Data is a valuable commodity online. It’s therefore no surprise that criminals—whether they are acting alone or as part of transnational groups—have sought to unlawfully access, obtain and use this data.
Over the last few years, numerous data breaches were reported by commercial, financial, health, education, and government institutions (some examples: Target, Home Depot, J.P. Morgan Chase, CareFirst BlueCross BlueShield, University of Hawaii, and the Office of Personnel Management).
The data stolen was primarily customer information.
In response to these data breaches, companies have sought to assuage customers’ concerns and fears by offering them credit monitoring services for one to two years. But this credit monitoring service is a form of “security theater.”
While the credit monitoring service “looks” like a security measure, it does not actually provide users with any form of security. It is merely designed to make users who are offered this service feel safer. The credit monitoring service alerts users to the identity theft and fraud after it has occurred; it serves no preventative function and thus does not protect users from these illicit activities.
To make things worse, even the credit bureaus have suffered breaches.
In the aftermath of these breaches, as with the institutions mentioned above, those whose data had been compromised from the credit bureaus’ databases were offered one year of free monitoring services, the same services that the bureaus themselves created and now sell to others. It is absurd that companies can collect, store, transfer, and sell users’ data without being properly held accountable for the loss of user data after a breach of their systems.
At the very least, these companies should be held liable for the loss of user data. They should be required to provide sufficient funds to users to freeze and unfreeze their credit, and provide users with lifelong monitoring services and reimbursement for the time and resources users spend to deal with the aftermath of the theft of their data.
Indeed, if companies really wanted to protect users, they would provide them with money that users could put into an account and use to freeze and unfreeze their credit.
Security freezes prevent criminals from opening up accounts, lines of credit and credit cards in the victim’s name, because access to the victim’s credit file is blocked. Fifty U.S. states and the District of Columbia allow users to freeze their credit. But customers must pay to freeze and unfreeze their data, with the exception of those allowed to initially freeze their data (i.e., the first freeze) at no cost.
Depending on the state, those who have suffered from identity theft and fraud—and have a police report that can substantiate this—and/or are of a certain age (e.g., 65 years or older), can freeze their credit for free. Others have to pay a fee.
It’s important to note here that most states unfortunately charge users when they freeze their data before becoming a victim of identity theft (unless the person is part of a specific age group that does not have to pay; this exemption depends on the state). This fee may serve as a deterrent for users to proactively protect themselves from identity theft.
If companies really wanted to protect users, they could take greater care of users’ data.
In addition, the government could pass a law that holds companies liable for the loss of user data. Data protection laws are few; those currently in place only protect certain types of data (e.g., health). Moreover, these laws do not prevent data breaches, nor do they help users whose data is lost.
Individuals whose data is compromised will have to spend time and resources to deal with the financial implications of the breach, even though the loss or compromise of the data was no fault of their own. In certain cases, a class action suit may be possible (depending on the incident and what type of data was stolen). However, this does not help the users whose stolen data could not be easily changed (e.g., social security number); nor does it prevent future fraudulent activity against the users.
U.S. citizens have been convinced that identity theft and fraud is their problem, even though individuals often become victims of identity theft and fraud through no fault of their own.
Indeed, numerous data breaches within the U.S. have compromised Americans’ data; despite these occurrences, users bear the brunt of the burden to deal with the consequences of a data breach. Ultimately, the companies who suffered the data breach should be responsible for dealing with the consequences of the breach, not the users.
Editor’s Note: See Marie-Helen Maras’ recent interview on John Jay’s Criminal Justice Matters program.
Marie-Helen Maras is a former U.S. Navy cyberspecialist and author of “Cybercriminology.” She is currently an associate professor at John Jay College of Criminal Justice. She welcomes comments from readers.