When was the last time you ran outside when you heard a car alarm? I remember once driving an old, heavy, muffler-challenged vehicle through a parking garage and setting off every car alarm in my wake. They made a lot of noise, but I don’t remember anybody rushing to the scene.

Similarly, when was the last time you got one of those letters in the mail saying that your personal information may have leaked out in a data breach? Probably recently. I’ve received two just in the past three weeks. I’ve also had to replace credit cards that someone else tried to use. What can you do about it? Don’t let the card disappear into the back of the restaurant, for one thing, but it still happens. Replace the card and sign up for six months of free credit monitoring, I suppose. But I’ve already got six months of free credit monitoring.

Maybe we’re all being desensitized or becoming indifferent, but whatever it is, it seems to be happening at a time when attacks are increasing in their frequency and severity. Those notices are now just another piece of junk mail. (I was at an event once where I met the Postmaster General. We got chatting and in the course of the conversation I said the words “junk mail.” “We refer to it as ‘advertising mail,’” he corrected me.)

Depending on who’s counting, an average of between one and thirty data breaches are reported each day.

Yes, that’s a huge range. Some sources don’t differentiate between a breach (attack) and a leak (accidental exposure), but the end result is the same: data ending up where it’s not supposed to be. Nevertheless, we seem to have collectively come to a point where we just accept the inevitability of these intrusions and the fraud that results from them. In the best case, cleaning up the mess after someone uses our stolen data is annoying. In the worst case big chunks of money can disappear from our bank accounts.

Data might be called the new oil, but unlike oil, when data leaks you can’t ever fully clean it up. All you can do is your best to make what leaked less harmful.

Credit card companies have gotten better at identifying potentially fraudulent charges. Customers are alerted to questionable use and given the option to confirm the charge, or deny it and get a new card. The last time I had to arrange for a new card the phone call took less than three minutes. Some will even automatically identify recurring charges and arrange for the new card details to be updated for you.

I suppose it’s possible to go off-grid, to not use credit cards, to not conduct business online, and to not give our information to companies that store our data in computer databases. Now that I hear that out loud, I’m not sure it is possible. (Aside: I find it amusing that several “off-grid” proponents have YouTube channels.) We did stop printing social security numbers on checks and using them as student IDs, so I suppose that was a good start.

Search for “how can I protect my credit card number and social security number” and you’ll find dozens of useful articles from the Social Security Administration, credit card companies, financial services companies, credit reporting agencies, universities, newspapers, magazines, and anti-virus software vendors.

All agree that one simple best practice is to be vigilant, keeping an eye on our credit cards and bank accounts. Constantly. Assume that someone is trying to get in and we need to catch them as quickly as possible.

The problem is that this same desensitization seems to be happening on the corporate side as well. Yes, large data breaches make the national news, but did you know that there have been over a thousand just this year? Target took a significant short-term hit following theirs, but more than a decade later all has been forgotten and forgiven. Earlier this year a hacking group claimed that they stole personal information, including social security numbers, for nearly every person in the United States from National Public Data. Do you remember seeing it in the news? Yes. For more than a day or two? No. What did you do about it? Nothing.

Most companies have a Chief Information Security Officer (CISO) and at least one Data Protection group. Many also require that all employees complete data security training. Data Governance teams are working more closely with Data Protection teams. This is all great stuff, but the leaks still happen. 

The meteoric rise of Artificial Intelligence has created a new escape route for sensitive data. If your Large Language Model is trained on sensitive data, then unless you have specific safeguards in place, it won’t necessarily recognize when it’s responding with sensitive data.
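One concrete form such a safeguard can take is an output-side filter that scans what the model is about to return and redacts anything that looks like a social security number or a credit card number before the user sees it. The example below is added here to illustrate that idea and is not code from the post; the SSN pattern, the Luhn check, and the sample response are all constructed for the illustration.

```python
import re

# Constructed sample of what an unguarded assistant trained on customer
# records might emit. The order number is a decoy that must survive redaction.
SAMPLE_RESPONSE = (
    "Sure! The customer record shows SSN 123-45-6789 and card "
    "4111 1111 1111 1111, expiring 12/27. The order number is 1234-5678-9012."
)

# SSN format rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_sensitive(text: str) -> tuple[str, list[str]]:
    """Redact SSNs and Luhn-valid card numbers; return (clean_text, findings)."""
    findings: list[str] = []

    def ssn_sub(m: re.Match) -> str:
        findings.append("ssn")
        return "[REDACTED-SSN]"

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        # Only a Luhn-valid run is treated as a card; other digit runs pass.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card")
            return "[REDACTED-CARD]"
        return m.group(0)

    text = SSN_RE.sub(ssn_sub, text)     # SSNs first so they are not re-read as cards
    text = CARD_RE.sub(card_sub, text)
    return text, findings


if __name__ == "__main__":
    clean, found = redact_sensitive(SAMPLE_RESPONSE)
    print(found, clean)
```

A filter like this sits between the model and the user and logs each finding, which gives the Data Protection team a signal that training data is leaking rather than silently letting the response through.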

Is more and stricter regulation the answer? New consumer protection regulations seem to be multiplying, but are they effective? Do we need Sarbanes-Oxley-like legislation that includes personal legal liability when data escapes? How much more do we really want the government to get involved? I would prefer that companies find solutions themselves before the politicians jump in even more. What do you think?
