easier for criminals.”